GitHub user jornfranke added a comment to the discussion: Security Concern: Vended Credentials — Credential Delegation Violation & Workload Identity Binding

"Any actor who obtains the token — compromised executor, malicious insider, 
accidental log exposure — can use it against S3 as if they were the original 
authorized requestor"

This is the case with any token you obtain (i.e. it has nothing to do with how 
Polaris provides the token). You can have a bucket policy that allows access to 
the bucket only from trusted private networks (using a condition key based on 
aws:SourceVpc, see 
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-network-properties, 
with an explicit deny from all other networks).

"AWS CloudTrail will show S3 access under Polaris's assumed role, not under 
Spark's or the end user's identity"

This is the case with anything that is not AWS. This was a problem in AWS for a 
long time. You may be able to integrate Trusted Identity Propagation for custom 
applications 
(https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation-integrations.html) 
to achieve this.

This may be a feature for Polaris to support.

An alternative would be to simply import all the application logs in your SIEM 
and check for unusual patterns.

GitHub link: 
https://github.com/apache/polaris/discussions/3972#discussioncomment-16089102
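Added illustration, not code from the discussion or from Polaris: a reduced policy evaluator showing how the aws:SourceVpc bucket policy described in the comment limits what a leaked vended credential can do. The VPC id, bucket name and sample requests are constructed placeholders, and the evaluator is a simplified model of IAM's deny-overrides logic, not the real service.

```python
import fnmatch
TRUSTED_VPC = "vpc-0123456789abcdef0"          # constructed placeholder VPC id
BUCKET_ARN = "arn:aws:s3:::example-lakehouse"  # constructed placeholder bucket

# Policy in the shape described above: Allow only via the trusted VPC, Deny the rest.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowFromTrustedVpc", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
     "Condition": {"StringEquals": {"aws:SourceVpc": TRUSTED_VPC}}},
    {"Sid": "DenyFromOtherNetworks", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:*"], "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
     "Condition": {"StringNotEquals": {"aws:SourceVpc": TRUSTED_VPC}}},
]}

def _matches(patterns, candidate):  # IAM-style wildcards for Action/Resource
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)

def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            equal = ctx.get(key) == expected
            if operator == "StringEquals" and not equal:
                return False
            # Negated operator: a request with no aws:SourceVpc key (public internet) still matches.
            if operator == "StringNotEquals" and equal:
                return False
    return True

def evaluate(policy, request):
    # Reduced IAM logic: explicit Deny wins; no matching Allow -> implicit deny.
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if (_matches(stmt["Action"], request["action"])
                and _matches(stmt["Resource"], request["resource"])
                and _condition_holds(stmt["Condition"], request["context"])):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision

NETWORK_PATHS = {"trusted_vpc": {"aws:SourceVpc": TRUSTED_VPC},
                 "other_vpc": {"aws:SourceVpc": "vpc-0ffffffffffffffff"},
                 "internet": {}}  # no VPC endpoint, so no aws:SourceVpc key
def outcomes(path_contexts=NETWORK_PATHS):
    # Constructed sample: the same vended token reading one file over each network path.
    obj = BUCKET_ARN + "/tbl/part-0.parquet"
    return {name: evaluate(BUCKET_POLICY, {"action": "s3:GetObject",
                                           "resource": obj, "context": ctx})
            for name, ctx in path_contexts.items()}
```

Only the trusted-VPC path is allowed; a replay from another VPC or from the public internet (no aws:SourceVpc key in the request context) hits the explicit Deny, which is why the negated operator is the right one for that statement.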

----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to: [email protected]