https://github.com/apache/polaris/issues/4706
https://github.com/apache/polaris/pull/4707 Polaris can correlate vended-credential data access back to the catalog operation that issued the credentials on AWS — via SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL, which stamps polaris:principal, polaris:realm, polaris:catalog, etc. as AWS STS session tags that then appear in CloudTrail S3 data events. There is no equivalent on GCP. GCS Data Access audit logs cannot today be tied to the Polaris principal that requested the credential, which breaks audit correlation, chargeback/attribution, and incident response for GCS-backed catalogs. This issue and PR provide a way to achieve similar correlation using WIFs in GCP. Please review. - Anand
