Hi, I think WIF in GCP makes sense. I believe we can map principalSubject and mapped_principal (WIF maps external token claims into google.subject with attribute.NAME).
I will take a look at the issue/PR in detail.

Thanks!

Regards
JB

On Thu, Jun 11, 2026 at 6:22 PM Anand Kumar Sankaran via dev <[email protected]> wrote:

> https://github.com/apache/polaris/issues/4706
>
> https://github.com/apache/polaris/pull/4707
>
> Polaris can correlate vended-credential data access back to the catalog
> operation that issued the credentials on AWS — via
> SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL, which stamps polaris:principal,
> polaris:realm, polaris:catalog, etc. as AWS STS session tags that then
> appear in CloudTrail S3 data events. There is no equivalent on GCP. GCS
> Data Access audit logs cannot today be tied to the Polaris principal that
> requested the credential, which breaks audit correlation,
> chargeback/attribution, and incident response for GCS-backed catalogs.
>
> This issue and PR provide a way to achieve similar correlation using WIFs
> in GCP.
>
> Please review.
>
> -
> Anand
