Hi Dmitri, thanks for raising the call for review. And thanks Anand for working on this PR!
I took a look, and I added a clarifying question on whether realm is the right level to introduce the feature flag.

Sung

On 2026/06/16 01:47:05 Dmitri Bourlatchkov wrote:
> Hi All,
>
> I approved PR 4707 in GH.
>
> Any concerns / volunteers for additional review before merging?
>
> Thanks,
> Dmitri.
>
> On Thu, Jun 11, 2026 at 12:22 PM Anand Kumar Sankaran via dev <
> [email protected]> wrote:
>
> > https://github.com/apache/polaris/issues/4706
> >
> > https://github.com/apache/polaris/pull/4707
> >
> > Polaris can correlate vended-credential data access back to the catalog
> > operation that issued the credentials on AWS — via
> > SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL, which stamps polaris:principal,
> > polaris:realm, polaris:catalog, etc. as AWS STS session tags that then
> > appear in CloudTrail S3 data events. There is no equivalent on GCP. GCS
> > Data Access audit logs cannot today be tied to the Polaris principal that
> > requested the credential, which breaks audit correlation,
> > chargeback/attribution, and incident response for GCS-backed catalogs.
> >
> > This issue and PR provide a way to achieve similar correlation using WIFs
> > in GCP.
> >
> > Please review.
> >
> > -
> > Anand
> >
>
