Re: [PR] Add KMS support for S3 [polaris]

via GitHub Tue, 08 Jul 2025 07:11:54 -0700


pavibhai commented on code in PR #1424:
URL: https://github.com/apache/polaris/pull/1424#discussion_r2192643775



##########
polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java:
##########
@@ -198,7 +206,32 @@ private IamPolicy policyString(
     bucketGetLocationStatementBuilder
         .values()
         .forEach(statementBuilder -> 
policyBuilder.addStatement(statementBuilder.build()));
-    return 
policyBuilder.addStatement(allowGetObjectStatementBuilder.build()).build();
+
+    policyBuilder.addStatement(allowGetObjectStatementBuilder.build());
+
+    if (isKMSSupported(callContext)) {
+      policyBuilder.addStatement(
+          IamStatement.builder()
+              .effect(IamEffect.ALLOW)
+              .addAction("kms:GenerateDataKey")
+              .addAction("kms:Decrypt")
+              .addAction("kms:DescribeKey")
+              .addResource("arn:aws:kms:" + region + ":" + awsAccountId + 
":key/*")

Review Comment:
   I would think we should determine the KMS Key associated with the bucket and 
provide access to the same instead of all keys in the account.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@polaris.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] Add KMS support for S3 [polaris]

Reply via email to