dennishuo commented on code in PR #2523: URL: https://github.com/apache/polaris/pull/2523#discussion_r2371080622
########## runtime/service/src/main/java/org/apache/polaris/service/identity/AwsIamServiceIdentityConfiguration.java: ########## @@ -0,0 +1,74 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.polaris.service.identity; + +import java.util.Optional; +import org.apache.polaris.core.identity.resolved.ResolvedAwsIamServiceIdentity; + +/** + * Configuration for an AWS IAM service identity used by Polaris to access AWS services. + * + * <p>This includes the IAM ARN and optionally, static credentials (access key, secret key, and + * session token). If credentials are provided, they will be used to construct a {@link + * ResolvedAwsIamServiceIdentity}; otherwise, the AWS default credential provider chain is used. + */ +public interface AwsIamServiceIdentityConfiguration extends ResolvableServiceIdentityConfiguration { + + /** The IAM role or user ARN representing the service identity. */ + String iamArn(); + + /** + * Optional AWS access key ID associated with the IAM identity. If not provided, the AWS default + * credential chain will be used. + */ + Optional<String> accessKeyId(); Review Comment: I agree "Service Secrets" management is a slightly different flow from `UserSecretsManager` so we wouldn't be using `UserSecretsManager` directly, but I also agree that the fact that we introduced `ServiceSecretReference` made me expect the flow to be more parallel to the UserSecrets flow. Specifically, to push down the access of secrets as deep as possible into an exchange where you have a `secretsManager.readSecret(SecretReference)` of some sort. If `ServiceIdentityRegistry` is the analogous ServiceSecretsManager then it seems like it should take `ServiceSecretReference` as an argument whenever producing something with direct access to the sensitive credentials. Or alternatively, if the service-secret flow is different, where you use `ServiceIdentityRegistry` -> `ResolvableServiceIdentityConfiguration` -> `ResolvedAwsIamServiceIdentity` where we only intend the `ResolvedAwsIamServiceIdentity` to be the thing holding the sensitive credentials (in the form of an AwsCredentialsProvider) then maybe `resolve` should be what takes ` ServiceSecretReference` as an argument? In general at least any method that returns a secretAccessKey should be given a `ServiceSecretReference` as an argument so it can figure out what secret to fetch, even if basic cases might hard-code it. Even if our default ServiceSecretReference only uses the `realmId`, the existence of the `ServiceSecretReference` implies that it's extensible so that there might be multiple different service secrets to choose from even for the same realm. We could push the `Optional<String> secretAccessKey(); Optional<String> sessionToken();` etc methods either into `protected` methods (maybe make this an abstract class instead of interface then?) or into a separate class like `DirectStaticAwsCredentialsSupplier` to segregate responsibilities. In general, the caller who wants to call `resolve(...) -> Optional<ResolvedAwsIamServiceIdentity>` should probably *not* also be able to call public methods that give raw `secretAccessKey()`, etc.; the contract with that caller is that they get ahold of a `ResolvedAwsIamServiceIdentity` which perhaps provides StsClients, and at most maybe is also willing to give back a `AwsCredentialsProvider`, but should be protected from the credential internals. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
