fabio-rizzo-01 commented on code in PR #2802:
URL: https://github.com/apache/polaris/pull/2802#discussion_r2432224031


##########
polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java:
##########
@@ -242,6 +244,21 @@ private IamPolicy policyString(
     return 
policyBuilder.addStatement(allowGetObjectStatementBuilder.build()).build();
   }
 
+  private static void addKmsKeyPolicy(String kmsKeyArn, IamPolicy.Builder 
policyBuilder) {
+    if (kmsKeyArn != null) {
+      IamStatement.Builder allowKms =
+          IamStatement.builder()
+              .effect(IamEffect.ALLOW)
+              .addAction("kms:GenerateDataKeyWithoutPlaintext")
+              .addAction("kms:Encrypt")
+              .addAction("kms:DescribeKey")
+              .addAction("kms:Decrypt")
+              .addAction("kms:GenerateDataKey");
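Review bot: the new statement in `addKmsKeyPolicy` grants the write-side actions (`kms:GenerateDataKey`, `kms:GenerateDataKeyWithoutPlaintext`, `kms:Encrypt`) and the read-side action (`kms:Decrypt`) together whenever `kmsKeyArn` is non-null, whereas the S3 side of `policyString` builds its read and write grants as separate statements (see `allowGetObjectStatementBuilder` at the top of the hunk); either derive the KMS action set from the same read/write inputs, or add a Javadoc on the helper stating why the full set is always required for SSE-KMS. The visible lines also end before any `addResource(...)` call, so please confirm the statement is bound to `kmsKeyArn` rather than built without a resource, and consider rejecting a blank `kmsKeyArn` instead of checking only for `null`.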

Review Comment:
   I don't think it is needed: the policy for the key and S3 bucket is restrictive enough, and adding more restrictions would probably cause the GenerateDataKey operation during the assume role to fail.
   
   This is an example of a policy generated while creating a table:

   ```
   IamPolicy(version=2012-10-17, statements=[
     IamStatement(effect=IamEffect(value=Allow), actions=[IamAction(value=s3:PutObject), IamAction(value=s3:DeleteObject)], resources=[IamResource(value=arn:aws:s3:::app-id-bucket/fns/t3/*)]),
     IamStatement(effect=IamEffect(value=Allow), actions=[IamAction(value=kms:GenerateDataKeyWithoutPlaintext), IamAction(value=kms:DescribeKey), IamAction(value=kms:Decrypt), IamAction(value=kms:GenerateDataKey), IamAction(value=kms:Encrypt)], resources=[IamResource(value=arn:aws:kms:us-east-1:*********:key/id)]),
     IamStatement(effect=IamEffect(value=Allow), actions=[IamAction(value=s3:ListBucket)], resources=[IamResource(value=arn:aws:s3:::app-id-bucket)], conditions=[IamCondition(operator=StringLike, key=s3:prefix, value=fns/t3/*)]),
     IamStatement(effect=IamEffect(value=Allow), actions=[IamAction(value=s3:GetBucketLocation)], resources=[IamResource(value=arn:aws:s3:::app-id-bucket)]),
     IamStatement(effect=IamEffect(value=Allow), actions=[IamAction(value=s3:GetObject), IamAction(value=s3:GetObjectVersion)], resources=[IamResource(value=arn:aws:s3:::app-id-bucket/fns/t3/*)])])
   ```
   Also, https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context says that the bucket path is added by default in the encryption context.
   
   Checking the encryption context in CloudTrail for the GenerateDataKey request I can see:

   ```
   "encryptionContext": {
     "aws:s3:arn": "arn:aws:s3:::app-id-*****"
   }
   ```
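The stricter variant the thread weighs, as an added example that is not Polaris's code or part of the PR: the same KMS grant built with the AWS SDK for Java v2 `iam-policy-builder` module, additionally bound to the bucket through the `aws:s3:arn` encryption-context key that S3 sets by default. `KmsGrantExample`, the ARNs and the account and key ids are assumptions made up for the example.

```java
import software.amazon.awssdk.policybuilder.iam.IamConditionOperator;
import software.amazon.awssdk.policybuilder.iam.IamEffect;
import software.amazon.awssdk.policybuilder.iam.IamPolicy;
import software.amazon.awssdk.policybuilder.iam.IamStatement;
import java.util.List;

/** Added example, not Polaris code: the KMS grant bound to one bucket via encryption context. */
public final class KmsGrantExample {
  // Constructed sample identifiers, not real resources.
  static final String KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID";
  static final String BUCKET_ARN = "arn:aws:s3:::app-id-bucket";

  /** Builds the KMS grant for one bucket: data-key operations conditioned, DescribeKey not. */
  static IamPolicy kmsGrantBoundToBucket(String kmsKeyArn, String bucketArn) {
    // Cryptographic operations carry an encryption context, so they can be tied to the bucket.
    IamStatement cryptoOps =
        IamStatement.builder()
            .effect(IamEffect.ALLOW)
            .addAction("kms:GenerateDataKey")
            .addAction("kms:GenerateDataKeyWithoutPlaintext")
            .addAction("kms:Encrypt")
            .addAction("kms:Decrypt")
            .addResource(kmsKeyArn)
            // S3 sets aws:s3:arn to the bucket ARN when S3 Bucket Keys are on,
            // and to the object ARN otherwise; allow both forms.
            .addConditions(
                IamConditionOperator.STRING_LIKE,
                "kms:EncryptionContext:aws:s3:arn",
                List.of(bucketArn, bucketArn + "/*"))
            .build();
    // DescribeKey sends no encryption context, so the condition above would deny it;
    // it gets its own statement, scoped to the key only.
    IamStatement describeKey =
        IamStatement.builder()
            .effect(IamEffect.ALLOW)
            .addAction("kms:DescribeKey")
            .addResource(kmsKeyArn)
            .build();
    return IamPolicy.builder()
        .version("2012-10-17")
        .addStatement(cryptoOps)
        .addStatement(describeKey)
        .build();
  }

  public static void main(String[] args) {
    System.out.println(kmsGrantBoundToBucket(KMS_KEY_ARN, BUCKET_ARN).toJson());
  }
}
```

Whether the extra condition is worth having is the judgment call made in the comment above; the example only shows what it would look like and which operation it cannot cover.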
   


