duc-dn opened a new issue, #2970:
URL: https://github.com/apache/polaris/issues/2970

   ### Is your feature request related to a problem? Please describe.
   
   Currently, Polaris requires AWS credentials to be provided via environment 
variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) at the service startup 
level. This creates the following problems in MinIO deployments:
   
   - Lack of Credential Isolation: All catalogs share a single set of AWS 
credentials, violating the principle of least privilege. Each catalog should 
have its own credentials with access restricted to its specific bucket.
   
   - Missing MinIO Support: Unlike AWS (which supports STS AssumeRole for 
credential vending), MinIO does not provide an equivalent service. Currently, 
the only option for MinIO users is to use a single shared credential set, which 
is not production-ready.
   
   ### Describe the solution you'd like
   
   Add support for inline AWS credentials (accessKeyId and secretAccessKey) in 
the storageConfigInfo object when creating a catalog. This would allow users to:
   
   - Pass per-catalog credentials during catalog creation:
   ```json
   {
     "name": "catalog1",
     "storageConfigInfo": {
       "accessKeyId": "catalog1_access_key",
       "secretAccessKey": "catalog1_secret_key",
       "endpoint": "https://minio.example.com",
       "storageType": "S3",
       "pathStyleAccess": true,
       "region": "us-west-2",
       "allowedLocations": ["s3://bucket1/catalog1"]
     }
   }
   ```
   - Isolate credentials per catalog - each catalog uses only its own 
credentials for S3 operations
   
   ### Describe alternatives you've considered
   
   _No response_
   
   ### Additional context
   
   _No response_


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

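The issue above argues for per-catalog credentials scoped to a catalog's `allowedLocations`. The following is an added example, not code from the issue author or from the Polaris project, showing how an operator could enforce the two properties the request depends on: that no two catalogs share an access key, and that the MinIO user behind each key is granted only its catalog's bucket prefixes. It takes the proposed `storageConfigInfo` shape (the `accessKeyId`/`secretAccessKey` fields are the issue's proposal, not an existing Polaris field), and emits an IAM-style policy document of the kind MinIO accepts with `mc admin policy create`. The sample catalogs, helper names and the prefix normalisation are this example's own assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample input mirroring the storageConfigInfo proposed in the
# issue. catalog2 is added here to exercise the isolation check.
SAMPLE_CATALOGS = [
    {
        "name": "catalog1",
        "storageConfigInfo": {
            "accessKeyId": "catalog1_access_key",
            "secretAccessKey": "catalog1_secret_key",
            "endpoint": "https://minio.example.com",
            "storageType": "S3",
            "pathStyleAccess": True,
            "region": "us-west-2",
            "allowedLocations": ["s3://bucket1/catalog1"],
        },
    },
    {
        "name": "catalog2",
        "storageConfigInfo": {
            "accessKeyId": "catalog2_access_key",
            "secretAccessKey": "catalog2_secret_key",
            "endpoint": "https://minio.example.com",
            "storageType": "S3",
            "pathStyleAccess": True,
            "region": "us-west-2",
            "allowedLocations": ["s3://bucket1/catalog2", "s3://bucket2"],
        },
    },
]


def parse_locations(allowed_locations):
    """Return (bucket, prefix) tuples for each s3:// location.

    A non-empty prefix is normalised to end with "/" so that a policy for
    "catalog1" cannot also match objects under "catalog10/".
    """
    pairs = []
    for loc in allowed_locations:
        u = urlparse(loc)
        if u.scheme != "s3" or not u.netloc:
            raise ValueError(f"not an s3:// location: {loc}")
        prefix = u.path.strip("/")
        if prefix:
            prefix += "/"
        pairs.append((u.netloc, prefix))
    return pairs


def policy_for_catalog(storage_config):
    """Build a least-privilege policy limited to the catalog's allowedLocations.

    Object actions are allowed only under each prefix; ListBucket is allowed on
    the bucket but constrained by an s3:prefix condition when a prefix exists.
    """
    statements = []
    for bucket, prefix in parse_locations(storage_config["allowedLocations"]):
        statements.append({
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"],
        })
        list_stmt = {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}"],
        }
        if prefix:
            list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
        statements.append(list_stmt)
    return {"Version": "2012-10-17", "Statement": statements}


def check_isolation(catalogs):
    """Return (earlier_catalog, later_catalog) pairs that reuse an accessKeyId.

    An empty list means every catalog has its own key, which is the property
    the issue asks for. A missing key is an error rather than a silent pass.
    """
    owner_of_key = {}
    clashes = []
    for cat in catalogs:
        key = cat["storageConfigInfo"].get("accessKeyId")
        if not key:
            raise ValueError(f"catalog {cat['name']} has no accessKeyId")
        if key in owner_of_key:
            clashes.append((owner_of_key[key], cat["name"]))
        else:
            owner_of_key[key] = cat["name"]
    return clashes


if __name__ == "__main__":
    for cat in SAMPLE_CATALOGS:
        print(cat["name"], json.dumps(policy_for_catalog(cat["storageConfigInfo"]), indent=2))
    print("shared keys:", check_isolation(SAMPLE_CATALOGS))
```

The generated policy is attached to the MinIO user whose key appears in that catalog's `storageConfigInfo`; the isolation check belongs wherever catalog definitions are reviewed before they reach the service, since Polaris itself would have no reason to refuse two catalogs presenting the same key.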