obelix74 opened a new issue, #3325: URL: https://github.com/apache/polaris/issues/3325
### Is your feature request related to a problem? Please describe.

**Description:** Add support for AWS STS Session Tags when vending S3 credentials via AssumeRole. This enables deterministic correlation between Polaris catalog operations and downstream S3 access events in AWS CloudTrail.

**Motivation:** Currently, the only correlation mechanism between catalog credential vending and S3 access is the role session name. This provides principal-level attribution but lacks granularity for:

* Fine-grained audit trails (table → S3 reads)
* Cost allocation by catalog/namespace/table
* Security forensics
* Compliance reporting

### Describe the solution you'd like

**Proposed Solution:** Add session tags (`polaris:catalog`, `polaris:namespace`, `polaris:table`, `polaris:principal`, `polaris:request-id`) to `AssumeRoleRequest`. Controlled by a new feature flag `INCLUDE_SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL` (default: `false`).

**Acceptance Criteria:**

* New feature flag `INCLUDE_SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL` added
* Session tags added to AssumeRoleRequest when feature enabled
* Tags marked as transitive for role chaining scenarios
* Values truncated to AWS limits (256 chars)
* Documentation updated with IAM policy requirements
* Unit and integration tests added

### Describe alternatives you've considered

**1. Use sts:SourceIdentity**

Pros: Immutable, appears in CloudTrail
Cons: Single value only, cannot convey structured data

**2. Encode metadata in role session name**

Pros: No IAM policy changes needed
Cons: 64-char limit insufficient; parsing complexity; potential collisions

**3. External correlation via timestamp**

Current approach: Join audit logs and CloudTrail by time window
Cons: Non-deterministic; fails with concurrent requests; complex queries

### Additional context

**Dependencies:**

* Requires IAM role trust policy update to allow sts:TagSession

**Related:** `INCLUDE_PRINCIPAL_NAME_IN_SUBSCOPED_CREDENTIAL` feature flag

-- This is an automated message from the Apache Git Service.
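The request shape the proposal describes (five `polaris:*` session tags, marked transitive, values clipped to the STS limits, gated by a flag) and the trust-policy change it depends on, as an added illustration that is not code from the Polaris project (which is Java) and not from the issue author. It uses the boto3 `assume_role` parameter names `Tags`, `TransitiveTagKeys`, `RoleArn` and `RoleSessionName`; the flag constant, helper names, ARNs, table names and request id are assumptions constructed for the example.

```python
import json

# AWS STS hard limits for AssumeRole (not configurable): session tag key,
# session tag value, number of session tags, and role session name length.
TAG_KEY_MAX = 128
TAG_VALUE_MAX = 256
MAX_SESSION_TAGS = 50
SESSION_NAME_MAX = 64

# Hypothetical stand-in for the feature flag proposed in the issue.
INCLUDE_SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL = True


def truncate(value: str, limit: int) -> str:
    """Clip a tag key/value (or session name) to the AWS limit instead of
    letting STS reject the whole AssumeRole call with a ValidationError."""
    return value if len(value) <= limit else value[:limit]


def build_session_tags(catalog, namespace, table, principal, request_id,
                       enabled=INCLUDE_SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL):
    """Return the boto3 'Tags' list for the five polaris:* tags, or an empty
    list when the flag is off (today's behaviour: session name only)."""
    if not enabled:
        return []
    raw = {
        "polaris:catalog": catalog,
        "polaris:namespace": namespace,
        "polaris:table": table,
        "polaris:principal": principal,
        "polaris:request-id": request_id,
    }
    tags = [{"Key": truncate(k, TAG_KEY_MAX), "Value": truncate(v, TAG_VALUE_MAX)}
            for k, v in raw.items()]
    assert len(tags) <= MAX_SESSION_TAGS
    return tags


def build_assume_role_kwargs(role_arn, session_name, tags, transitive=True):
    """Keyword arguments for boto3 sts.assume_role(). With transitive=True every
    tag key is listed in TransitiveTagKeys, so a chained AssumeRole (e.g. a
    second hop into a data-account role) carries the same tags forward."""
    kwargs = {
        "RoleArn": role_arn,
        "RoleSessionName": truncate(session_name, SESSION_NAME_MAX),
    }
    if tags:
        kwargs["Tags"] = tags
        if transitive:
            kwargs["TransitiveTagKeys"] = [t["Key"] for t in tags]
    return kwargs


def build_trust_policy(polaris_principal_arn, catalog=None):
    """Trust policy for the vended role: sts:TagSession must be granted next
    to sts:AssumeRole, otherwise an AssumeRole call carrying Tags is denied.
    Optionally pin polaris:catalog with an aws:RequestTag condition so the
    role can only be assumed with the expected tag value."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": polaris_principal_arn},
        "Action": ["sts:AssumeRole", "sts:TagSession"],
    }
    if catalog is not None:
        stmt["Condition"] = {
            "StringEquals": {"aws:RequestTag/polaris:catalog": catalog}
        }
    return {"Version": "2012-10-17", "Statement": [stmt]}


if __name__ == "__main__":
    # Constructed sample values; the request id is not a real one.
    tags = build_session_tags("prod", "sales.eu", "orders", "svc-etl",
                              "6f1c0a42-constructed-request-id")
    req = build_assume_role_kwargs(
        "arn:aws:iam::123456789012:role/PolarisS3Access", "polaris-svc-etl", tags)
    print(json.dumps(req, indent=2))
    print(json.dumps(build_trust_policy(
        "arn:aws:iam::123456789012:role/PolarisServer", "prod"), indent=2))
    # With real credentials: boto3.client("sts").assume_role(**req)
```

Two practitioner caveats: session tags are recorded in the AssumeRole CloudTrail event, so nothing secret belongs in a tag value; and because session tags become principal tags for the vended session, the role's permission policy can additionally use `aws:PrincipalTag/polaris:table` style conditions to scope S3 access, on top of the audit correlation the issue is after.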
