MonkeyCanCode commented on code in PR #3445:
URL: https://github.com/apache/polaris/pull/3445#discussion_r2693003202
##########
polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java:
##########
@@ -297,42 +297,42 @@ private static void addKmsKeyPolicy(
String region,
String accountId) {
- IamStatement.Builder allowKms = buildBaseKmsStatement(canWrite);
boolean hasCurrentKey = kmsKeyArn != null;
boolean hasAllowedKeys = hasAllowedKmsKeys(allowedKmsKeys);
+ if (!hasCurrentKey && !hasAllowedKeys) {
+ // No KMS keys configured, do not add any KMS-related policies.
+ return;
+ }
+
+ IamStatement.Builder allowKms = buildBaseKmsStatement(canWrite);
+
if (hasCurrentKey) {
addKmsKeyResource(kmsKeyArn, allowKms);
}
if (hasAllowedKeys) {
addAllowedKmsKeyResources(allowedKmsKeys, allowKms);
- }
-
- // Add KMS statement if we have any KMS key configuration
- if (hasCurrentKey || hasAllowedKeys) {
- policyBuilder.addStatement(allowKms.build());
- } else if (!canWrite) {
+ } else if (!canWrite && region != null && accountId != null) {
Review Comment:
Thanks for the quick review @dimas-b and that is a fair point which I
missed. It appears this is really specific for handling s3 and s3-compatible
and I am not sure if the above logic will break or not due to lack of infra to
test. I had made the needed code changes to preserve this workflow. Please take
another look when you get a chance.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
