Re: [PR] (fix) Remove KMS policies when KMS is not configured [polaris]

Thu, 15 Jan 2026 11:34:13 -0800 


dimas-b commented on code in PR #3445:
URL: https://github.com/apache/polaris/pull/3445#discussion_r2695686230


##########
polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java:
##########
@@ -309,30 +316,31 @@ private static void addKmsKeyPolicy(
       addAllowedKmsKeyResources(allowedKmsKeys, allowKms);
     }
 
-    // Add KMS statement if we have any KMS key configuration
-    if (hasCurrentKey || hasAllowedKeys) {
+    // Only add wildcard KMS access for read-only operations on AWS S3 when no 
specific keys are
+    // configured. This does not apply to services like Minio where region and 
accountId are not
+    // available.
+    boolean shouldAddWildcard = !hasCurrentKey && !hasAllowedKeys && !canWrite 
&& isAwsS3;
+    if (shouldAddWildcard) {
+      addAllKeysResource(region, accountId, allowKms);
+    }
+
+    if (hasCurrentKey || hasAllowedKeys || shouldAddWildcard) {
       policyBuilder.addStatement(allowKms.build());
-    } else if (!canWrite) {
-      // Only add wildcard KMS access for read-only operations when no 
specific keys are configured
-      // this check is for minio because it doesn't have region or account id
-      if (region != null && accountId != null) {
-        addAllKeysResource(region, accountId, allowKms);
-        policyBuilder.addStatement(allowKms.build());
-      }
     }
   }
 
   private static IamStatement.Builder buildBaseKmsStatement(boolean 
canEncrypt) {
     IamStatement.Builder allowKms =
         IamStatement.builder()
             .effect(IamEffect.ALLOW)
-            .addAction("kms:GenerateDataKeyWithoutPlaintext")
             .addAction("kms:DescribeKey")
-            .addAction("kms:Decrypt")
-            .addAction("kms:GenerateDataKey");
+            .addAction("kms:Decrypt");
 
     if (canEncrypt) {
-      allowKms.addAction("kms:Encrypt");
+      allowKms
+          .addAction("kms:Encrypt")
+          .addAction("kms:GenerateDataKey")

Review Comment:
   nit: this looks like a valid change to me, but it goes a bit beyond the 
immediate purpose of this PR as fixing policies when KMS is _not_ in use... 
Would you mind mentioning this change in the PR description?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to