netapp-acheng commented on issue #3440: URL: https://github.com/apache/polaris/issues/3440#issuecomment-3769391796
PR #3445 removes the KMS inline policy, but it does not fix the credential-usage bug.

With STS + AssumeRole enabled, Polaris correctly uses STS temporary credentials when creating the table (PUT metadata.json). However, when inserting data, Polaris falls back to the original static AWS access/secret key instead of the STS credentials (which include the session token). This causes S3 PUTs for data files to fail with 403 AccessDenied, because the static key is only intended to acquire the STS token and has no direct bucket access.

The correct fix is for Polaris to continue using the STS temporary credentials for all FileIO operations (metadata + data files), without adding any KMS permissions when allowedKmsKeys is empty.

In short: removing KMS actions is necessary, but not sufficient. The FileIO layer must be updated to consistently use STS credentials.
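The credential-selection behaviour described in the comment above, modelled as an added example (not Polaris or Iceberg code). The property keys are Apache Iceberg's S3FileIO keys (`s3.access-key-id`, `s3.secret-access-key`, `s3.session-token`); the resolver names, the `audit` helper and the credential values are assumptions constructed for illustration. The point it shows is the check a practitioner would want in the FileIO layer: STS credentials always carry a session token, so a write path that ends up with a token-less key has silently fallen back to the static AssumeRole key, which is exactly the 403 case in the report.

```python
"""Added example (not Polaris code): model of the credential-usage bug
described in the comment, beside the behaviour the comment asks for.
Property names follow Apache Iceberg's S3FileIO keys; the resolver
names and the constructed credential values are assumptions."""

from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Iceberg S3FileIO property keys.
ACCESS_KEY = "s3.access-key-id"
SECRET_KEY = "s3.secret-access-key"
SESSION_TOKEN = "s3.session-token"

# Constructed inputs (not real keys): the static key that is only meant to
# call AssumeRole, and the STS credentials vended for the table.
STATIC_CONFIG: Dict[str, str] = {
    ACCESS_KEY: "AKIASTATICEXAMPLE",
    SECRET_KEY: "static-secret",
}
VENDED_CONFIG: Dict[str, str] = {
    ACCESS_KEY: "ASIATEMPEXAMPLE",
    SECRET_KEY: "temp-secret",
    SESSION_TOKEN: "FwoGZXIvYXdzEXAMPLE",
}


@dataclass(frozen=True)
class AwsCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str] = None

    @property
    def is_temporary(self) -> bool:
        # STS credentials always carry a session token; static keys never do.
        return self.session_token is not None


def _from_props(props: Dict[str, str]) -> AwsCredentials:
    return AwsCredentials(props[ACCESS_KEY], props[SECRET_KEY], props.get(SESSION_TOKEN))


def resolve_buggy(operation: str, vended: Dict[str, str],
                  static: Dict[str, str]) -> AwsCredentials:
    """Models the reported behaviour: the metadata.json PUT uses the vended
    STS credentials, but data-file PUTs fall back to the static key."""
    if operation == "metadata":
        return _from_props(vended)
    return _from_props(static)


def resolve_fixed(operation: str, vended: Dict[str, str],
                  static: Dict[str, str]) -> AwsCredentials:
    """Models the fix the comment asks for: every FileIO operation uses the
    vended credentials, and a missing session token is an error rather than
    a reason to fall back to the static AssumeRole key."""
    creds = _from_props(vended)
    if not creds.is_temporary:
        raise RuntimeError(
            f"{operation}: vended credentials lack {SESSION_TOKEN}; "
            "refusing to fall back to the static key"
        )
    return creds


Resolver = Callable[[str, Dict[str, str], Dict[str, str]], AwsCredentials]


def audit(resolver: Resolver) -> Dict[str, str]:
    """Run both FileIO write paths through a resolver and report which kind
    of credential each would present to S3 ('static' is the 403 case)."""
    report: Dict[str, str] = {}
    for op in ("metadata", "data"):
        creds = resolver(op, VENDED_CONFIG, STATIC_CONFIG)
        report[op] = "sts" if creds.is_temporary else "static"
    return report


if __name__ == "__main__":
    print("buggy:", audit(resolve_buggy))  # {'metadata': 'sts', 'data': 'static'}
    print("fixed:", audit(resolve_fixed))  # {'metadata': 'sts', 'data': 'sts'}
```

The `is_temporary` check is the cheap invariant to assert wherever a FileIO instance is built from vended properties: if AssumeRole is enabled and the credentials about to be handed to S3 have no session token, something upstream has substituted the static key, and failing closed there is preferable to discovering it as an AccessDenied on the first data-file write.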
