netapp-acheng commented on issue #3440:
URL: https://github.com/apache/polaris/issues/3440#issuecomment-3775222727

@MonkeyCanCode Inserting data into an Iceberg table in the catalog without a region works now.

I re-tested the behavior of Polaris after PR-3445, running Spark with the correct vended-credentials configuration and full catalog permissions (NAMESPACE_*, TABLE_*, READ/WRITE_DATA). Below are the results.
```json
{
  "type": "INTERNAL",
  "name": "sts_noregion",
  "properties": {
    "default-base-location": "s3://sts-noregion"
  },
  "createTimestamp": 1768943653438,
  "lastUpdateTimestamp": 1768943653438,
  "entityVersion": 1,
  "storageConfigInfo": {
    "roleArn": "arn:aws:iam::123456789101112:role/assumerole",
    "allowedKmsKeys": [],
    "endpoint": "https://sgdemo.example.com",
    "stsEndpoint": "https://sgdemo.example.com",
    "stsUnavailable": false,
    "pathStyleAccess": false,
    "storageType": "S3",
    "allowedLocations": [
      "s3://sts-noregion"
    ]
  }
},
{
  "type": "INTERNAL",
  "name": "sts_east1",
  "properties": {
    "default-base-location": "s3://sts-east1"
  },
  "createTimestamp": 1768943671346,
  "lastUpdateTimestamp": 1768943671346,
  "entityVersion": 1,
  "storageConfigInfo": {
    "roleArn": "arn:aws:iam::123456789101112:role/assumerole",
    "allowedKmsKeys": [],
    "region": "us-east-1",
    "endpoint": "https://sgdemo.example.com",
    "stsEndpoint": "https://sgdemo.example.com",
    "stsUnavailable": false,
    "pathStyleAccess": false,
    "storageType": "S3",
    "allowedLocations": [
      "s3://sts-east1"
    ]
  }
}
```
Spark was started with the correct Iceberg REST settings:

```
--conf spark.sql.catalog.sts2_catalog.header.X-Iceberg-Access-Delegation=vended-credentials
--conf spark.sql.catalog.sts2_catalog.token-refresh-enabled=true
```

(so vended STS credentials are used during writes, per REST spec)
   
   Also granted these catalog privileges to my principal for each catalog:
   NAMESPACE_LIST, NAMESPACE_CREATE,
   TABLE_CREATE,
   TABLE_READ_DATA, TABLE_WRITE_DATA
   
   sts_noregion — SUCCESS
   
- CREATE TABLE works
- INSERT works
- STS inline policies contain only S3 actions
- StorageGRID logs show temporary STS keys (vended credentials)
- No KMS actions appear anywhere
- Behavior is correct
   
   
sts_east1 — FAILURE (Residual KMS Policy)

CREATE TABLE succeeds, but INSERT fails with:

```
Failed to get subscoped credentials:
Invalid action: kms:DescribeKey
(Service: Sts, Status Code: 400)
```
   
Polaris log shows that PR-3445 still emits KMS read-only actions when region is set, even though KMS is not configured.
Below is the decoded inline AssumeRole policy from Polaris during the failing INSERT:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["kms:DescribeKey", "kms:Decrypt"],
      "Resource": "arn:aws:kms:us-east-1:123456789101112:key/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::sts-east1",
      "Condition": {
        "StringLike": {
          "s3:prefix": "ns1/table1/metadata/*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::sts-east1"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::sts-east1/ns1/table1/metadata/*"
    }
  ]
}
```
This KMS statement:

```json
{
  "Action": ["kms:DescribeKey", "kms:Decrypt"],
  "Resource": "arn:aws:kms:us-east-1:<acct>:key/*"
}
```

appears even though:

- currentKmsKey = null
- allowedKmsKeys = []
- Catalog has no KMS settings
- Only difference from sts_noregion is region = "us-east-1"
   
Because the backend STS service is non-AWS, it rejects the unsupported kms:* actions, causing AssumeRole to fail and Spark’s write to abort.

Conclusion:

- When region is unset, Polaris emits correct S3-only policies.
- When region is set, Polaris still emits a wildcard KMS read-only statement, even with no KMS keys configured.
   
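The two behaviours compared in this comment, as an added example that is not Polaris code: a small Python model of the inline AssumeRole policy builder under the observed rule (KMS statement keyed on region alone) and under a hypothetical rule keyed on configured keys, plus the only-S3-actions check that a deployment behind a non-AWS STS such as StorageGRID would run on the decoded policy before calling AssumeRole. The account id, bucket names and table prefix are the values from the comment; the function names and the `emit_kms_when_region_set` switch are assumptions of this example.

```python
import json

ACCOUNT = "123456789101112"  # account id as it appears in the comment's decoded policy


def build_policy(bucket, table_prefix, region=None, allowed_kms_keys=(),
                 current_kms_key=None, emit_kms_when_region_set=True):
    """Model of the inline AssumeRole policy for a table metadata read.

    emit_kms_when_region_set=True reproduces the reported behaviour: a wildcard
    KMS read-only statement is added whenever a region is configured, even with
    no keys. False is the hypothetical rule: emit KMS only for configured keys.
    """
    kms_keys = [k for k in (*allowed_kms_keys, current_kms_key) if k]
    want_kms = (region is not None) if emit_kms_when_region_set else bool(kms_keys)
    statements = []
    if want_kms:
        key_arns = [f"arn:aws:kms:{region or '*'}:{ACCOUNT}:key/{k}" for k in kms_keys]
        statements.append({
            "Effect": "Allow",
            "Action": ["kms:DescribeKey", "kms:Decrypt"],
            "Resource": key_arns or f"arn:aws:kms:{region or '*'}:{ACCOUNT}:key/*",
        })
    statements += [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": f"{table_prefix}/metadata/*"}}},
        {"Effect": "Allow", "Action": "s3:GetBucketLocation",
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": f"arn:aws:s3:::{bucket}/{table_prefix}/metadata/*"},
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def non_s3_actions(policy):
    """Every action outside the s3: namespace, in policy order.

    A non-AWS STS rejects such actions with 'Invalid action', so an empty
    result is the precondition for AssumeRole to succeed against it.
    """
    found = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        for action in ([actions] if isinstance(actions, str) else actions):
            if not action.lower().startswith("s3:"):
                found.append(action)
    return found


if __name__ == "__main__":
    for name, region in (("sts_noregion", None), ("sts_east1", "us-east-1")):
        policy = build_policy(name.replace("_", "-"), "ns1/table1", region=region)
        print(name, "actions a non-AWS STS would reject:", non_s3_actions(policy))
        print(json.dumps(policy, indent=2))
```

Run as a script it prints the sts_noregion policy with no flagged actions and the sts_east1 policy flagged for kms:DescribeKey and kms:Decrypt, matching the two outcomes above.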

