Re: [PR] Add GCS principal attribution to vended credentials via Workload Identity Federation [polaris]

Thu, 11 Jun 2026 16:58:07 -0700 


dimas-b commented on code in PR #4707:
URL: https://github.com/apache/polaris/pull/4707#discussion_r3399843829


##########
polaris-core/src/main/java/org/apache/polaris/core/storage/gcp/GcpCredentialsStorageIntegration.java:
##########
@@ -246,6 +273,42 @@ static StorageAccessConfig 
compute(GcpStorageCredentialCacheKey key) {
     return accessConfig.build();
   }
 
+  /**
+   * Returns the credential to be used as the source for downscoping.
+   *
+   * <p>When GCS principal attribution is configured and a principal is 
present (so the cache key
+   * carries it), the impersonation source is a federated identity whose 
subject is {@code
+   * <realm>/<principal>}, which surfaces the principal in {@code 
serviceAccountDelegationInfo} of
+   * GCS Data Access audit logs. Otherwise this is the standard path: 
impersonate the configured
+   * service account from the ambient source credentials, or use those 
credentials directly.
+   */
+  private static GoogleCredentials baseCredentialsForVending(
+      GcpStorageCredentialCacheKey key,
+      GcpStorageConfigurationInfo storageConfig,
+      GoogleCredentials sourceCredentials,
+      GcpCredentialOps credentialOps) {
+    RealmConfig realmConfig = key.realmConfig();
+    String serviceAccount = storageConfig.getGcpServiceAccount();
+    if (serviceAccount != null
+        && !key.principalName().isEmpty()
+        && principalAttributionConfigured(realmConfig)) {
+      String subject =
+          GcpAttributionSubjectBuilder.buildSubject(key.realmId(), 
key.principalName());
+      GcpFederatedCredentialsExchanger exchanger =
+          new GcpFederatedCredentialsExchanger(
+              
realmConfig.getConfig(FeatureConfiguration.GCS_PRINCIPAL_ATTRIBUTION_TOKEN_ISSUER),

Review Comment:
   This will probably work correctly given that `realm ID` is part of the cache 
key, but conceptually, I think it would be nicer to evaluate these parameters 
at cache key build time (i.e. around line 185) and just use the values here. 
   
   The cache key is meant to be a "rich" object, so it should be fine to add 
new data as another (immutable) sub-object, that is if we want to avoid having 
too many properties at the same level (just an aesthetic concern).



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to