Re: [PR] Add GCS principal attribution to vended credentials via Workload Identity Federation [polaris]

Mon, 22 Jun 2026 08:06:15 -0700 


sungwy commented on code in PR #4707:
URL: https://github.com/apache/polaris/pull/4707#discussion_r3453291702


##########
polaris-core/src/main/java/org/apache/polaris/core/config/FeatureConfiguration.java:
##########
@@ -209,6 +209,64 @@ public static void enforceFeatureEnabledOrThrow(
               .defaultValue(List.<String>of())
               .buildFeatureConfiguration();
 
+  // 
---------------------------------------------------------------------------
+  // GCS principal attribution via Workload Identity Federation
+  //
+  // GCP downscoped credentials have no session-tag mechanism (unlike AWS 
STS), and custom audit
+  // headers only reach GCS audit logs if the client forwards them. To 
attribute GCS data access
+  // to the Polaris principal for ANY client, credential vending can chain
+  // catalog-signed JWT -> STS token exchange -> per-catalog service-account 
impersonation, so the
+  // principal appears in serviceAccountDelegationInfo of every GCS Data 
Access audit log entry.
+  //
+  // Attribution activates automatically once the audience, issuer, and 
signing key file are all
+  // set (no on/off flag); it additionally requires a gcpServiceAccount on the 
storage config.
+  // 
---------------------------------------------------------------------------
+
+  public static final FeatureConfiguration<String> 
GCS_PRINCIPAL_ATTRIBUTION_WIF_AUDIENCE =

Review Comment:
   Thanks all for chiming in. I agree it's fine to keep the config at the realm 
level.
   
   On validation timing: would moving the presence/value checks into a 
`ProductionReadinessCheck` be a good way to verify them at startup? There's 
precedent for per-realm checks there: 
[checkTokenBrokers](https://github.com/apache/polaris/blob/e3f26cf69f6ee189328f1b7adb90ec83cbbb26d9/runtime/service/src/main/java/org/apache/polaris/service/config/ProductionReadinessChecks.java#L143)
 iterates the realms and validates each realm's config at startup. We could do 
the value-presence checks there, and keep the more involved logical validation 
at request time as we do today. I think this is also fine to add as a follow up 
PR.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to