UNCLASSIFIED / NON CLASSIFI? Hi! As per our findings in [2], we are looking to enable connectivity with our on-prem S3 storage appliance, which requires changes to how Polaris connects to S3. Currently, the way Polaris connects to S3 does not work for our on-prem S3 instance because of the way it expects to connect to the STS server (i.e. without any specific authentication). We propose enhancing the AwsCredentialsStorageIntegration to support a more flexible authorization mechanism:
* Goal: We want the ability to pass the requesting user's identity (likely a token) to the STS. This would allow the STS to make fine-grained decisions on what the user can and cannot do based on their specific identity. * Proposed Implementation: We believe this functionality can be achieved by adding an option within AwsCredentialsStorageIntegration [1] to connect using the AssumeRoleWithWebIdentity flow. We would greatly appreciate some guidance on the following changes before we begin development: 1. What is the recommended or existing mechanism within Polaris for capturing and passing along an authenticated user's identity token to the AwsCredentialsStorageIntegration component, so we can pass it to the STS? I could be wrong, but I believe the token that gets passed to STS doesn't need to be scoped for the STS, so it could just be whatever token is given to Polaris by the user. 2. How should we best modify the AwsCredentialsStorageIntegration class and configuration to be able to handle both the existing AssumeRole use case and the new AssumeRoleWithWebIdentity use case? Any pointers or suggestions on the best place to inject the user token and manage the configuration switch would be helpful. [1] https://github.com/apache/polaris/blob/main/polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java#L107 [2] https://github.com/apache/polaris/issues/3038
