Description
Is this a possible security vulnerability?
- This is NOT a possible security vulnerability
Describe the bug
When using Polaris with S3 (without KMS), everything is working fine (I can create Iceberg table from spark-sql on Polaris).
However, when I enable S3 KMS, I get:
ServerError: S3Exception: User: arn:aws:sts::601864557682:assumed-role/cep-analytics-platform-role-dev-polaris-catalog/snowflake is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:eu-west-1:601864557682:key/401edca7-d545-4907-9c9f-2695305beb5e because no session policy allows the kms:GenerateDataKey action (Service: S3, Status Code: 403, Request ID: C0MA61C4VYNS88CP, Extended Request ID: ZboVDdn8eh4YBIjMUbG8X6fDT4oq6OFFqDcq/dKbVsrNDGW3IIhojELznwkyWhMDmSxO376I5o0=)
It seems that we have a missing security configuration to use with KMS.
To Reproduce
Just use S3 KMS with Polaris.
Actual Behavior
It works fine without KMS, but fails with S3 KMS enabled:
ServerError: S3Exception: User: arn:aws:sts::601864557682:assumed-role/cep-analytics-platform-role-dev-polaris-catalog/snowflake is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:eu-west-1:601864557682:key/401edca7-d545-4907-9c9f-2695305beb5e because no session policy allows the kms:GenerateDataKey action (Service: S3, Status Code: 403, Request ID: C0MA61C4VYNS88CP, Extended Request ID: ZboVDdn8eh4YBIjMUbG8X6fDT4oq6OFFqDcq/dKbVsrNDGW3IIhojELznwkyWhMDmSxO376I5o0=)
Expected Behavior
No response
Additional context
No response
System information
No response
mlin-exiger
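The error above says the STS session policy attached to the assumed role grants no kms:GenerateDataKey, which is what S3 needs to write an object under SSE-KMS. The following added example (not code from the Polaris project or the reporter) is a small offline checker that evaluates a session-policy document the way IAM does for Action/Resource wildcards and reports which KMS actions are missing for a given key ARN; the two policies, bucket and key ARNs are constructed placeholders, and the S3-only policy is only an assumed shape of a credential-scoping policy, not Polaris' actual one.

```python
import fnmatch

# Constructed placeholder ARNs; not tied to any real account.
BUCKET_ARN = "arn:aws:s3:::example-polaris-bucket"
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/11111111-2222-3333-4444-555555555555"

# Hypothetical session policy that scopes only S3 access (the failing case).
S3_ONLY_SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": [f"{BUCKET_ARN}/warehouse/*"]},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
    ],
}

# Same policy plus the KMS actions SSE-KMS reads and writes need, limited to one CMK.
KMS_SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": S3_ONLY_SESSION_POLICY["Statement"] + [
        {"Effect": "Allow",
         "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
         "Resource": KEY_ARN},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM wildcards: '*' matches any run, '?' one character.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def policy_allows(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants, otherwise implicit deny. No Condition/NotAction/NotResource."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def missing_kms_actions(policy, key_arn):
    """Return the KMS actions SSE-KMS needs on key_arn that the policy does not grant."""
    return [a for a in ("kms:GenerateDataKey", "kms:Decrypt")
            if not policy_allows(policy, a, key_arn)]

if __name__ == "__main__":
    print(missing_kms_actions(S3_ONLY_SESSION_POLICY, KEY_ARN))  # ['kms:GenerateDataKey', 'kms:Decrypt']
    print(missing_kms_actions(KMS_SESSION_POLICY, KEY_ARN))      # []
```

A session policy can only narrow what the assumed role already has, so the role's identity policy and the CMK's key policy must grant the same KMS actions for the fix to take effect.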