Class SigV4ConnectionCredentialVendor

java.lang.Object
org.apache.polaris.service.credentials.connection.SigV4ConnectionCredentialVendor
All Implemented Interfaces:
org.apache.polaris.core.credentials.connection.ConnectionCredentialVendor

@RequestScoped @Priority(100) public class SigV4ConnectionCredentialVendor extends Object implements org.apache.polaris.core.credentials.connection.ConnectionCredentialVendor
Connection credential vendor for AWS SigV4 authentication.

This vendor uses Polaris's AWS IAM service identity to assume a customer-provided IAM role via AWS STS, generating temporary credentials that Polaris uses to access external AWS services (e.g., AWS Glue catalog) with SigV4 request signing.

Flow:

  1. Receives Polaris's AwsIamServiceIdentityCredential (the IAM user/role Polaris owns)
  2. Extracts customer's role ARN from SigV4AuthenticationParametersDpo
  3. Calls AWS STS AssumeRole to get temporary credentials
  4. Returns temporary access key, secret key, and session token

This is the default implementation with @Priority(CredentialVendorPriorities.DEFAULT). Custom implementations can override this by providing a higher priority value.
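The flow listed above, sketched directly against the AWS SDK for Java v2 as an added example; it is not Polaris's own implementation and uses none of its classes. The class name, session name, environment variable names, region and 900-second duration are assumptions chosen for illustration.

```java
import java.time.Instant;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.Credentials;

// Hypothetical class, for illustration only.
public final class AssumeRoleFlowSketch {

  /** Steps 2-4: assume the customer's role and return short-lived session credentials. */
  static AwsSessionCredentials assumeCustomerRole(StsClient sts, String roleArn, String sessionName) {
    AssumeRoleRequest request = AssumeRoleRequest.builder()
        .roleArn(roleArn)              // customer-provided role ARN (step 2)
        .roleSessionName(sessionName)  // recorded in CloudTrail, so the session can be attributed
        .durationSeconds(900)          // assumption: shortest lifetime STS accepts
        .build();
    Credentials c = sts.assumeRole(request).credentials();  // step 3
    // Refuse credentials that are already past their expiry (e.g. badly skewed clock).
    if (!c.expiration().isAfter(Instant.now())) {
      throw new IllegalStateException("STS returned credentials that are already expired");
    }
    // Step 4: access key, secret key and session token travel together.
    return AwsSessionCredentials.create(c.accessKeyId(), c.secretAccessKey(), c.sessionToken());
  }

  public static void main(String[] args) {
    // Step 1: the service's own IAM identity. The variable names are hypothetical.
    AwsBasicCredentials serviceIdentity = AwsBasicCredentials.create(
        System.getenv("SERVICE_ACCESS_KEY_ID"), System.getenv("SERVICE_SECRET_ACCESS_KEY"));
    try (StsClient sts = StsClient.builder()
        .region(Region.US_EAST_1)  // assumption: use the region of the target service
        .credentialsProvider(StaticCredentialsProvider.create(serviceIdentity))
        .build()) {
      // args[0] is the customer's role ARN.
      AwsSessionCredentials temp = assumeCustomerRole(sts, args[0], "catalog-federation-example");
      // Log only the key id; never the secret key or session token.
      System.out.println("temporary access key id: " + temp.accessKeyId());
    }
  }
}
```

The call succeeds only if the customer role's trust policy names the service identity as a principal, and the permissions of the returned session are bounded by the policies attached to that role.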

  • Constructor Summary

    Constructors
    Constructor
    Description
    SigV4ConnectionCredentialVendor(org.apache.polaris.core.storage.aws.StsClientProvider stsClientProvider, org.apache.polaris.core.identity.provider.ServiceIdentityProvider serviceIdentityProvider)
     
  • Method Summary

    Modifier and Type
    Method
    Description
    org.apache.polaris.core.credentials.connection.ConnectionCredentials
    getConnectionCredentials(org.apache.polaris.core.connection.ConnectionConfigInfoDpo connectionConfig)
     

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • SigV4ConnectionCredentialVendor

      @Inject public SigV4ConnectionCredentialVendor(org.apache.polaris.core.storage.aws.StsClientProvider stsClientProvider, org.apache.polaris.core.identity.provider.ServiceIdentityProvider serviceIdentityProvider)
  • Method Details

    • getConnectionCredentials

      @Nonnull public org.apache.polaris.core.credentials.connection.ConnectionCredentials getConnectionCredentials(@Nonnull org.apache.polaris.core.connection.ConnectionConfigInfoDpo connectionConfig)
      Specified by:
      getConnectionCredentials in interface org.apache.polaris.core.credentials.connection.ConnectionCredentialVendor