Interface AwsIamServiceIdentityConfiguration

All Superinterfaces:
ResolvableServiceIdentityConfiguration

public interface AwsIamServiceIdentityConfiguration extends ResolvableServiceIdentityConfiguration
Configuration for an AWS IAM service identity used by Polaris to access AWS services.

This includes the IAM ARN and, optionally, static credentials (access key, secret key, and session token). If credentials are provided, they will be used to construct an AwsIamServiceIdentityCredential; otherwise, the AWS default credential provider chain is used.

  • Method Summary

    Modifier and Type
    Method
    Description

    Optional<String>
    accessKeyId()
    Optional AWS access key ID associated with the IAM identity.

    default Optional<org.apache.polaris.core.identity.credential.AwsIamServiceIdentityCredential>
    asServiceIdentityCredential(org.apache.polaris.core.secrets.SecretReference secretReference)
    Converts this configuration into an AwsIamServiceIdentityCredential with actual AWS credentials.

    default Optional<org.apache.polaris.core.admin.model.AwsIamServiceIdentityInfo>
    asServiceIdentityInfoModel()
    Returns the AwsIamServiceIdentityInfo model containing only the IAM ARN.

    default software.amazon.awssdk.auth.credentials.AwsCredentialsProvider
    awsCredentialsProvider()
    Constructs an AwsCredentialsProvider based on the configured access key, secret key, and session token.

    static AwsIamServiceIdentityConfiguration
    defaultConfiguration()
    Returns the default AWS IAM service identity configuration.

    default org.apache.polaris.core.identity.ServiceIdentityType
    getType()
    Returns the type of service identity represented by this configuration, which is always ServiceIdentityType.AWS_IAM.

    String
    iamArn()
    The IAM role or user ARN representing the service identity.

    Optional<String>
    secretAccessKey()
    Optional AWS secret access key associated with the IAM identity.

    Optional<String>
    sessionToken()
    Optional AWS session token associated with the IAM identity.
  • Method Details

    • iamArn

      String iamArn()
      The IAM role or user ARN representing the service identity. If not provided, Polaris won't surface it in the catalog identity.
    • accessKeyId

      Optional<String> accessKeyId()
      Optional AWS access key ID associated with the IAM identity. If not provided, the AWS default credential chain will be used.
    • secretAccessKey

      Optional<String> secretAccessKey()
      Optional AWS secret access key associated with the IAM identity. If not provided, the AWS default credential chain will be used.
    • sessionToken

      Optional<String> sessionToken()
      Optional AWS session token associated with the IAM identity. If not provided, the AWS default credential chain will be used.
    • getType

      default org.apache.polaris.core.identity.ServiceIdentityType getType()
      Returns the type of service identity represented by this configuration, which is always ServiceIdentityType.AWS_IAM.
      Specified by:
      getType in interface ResolvableServiceIdentityConfiguration
      Returns:
      the AWS IAM service identity type
    • asServiceIdentityInfoModel

      default Optional<org.apache.polaris.core.admin.model.AwsIamServiceIdentityInfo> asServiceIdentityInfoModel()
      Returns the AwsIamServiceIdentityInfo model containing only the IAM ARN.

      This method is lightweight and does not construct AWS credential providers. It should be used for API responses where only identity metadata is needed.

      Specified by:
      asServiceIdentityInfoModel in interface ResolvableServiceIdentityConfiguration
      Returns:
      the service identity info model, or empty if the IAM ARN is not configured
    • asServiceIdentityCredential

      default Optional<org.apache.polaris.core.identity.credential.AwsIamServiceIdentityCredential> asServiceIdentityCredential(@Nonnull org.apache.polaris.core.secrets.SecretReference secretReference)
      Converts this configuration into an AwsIamServiceIdentityCredential with actual AWS credentials.

      Creates a credential object containing the configured IAM ARN and AWS credentials provider. The credentials provider is constructed based on whether static credentials (access key, secret key, session token) are configured or whether to use the default AWS credential chain.

      This method should only be called when credentials are actually needed for authentication.

      Specified by:
      asServiceIdentityCredential in interface ResolvableServiceIdentityConfiguration
      Parameters:
      secretReference - the secret reference to associate with this credential
      Returns:
      the service identity credential
    • awsCredentialsProvider

      @Nonnull default software.amazon.awssdk.auth.credentials.AwsCredentialsProvider awsCredentialsProvider()
      Constructs an AwsCredentialsProvider based on the configured access key, secret key, and session token. If the access key and secret key are provided, a static credentials provider is created; otherwise, the default credentials provider chain is used.
      Returns:
      the constructed AWS credentials provider
    • defaultConfiguration

      static AwsIamServiceIdentityConfiguration defaultConfiguration()
      Returns the default AWS IAM service identity configuration.

      This configuration is used only when the default realm (DEFAULT_REALM_KEY) has no explicit service identity configuration. It uses the AWS default credential provider chain to obtain credentials from the environment (e.g., environment variables, EC2 instance metadata, ECS task metadata) without requiring an explicit IAM ARN.

      Returns:
      the default AWS IAM service identity configuration
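
The rule documented for awsCredentialsProvider() sends any configuration that lacks either the access key or the secret key to the default chain, so a half-filled configuration would run under whatever ambient identity the host provides. The following is an added example, not Polaris code, of a stricter selection that rejects partial static credentials instead. The class and method names are hypothetical; it assumes the AWS SDK for Java v2 auth module on the classpath, treats blank values as absent, and treats a configured session token as marking temporary credentials.

```java
import java.util.Optional;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;

/** Hypothetical helper (not Polaris code): documented selection rule, failing closed on partial input. */
public final class StrictProviderSelection {

  private static boolean set(Optional<String> v) {
    return v.filter(s -> !s.isBlank()).isPresent(); // assumption: blank counts as absent
  }

  static AwsCredentialsProvider select(
      Optional<String> accessKeyId, Optional<String> secretAccessKey, Optional<String> sessionToken) {
    boolean key = set(accessKeyId), secret = set(secretAccessKey), token = set(sessionToken);
    if (key != secret || (token && !key)) {
      // Under the documented rule this input reaches the default chain, i.e. the
      // host's ambient identity. Reject it so the misconfiguration is visible.
      throw new IllegalStateException(
          "partial static AWS credentials: accessKeyId=" + key
              + " secretAccessKey=" + secret + " sessionToken=" + token);
    }
    if (!key) {
      return DefaultCredentialsProvider.create(); // nothing static configured
    }
    // Assumption: a configured session token means temporary (STS) credentials.
    AwsCredentials creds = token
        ? AwsSessionCredentials.create(accessKeyId.get(), secretAccessKey.get(), sessionToken.get())
        : AwsBasicCredentials.create(accessKeyId.get(), secretAccessKey.get());
    return StaticCredentialsProvider.create(creds);
  }

  public static void main(String[] args) {
    // Constructed placeholder values, not real credentials.
    Optional<String> ak = Optional.of("AKIAEXAMPLEPLACEHOLDER");
    Optional<String> sk = Optional.of("example-secret-placeholder");
    Optional<String> none = Optional.empty();
    System.out.println(select(ak, sk, none).getClass().getSimpleName());
    System.out.println(select(none, none, none).getClass().getSimpleName());
    try {
      select(ak, none, none); // access key without its secret
    } catch (IllegalStateException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

The exception message reports only which fields were present, never their values, so it is safe to log.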