Security Concern: Vended Credentials — Credential Delegation Violation & Workload Identity Binding #3972
Replies: 8 comments 7 replies
-
|
@RB-ETArch :
This pattern is a feature of the Iceberg REST Catalog API. Polaris supports it for S3 systems by using STS for generating Session Tokens. Session Tokens are scoped down by the use case (read or write) to the most specific location Polaris can deduce (normally the table's base location). |
Beta Was this translation helpful? Give feedback.
-
#3327 enables a rich set of Session tags to be passed down to STS. #3224 enables passing the API user (authenticated principal) name to STS. |
Beta Was this translation helpful? Give feedback.
-
Please feel free to propose an enhancement on the |
Beta Was this translation helpful? Give feedback.
-
|
Also: you might be interested in #3170 - that PR did not merge, but if you find this approach valuable, we can certainly re-open that PR and discuss it again (or something similar) |
Beta Was this translation helpful? Give feedback.
-
|
Thank you @dimas-b for pointing to the PR. On sub-scoped credentials — agreed, this limits the blast radius and is valuable. However our concern is less about the breadth of access and more about the delegation pattern itself: the token is requested by Polaris but consumed by Spark. On the session tags PR — this definitely helps for audit trail and CloudTrail visibility. We will be able to trace S3 access back to the authenticated principal and enforce tag presence via bucket policies. That said, two follow-up questions:
Or
|
Beta Was this translation helpful? Give feedback.
-
|
The architecture in Polaris is not only common practice; it is considered an Industry-Standard Design Pattern (often called a Token Broker or Security Token Exchange pattern). In 2026, this is the preferred way to handle client-side access to cloud resources without giving clients permanent credentials or overly broad permissions. How the "Token Broker" Pattern WorksIn this flow, the client never talks to the cloud provider (AWS, etc.) to get credentials. Instead, it talks to your Governing Service (the Broker).
Why This is Standard PracticeThis approach satisfies several "Zero Trust" security principles: 1. Minimal Blast Radius (Session Policies)Even if the IAM Role the service uses has 2. Identity Federation & "Identity Hiding"The Cloud Provider doesn't need to know who your 10,000 end-users are. They only see your Governing Service requesting tokens. This keeps your IAM user list clean and reduces the management overhead of cloud-native identities. 3. Centralized Audit & GovernanceBy routing credential requests through your own service, you can log business-level context that AWS CloudTrail doesn't see.
4. Short-Lived Ephemeral SecretsBecause these tokens are generated on-the-fly, they typically have a very short TTL (e.g., 15 minutes to 1 hour). Even if a client "leaks" the token (e.g., via a browser log or git commit), the window of opportunity for an attacker is extremely small. Critical Security GuardrailsIf you implement this, you must follow these specific implementation rules:
Comparison of Patterns
|
Beta Was this translation helpful? Give feedback.
-
|
"Any actor who obtains the token — compromised executor, malicious insider, accidental log exposure — can use it against S3 as if they were the original authorized requestor" This is the case with any token you obtain (ie it has nothing to do with how Polaris provides the token). You can have a bucket policy that allows access to the bucket only from trusted private networks (using a condition key based on aws:SourceVpc https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-network-properties with an explicit deny from all other networks). "AWS CloudTrail will show S3 access under Polaris's assumed role, not under Spark's or the end user's identity" This is the case with anything that is not AWS. This was a long time a problem in AWS. You may be able to integrate Trusted Identity Propagation for custom applications (https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation-integrations.html) to achieve this. This may be a feature for Polaris to support. An alternative would be to simply import all the application logs in your SIEM and check for unusual patterns. |
Beta Was this translation helpful? Give feedback.
-
|
Noting:
and
I, personally, don't think there is any model which satisfies both the attack vector and your concerns without placing some level of responsibility on the client side of things. @jornfranke's response is bluntly correct - I don't think your issues with token-level security have anything to do with Polaris or even IRC credential vending. Any set of credentials can be exfiltrated and used somewhere else technically, neither Polaris nor IRCs in general claim to solve this issue on the client-side. I'd recommend @dimas-b's comment for passing user information into the vended credential if what you're looking for is reactive reporting of which user had originally requested this token (and should, barring some security loophole, be the user using this credential). If you're looking for a solution to proactively have S3 allow/deny requests based on a credential and some information about the client, then I believe Polaris is not the right repo to ask these questions. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Environment: Polaris on AWS EKS | Compute Engine (Eg: Spark) on on-prem or AWS | Entra ID as IdP | S3 object storage
The Core Security Violation: Vended Credential Delegation
Our organization's security team has flagged a fundamental violation in the vended credentials model as it stands today — one that goes beyond the typical bearer token concern:
The entity that requests the STS token (Polaris) is not the entity that uses it (Spark). Polaris requests vended credentials on its own identity, then hands them to another party, compute engine in this case
This is a credential delegation violation. The standard security principle for STS tokens — and bearer tokens generally — is that the requesting entity is the consuming entity. That assumption is broken here by design
The flow today is:
This is a risk - meaning:
Threat vectors our security team has identified:
This is a compliance and audit concern for us, particularly because our compute spans on-premises and multiple clouds, making network perimeter controls (VPC endpoints, IP allowlisting) operationally unscalable and insufficient.
What We Are Looking For
We want to understand:
Any input from the maintainers or organizations running Polaris in production at scale would be greatly appreciated. Happy to contribute to a design discussion if there is community interest in tackling this more formally.
#security #compliance #credentials #vended #STS #token
Beta Was this translation helpful? Give feedback.
All reactions