[Feature] Add AWS STS Session Tags to Credential Vending for CloudTrail Correlation #3325

@obelix74

Description

Is your feature request related to a problem? Please describe.

Description:

Add support for AWS STS Session Tags when vending S3 credentials via AssumeRole. This enables deterministic correlation between Polaris catalog operations and downstream S3 access events in AWS CloudTrail.

Motivation:

Currently, the only correlation mechanism between catalog credential vending and S3 access is the role session name. This provides principal-level attribution but lacks granularity for:

  • Fine-grained audit trails (table → S3 reads)
  • Cost allocation by catalog/namespace/table
  • Security forensics
  • Compliance reporting

Describe the solution you'd like

Proposed Solution:

Add session tags (polaris:catalog, polaris:namespace, polaris:table, polaris:principal, polaris:request-id) to AssumeRoleRequest. Controlled by a new feature flag INCLUDE_SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL (default: false).

Acceptance Criteria:

  • New feature flag INCLUDE_SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL added
  • Session tags added to AssumeRoleRequest when feature enabled
  • Tags marked as transitive for role chaining scenarios
  • Values truncated to AWS limits (256 chars)
  • Documentation updated with IAM policy requirements
  • Unit and integration tests added

Describe alternatives you've considered

1. Use sts:SourceIdentity

Pros: Immutable, appears in CloudTrail
Cons: Single value only, cannot convey structured data

2. Encode metadata in role session name

Pros: No IAM policy changes needed
Cons: 64-char limit insufficient; parsing complexity; potential collisions

3. External correlation via timestamp

Current approach: Join audit logs and CloudTrail by time window
Cons: Non-deterministic; fails with concurrent requests; complex queries

Additional context

Dependencies:

  • Requires IAM role trust policy update to allow sts:TagSession
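As an added example (not Polaris code and not from the issue author), the proposed change and the trust-policy dependency above are sketched in Python in the shape of the keyword arguments boto3's `sts.assume_role()` accepts: the `polaris:*` tag keys, the 256-character value truncation, marking the tags transitive for role chaining, and a trust policy that grants `sts:TagSession` next to `sts:AssumeRole`. The role ARNs, session name and context values are constructed placeholders, and the `INCLUDE_SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL` flag is modelled as a plain boolean parameter.

```python
"""Session-tagged AssumeRole parameters for credential vending (added example)."""
import json

# Per-value limit cited in the feature request; longer values make STS
# reject the whole AssumeRole call, so they are clipped instead.
MAX_TAG_VALUE_LEN = 256

# Emitted in a fixed order so the tag set is deterministic per request.
SESSION_TAG_KEYS = (
    "polaris:catalog",
    "polaris:namespace",
    "polaris:table",
    "polaris:principal",
    "polaris:request-id",
)


def truncate_tag_value(value: str) -> str:
    """Clip a tag value to the STS limit."""
    return value[:MAX_TAG_VALUE_LEN]


def build_session_tags(context: dict) -> list:
    """Turn the catalog request context into STS Tag entries.

    Only the known polaris:* keys are emitted; fields missing from the
    context (e.g. no table for a namespace-level operation) are skipped.
    """
    tags = []
    for key in SESSION_TAG_KEYS:
        value = context.get(key)
        if value is None:
            continue
        tags.append({"Key": key, "Value": truncate_tag_value(str(value))})
    return tags


def build_assume_role_params(role_arn: str, session_name: str, context: dict,
                             include_session_tags: bool) -> dict:
    """Build the keyword arguments for boto3's sts.assume_role().

    `include_session_tags` stands in for the proposed feature flag
    INCLUDE_SESSION_TAGS_IN_SUBSCOPED_CREDENTIAL (default: False), so the
    request is unchanged unless it is switched on.
    """
    params = {"RoleArn": role_arn, "RoleSessionName": session_name}
    if not include_session_tags:
        return params
    tags = build_session_tags(context)
    if tags:
        params["Tags"] = tags
        # Transitive tags survive role chaining: a role assumed later with
        # these credentials inherits them and cannot override them.
        params["TransitiveTagKeys"] = [t["Key"] for t in tags]
    return params


def build_trust_policy(catalog_principal_arn: str) -> dict:
    """Trust policy for the vended role.

    sts:AssumeRole alone is not enough once tags are sent: the calling
    principal also needs sts:TagSession, otherwise the call is denied.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": catalog_principal_arn},
            "Action": ["sts:AssumeRole", "sts:TagSession"],
        }],
    }


def trust_policy_allows_tagging(policy: dict) -> bool:
    """Pre-flight check: does any Allow statement grant sts:TagSession?"""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a in ("sts:TagSession", "sts:*", "*") for a in actions):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample request context; account id and ARNs are placeholders.
    ctx = {
        "polaris:catalog": "analytics",
        "polaris:namespace": "sales.eu",
        "polaris:table": "orders",
        "polaris:principal": "etl-service",
        "polaris:request-id": "req-0001",
    }
    params = build_assume_role_params(
        "arn:aws:iam::123456789012:role/polaris-vended-role",
        "polaris-etl-service", ctx, include_session_tags=True)
    print(json.dumps(params, indent=2))
    policy = build_trust_policy("arn:aws:iam::123456789012:role/polaris-catalog")
    print("TagSession allowed:", trust_policy_allows_tagging(policy))
    # Live call would be: boto3.client("sts").assume_role(**params)
```

Running `trust_policy_allows_tagging` against the existing trust policy before enabling the flag turns the IAM dependency into a check that fails fast at configuration time rather than on the first tagged AssumeRole call.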

Related:

INCLUDE_PRINCIPAL_NAME_IN_SUBSCOPED_CREDENTIAL feature flag

Labels: enhancement (New feature or request)