STS inline policy includes KMS actions even when KMS is not configured #3440

@netapp-acheng

Description

Describe the bug

I asked the question in #3434 and Dmitri B suggested that I report it as a bug.

When creating a Polaris S3 catalog that uses STS/AssumeRole against a non‑AWS S3‑compatible platform, table creation fails with:
Invalid action: kms:GenerateDataKeyWithoutPlaintext

Debug logs show that Polaris generates an inline STS policy that:

Contains KMS actions (e.g., kms:DescribeKey, kms:Decrypt, kms:GenerateDataKey, kms:GenerateDataKeyWithoutPlaintext) even when KMS is not configured for the catalog (i.e., allowedKmsKeys is empty). This appears to be a bug: if KMS is not configured, the IAM policy should not include KMS permissions.

Polaris Version
Server: 1.4.0-incubating-SNAPSHOT (local build under test)
CLI: matching snapshot
Quarkus: 3.28.2

Environment
Catalog type: INTERNAL
Storage type: S3
Endpoint: https://sgdemo.example.com
Region: us-east-1 (dummy value for S3‑compatible)
STS endpoint: https://sgdemo.example.com
Auth: STS/AssumeRole

Note: Creating a catalog and tables works with the --no-sts option in this same environment.

To Reproduce

Start Polaris server and authenticate the CLI.
Create an S3 catalog with STS enabled:
./polaris --host localhost --port 8181 --realm POLARIS --client-id root --client-secret catalogs create sts_catalog --type INTERNAL --storage-type s3 --default-base-location s3://sts-polaris --endpoint https://sgdemo.example.com --region us-east-1 --allowed-location s3://sts-polaris --sts-endpoint https://sgdemo.example.com --role-arn arn:aws:iam:::role/assumerole

The catalog created:
{
  "type": "INTERNAL",
  "name": "sts_catalog",
  "properties": {
    "default-base-location": "s3://sts-polaris"
  },
  "createTimestamp": 1766095794668,
  "lastUpdateTimestamp": 1766095794668,
  "entityVersion": 1,
  "storageConfigInfo": {
    "roleArn": "arn:aws:iam::123456789101112:role/assumerole",
    "allowedKmsKeys": [],
    "region": "us-east-1",
    "endpoint": "https://sgdemo.example.com/",
    "stsEndpoint": "https://sgdemo.example.com/",
    "stsUnavailable": false,
    "pathStyleAccess": false,
    "storageType": "S3",
    "allowedLocations": [
      "s3://sts-polaris"
    ]
  }
}

When I attempted to create a table in this catalog, I got this error:
"SenderMalformedPolicyDocumentInvalid action: kms:GenerateDataKeyWithoutPlaintext1766170445858521"

With Polaris debug logging on, I saw it send an AssumeRole request with this inline policy:
{ "Effect": "Allow", "Action": [ "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey", "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "arn:aws:kms:us-east-1:123456789101112:key/*" }

Actual Behavior

The Polaris debug log shows it sent an AssumeRole request with this inline policy:
{ "Effect": "Allow", "Action": [ "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey", "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "arn:aws:kms:us-east-1:123456789101112:key/*" }

Blocks table creation when using STS with S3‑compatible platforms lacking support for kms:GenerateDataKeyWithoutPlaintext.
Creates unnecessary coupling to KMS even when KMS is not configured for the catalog.

Expected Behavior

If the catalog does not configure KMS (no allowedKmsKeys / no KMS settings), the generated STS inline policy should not include any kms:* actions.
For S3‑compatible deployments, generated policies should avoid non‑portable KMS actions (or gate them strictly behind explicit KMS configuration), to prevent hard failures.

Additional context

No response

System information

Linux: Debian 12
Polaris Version
Server: 1.4.0-incubating-SNAPSHOT (local build under test)
CLI: matching snapshot
Quarkus: 3.28.2
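As an added example (not Polaris code and not from the issue author), a small pre-flight lint in Python that applies the expected behaviour described above: it takes a catalog's storageConfigInfo and the STS inline policy generated for AssumeRole, reports kms:* grants that allowedKmsKeys does not justify, and drops those statements when no KMS keys are configured. The function names and the sample S3 statement in the policy are assumptions; the KMS statement and config values are taken from the report.

```python
import copy

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def lint_kms_grants(storage_config, policy):
    """Return findings (strings) for KMS grants the catalog config does not justify."""
    allowed_keys = storage_config.get("allowedKmsKeys") or []
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        kms_actions = sorted(a for a in _as_list(stmt.get("Action")) if a.lower().startswith("kms:"))
        if not kms_actions:
            continue
        if not allowed_keys:
            findings.append(f"statement {i}: grants {kms_actions} but allowedKmsKeys is empty")
            continue
        # KMS is configured: each resource must be a configured key ARN, so key/* is reported too
        for res in _as_list(stmt.get("Resource")):
            if res not in allowed_keys:
                findings.append(f"statement {i}: KMS resource {res!r} is not in allowedKmsKeys")
    return findings

def drop_unjustified_kms(storage_config, policy):
    """Return a copy of the policy; KMS statements are removed when no keys are configured."""
    cleaned = copy.deepcopy(policy)
    if not storage_config.get("allowedKmsKeys"):
        cleaned["Statement"] = [
            s for s in cleaned.get("Statement", [])
            if not any(a.lower().startswith("kms:") for a in _as_list(s.get("Action")))
        ]
    return cleaned

# Constructed sample: storageConfigInfo values from the report, KMS statement from the debug log,
# plus an assumed S3 statement scoped to the allowed location.
STORAGE_CONFIG = {"allowedKmsKeys": [], "region": "us-east-1", "allowedLocations": ["s3://sts-polaris"]}
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::sts-polaris/*"},
        {"Effect": "Allow",
         "Action": ["kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey", "kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": "arn:aws:kms:us-east-1:123456789101112:key/*"},
    ],
}

if __name__ == "__main__":
    for finding in lint_kms_grants(STORAGE_CONFIG, POLICY):
        print("FINDING:", finding)
    print(len(drop_unjustified_kms(STORAGE_CONFIG, POLICY)["Statement"]), "statement(s) left after cleanup")
```

Run against the report's catalog, the lint flags the KMS statement because allowedKmsKeys is empty, and the cleaned policy keeps only the S3 statement; with a key configured, the key/* wildcard resource is flagged instead.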
