Replies: 3 comments
-
|
@madhusudancs — thanks for the helpful advice in our meeting! Would love to get your thoughts when you get a chance. |
Beta Was this translation helpful? Give feedback.
-
|
+1 for supporting assuming a role from an instance profile. AsterixDB uses this preferentially when using S3 as a backing object store when running in "cloud" mode. It makes life easy when it's possible. |
Beta Was this translation helpful? Give feedback.
-
|
Rollout plan We split the implementation into three phases. Phase 1 delivers the model end-to-end; Phases 2–3 harden it. (local/MinIO keeps the static-key path).
|
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Summary
A per-user warehouse (#5293) needs a storage credential to reach the user's S3. This is about which credential model to use:
LakekeeperClientregisters the warehouse withcredential-type: access-key, STS off). The key is a long-lived secret held in Lakekeeper's DB.#5293 already vends short-lived credentials per request on the data path; with a stored key those are still derived from a long-lived root secret. The assumed-role model removes that root secret entirely — nothing long-lived in Texera or Lakekeeper.
This handshake is not new — it's the standard cross-account access pattern (an IAM role assumed via STS, gated by an external ID) that the major managed data platforms use for bring-your-own storage. We'd be adopting the proven mechanism, not inventing one.
Background / Motivation
Storing a static access key means a long-lived secret in Lakekeeper's encrypted DB:
It works, but a stored long-lived secret isn't what we want to ship.
Proposed change
Make the warehouse's storage credential an assumed role, not a stored key: at registration the user provides an IAM role ARN (no key), and Texera stores only the role ARN + external ID (non-secret config). At runtime, per execution, the deployment's system identity assumes the role → short-lived creds → vend.
{system identity ARN + external ID}, so the role's trust policy is set in one step (no reveal round-trip).Sequence diagram:
Scope
Same as #5293 — per-user warehouses are scoped to the Kubernetes deployment. The assumed-role model applies to real AWS S3 + IAM. Local / dev deployments could be backed by MinIO keep the static access-key path
Why this is secure
Beta Was this translation helpful? Give feedback.
All reactions