S3 security via query interception #46
Labels
enhancement
New feature or request
Comments
|
Realted to #45 |
|
Apparently with DuckDB you can use query params the same as the settings to query buckets in-line like: |
|
Because of the above, we could also achieve security by injecting AWS credentials into the final query, rather than having them within the session, so that |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Since relying on IAM only works with solutions like minio, we can intercept S3 read conditions.
For example if our IAM allows reading of all objects in a bucket (path), but we have the tenant ID as the prefix for an object path, we can intercept the reads to that S3 bucket and ensures that only valid files would be read (otherwise cancel the query).
DuckDB has an inherent issue here that we'd be looking at only allowing S3 querying to a single bucket at a time, unlike clickhouse which can use the s3 table engine and read from multiple private buckets per-query.
For example a tenant would not be able to join data on their own private s3 bucket.
The text was updated successfully, but these errors were encountered: