When using Polaris with S3 (without KMS), everything is working fine (I can create an Iceberg table from spark-sql on Polaris).
However, when I enable S3 KMS, I get:
ServerError: S3Exception: User: arn:aws:sts::601864557682:assumed-role/cep-analytics-platform-role-dev-polaris-catalog/snowflake is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:eu-west-1:601864557682:key/401edca7-d545-4907-9c9f-2695305beb5e because no session policy
allows the kms:GenerateDataKey action (Service: S3, Status Code: 403, Request ID: C0MA61C4VYNS88CP, Extended Request ID: ZboVDdn8eh4YBIjMUbG8X6fDT4oq6OFFqDcq/dKbVsrNDGW3IIhojELznwkyWhMDmSxO376I5o0=)
It seems that we have a missing security configuration to use with KMS.
To Reproduce
Just use S3 KMS with Polaris.
Actual Behavior
It works fine without KMS, but fails with S3 KMS enabled:
ServerError: S3Exception: User: arn:aws:sts::601864557682:assumed-role/cep-analytics-platform-role-dev-polaris-catalog/snowflake is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:eu-west-1:601864557682:key/401edca7-d545-4907-9c9f-2695305beb5e because no session policy
allows the kms:GenerateDataKey action (Service: S3, Status Code: 403, Request ID: C0MA61C4VYNS88CP, Extended Request ID: ZboVDdn8eh4YBIjMUbG8X6fDT4oq6OFFqDcq/dKbVsrNDGW3IIhojELznwkyWhMDmSxO376I5o0=)
Expected Behavior
No response
Additional context
No response
System information
No response
In my setup, I am using S3 with KMS. To get it working, the IAM role needed to include an additional IAM policy (for my setup, I have kms:GenerateDataKey, kms:Decrypt, and kms:DescribeKey added to the IAM role used by Polaris).
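A least-privilege IAM policy statement for the three actions named in the comment above, written as an added example (it is not from the Polaris project or from either poster). It reuses the key ARN from the error message, assumes the bucket is in eu-west-1 so the `kms:ViaService` condition can restrict use of the key to S3 in that region, and is meant to be attached to the role that appears in the error (`cep-analytics-platform-role-dev-polaris-catalog`):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSseKmsForPolarisIcebergData",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:eu-west-1:601864557682:key/401edca7-d545-4907-9c9f-2695305beb5e",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.eu-west-1.amazonaws.com"
        }
      }
    }
  ]
}
```

Two checks worth doing if the 403 persists: the error text says the denial came from a session policy, and effective permissions under AssumeRole are the intersection of the role's identity policy and any session policy, so a scoped-down session policy must allow these actions too; and the KMS key policy itself must grant the role (or delegate to IAM for the account) access to the key.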