Open Data Infrastructure
Apache Polaris Credential Vending and Governance
Why credential vending belongs in the governance boundary between catalogs, identities, storage, and audit evidence.
A catalog that can hand out storage credentials is no longer just a place to find tables. It is sitting directly in the trust path between identity, policy, storage, and every engine that wants to touch the data.
The practical problem
Apache Polaris uses role-based access control across principals, principal roles, catalog roles, privileges, and securable objects. The Polaris access-control docs also make the important table privilege boundary visible: read and write data privileges can involve receiving short-lived storage credentials from the catalog.
That one detail changes the governance conversation. Credential vending is not only an implementation detail. It decides whether the catalog can translate identity and table policy into the storage-level access an engine actually uses.
The credential boundary has to be explicit
A clean design separates three questions. Who is asking? What catalog object are they allowed to use? Which storage credential is safe to vend for that operation? If those questions blur together, the platform quietly recreates the same access mess it was trying to escape.
The catalog should emit evidence for each decision: principal, role, table, namespace, privilege, credential scope, expiration, and policy result. Without that evidence, teams can say a request was allowed, but they cannot explain why it was allowed at the storage boundary.
Core idea: Credential vending turns the catalog into a runtime control plane. Treat it like one.
The Open Data Infrastructure angle
Open Data Infrastructure depends on engine choice. Spark, Flink, Trino, StarRocks, Doris, and other tools should be able to participate without each one owning a separate credential model. That is the promise. The risk is that every engine receives powerful credentials with weak policy context.
Polaris gives teams a catalog-centered place to make that boundary visible. External policy decision points can extend that model when local RBAC is not enough, but the same governance principle holds. The decision and the credential need to be connected.
What breaks first
- The catalog grants table access, but storage credentials are broader than the table operation.
- Credential lifetime is tracked by the cloud account, not by the data product or catalog decision.
- Audit logs show a table read but not the credential boundary used to perform it.
- Engines bypass the catalog for performance or convenience and turn governance into a side channel.
Questions to ask
Ask whether credential vending is scoped by catalog object, namespace, table, action, principal, and time. Ask where denial reasons are recorded. Ask whether a second engine receives the same policy treatment as the first engine.
For adjacent context, read Apache Polaris RBAC for open catalog governance, catalogs as the ODI control plane, and catalog-neutral governance controls.
Sources to start with
These primary sources anchor the technical claims in this guide.
- Apache Polaris role-based access control
- Apache Polaris external policy decision point
- Apache Iceberg REST Catalog specification
- Apache Iceberg catalog configuration
Credential vending is where open catalog governance either becomes real infrastructure or becomes another permission spreadsheet with better branding.