Skip to content

Spec: REST KMS credential vending for table encryption#17155

Open
szlta wants to merge 2 commits into
apache:mainfrom
szlta:kms_vending_spec
Open

Spec: REST KMS credential vending for table encryption#17155
szlta wants to merge 2 commits into
apache:mainfrom
szlta:kms_vending_spec

Conversation

@szlta

@szlta szlta commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds REST KMS credential vending to the spec for Iceberg table encryption.

This extends REST access delegation so catalogs can return short-lived, scoped KMS credentials alongside storage credentials. Clients match vended KMS credentials to KMS key IDs referenced by Iceberg encryption metadata and continue to call the KMS directly.

Original design doc: https://docs.google.com/document/d/1VSewbVmjukU5eTiZruCJVmUZcRZvcAsd4JOeC6Lt3fo

Changes

This PR adds:

  • kms-vended-credentials as an access-delegation mechanism
  • encryption.kms-type as a catalog-level KMS provider/type identifier
  • key-management-credentials to credential-bearing REST responses
  • KeyManagementCredential, containing:
    • kms-key-ids
    • provider-specific credential config
  • client matching rules between kms-key-ids and EncryptedKey.encrypted-by-id
  • security guidance for vended KMS credentials, including time-bounded credentials and provider-supported scoping

Credential sourcing

For encrypted table operations, credential sourcing should be consistent with REST access-delegation rules.

If a catalog honors REST access delegation for an encrypted table operation, it should provide all delegated credentials required for that operation, including storage credentials and KMS credentials.

If REST access delegation is not used or not honored, the client remains responsible for providing the required credentials locally.

Not included

This PR does not add remote KMS wrap/unwrap APIs.

Remote wrap/unwrap may be useful for some environments and can be proposed separately, but it has a different protocol shape and security model because plaintext Iceberg key material would flow through the catalog API.

This PR focuses on KMS credential vending, where the catalog returns short-lived, scoped KMS credentials and clients continue to call the KMS directly.

Change-Id: Ie0f44cf6c273c4e0a0e7a626c1541d290ef7ae20
@szlta szlta force-pushed the kms_vending_spec branch from bea5e92 to 9a2b426 Compare July 10, 2026 14:59
@szlta szlta marked this pull request as ready for review July 10, 2026 15:19
@szlta

szlta commented Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

cc: @singhpk234 @ggershinsky

Comment thread open-api/rest-catalog-open-api.yaml Outdated
For encrypted table operations, delegated credential sourcing should be consistent. If a catalog
honors REST access delegation for an encrypted table operation, it should provide all delegated
credentials required for that operation, including storage credentials and KMS credentials. Clients
must not be required to combine catalog-vended storage credentials with client-local or static KMS

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: "must not be required to combine ..." I support this approach, but the exact phrase does not feel like it fits within the API "spec". Perhaps rephrasing along the lines of "catalogs should provide all credentials required for storage access...". WDYT?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, I rewrote this section to be more clear.

enum:
- vended-credentials
- remote-signing
- kms-vended-credentials

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This value is mentioned, but not explicitly described in the doc comment (above).

Does it subsume vended-credentials?.. Or should clients declare both (in case KMS is involved)?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No it doesn't subsume. A client may support storage vended credentials while not kms vended credentials. As per spec such clients will not be given any credentials for encrypted tables, but for unencrypted ones it's still a valid scenario.
Also, in general - I'd rather avoid including extra meaning to an existing access delegation mode.

Comment thread open-api/rest-catalog-open-api.yaml Outdated
Clients should select the credential config by matching KMS key identifiers referenced by table
encryption metadata, such as `EncryptedKey.encrypted-by-id`, against `kms-key-ids`. If no
key-management credential matches a KMS key ID required by table encryption metadata, the client
must fail the operation with an authorization or missing-credential error.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"Must" is too strong here, IMHO. Why do we require the client to fail on something that is essentially a server error? If the client has other means of accessing the necessary file, why not allow it to proceed with the operation? I'd say "can" here. WDYT?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we do want the client to act like this. When vended credentials are provided by the catalog, the client should use them, and use them only.

When vended credentials are provided we don't want clients to silently bypass the catalog's KMS authorization decision by using unrelated local credentials for the same delegated operation. That could also re-introduce a hybrid consumption of credentials which we want to avoid.

I clarified this section that failing is only a requirement when vended credentials are provided by catalog side.

Comment thread docs/docs/catalog-properties.md Outdated
| `rest-page-size` | null | The page size to use when listing namespaces, tables, or other paginated resources. |
| `namespace-separator` | `%1F` | The separator character used for namespace levels when communicating with the REST server. |
| `scan-planning-mode` | `CLIENT` | Controls where scan planning is performed. Supported values: `CLIENT` (client-side planning), `SERVER` (server-side planning). Can be overridden per-table by the server in LoadTableResponse. |
| `encryption.kms-type` | null | Advertises the catalog-selected KMS provider clients should use for encrypted tables. This is independent of the table's storage provider and may be used with `key-management-credentials` to initialize or configure the KMS client. The value is an open enum with initial values `aws`, `gcp`, and `azure`; catalogs may return additional values when the catalog and client agree on KMS client resolution and credential config. |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like there is an omission in the previous (Common properties) section - encryption.kms-impl is listed, but the encryption.kms-type is not (even though it is used in HMS, and described in the encryption.md doc). Maybe you could add a line in that section/table? Or I could send a separate patch.

In any case, we'd need to think if encryption.kms-type should be listed in both "Common properties" and "REST catalog properties" sections; if yes, what's their relationship (differences in purpose; how different values are handled; etc).

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, we need that too, I have it included in this PR now. Also added some more context how any setting of encryption.kms-type would be overridden by server's /config response when KMS credential vending is turned on.

Change-Id: I4b02a9ef06540232493e5d503fe0a4c44717ec16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants