
Reduce permissions on historical KMS keys #3338

@dimas-b

Description

Is your feature request related to a problem? Please describe.

Currently (discussed under #3330) Polaris supports the "current" KMS key ARN and a list of "allowed" key ARNs. The same encrypt / decrypt access is granted to all of those ARNs in vended credential policies (STS session policies).

However, historical keys do not need the "encrypt" permission. Polaris and its clients normally need only the "decrypt" permission to read older data files.

Describe the solution you'd like

  • Add new storage config property: legacy-kms-keys
  • Grant only "decrypt" access to legacy-kms-keys
  • Grant both "decrypt" and "encrypt" access to allowed-kms-keys (current behaviour)
  • Deprecate the current-kms-key property (forward existing values to allowed-kms-keys)

During manual KMS key rotation, the admin user will add all keys that may be used for encryption to allowed-kms-keys. Then, the admin user will adjust AWS configuration, then move the decommissioned KMS key to the legacy-kms-keys list.

Describe alternatives you've considered

No response

Additional context

No response
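As an added illustration of the proposed split (not code from the issue or from the Polaris project), the following builds an STS session policy document from the three storage properties described above: `allowed-kms-keys` receives both encrypt and decrypt, `legacy-kms-keys` receives decrypt only, and a still-configured `current-kms-key` is forwarded into the allowed list. The key ARNs, the function names and the minimal policy evaluator are all assumptions for this example; the actions are limited to `kms:Encrypt` and `kms:Decrypt`, the two permissions the issue talks about.

```python
import json

# Actions as the issue describes them: "encrypt" and "decrypt".
DECRYPT_ACTIONS = ["kms:Decrypt"]
ENCRYPT_ACTIONS = ["kms:Encrypt"]

# Constructed placeholder ARNs for the example; not real keys.
CURRENT_KEY = "arn:aws:kms:us-east-1:123456789012:key/CURRENT-KEY-PLACEHOLDER"
ROTATED_KEY = "arn:aws:kms:us-east-1:123456789012:key/NEW-KEY-PLACEHOLDER"
LEGACY_KEY = "arn:aws:kms:us-east-1:123456789012:key/OLD-KEY-PLACEHOLDER"


def resolve_key_sets(current_kms_key, allowed_kms_keys, legacy_kms_keys):
    """Apply the proposed deprecation: a current-kms-key value is forwarded
    into allowed-kms-keys. A key listed in both allowed and legacy keeps the
    broader (allowed) grant, so it is dropped from the legacy set."""
    allowed = list(allowed_kms_keys or [])
    if current_kms_key and current_kms_key not in allowed:
        allowed.append(current_kms_key)
    legacy = [k for k in (legacy_kms_keys or []) if k not in allowed]
    return allowed, legacy


def build_kms_session_policy(current_kms_key=None, allowed_kms_keys=(), legacy_kms_keys=()):
    """Return an IAM policy document (as a dict) suitable for an STS session
    policy. Allowed keys get encrypt+decrypt; legacy keys get decrypt only."""
    allowed, legacy = resolve_key_sets(current_kms_key, allowed_kms_keys, legacy_kms_keys)
    statements = []
    if allowed:
        statements.append({
            "Sid": "AllowedKmsKeys",
            "Effect": "Allow",
            "Action": ENCRYPT_ACTIONS + DECRYPT_ACTIONS,
            "Resource": sorted(allowed),
        })
    if legacy:
        statements.append({
            "Sid": "LegacyKmsKeys",
            "Effect": "Allow",
            "Action": DECRYPT_ACTIONS,
            "Resource": sorted(legacy),
        })
    return {"Version": "2012-10-17", "Statement": statements}


def policy_allows(policy, action, key_arn):
    """Minimal check used only to verify the generated document: an action on
    a key is allowed if some Allow statement lists both exactly. This is not a
    full IAM evaluator (no wildcards, conditions or Deny statements)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if action in actions and key_arn in resources:
            return True
    return False


if __name__ == "__main__":
    # Mid-rotation state: old current key still configured, new key already
    # in allowed-kms-keys, an earlier decommissioned key moved to legacy.
    doc = build_kms_session_policy(
        current_kms_key=CURRENT_KEY,
        allowed_kms_keys=[ROTATED_KEY],
        legacy_kms_keys=[LEGACY_KEY],
    )
    print(json.dumps(doc, indent=2))
```

Running the module prints the two-statement policy for the rotation scenario the issue describes. One caveat the issue does not cover: a client writing objects with S3 SSE-KMS also calls `kms:GenerateDataKey`, so a real policy for the allowed set would need that action alongside `kms:Encrypt`; the legacy set still needs nothing beyond `kms:Decrypt`.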

Metadata

Assignees

No one assigned

    Labels

    enhancement (New feature or request)

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests