diff --git a/spec/polaris-management-service.yml b/spec/polaris-management-service.yml index 318f17a6c..09d19b56f 100644 --- a/spec/polaris-management-service.yml +++ b/spec/polaris-management-service.yml @@ -868,6 +868,8 @@ components: description: URI to the remote catalog service authenticationParameters: $ref: "#/components/schemas/AuthenticationParameters" + serviceIdentity: + $ref: '#/components/schemas/ServiceIdentityInfo' required: - connectionType discriminator: @@ -889,13 +891,14 @@ components: AuthenticationParameters: type: object - description: Authentication-specific information for a REST connection + description: Authentication-specific information for a connection properties: authenticationType: type: string enum: - OAUTH - BEARER + - SIGV4 description: The type of authentication to use when connecting to the remote rest service required: - authenticationType @@ -904,6 +907,7 @@ components: mapping: OAUTH: "#/components/schemas/OAuthClientCredentialsParameters" BEARER: "#/components/schemas/BearerAuthenticationParameters" + SIGV4: "#/components/schemas/SigV4AuthenticationParameters" OAuthClientCredentialsParameters: type: object 
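Review bot: The new `serviceIdentity` property carries no `description`, unlike its sibling `authenticationParameters`, so generated docs give no hint that it is server-populated; the referenced ServiceIdentityInfo schema is declared `readOnly: true` later in this diff, but not every generator or validator honors `readOnly` on a referenced schema rather than on the property. State it at the property: if this document is OAS 3.0 a `description` placed next to `$ref` is ignored, so wrap the reference as `allOf: [{ $ref: '#/components/schemas/ServiceIdentityInfo' }]` with a sibling `description: Identity Polaris presents to the remote catalog; populated by the service, ignored on input` (or "rejected", whichever the implementation does). The added line also quotes the `$ref` with single quotes while the line above uses double quotes; pick one style within this block. The enclosing schema starts before the hunk.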
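Review bot: The enum's description still says `The type of authentication to use when connecting to the remote rest service` although the schema description directly above is generalized in this hunk from "REST connection" to "connection" and SIGV4 targets AWS-signed services; change it to `description: The type of authentication to use when connecting to the remote service` so the two agree. The SIGV4 discriminator mapping added in the following hunk matches the new enum value, so nothing further is needed there.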
@@ -938,6 +942,36 @@ components: format: password description: Bearer token (input-only) + SigV4AuthenticationParameters: + type: object + description: AWS Signature Version 4 authentication + allOf: + - $ref: '#/components/schemas/AuthenticationParameters' + properties: + roleArn: + type: string + description: The aws IAM role arn assumed by polaris userArn when signing requests + example: "arn:aws:iam::123456789001:role/role-that-has-remote-catalog-access" + roleSessionName: + type: string + description: The role session name to be used by the SigV4 protocol for signing requests + example: "polaris-remote-catalog-access" + externalId: + type: string + description: An optional external id used to establish a trust relationship with AWS in the trust policy + example: "external-id-1234" + signingRegion: + type: string + description: Region to be used by the SigV4 protocol for signing requests + example: "us-west-2" + signingName: + type: string + description: The service name to be used by the SigV4 protocol for signing requests, the default signing name is "execute-api" is if not provided + example: "glue" + required: + - roleArn + - signingRegion + StorageConfigInfo: type: object description: A storage configuration used by catalogs 
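Review bot: The `signingName` description is ungrammatical (`the default signing name is "execute-api" is if not provided`) and the `roleArn` description refers to a `polaris userArn` that exists nowhere in this spec; the service identity is exposed as `iamArn` on AwsIamServiceIdentityInfo later in this diff. Suggested wording: `description: The AWS IAM role ARN that Polaris assumes when signing requests` and `description: The service name used by the SigV4 protocol when signing requests; defaults to "execute-api" if not provided`. `roleSessionName` is caller-supplied and unconstrained; if it is passed through to STS as-is it becomes the assumed-role session identity in CloudTrail, so consider documenting the session-name constraints STS enforces (or adding `maxLength`/`pattern`) so audit records stay attributable and bad values fail at request validation rather than at assume-role time. The `roleArn` example uses account `123456789001`, which is not one of the documented AWS placeholder accounts; `111122223333`, as used for `iamArn` in this diff, avoids pointing the example at a possibly real account.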
@@ -1023,6 +1057,35 @@ components: allOf: - $ref: '#/components/schemas/StorageConfigInfo' + ServiceIdentityInfo: + type: object + description: Identity metadata for the Polaris service used to access external resources. + readOnly: true + properties: + identityType: + type: string + enum: + - AWS_IAM + description: The type of identity used to access external resources + required: + - identityType + discriminator: + propertyName: identityType + mapping: + AWS_IAM: "#/components/schemas/AwsIamServiceIdentityInfo" + + AwsIamServiceIdentityInfo: + type: object + allOf: + - $ref: '#/components/schemas/ServiceIdentityInfo' + properties: + iamArn: + type: string + description: The ARN of the IAM user or IAM role Polaris uses to assume roles and then access external resources. + example: "arn:aws:iam::111122223333:user/polaris-service-user" + required: + - iamArn + UpdateCatalogRequest: description: Updates to apply to a Catalog. Any fields which are required in the Catalog will remain unaltered if omitted from the contents of this Update request.
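Review bot: `readOnly: true` is set on the ServiceIdentityInfo schema itself, and AwsIamServiceIdentityInfo composes it via `allOf` without repeating it, so whether generated clients and request validators treat `serviceIdentity` and `iamArn` as read-only depends on tooling; the description should say explicitly that the service populates this object and that a client-supplied value is ignored (or rejected), because the spec alone cannot enforce it. AwsIamServiceIdentityInfo also has no `description`, unlike every other schema in this diff; `description: AWS IAM principal (user or role) Polaris uses when assuming the role configured for a connection` would do. The `iamArn` description says this principal "assumes roles", which ties it to `roleArn` in SigV4AuthenticationParameters; naming that field in the description would help readers writing the trust policy.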