Spec: Add SigV4 Auth Support for Catalog Federation

spec/polaris-management-service.yml

@@ -868,6 +868,8 @@ components:
           description: URI to the remote catalog service
         authenticationParameters:
           $ref: "#/components/schemas/AuthenticationParameters"
+        serviceIdentity:
+          $ref: '#/components/schemas/ServiceIdentityInfo'
       required:
         - connectionType
       discriminator:
@@ -889,13 +891,14 @@ components:
 
     AuthenticationParameters:
       type: object
-      description: Authentication-specific information for a REST connection
+      description: Authentication-specific information for a connection
       properties:
         authenticationType:
           type: string
           enum:
             - OAUTH
             - BEARER
+            - SIGV4
           description: The type of authentication to use when connecting to the remote rest service
       required:
         - authenticationType
@@ -904,6 +907,7 @@ components:
         mapping:
           OAUTH: "#/components/schemas/OAuthClientCredentialsParameters"
           BEARER: "#/components/schemas/BearerAuthenticationParameters"
+          SIGV4: "#/components/schemas/SigV4AuthenticationParameters"
 
     OAuthClientCredentialsParameters:
       type: object
@@ -938,6 +942,36 @@ components:
           format: password
           description: Bearer token (input-only)
 
+    SigV4AuthenticationParameters:
+      type: object
+      description: AWS Signature Version 4 authentication
+      allOf:
+        - $ref: '#/components/schemas/AuthenticationParameters'
+      properties:
+        roleArn:
+          type: string
+          description: The aws IAM role arn assumed by polaris userArn when signing requests
+          example: "arn:aws:iam::123456789001:role/role-that-has-remote-catalog-access"
+        roleSessionName:
+          type: string
+          description: The role session name to be used by the SigV4 protocol for signing requests
+          example: "polaris-remote-catalog-access"
+        externalId:
+          type: string
+          description: An optional external id used to establish a trust relationship with AWS in the trust policy
+          example: "external-id-1234"
+        signingRegion:
+          type: string
+          description: Region to be used by the SigV4 protocol for signing requests
+          example: "us-west-2"
+        signingName:
+          type: string
+          description: The service name to be used by the SigV4 protocol for signing requests, the default signing name is "execute-api" is if not provided
+          example: "glue"
+      required:
+        - roleArn
+        - signingRegion
+
     StorageConfigInfo:
       type: object
       description: A storage configuration used by catalogs
@@ -1023,6 +1057,35 @@ components:
       allOf:
         - $ref: '#/components/schemas/StorageConfigInfo'
 
+    ServiceIdentityInfo:
+      type: object
+      description: Identity metadata for the Polaris service used to access external resources.
+      readOnly: true
+      properties:
+        identityType:
+          type: string
+          enum:
+            - AWS_IAM
+          description: The type of identity used to access external resources
+      required:
+        - identityType
+      discriminator:
+        propertyName: identityType
+        mapping:
+          AWS_IAM: "#/components/schemas/AwsIamServiceIdentityInfo"
+
+    AwsIamServiceIdentityInfo:
+      type: object
+      allOf:
+        - $ref: '#/components/schemas/ServiceIdentityInfo'
+      properties:
+        iamArn:
+          type: string
+          description: The ARN of the IAM user or IAM role Polaris uses to assume roles and then access external resources.
+          example: "arn:aws:iam::111122223333:user/polaris-service-user"
+      required:
+        - iamArn
+
     UpdateCatalogRequest:
       description: Updates to apply to a Catalog. Any fields which are required in the Catalog
         will remain unaltered if omitted from the contents of this Update request.