assumerole inline policy kms:GenerateDataKey #3434
Unanswered
netapp-acheng
asked this question in
Q&A
Replies: 1 comment 2 replies
Thanks for bringing this up, @netapp-acheng! It looks like a bug to me. If KMS is not configured ( @netapp-acheng : would you mind converting this to an issue?
I am testing Polaris with on-premises S3-compatible storage. I understand I can use the --no-sts option to create a catalog without AWS AssumeRole. I want to create a Polaris catalog with AWS AssumeRole.
These are the catalog details:
{
  "type": "INTERNAL",
  "name": "sts_catalog",
  "properties": {
    "default-base-location": "s3://sts-polaris"
  },
  "createTimestamp": 1766095794668,
  "lastUpdateTimestamp": 1766095794668,
  "entityVersion": 1,
  "storageConfigInfo": {
    "roleArn": "arn:aws:iam::123456789101112:role/assumerole",
    "allowedKmsKeys": [],
    "region": "us-east-1",
    "endpoint": "https://sgdemo.example.com",
    "stsEndpoint": "https://sgdemo.example.com",
    "stsUnavailable": false,
    "pathStyleAccess": false,
    "storageType": "S3",
    "allowedLocations": [
      "s3://sts-polaris"
    ]
  }
}
When I attempted to create a table in this catalog, I got this error:
"Sender
MalformedPolicyDocument
Invalid action: kms:GenerateDataKeyWithoutPlaintext
1766170445858521"
Turning Polaris debug logging on, I saw it sent an AssumeRole request with this inline policy:
{
  "Effect": "Allow",
  "Action": [
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey",
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "arn:aws:kms:us-east-1:123456789101112:key/*"
}
Is there any option to skip the above inline policy, as the S3-compatible storage I am testing does not support encryption using a KMS key? Or must I use --no-sts when creating the catalog?
Thank you.
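
A check for the condition described in the question, as an added example that is not part of the original post and is not Polaris code: it flags session-policy statements that grant kms: actions when the catalog's allowedKmsKeys is empty or does not list the resource. The KMS statement and the empty allowedKmsKeys come from the post; the policy wrapper, the S3 statement, the function names and the assumption that allowedKmsKeys holds key ARNs are hypothetical.

```python
import json

# Constructed inputs: values copied from the catalog and debug log in the post.
STORAGE_CONFIG = {"allowedKmsKeys": [], "region": "us-east-1"}
KMS_STATEMENT = {
    "Effect": "Allow",
    "Action": ["kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
               "kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": "arn:aws:kms:us-east-1:123456789101112:key/*",
}
# Hypothetical S3 statement so the policy has something to keep.
S3_STATEMENT = {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": "arn:aws:s3:::sts-polaris/*"}


def as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def kms_findings(statement, allowed_keys):
    """Return reasons this statement grants KMS access beyond allowed_keys."""
    actions = [a for a in as_list(statement.get("Action", []))
               if a.lower().startswith("kms:")]
    if statement.get("Effect") != "Allow" or not actions:
        return []
    if not allowed_keys:
        return [f"KMS actions {actions} granted but allowedKmsKeys is empty"]
    # Assumption: allowedKmsKeys holds full key ARNs, compared literally.
    extra = [r for r in as_list(statement.get("Resource", []))
             if r not in allowed_keys]
    return [f"KMS resource {r} is not in allowedKmsKeys" for r in extra]


def audit_and_prune(policy, storage_config):
    """Return (findings, copy of policy without the flagged statements)."""
    allowed = storage_config.get("allowedKmsKeys", [])
    findings, kept = [], []
    for stmt in policy["Statement"]:
        reasons = kms_findings(stmt, allowed)
        findings.extend(reasons)
        if not reasons:
            kept.append(stmt)
    return findings, {**policy, "Statement": kept}


if __name__ == "__main__":
    policy = {"Version": "2012-10-17", "Statement": [S3_STATEMENT, KMS_STATEMENT]}
    findings, pruned = audit_and_prune(policy, STORAGE_CONFIG)
    print("\n".join(findings))
    print(json.dumps(pruned, indent=2))
```

A session policy can only narrow what the assumed role already allows, so the key/* statement does not add access by itself, but it is broader than an empty allowedKmsKeys calls for and is the statement the endpoint in the post rejects.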