
Credential Vending

Credential Vending provides temporary, down-scoped credentials for secure access to the following Unity Catalog securables:

Credential Vending uses CredentialOperations to vend credentials that grant temporary access to assets (data) stored in the following cloud object stores:

Privileges

Credential Vending supports the following privileges:

  • SELECT
  • UPDATE

Permissions

The term privileges is a synonym for permissions.

Path Operations

Unity Catalog supports the following path operations:

  • PATH_CREATE_TABLE
  • PATH_READ
  • PATH_READ_WRITE
  • UNKNOWN_PATH_OPERATION

TemporaryPathCredentialsService uses the path operation to determine the privileges required for it (while generating temporary path credentials).

OpenAPI Generator

Path operations are defined in PathOperation enum in Unity Catalog's OpenAPI specification.

Model Version Operations

Unity Catalog supports the following model version operations:

  • READ_MODEL_VERSION
  • READ_WRITE_MODEL_VERSION
  • UNKNOWN_MODEL_VERSION_OPERATION

TemporaryModelVersionCredentialsService uses the model version operation to determine the privileges required for it (while generating temporary model version credentials).

OpenAPI Generator

Model version operations are defined in the ModelVersionOperation enum in Unity Catalog's OpenAPI specification.

Amazon S3

Alex Reid once wrote:

For UC OSS to work with S3, you need a role (you give the ARN of that role in the properties) that has access to the bucket (also set in the properties), and you also need a user that can assume that role (and you provide the creds for that user in the properties).

In order to properly downscope vended credentials (when asking for creds to a specific table, etc.), we need to be able to assume a role that has broader bucket access.

UC OSS doesn't yet support more advanced AWS access-like identity federation, etc.

And later Alex wrote:

You need to set a roleArn in the server.properties that has access to the bucket AND which the instance profile attached to the server can assume.

This is how scoped AWS credentials work (you need to assume a role that has access to the bucket in order to give scoped temporary credentials).
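The down-scoping described above, and the PathOperation-to-privilege mapping from the Path Operations section, as an added example that is not Unity Catalog's own code: the server assumes the broad-access role named by roleArn and passes an inline session policy restricted to the table's S3 prefix, so the vended credentials are the intersection of the role's permissions and that policy. The operation-to-action mapping, parse_s3_uri, session_policy and vend_credentials are this example's own assumptions; the STS call is boto3's assume_role.

```python
import json

# Path operations come from Unity Catalog's PathOperation enum. Which S3 actions
# each one maps to is an assumption made for this example, not UC's own policy.
# UNKNOWN_PATH_OPERATION is deliberately absent, so it is refused below.
S3_ACTIONS = {
    "PATH_READ": ["s3:GetObject", "s3:ListBucket"],
    "PATH_READ_WRITE": ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject"],
    "PATH_CREATE_TABLE": ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject"],
}


def parse_s3_uri(uri):
    """Split 's3://bucket/prefix/' into (bucket, prefix); prefix has no surrounding slashes."""
    if not uri.startswith("s3://"):
        raise ValueError("not an s3:// URI: %r" % uri)
    bucket, _, prefix = uri[len("s3://"):].partition("/")
    if not bucket:
        raise ValueError("missing bucket in %r" % uri)
    return bucket, prefix.strip("/")


def session_policy(table_location, operation):
    """Inline session policy for sts:AssumeRole. STS grants only the intersection of
    the role's own policy and this one, so the credentials cannot reach outside the
    table's prefix even though the role can see the whole bucket."""
    if operation not in S3_ACTIONS:
        raise ValueError("unsupported path operation: %s" % operation)
    bucket, prefix = parse_s3_uri(table_location)
    object_arn = "arn:aws:s3:::%s/%s" % (bucket, prefix + "/*" if prefix else "*")
    object_actions = [a for a in S3_ACTIONS[operation] if a != "s3:ListBucket"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Object-level actions only on keys under the table prefix.
            {"Effect": "Allow", "Action": object_actions, "Resource": object_arn},
            # Listing is a bucket-level action; constrain it with an s3:prefix condition.
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": "arn:aws:s3:::%s" % bucket,
             "Condition": {"StringLike": {"s3:prefix": [prefix + "/*" if prefix else "*"]}}},
        ],
    }


def vend_credentials(sts_client, role_arn, table_location, operation, duration=900):
    """Assume the bucket-wide role (roleArn from server.properties) with the
    down-scoped session policy; sts_client is e.g. boto3.client('sts')."""
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName="uc-vend-" + operation.lower(),
        Policy=json.dumps(session_policy(table_location, operation)),
        DurationSeconds=duration,  # short-lived: 900 s is the STS minimum
    )
    return resp["Credentials"]
```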

Learning Resources

  1. AWS Lake Formation