<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Configuring Polaris for Production on Apache Polaris</title><link>https://polaris.apache.org/releases/1.6.0/configuration/configuring-polaris-for-production/</link><description>Recent content in Configuring Polaris for Production on Apache Polaris</description><generator>Hugo</generator><language>en-us</language><copyright>&lt;a href="https://www.apache.org/"&gt;Copyright © 2026 The Apache Software Foundation&lt;/a&gt;.&lt;br&gt;Licensed under the &lt;a href="https://www.apache.org/licenses/LICENSE-2.0"&gt;Apache License, Version 2.0&lt;/a&gt;.</copyright><atom:link href="https://polaris.apache.org/releases/1.6.0/configuration/configuring-polaris-for-production/index.xml" rel="self" type="application/rss+xml"/><item><title>Configuring GCS Cloud Storage</title><link>https://polaris.apache.org/releases/1.6.0/configuration/configuring-polaris-for-production/configuring-gcs-cloud-storage-specific/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://polaris.apache.org/releases/1.6.0/configuration/configuring-polaris-for-production/configuring-gcs-cloud-storage-specific/</guid><description>&lt;p&gt;This page provides guidance for configuring GCS Cloud Storage provider for use with Polaris. It covers credential vending, IAM roles, ACL requirements, and best practices to ensure secure and reliable integration.&lt;/p&gt;
&lt;p&gt;All catalog operations in Polaris for Google Cloud Storage (GCS)—including listing, reading, and writing objects—are performed using credential vending, which issues scoped (vended) tokens for secure access.&lt;/p&gt;
&lt;p&gt;Polaris requires both IAM roles and &lt;a href="https://docs.cloud.google.com/storage/docs/hns-overview"&gt;Hierarchical Namespace (HNS)&lt;/a&gt; ACLs (if HNS is enabled) to be properly configured. Even with the correct IAM role (e.g., &lt;code&gt;roles/storage.objectAdmin&lt;/code&gt;), access to paths such as &lt;code&gt;gs://&amp;lt;bucket&amp;gt;/idsp_ns/sample_table4/&lt;/code&gt; may fail with 403 errors if HNS ACLs are missing for scoped tokens. The original access token may work, but scoped (vended) tokens require HNS ACLs on the base path or relevant subpath.&lt;/p&gt;</description></item><item><title>Configuring S3 Storage</title><link>https://polaris.apache.org/releases/1.6.0/configuration/configuring-polaris-for-production/configuring-aws-s3-cloud-storage-specific/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://polaris.apache.org/releases/1.6.0/configuration/configuring-polaris-for-production/configuring-aws-s3-cloud-storage-specific/</guid><description>&lt;p&gt;This page covers configuring AWS S3, and S3-compatible object stores (MinIO, Apache Ozone S3
gateway, Ceph RGW, and similar), as the storage backend for a Polaris catalog. On AWS S3, all read
and write operations are performed using credential vending: Polaris assumes a customer IAM role
via STS and returns scoped, short-lived credentials to the client. The IAM role, its trust policy,
and the bucket itself must be set up before the catalog is created.&lt;/p&gt;</description></item><item><title>Configuring Azure Blob Cloud Storage</title><link>https://polaris.apache.org/releases/1.6.0/configuration/configuring-polaris-for-production/configuring-azure-blob-cloud-storage-specific/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://polaris.apache.org/releases/1.6.0/configuration/configuring-polaris-for-production/configuring-azure-blob-cloud-storage-specific/</guid><description>&lt;p&gt;This page covers configuring Azure Blob Storage and Azure Data Lake Storage Gen2 (ADLS Gen2) as
the storage backend for a Polaris catalog. Polaris authenticates against Azure with the credentials
of a service principal that has data-plane access to the target storage account, and then vends
short-lived SAS tokens to clients on each table-load request.&lt;/p&gt;
&lt;h2 id="service-principal-and-polaris-credentials" id="service-principal-and-polaris-credentials"&gt;Service principal and Polaris credentials&lt;a class="heading-anchor" href="#service-principal-and-polaris-credentials" aria-label="Anchor"&gt;🔗&lt;/a&gt;
&lt;/h2&gt;
&lt;p&gt;Polaris uses the Azure SDK&amp;rsquo;s &lt;code&gt;DefaultAzureCredential&lt;/code&gt; chain, which by default reads the
service-principal credentials from environment variables. Create a service principal with data
access to the storage account and pass its credentials to the Polaris process:&lt;/p&gt;</description></item></channel></rss>