apache
diff --git a/‎polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java‎
Lines changed: 35 additions & 13 deletions b/‎polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java‎
Lines changed: 35 additions & 13 deletions
diff --git a/‎polaris-core/src/main/java/org/apache/polaris/core/storage/aws/StsResponseCapture.java‎
Lines changed: 42 additions & 0 deletions b/‎polaris-core/src/main/java/org/apache/polaris/core/storage/aws/StsResponseCapture.java‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎polaris-core/src/main/java/org/apache/polaris/core/storage/aws/StsResponseCaptureInterceptor.java‎
Lines changed: 95 additions & 0 deletions b/‎polaris-core/src/main/java/org/apache/polaris/core/storage/aws/StsResponseCaptureInterceptor.java‎
Lines changed: 95 additions & 0 deletions
diff --git a/‎polaris-core/src/main/java/org/apache/polaris/core/storage/aws/StsXmlParser.java‎
Lines changed: 104 additions & 0 deletions b/‎polaris-core/src/main/java/org/apache/polaris/core/storage/aws/StsXmlParser.java‎
Lines changed: 104 additions & 0 deletions
diff --git a/‎polaris-core/src/test/java/org/apache/polaris/core/storage/aws/StsResponseCaptureInterceptorTest.java‎
Lines changed: 96 additions & 0 deletions b/‎polaris-core/src/test/java/org/apache/polaris/core/storage/aws/StsResponseCaptureInterceptorTest.java‎
Lines changed: 96 additions & 0 deletions
@@ -109,19 +109,41 @@ public AccessConfig getSubscopedCreds(
                   storageConfig.getIgnoreSSLVerification()));
 
       AssumeRoleResponse response = stsClient.assumeRole(request.build());
-      accessConfig.put(StorageAccessProperty.AWS_KEY_ID, response.credentials().accessKeyId());
-      accessConfig.put(
-          StorageAccessProperty.AWS_SECRET_KEY, response.credentials().secretAccessKey());
-      accessConfig.put(StorageAccessProperty.AWS_TOKEN, response.credentials().sessionToken());
-      Optional.ofNullable(response.credentials().expiration())
-          .ifPresent(
-              i -> {
-                accessConfig.put(
-                    StorageAccessProperty.EXPIRATION_TIME, String.valueOf(i.toEpochMilli()));
-                accessConfig.put(
-                    StorageAccessProperty.AWS_SESSION_TOKEN_EXPIRES_AT_MS,
-                    String.valueOf(i.toEpochMilli()));
-              });
+      if (response != null && response.credentials() != null) {
+        accessConfig.put(StorageAccessProperty.AWS_KEY_ID, response.credentials().accessKeyId());
+        accessConfig.put(
+            StorageAccessProperty.AWS_SECRET_KEY, response.credentials().secretAccessKey());
+        accessConfig.put(StorageAccessProperty.AWS_TOKEN, response.credentials().sessionToken());
+        Optional.ofNullable(response.credentials().expiration())
+            .ifPresent(
+                i -> {
+                  accessConfig.put(
+                      StorageAccessProperty.EXPIRATION_TIME, String.valueOf(i.toEpochMilli()));
+                  accessConfig.put(
+                      StorageAccessProperty.AWS_SESSION_TOKEN_EXPIRES_AT_MS,
+                      String.valueOf(i.toEpochMilli()));
+                });
+      } else {
+        // Try to recover by reading raw STS body captured by interceptor
+        try {
+          String raw = org.apache.polaris.core.storage.aws.StsResponseCapture.getLastBody();
+          if (raw != null && !raw.isBlank()) {
+            try {
+              var parsed =
+                  org.apache.polaris.core.storage.aws.StsXmlParser.parseToAccessConfig(raw);
+              // merge parsed credentials into accessConfig builder
+              parsed.credentials().forEach((k, v) -> accessConfig.putCredential(k, v));
+              parsed.internalProperties().forEach((k, v) -> accessConfig.putInternalProperty(k, v));
+              parsed.extraProperties().forEach((k, v) -> accessConfig.putExtraProperty(k, v));
+              parsed.expiresAt().ifPresent(accessConfig::expiresAt);
+            } catch (Exception ignore) {
+              // parsing failed - ignore and fallthrough
+            }
+          }
+        } finally {
+          org.apache.polaris.core.storage.aws.StsResponseCapture.clear();
+        }
+      }
     }
 
     if (region != null) {
 
@@ -0,0 +1,42 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.polaris.core.storage.aws;
+
+/**
+ * Simple thread-local holder for the last raw STS HTTP response body captured by an
+ * ExecutionInterceptor. This is intended as a pragmatic bridge so synchronous SDK calls can consult
+ * the raw response body when unmarshalling produced an unexpected null result.
+ */
+public final class StsResponseCapture {
+  private static final ThreadLocal<String> LAST_BODY = new ThreadLocal<>();
+
+  private StsResponseCapture() {}
+
+  public static void setLastBody(String body) {
+    LAST_BODY.set(body);
+  }
+
+  public static String getLastBody() {
+    return LAST_BODY.get();
+  }
+
+  public static void clear() {
+    LAST_BODY.remove();
+  }
+}
@@ -0,0 +1,95 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.polaris.core.storage.aws;
+
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.lang.reflect.Method;
+import java.nio.charset.StandardCharsets;
+import java.util.Optional;
+import software.amazon.awssdk.core.interceptor.Context.AfterTransmission;
+import software.amazon.awssdk.core.interceptor.ExecutionAttributes;
+import software.amazon.awssdk.core.interceptor.ExecutionInterceptor;
+
+/**
+ * ExecutionInterceptor that captures the raw HTTP response body for STS calls and saves it into
+ * StsResponseCapture (thread-local). This allows calling code to inspect the raw response when the
+ * SDK's unmarshalling yields null credentials.
+ */
+public class StsResponseCaptureInterceptor implements ExecutionInterceptor {
+
+  @Override
+  public void afterTransmission(
+      AfterTransmission context, ExecutionAttributes executionAttributes) {
+    try {
+      // Use reflection to call context.httpResponse() because SDK versions expose different
+      // types/APIs
+      Method httpRespMethod = context.getClass().getMethod("httpResponse");
+      Object httpResp = httpRespMethod.invoke(context);
+      if (httpResp != null) {
+        try {
+          Optional<InputStream> content = OptionalUtils.safeGetContent(httpResp);
+          if (content.isPresent()) {
+            try (InputStream in = content.get();
+                ByteArrayOutputStream out = new ByteArrayOutputStream()) {
+              byte[] buf = new byte[8192];
+              int r;
+              while ((r = in.read(buf)) != -1) {
+                out.write(buf, 0, r);
+              }
+              String resp = new String(out.toByteArray(), StandardCharsets.UTF_8);
+              StsResponseCapture.setLastBody(resp);
+            }
+          }
+        } catch (Exception e) {
+          // best-effort; don't fail the call because of capture problems
+        }
+      }
+    } catch (Throwable t) {
+      // swallow - capture is non-fatal
+    }
+  }
+}
+
+// Small utility to safely read content from SdkHttpResponse across SDK versions.
+final class OptionalUtils {
+  static Optional<InputStream> safeGetContent(Object httpResp) {
+    try {
+      Method contentMethod = httpResp.getClass().getMethod("content");
+      Object val = contentMethod.invoke(httpResp);
+      if (val == null) return Optional.empty();
+      if (val instanceof Optional) {
+        Optional<?> anyOpt = (Optional<?>) val;
+        if (anyOpt.isPresent() && anyOpt.get() instanceof InputStream) {
+          return Optional.of((InputStream) anyOpt.get());
+        }
+        return Optional.empty();
+      }
+      // Some SDKs may return an InputStream directly
+      if (val instanceof InputStream) {
+        return Optional.of((InputStream) val);
+      }
+    } catch (NoSuchMethodException nsme) {
+      // ignore
+    } catch (Exception e) {
+      // ignore other reflection errors
+    }
+    return Optional.empty();
+  }
+}
@@ -0,0 +1,104 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.polaris.core.storage.aws;
+
+import java.time.Instant;
+import java.util.Objects;
+import org.apache.polaris.core.storage.AccessConfig;
+
+/** Utility to parse STS AssumeRoleResponse XML (namespaced or not) into an AccessConfig. */
+public final class StsXmlParser {
+  private StsXmlParser() {}
+
+  public static AccessConfig parseToAccessConfig(String xml) throws Exception {
+    Objects.requireNonNull(xml);
+    var dbf = javax.xml.parsers.DocumentBuilderFactory.newInstance();
+    dbf.setNamespaceAware(true);
+    var db = dbf.newDocumentBuilder();
+    try (java.io.ByteArrayInputStream in =
+        new java.io.ByteArrayInputStream(xml.getBytes(java.nio.charset.StandardCharsets.UTF_8))) {
+      org.w3c.dom.Document doc = db.parse(in);
+      javax.xml.xpath.XPath xPath = javax.xml.xpath.XPathFactory.newInstance().newXPath();
+
+      String accessKeyId =
+          (String)
+              xPath.evaluate(
+                  "//*[local-name() = 'Credentials']/*[local-name() = 'AccessKeyId']/text()",
+                  doc,
+                  javax.xml.xpath.XPathConstants.STRING);
+      String secretAccessKey =
+          (String)
+              xPath.evaluate(
+                  "//*[local-name() = 'Credentials']/*[local-name() = 'SecretAccessKey']/text()",
+                  doc,
+                  javax.xml.xpath.XPathConstants.STRING);
+      String sessionToken =
+          (String)
+              xPath.evaluate(
+                  "//*[local-name() = 'Credentials']/*[local-name() = 'SessionToken']/text()",
+                  doc,
+                  javax.xml.xpath.XPathConstants.STRING);
+      String expiration =
+          (String)
+              xPath.evaluate(
+                  "//*[local-name() = 'Credentials']/*[local-name() = 'Expiration']/text()",
+                  doc,
+                  javax.xml.xpath.XPathConstants.STRING);
+
+      if (accessKeyId == null || accessKeyId.isBlank()) {
+        throw new IllegalArgumentException("No AccessKeyId found in STS response XML");
+      }
+
+      AccessConfig.Builder builder = AccessConfig.builder();
+      builder.putCredential(
+          org.apache.polaris.core.storage.StorageAccessProperty.AWS_KEY_ID.getPropertyName(),
+          accessKeyId.trim());
+      if (secretAccessKey != null && !secretAccessKey.isBlank()) {
+        builder.putCredential(
+            org.apache.polaris.core.storage.StorageAccessProperty.AWS_SECRET_KEY.getPropertyName(),
+            secretAccessKey.trim());
+      }
+      if (sessionToken != null && !sessionToken.isBlank()) {
+        builder.putCredential(
+            org.apache.polaris.core.storage.StorageAccessProperty.AWS_TOKEN.getPropertyName(),
+            sessionToken.trim());
+      }
+      if (expiration != null && !expiration.isBlank()) {
+        try {
+          Instant i = Instant.parse(expiration.trim());
+          builder.putCredential(
+              org.apache.polaris.core.storage.StorageAccessProperty.EXPIRATION_TIME
+                  .getPropertyName(),
+              String.valueOf(i.toEpochMilli()));
+          builder.putCredential(
+              org.apache.polaris.core.storage.StorageAccessProperty.AWS_SESSION_TOKEN_EXPIRES_AT_MS
+                  .getPropertyName(),
+              String.valueOf(i.toEpochMilli()));
+          builder.expiresAt(i);
+        } catch (Exception e) {
+          builder.putExtraProperty(
+              org.apache.polaris.core.storage.StorageAccessProperty.EXPIRATION_TIME
+                  .getPropertyName(),
+              expiration.trim());
+        }
+      }
+      return builder.build();
+    }
+  }
+}
@@ -0,0 +1,96 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.polaris.core.storage.aws;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.io.ByteArrayInputStream;
+import java.util.Optional;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import software.amazon.awssdk.core.interceptor.ExecutionAttributes;
+
+public class StsResponseCaptureInterceptorTest {
+
+  @BeforeEach
+  public void before() {
+    StsResponseCapture.clear();
+  }
+
+  // Local interface used by the dynamic proxy to provide content()
+  @SuppressWarnings("unused")
+  private interface ContentHolder {
+    java.util.Optional<java.io.InputStream> content();
+  }
+
+  @Test
+  public void testAfterTransmissionCapturesBody() {
+    StsResponseCaptureInterceptor interceptor = new StsResponseCaptureInterceptor();
+    try {
+      Class<?> afterCls = software.amazon.awssdk.core.interceptor.Context.AfterTransmission.class;
+      Class<?> httpRespType = afterCls.getMethod("httpResponse").getReturnType();
+
+      // Build a response proxy that implements both the SDK response return type and ContentHolder
+      Object respProxy =
+          java.lang.reflect.Proxy.newProxyInstance(
+              httpRespType.getClassLoader(),
+              new Class[] {httpRespType, ContentHolder.class},
+              (proxy, method, args) -> {
+                if ("content".equals(method.getName())) {
+                  return Optional.of(
+                      new ByteArrayInputStream(
+                          "raw-body-xyz".getBytes(java.nio.charset.StandardCharsets.UTF_8)));
+                }
+                return null;
+              });
+
+      // Now build an AfterTransmission proxy that returns the respProxy from httpResponse()
+      Object ctxProxy =
+          java.lang.reflect.Proxy.newProxyInstance(
+              afterCls.getClassLoader(),
+              new Class[] {afterCls},
+              (proxy, method, args) -> {
+                if ("httpResponse".equals(method.getName())) {
+                  return respProxy;
+                }
+                return null;
+              });
+
+      interceptor.afterTransmission(
+          (software.amazon.awssdk.core.interceptor.Context.AfterTransmission) ctxProxy,
+          new ExecutionAttributes());
+    } catch (Throwable t) {
+      throw new AssertionError(t);
+    }
+    // Because we cast via reflection, ensure the captured body is set
+    assertThat(StsResponseCapture.getLastBody()).isEqualTo("raw-body-xyz");
+  }
+
+  @Test
+  public void testAfterTransmissionSilentlyIgnoresUnknownContext() {
+    StsResponseCaptureInterceptor interceptor = new StsResponseCaptureInterceptor();
+    // Create a mock AfterTransmission that returns null for httpResponse()
+    software.amazon.awssdk.core.interceptor.Context.AfterTransmission nullRespContext =
+        org.mockito.Mockito.mock(
+            software.amazon.awssdk.core.interceptor.Context.AfterTransmission.class);
+    org.mockito.Mockito.when(nullRespContext.httpResponse()).thenReturn(null);
+    interceptor.afterTransmission(nullRespContext, new ExecutionAttributes());
+    assertThat(StsResponseCapture.getLastBody()).isNull();
+  }
+}