Add support for specifying session policy in S3 Security Mapping

[dpark3542]

Unless I'm mistaken it appears the custom credentials provider is only supported for legacy s3 and not native s3.

[nineinchnick]

Please describe your use case.

[dpark3542]

We have a custom credentials provider that scopes down permissions in a session policy based on the URI and the calling user.

[nineinchnick]

Could you use the security mapping feature for this?

[dpark3542]

Doesn't seem like the security mapping allows specifying the session policy. Think it needs to be exposed in the AssumeRole request here:

StsAssumeRoleCredentialsProvider.builder()
                    .refreshRequest(request -> request
                            .roleArn(staticIamRole.get())
                            .roleSessionName(staticRoleSessionName)
                            .externalId(externalId))
                    .stsClient(createStsClient(config, staticCredentialsProvider))
                    .asyncCredentialUpdateEnabled(true)
                    .build()

We would also like to check the S3 URI dynamically. Does the security mapping only take static URI's?

[nineinchnick]

Security mapping supports URL prefixes: https://trino.io/docs/current/object-storage/file-system-s3.html#security-mapping

If the security mapping allowed specifying session policy, would that solve your issue? If yes, can you adjust the issue title?

[dpark3542]

We want to modify the session policy based on what's in the S3 URI too though. I see there's currently support for replacing ${USER} in just the role session name. If there was a way to replace captured regex groups from the user or S3 prefix into the session policy, then that would solve our issue. Does that sound ok?