diff --git a/polaris-core/src/main/java/org/apache/polaris/core/storage/cache/StorageCredentialCache.java b/polaris-core/src/main/java/org/apache/polaris/core/storage/cache/StorageCredentialCache.java
index 4da19f0c22..b8a45be8eb 100644
--- a/polaris-core/src/main/java/org/apache/polaris/core/storage/cache/StorageCredentialCache.java
+++ b/polaris-core/src/main/java/org/apache/polaris/core/storage/cache/StorageCredentialCache.java
@@ -114,7 +114,7 @@ public AccessConfig getOrGenerateSubScopeCreds(
           .fail("entity_type_not_suppported_to_scope_creds", "type={}", polarisEntity.getType());
     }
     StorageCredentialCacheKey key =
-        new StorageCredentialCacheKey(
+        StorageCredentialCacheKey.of(
             callCtx.getRealmContext().getRealmIdentifier(),
             polarisEntity,
             allowListOperation,
@@ -127,12 +127,12 @@ public AccessConfig getOrGenerateSubScopeCreds(
           ScopedCredentialsResult scopedCredentialsResult =
               credentialVendor.getSubscopedCredsForEntity(
                   callCtx,
-                  k.getCatalogId(),
-                  k.getEntityId(),
+                  k.catalogId(),
+                  polarisEntity.getId(),
                   polarisEntity.getType(),
-                  k.isAllowedListAction(),
-                  k.getAllowedReadLocations(),
-                  k.getAllowedWriteLocations());
+                  k.allowedListAction(),
+                  k.allowedReadLocations(),
+                  k.allowedWriteLocations());
           if (scopedCredentialsResult.isSuccess()) {
             long maxCacheDurationMs = maxCacheDurationMs(callCtx.getRealmConfig());
             return new StorageCredentialCacheEntry(scopedCredentialsResult, maxCacheDurationMs);
diff --git a/polaris-core/src/main/java/org/apache/polaris/core/storage/cache/StorageCredentialCacheKey.java b/polaris-core/src/main/java/org/apache/polaris/core/storage/cache/StorageCredentialCacheKey.java
index 26c2115d9f..79eba7d1dc 100644
--- a/polaris-core/src/main/java/org/apache/polaris/core/storage/cache/StorageCredentialCacheKey.java
+++ b/polaris-core/src/main/java/org/apache/polaris/core/storage/cache/StorageCredentialCacheKey.java
@@ -18,118 +18,51 @@
  */
 package org.apache.polaris.core.storage.cache;
 
-import java.util.Objects;
+import jakarta.annotation.Nullable;
 import java.util.Set;
 import org.apache.polaris.core.entity.PolarisEntity;
 import org.apache.polaris.core.entity.PolarisEntityConstants;
+import org.apache.polaris.immutables.PolarisImmutable;
+import org.immutables.value.Value;
 
-public class StorageCredentialCacheKey {
+@PolarisImmutable
+public interface StorageCredentialCacheKey {
 
-  private final String realmId;
-  private final long catalogId;
+  @Value.Parameter(order = 1)
+  String realmId();
 
-  /** The serialized string of the storage config. */
-  private final String storageConfigSerializedStr;
+  @Value.Parameter(order = 2)
+  long catalogId();
 
-  /**
-   * The entity id is passed to be used to fetch subscoped creds, but is not used to do hash/equals
-   * as part of the cache key.
-   */
-  private final long entityId;
+  @Value.Parameter(order = 3)
+  @Nullable
+  String storageConfigSerializedStr();
 
-  private final boolean allowedListAction;
-  private final Set<String> allowedReadLocations;
+  @Value.Parameter(order = 4)
+  boolean allowedListAction();
 
-  private final Set<String> allowedWriteLocations;
+  @Value.Parameter(order = 5)
+  Set<String> allowedReadLocations();
 
-  public StorageCredentialCacheKey(
+  @Value.Parameter(order = 6)
+  Set<String> allowedWriteLocations();
+
+  static StorageCredentialCacheKey of(
       String realmId,
       PolarisEntity entity,
       boolean allowedListAction,
       Set<String> allowedReadLocations,
       Set<String> allowedWriteLocations) {
-    this.realmId = realmId;
-    this.catalogId = entity.getCatalogId();
-    this.storageConfigSerializedStr =
+    String storageConfigSerializedStr =
         entity
             .getInternalPropertiesAsMap()
             .get(PolarisEntityConstants.getStorageConfigInfoPropertyName());
-    this.entityId = entity.getId();
-    this.allowedListAction = allowedListAction;
-    this.allowedReadLocations = allowedReadLocations;
-    this.allowedWriteLocations = allowedWriteLocations;
-  }
-
-  public String getRealmId() {
-    return realmId;
-  }
-
-  public long getCatalogId() {
-    return catalogId;
-  }
-
-  public String getStorageConfigSerializedStr() {
-    return storageConfigSerializedStr;
-  }
-
-  public long getEntityId() {
-    return entityId;
-  }
-
-  public boolean isAllowedListAction() {
-    return allowedListAction;
-  }
-
-  public Set<String> getAllowedReadLocations() {
-    return allowedReadLocations;
-  }
-
-  public Set<String> getAllowedWriteLocations() {
-    return allowedWriteLocations;
-  }
-
-  @Override
-  public boolean equals(Object o) {
-    if (this == o) return true;
-    if (o == null || getClass() != o.getClass()) return false;
-    StorageCredentialCacheKey cacheKey = (StorageCredentialCacheKey) o;
-    return Objects.equals(realmId, cacheKey.getRealmId())
-        && catalogId == cacheKey.getCatalogId()
-        && Objects.equals(storageConfigSerializedStr, cacheKey.getStorageConfigSerializedStr())
-        && allowedListAction == cacheKey.allowedListAction
-        && Objects.equals(allowedReadLocations, cacheKey.allowedReadLocations)
-        && Objects.equals(allowedWriteLocations, cacheKey.allowedWriteLocations);
-  }
-
-  @Override
-  public int hashCode() {
-    return Objects.hash(
+    return ImmutableStorageCredentialCacheKey.of(
         realmId,
-        catalogId,
+        entity.getCatalogId(),
         storageConfigSerializedStr,
         allowedListAction,
         allowedReadLocations,
         allowedWriteLocations);
   }
-
-  @Override
-  public String toString() {
-    return "StorageCredentialCacheKey{"
-        + "realmId="
-        + realmId
-        + ", catalogId="
-        + catalogId
-        + ", storageConfigSerializedStr='"
-        + storageConfigSerializedStr
-        + '\''
-        + ", entityId="
-        + entityId
-        + ", allowedListAction="
-        + allowedListAction
-        + ", allowedReadLocations="
-        + allowedReadLocations
-        + ", allowedWriteLocations="
-        + allowedWriteLocations
-        + '}';
-  }
 }
diff --git a/polaris-core/src/test/java/org/apache/polaris/core/storage/cache/StorageCredentialCacheTest.java b/polaris-core/src/test/java/org/apache/polaris/core/storage/cache/StorageCredentialCacheTest.java
index 0d4bb39bb1..28feda6a5d 100644
--- a/polaris-core/src/test/java/org/apache/polaris/core/storage/cache/StorageCredentialCacheTest.java
+++ b/polaris-core/src/test/java/org/apache/polaris/core/storage/cache/StorageCredentialCacheTest.java
@@ -177,7 +177,7 @@ public void testCacheEvict() throws InterruptedException {
             1, 2, PolarisEntityType.CATALOG, PolarisEntitySubType.ICEBERG_TABLE, 0, "name");
     PolarisEntity polarisEntity = new PolarisEntity(baseEntity);
     StorageCredentialCacheKey cacheKey =
-        new StorageCredentialCacheKey(
+        StorageCredentialCacheKey.of(
             callCtx.getRealmContext().getRealmIdentifier(),
             polarisEntity,
             true,