d0mitoridesu opened a new issue, #13550:
URL: https://github.com/apache/iceberg/issues/13550

   ### Feature Request / Improvement
   
   Hello,
   
   In my current setup, I'm using Strimzi Kafka Connect and Lakekeeper, with 
Apache Iceberg for catalog management.
   
   I am currently authenticating via OAuth2, and my configuration looks roughly 
like this:
   ```
   iceberg.catalog.security: "OAUTH2"
   iceberg.catalog.rest.auth.type: "OAUTH2"
   iceberg.catalog.scope: "lakekeeper"
   iceberg.catalog.catalog: "lakekeeper"
   iceberg.catalog.credential: "env:ICEBERG_CATALOG_CREDENTIAL"
   iceberg.catalog.oauth2-server-uri: "{{ $catalog.oauth2.uri }}"
   ```
   
   Apache Iceberg supports TOKEN-based authentication, and Lakekeeper supports 
Kubernetes token-based authentication, which essentially works as a standard 
Bearer token, delegated by Kubernetes.
   
   I can mount a ServiceAccount token into the Strimzi Kafka Connect pods 
(e.g., at `/var/run/secrets/kubernetes.io/serviceaccount/token`), but there is 
currently no way to instruct Iceberg to read the token directly from that file.
   
   Technically, I could create a secret of type 
`kubernetes.io/service-account-token` and inject it via environment variable, 
but this token will not rotate automatically and will expire after the first 
certificate rotation.
   
   Would it be possible to support a configuration option like the following?
   ```
   iceberg.catalog.token: "file:/var/run/secrets/kubernetes.io/serviceaccount/token"
   ```
   
   This way, the token could be read from the file at task start time, allowing 
us to use Kubernetes-native authentication without needing environment 
variables, external IdP, and also with proper support for token rotation.
   
   Thanks in advance for considering this feature!
   
   ### Query engine
   
   Kafka Connect
   
   ### Willingness to contribute
   
   - [ ] I can contribute this improvement/feature independently
   - [ ] I would be willing to contribute this improvement/feature with 
guidance from the Iceberg community
   - [x] I cannot contribute this improvement/feature at this time


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
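
The behaviour requested in the issue above, sketched as an added example that is not code from the issue or from the Iceberg project: a supplier that resolves a `file:` value and re-reads the file when it changes, so a rotated ServiceAccount token is picked up. The class name `FileTokenSupplier` and the `file:` prefix handling are assumptions for illustration; Iceberg does not provide this option as far as the issue states.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileTime;
import java.util.function.Supplier;

// Hypothetical helper, not an Iceberg class. Call get() before each request
// that needs the bearer token instead of caching the value at task start.
public final class FileTokenSupplier implements Supplier<String> {
  private static final String PREFIX = "file:";
  private final Path path;       // null when the config value is a literal token
  private final String literal;  // null when the config value is a file reference
  private FileTime lastModified;
  private String cached;

  public FileTokenSupplier(String configValue) {
    boolean isFile = configValue.startsWith(PREFIX);
    this.path = isFile ? Paths.get(configValue.substring(PREFIX.length())) : null;
    this.literal = isFile ? null : configValue;
  }

  @Override
  public synchronized String get() {
    if (path == null) {
      return literal;
    }
    try {
      // Symlinks are followed by default, so a swapped projected-volume
      // target shows up as a changed modification time.
      FileTime modified = Files.getLastModifiedTime(path);
      if (cached == null || !modified.equals(lastModified)) {
        String token = new String(Files.readAllBytes(path), StandardCharsets.UTF_8).trim();
        if (token.isEmpty()) {
          throw new IllegalStateException("Token file is empty: " + path);
        }
        cached = token;
        lastModified = modified;
      }
      return cached;
    } catch (IOException e) {
      // Fail closed: never fall back to a stale or empty credential silently.
      throw new IllegalStateException("Cannot read token file: " + path, e);
    }
  }
}
```

The token is kept only in memory and never logged; the exception messages carry the path, not the token contents.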
