joyhaldar opened a new issue, #14446: URL: https://github.com/apache/iceberg/issues/14446
### Feature Request / Improvement

_**Description:**_

**Problem:** [BigQueryMetastoreCatalog](https://github.com/apache/iceberg/blob/main/bigquery/src/main/java/org/apache/iceberg/gcp/bigquery/BigQueryMetastoreCatalog.java) only supports Application Default Credentials with no mechanism for service account impersonation. This prevents identity separation between cluster operations and data access.

**Current Behavior:**

```
Dataproc cluster (cluster-sa)
  ↓
BigQuery Metastore operations: Always uses cluster-sa
```

No way to configure impersonation. This forces cluster service accounts to have both infrastructure and data permissions, preventing multi-tenancy and proper audit trails.

**Example Failure:**

```
Runtime: Spark on Dataproc as [email protected]
Desired: Access tables as [email protected]
Result:  All BigQuery Metastore calls use dataproc-sa
         Cannot separate operational permissions from data access
```

**Impact:** Without impersonation support, organizations cannot implement least-privilege security or run multi-tenant workloads on shared clusters, which are standard requirements for production deployments.

**AWS Comparison:** Iceberg already supports this for AWS via [AssumeRoleAwsClientFactory](https://github.com/apache/iceberg/blob/main/aws/src/main/java/org/apache/iceberg/aws/AssumeRoleAwsClientFactory.java). This creates a consistent identity for both Glue Metastore access and S3 data access.

**Proposed Solution:** Add a pluggable factory pattern (like AwsClientFactory) for BigQuery client creation with impersonation support using Google's ImpersonatedCredentials API.
**References:**

- [AssumeRoleAwsClientFactory](https://github.com/apache/iceberg/blob/main/aws/src/main/java/org/apache/iceberg/aws/AssumeRoleAwsClientFactory.java)
- [GCP ImpersonatedCredentials](https://cloud.google.com/iam/docs/impersonating-service-accounts)

### Query engine

None

### Willingness to contribute

- [x] I can contribute this improvement/feature independently
- [ ] I would be willing to contribute this improvement/feature with guidance from the Iceberg community
- [ ] I cannot contribute this improvement/feature at this time
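One way the proposed factory could wire ImpersonatedCredentials into BigQuery client creation, shown here as an added illustration rather than code from the issue or from Iceberg; the class name and the `gcp.bigquery.impersonation.*` property names are hypothetical, and when no target principal is configured it falls back to the Application Default Credentials path the catalog uses today.

```java
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ImpersonatedCredentials;
import com.google.cloud.bigquery.BigQuery;
import com.google.cloud.bigquery.BigQueryOptions;
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import java.util.Map;

// Hypothetical factory, not part of Iceberg; property names are assumptions for this example.
public class ImpersonatingBigQueryClientFactory {
  static final String TARGET_SA = "gcp.bigquery.impersonation.target-principal";
  static final String LIFETIME = "gcp.bigquery.impersonation.lifetime-seconds";
  // Narrowest scope that still covers the metastore calls.
  static final List<String> SCOPES =
      Collections.singletonList("https://www.googleapis.com/auth/bigquery");

  private final String projectId;
  private final String targetPrincipal;
  private final int lifetimeSeconds;

  public ImpersonatingBigQueryClientFactory(String projectId, Map<String, String> props) {
    this.projectId = projectId;
    this.targetPrincipal = props.get(TARGET_SA);
    this.lifetimeSeconds = Integer.parseInt(props.getOrDefault(LIFETIME, "3600"));
  }

  GoogleCredentials credentials() throws IOException {
    // Source identity: the cluster SA via Application Default Credentials,
    // which is the only path the catalog offers today.
    GoogleCredentials source = GoogleCredentials.getApplicationDefault();
    if (targetPrincipal == null || targetPrincipal.isEmpty()) {
      return source.createScoped(SCOPES); // unchanged behaviour when not configured
    }
    // Mint a short-lived token for the data SA. The cluster SA then needs only
    // roles/iam.serviceAccountTokenCreator on the target, not the data permissions,
    // and audit logs attribute the call to the target while recording the delegation chain.
    return ImpersonatedCredentials.create(
        source, targetPrincipal, Collections.emptyList(), SCOPES, lifetimeSeconds);
  }

  public BigQuery bigquery() throws IOException {
    return BigQueryOptions.newBuilder()
        .setProjectId(projectId)
        .setCredentials(credentials())
        .build()
        .getService();
  }
}
```

Keeping the lifetime short and the scope list minimal limits what a compromised cluster process can do with the minted token, which is the least-privilege property the issue is asking for.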
