Martozar opened a new pull request, #16687:
URL: https://github.com/apache/iceberg/pull/16687
### Motivation
When `client.assume-role.arn` is set, AWS clients created by
`AssumeRoleAwsClientFactory` (S3, Glue, DynamoDB, KMS) assume the configured
role, but the REST catalog SigV4 signer keeps signing requests with the base
credentials. Catalog requests and data access are therefore performed as two
different identities, which breaks credential-less setups (instance profile /
IRSA base credentials + a cross-account role) against SigV4-signed REST
catalogs.
### Changes
- `AwsProperties.restCredentialsProvider()` wraps the base credentials in
an auto-refreshing `StsAssumeRoleCredentialsProvider` when
`client.assume-role.arn` is set, reusing the existing `client.assume-role.*`
properties (session name, external-id, timeout, tags) consistently with
`AssumeRoleAwsClientFactory`.
- The returned provider is `SdkAutoCloseable` and closes the underlying
STS client and base provider; `RESTSigV4AuthSession` already closes closeable
providers since #<PR of f2ed6a9db>.
### Behavior change
Users who set `client.assume-role.arn` for data access while SigV4-signing
with base credentials will now sign catalog requests with the assumed role.
This is the intended consistency fix, but it changes the signing identity for
that configuration.
### Alternatives considered
`client.credentials-provider` with a custom provider class: requires every
user to ship a wrapper class, since the SDK's
`StsAssumeRoleCredentialsProvider` has no static `create()`/`create(Map)`
factory.
### Testing
New unit tests in `TestAwsProperties` and `TestRESTSigV4AuthSession`;
`./gradlew :iceberg-aws:check` passes.
### AI disclosure
Drafted with AI assistance (Claude Code) based on a patch we run in
production against StarRocks-bundled Iceberg; design, tests and verification
reviewed by the author. Reviewer attention welcome on the STS client
lifecycle/closing in `AssumeRoleRestCredentialsProvider`.
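As an added illustration of the mechanism the PR describes (not code from the PR or from the Iceberg project), the class below wraps a base `AwsCredentialsProvider` in an auto-refreshing `StsAssumeRoleCredentialsProvider` when `client.assume-role.arn` is set, and owns the STS client so that closing the wrapper releases it. The class name `ExampleAssumeRoleRestCredentialsProvider`, the helper `wrap(...)`, the defaults (one-hour session, `iceberg-rest-session` session name, `AWS_GLOBAL` STS region) and the use of the `client.assume-role.session-name`, `external-id`, `timeout-sec`, `region` and `tags.` keys are assumptions of this example; only `client.assume-role.arn` and the `client.assume-role.*` family are stated on the page.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.Tag;
import software.amazon.awssdk.utils.SdkAutoCloseable;

/**
 * Hypothetical example class (not part of Iceberg): signs REST catalog requests with the
 * assumed role instead of the base identity, and closes the STS client it created.
 */
public final class ExampleAssumeRoleRestCredentialsProvider
    implements AwsCredentialsProvider, SdkAutoCloseable {

  // Property keys assumed to mirror the existing client.assume-role.* family.
  private static final String ROLE_ARN = "client.assume-role.arn";
  private static final String SESSION_NAME = "client.assume-role.session-name";
  private static final String EXTERNAL_ID = "client.assume-role.external-id";
  private static final String TIMEOUT_SEC = "client.assume-role.timeout-sec";
  private static final String REGION = "client.assume-role.region";
  private static final String TAGS_PREFIX = "client.assume-role.tags.";

  private final AwsCredentialsProvider baseProvider;
  private final StsClient stsClient;
  private final StsAssumeRoleCredentialsProvider delegate;

  private ExampleAssumeRoleRestCredentialsProvider(
      AwsCredentialsProvider baseProvider, StsClient stsClient,
      StsAssumeRoleCredentialsProvider delegate) {
    this.baseProvider = baseProvider;
    this.stsClient = stsClient;
    this.delegate = delegate;
  }

  /** Returns the base provider unchanged when no role is configured, otherwise the wrapper. */
  public static AwsCredentialsProvider wrap(AwsCredentialsProvider base, Map<String, String> props) {
    String roleArn = props.get(ROLE_ARN);
    if (roleArn == null || roleArn.isEmpty()) {
      return base; // no role: keep signing with the base credentials
    }

    // Session tags are collected from client.assume-role.tags.<key>=<value> entries.
    List<Tag> tags = new ArrayList<>();
    for (Map.Entry<String, String> e : props.entrySet()) {
      if (e.getKey().startsWith(TAGS_PREFIX)) {
        tags.add(Tag.builder()
            .key(e.getKey().substring(TAGS_PREFIX.length()))
            .value(e.getValue())
            .build());
      }
    }

    // The STS call itself is made with the base credentials (instance profile / IRSA).
    StsClient sts = StsClient.builder()
        .credentialsProvider(base)
        .region(Region.of(props.getOrDefault(REGION, Region.AWS_GLOBAL.id())))
        .build();

    AssumeRoleRequest.Builder request = AssumeRoleRequest.builder()
        .roleArn(roleArn)
        .roleSessionName(props.getOrDefault(SESSION_NAME, "iceberg-rest-session"))
        .durationSeconds(Integer.parseInt(props.getOrDefault(TIMEOUT_SEC, "3600")))
        .tags(tags);
    String externalId = props.get(EXTERNAL_ID);
    if (externalId != null) {
      request.externalId(externalId); // cross-account confused-deputy guard
    }

    // The SDK provider refreshes the session before it expires; it does not own the StsClient.
    StsAssumeRoleCredentialsProvider delegate = StsAssumeRoleCredentialsProvider.builder()
        .stsClient(sts)
        .refreshRequest(request.build())
        .build();
    return new ExampleAssumeRoleRestCredentialsProvider(base, sts, delegate);
  }

  @Override
  public AwsCredentials resolveCredentials() {
    return delegate.resolveCredentials(); // temporary credentials of the assumed role
  }

  @Override
  public void close() {
    // Order matters: stop the refresher, then the STS client it calls, then the base provider.
    delegate.close();
    stsClient.close();
    if (baseProvider instanceof SdkAutoCloseable) {
      ((SdkAutoCloseable) baseProvider).close();
    }
  }
}
```

The wrapper exists because `StsAssumeRoleCredentialsProvider` closes only its own refresh state and not the `StsClient` passed to it; whoever builds the client must close it, which is the lifecycle concern the author asks reviewers to look at. A session that closes this provider once, and does not resolve credentials afterwards, releases the STS connection pool along with the base provider.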
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]