jasonf20 opened a new issue, #2177: URL: https://github.com/apache/polaris/issues/2177
### Describe the bug

When connecting to s3 with vended credentials the Iceberg SDK configures the credentials based on the response from the server which includes the properties:

"s3.access-key-id"
"s3.secret-access-key"
"s3.session-token"

These credentials work fine however they expire after an hour by default. In order to refresh the S3 credentials the Iceberg SDK supports a dedicated credentials provider: VendedCredentialsProvider.java (https://github.com/apache/iceberg/blob/main/aws/src/main/java/org/apache/iceberg/aws/s3/VendedCredentialsProvider.java).

This credential provider will get created if (and only if) the configuration value `AwsClientProperties.REFRESH_CREDENTIALS_ENDPOINT` is set. If not it will not use this provider and thus not refresh the credentials.

The client side user can't configure this endpoint manually when configuring the catalog since each table may have a different endpoint and the typical pattern is of the structure: `/v1/{prefix}/namespaces/{namespace}/tables/{table}/credentials`.

I have debugged the returned properties from the Polaris server when loading vended credentials and I have noticed it **does not** include the required "client.refresh-credentials-endpoint" setting.

Below is a stack trace of the error received after the credentials expire:

```
software.amazon.awssdk.services.s3.model.S3Exception: The provided token has expired. (Service: S3, Status Code: 400, Request ID: CZRQCEYY50XY7FK0, Extended Request ID: gJPo7OfiUI/h8/GDFAe7Ddz0UC1VVO6F1cCrSoDSVRZgyZ8o5thxd4fPRPvV0F/pb5Y/g2JwdDJmzStRbGxTB3p0FVnha+PX)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handleErrorResponse(CombinedResponseHandler.java:125)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handleResponse(CombinedResponseHandler.java:82)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handle(CombinedResponseHandler.java:60)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handle(CombinedResponseHandler.java:41)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.execute(HandleResponseStage.java:50)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.execute(HandleResponseStage.java:38)
	at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallAttemptTimeoutTrackingStage.execute(ApiCallAttemptTimeoutTrackingStage.java:72)
```

### To Reproduce

_No response_

### Actual Behavior

_No response_

### Expected Behavior

_No response_

### Additional context

_No response_

### System information

_No response_

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@polaris.apache.org.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
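An added example, not part of the issue and not Polaris or Iceberg code: a check an operator could run over a parsed loadTable response to see whether vended S3 session credentials arrive without the refresh endpoint the report describes. The function names are hypothetical, the sample responses are constructed, and the `storage-credentials` layout is an assumption about the response shape.

```python
# Property names quoted in the issue.
STATIC_KEYS = ("s3.access-key-id", "s3.secret-access-key", "s3.session-token")
REFRESH_KEY = "client.refresh-credentials-endpoint"


def scopes(response):
    """Yield (label, properties) for each map that may carry S3 settings."""
    yield "config", response.get("config") or {}
    # Assumption: per-prefix credentials, if the server sends them, sit in
    # a "storage-credentials" list of {"prefix": ..., "config": {...}}.
    for cred in response.get("storage-credentials") or []:
        yield "storage-credentials:" + cred.get("prefix", "?"), cred.get("config") or {}


def audit(response):
    """Return (scope, finding) pairs; secret values are never echoed."""
    maps = list(scopes(response))
    can_refresh = any(props.get(REFRESH_KEY) for _, props in maps)
    findings = []
    for label, props in maps:
        present = [k for k in STATIC_KEYS if props.get(k)]
        if not present:
            continue  # no vended S3 credentials in this map
        missing = [k for k in STATIC_KEYS if k not in present]
        if missing:
            findings.append((label, "incomplete: missing " + ", ".join(missing)))
        if not can_refresh:
            findings.append((label, "no " + REFRESH_KEY + ": credentials will expire unrefreshed"))
    return findings


# Constructed sample responses (placeholder values, not real credentials).
WITHOUT_REFRESH = {"config": {
    "s3.access-key-id": "ASIAEXAMPLE",
    "s3.secret-access-key": "example-secret",
    "s3.session-token": "example-token",
}}
WITH_REFRESH = {"config": dict(
    WITHOUT_REFRESH["config"],
    **{REFRESH_KEY: "/v1/{prefix}/namespaces/{namespace}/tables/{table}/credentials"},
)}

if __name__ == "__main__":
    for name, resp in (("without", WITHOUT_REFRESH), ("with", WITH_REFRESH)):
        print(name, audit(resp) or "ok")
```

Findings name only the property keys and the scope, so the output can be logged without exposing the session token.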