AnatolyPopov commented on PR #12695: URL: https://github.com/apache/iceberg/pull/12695#issuecomment-3977033743
I'm +1 on supporting static credentials for all clients since in cloud environments it's not always possible to provide environment variable and especially in case of Kafka connect with multiple connectors it will lead to rolling restart of the whole connect cluster. The use case is pretty simple: We are running Kafka Connect and the configuration of the connectors is user's responsibility. We can not rely on default credentials provider chain since the connect might run in other cloud, e.g. google, or it can discover wrong credentials - e.g. credentials of the cloud where connect is running, not the ones that user needs. On top of that there are solutions like for example Lenses secret providers for Kafka connect that allow to hide the actual credentials from connector configuration but they would still require static credentials support to inject them after fetching from Vault or AWS Secrets Manager. Also note that the same gap exists in AssumeRoleAwsClientFactory — even if this PR merges, users who need cross-account access via assume-role still cannot provide base credentials for the STS bootstrap client from connector config. @danielcweeks could this be reconsidered? I already adapted the default implementation of StaticCredentialsProvider in our fork to work with current code https://github.com/aiven/iceberg/pull/1 and can make a PR for that. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
