rchowell commented on PR #2311: URL: https://github.com/apache/iceberg-rust/pull/2311#issuecomment-4256458164
Rebased on latest main and incorporated @mdub's fixes from rchowell/iceberg-rust#1 (thanks!):

- **`reqsign` Context now includes `OsEnv`** — `EnvCredentialProvider` can read `AWS_ACCESS_KEY_ID` / etc. from environment variables.
- **Real SHA256 body hash instead of `UNSIGNED-PAYLOAD`** — AWS Glue rejects `UNSIGNED-PAYLOAD`; signer now computes `x-amz-content-sha256` from the actual request body.
- **`update_with()` signer precedence fixed** — a `/v1/config` response containing sigv4 props no longer stomps an existing signer with a freshly-built `DefaultCredentialProvider` one.
- **Application headers no longer folded into signing parts** — `content-type`, `user-agent`, etc. stay on the wire but are not included in `SignedHeaders`, preventing mismatches against servers that don't verify them identically.
- **Custom credential provider API**: `SigV4Signer::with_credential_provider(...)` accepts any `impl ProvideCredential<Credential = Credential>`, and `RestCatalogBuilder::with_signer(...)` lets consumers inject a pre-built signer — useful for bridging the AWS SDK's credential chain (SSO / `credential_process` / profile auth).

Verified end-to-end against the AWS Glue Iceberg REST endpoint (`https://glue.<region>.amazonaws.com/iceberg`) with SSO-issued credentials: `list_namespaces`, `list_tables`, and `load_table` all succeed.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
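Added example, not code from the PR or from iceberg-rust: a SigV4 signing routine in Python's standard library showing two of the behaviours listed in the comment above, the real body hash in `x-amz-content-sha256` and a `SignedHeaders` list limited to the SigV4 headers while application headers are sent unsigned. The function name `sign_request`, the `creds` dictionary layout, the service name `glue`, the region and the credential values are assumptions made for this example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Headers covered by the signature (listed in sorted order); any other
# header is sent on the wire but stays out of SignedHeaders.
SIGNED = ("host", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token")

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_request(method, url, headers, body, creds, region, service, amz_date):
    """Return a lower-cased copy of `headers` with the SigV4 headers added.
    Assumes the path and query are already URI-encoded and sorted."""
    parts = urlsplit(url)
    out = {k.lower(): v.strip() for k, v in headers.items()}
    out["host"] = parts.netloc
    out["x-amz-date"] = amz_date
    # Hash of the actual body bytes, not the literal "UNSIGNED-PAYLOAD".
    out["x-amz-content-sha256"] = hashlib.sha256(body).hexdigest()
    if creds.get("token"):  # temporary (e.g. SSO-issued) credentials
        out["x-amz-security-token"] = creds["token"]

    names = [h for h in SIGNED if h in out]
    canonical = "\n".join([
        method.upper(), parts.path or "/", parts.query,
        "".join(f"{h}:{out[h]}\n" for h in names),
        ";".join(names),
        out["x-amz-content-sha256"],
    ])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + creds["secret"]).encode()
    for part in (amz_date[:8], region, service, "aws4_request"):
        key = _hmac(key, part)  # date -> region -> service -> signing key
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    out["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={creds['access_key']}/{scope}, "
        f"SignedHeaders={';'.join(names)}, Signature={signature}")
    return out

if __name__ == "__main__":
    # Constructed sample input: fake credentials, assumed region and service.
    demo = sign_request(
        "POST", "https://glue.us-east-1.amazonaws.com/iceberg/v1/namespaces",
        {"Content-Type": "application/json"}, b'{"namespace":["db"]}',
        {"access_key": "AKIDEXAMPLE", "secret": "constructed-secret"},
        "us-east-1", "glue", "20250101T000000Z")
    print(demo["authorization"])
```

Because `content-type` and `user-agent` are outside `SignedHeaders`, a proxy or HTTP client that rewrites them does not invalidate the signature, while any change to the body does.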
