jlambatl opened a new issue, #2394:
URL: https://github.com/apache/iceberg-rust/issues/2394

   ### Is your feature request related to a problem or challenge?
   
   Users operating in multi-account AWS environments, or following AWS security 
best practices, need to access the AWS Glue Data Catalog using temporary IAM 
credentials obtained via STS AssumeRole rather than long-term static access 
keys. Currently the Glue catalog only supports static credentials 
(aws_access_key_id / aws_secret_access_key), named profiles, and the default 
credential chain — none of which cover the AssumeRole flow directly. This makes 
it impossible to support common patterns such as cross-account Glue catalog 
access or workloads where an application assumes a scoped-down IAM role to 
interact with Glue.
   
   ### Describe the solution you'd like
   
   Add three new configuration properties to the Glue catalog, mirroring the 
naming convention already used by the S3 storage layer. 
   
   | Property | Description |
   |---------|---------|
   | client.assume-role.arn | ARN of the IAM role to assume |
   | client.assume-role.external-id | (Optional) External ID for cross-account role assumption |
   | client.assume-role.session-name | (Optional) STS session name (default: iceberg-glue-catalog) |
   
   When client.assume-role.arn is set, the catalog should use the existing base 
credentials (static keys, profile, or default chain) to call AWS STS 
AssumeRole, then use the resulting temporary credentials for all Glue API 
calls. These temporary credentials should also be propagated to the S3 FileIO 
layer so that both metadata reads/writes and Glue API calls operate under the 
same assumed role.
   
   ### Willingness to contribute
   
   None


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
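
An added example, not part of the issue and not iceberg-rust code: one way the three proposed properties could be resolved and validated before any STS call is made. The property names and the default session name come from the issue; `AssumeRoleSettings`, `resolve` and the helpers are hypothetical, the length and character limits follow the STS AssumeRole parameter constraints, and the role ARN check is a simplified assumption (12-digit account ID, `role/` resource).

```rust
use std::collections::HashMap;

// Property names and default as proposed in the issue; all other names are hypothetical.
const ARN: &str = "client.assume-role.arn";
const EXTERNAL_ID: &str = "client.assume-role.external-id";
const SESSION_NAME: &str = "client.assume-role.session-name";
const DEFAULT_SESSION: &str = "iceberg-glue-catalog";

#[derive(Debug, PartialEq)]
pub struct AssumeRoleSettings {
    pub role_arn: String, pub external_id: Option<String>, pub session_name: String,
}

fn check(ok: bool, key: &str, what: &str) -> Result<(), String> {
    if ok { Ok(()) } else { Err(format!("{key}: {what}")) }
}

// STS limits these fields to ASCII word characters plus a small punctuation set.
fn allowed(s: &str, extra: &str, min: usize, max: usize) -> bool {
    (min..=max).contains(&s.len())
        && s.chars().all(|c| c.is_ascii_alphanumeric() || c == '_' || extra.contains(c))
}

// Simplified check (assumption): arn:<partition>:iam::<12-digit account>:role/<name>.
fn is_role_arn(arn: &str) -> bool {
    let p: Vec<&str> = arn.splitn(6, ':').collect();
    p.len() == 6 && p[0] == "arn" && !p[1].is_empty() && p[2] == "iam" && p[3].is_empty()
        && p[4].len() == 12 && p[4].bytes().all(|b| b.is_ascii_digit())
        && p[5].strip_prefix("role/").map_or(false, |n| !n.is_empty())
}

/// Ok(None) means no role is configured and the base credentials are used unchanged.
pub fn resolve(props: &HashMap<String, String>) -> Result<Option<AssumeRoleSettings>, String> {
    let Some(arn) = props.get(ARN) else {
        // An external ID or session name without a role ARN is a misconfiguration;
        // rejecting it avoids silently running under the base credentials.
        let stray = props.contains_key(EXTERNAL_ID) || props.contains_key(SESSION_NAME);
        return check(!stray, ARN, "required by the other assume-role properties").map(|_| None);
    };
    check(is_role_arn(arn), ARN, "not an IAM role ARN")?;
    let session_name = props.get(SESSION_NAME).cloned().unwrap_or_else(|| DEFAULT_SESSION.into());
    check(allowed(&session_name, "+=,.@-", 2, 64), SESSION_NAME, "invalid STS session name")?;
    let external_id = props.get(EXTERNAL_ID).cloned();
    if let Some(id) = &external_id {
        check(allowed(id, "+=,.@:/-", 2, 1224), EXTERNAL_ID, "invalid STS external ID")?;
    }
    Ok(Some(AssumeRoleSettings { role_arn: arn.clone(), external_id, session_name }))
}
```
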