jlambatl opened a new pull request, #2396: URL: https://github.com/apache/iceberg-rust/pull/2396
Adds support for authenticating to the AWS Glue Data Catalog using temporary IAM credentials obtained via AWS STS AssumeRole. This enables cross-account Glue catalog access and aligns with AWS security best practices, which recommend temporary credentials over long-term static access keys. Three new configuration properties are introduced, mirroring the naming convention already used by the S3 storage layer

## Which issue does this PR close?

- Closes #2394

## What changes are included in this PR?

* crates/catalog/glue/src/utils.rs — Added three new public constants and extended create_sdk_config() to build an AssumeRoleProvider from aws_config::sts when a role ARN is configured. The base credential chain (static keys, profile, or default chain) is used to call STS, and the resulting temporary credentials are used for all Glue SDK calls.
* crates/catalog/glue/src/catalog.rs — Propagates the three STS role properties into the S3 FileIO property map in GlueCatalog::new(), so that both Glue API calls and S3 file I/O operate under the same assumed role.
* crates/catalog/glue/src/lib.rs — Exports the three new constants as part of the public API.
* crates/catalog/glue/Cargo.toml — Added explicit aws-sdk-sts dependency (already present transitively) with a [package.metadata.cargo-machete] ignore entry to suppress the expected false positive from cargo-machete (the crate is consumed via aws_config::sts re-exports).
* Cargo.toml — Added aws-sdk-sts to workspace dependencies.
* crates/catalog/loader/tests/common/mod.rs — Added glue_catalog_assume_role() integration test helper, driven by environment variables, for use in #[ignore]-gated integration tests requiring a live AWS environment.
* bump the aws-sdk-glue dependency version to the latest.

## Are these changes tested?
* 4 new unit tests in crates/catalog/glue/src/utils.rs covering: ARN-only configuration, custom session name, all optional fields with a custom endpoint, and a regression guard confirming the existing static-credential path is unaffected.
* All 18 tests in iceberg-catalog-glue pass.
* cargo fmt, cargo clippy -D warnings, and cargo machete all pass.
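A sketch of a validation step that could run before an AssumeRoleProvider is built from catalog properties, as described in this pull request. It is an added example, not code from the PR or from iceberg-rust: the property keys, the default session name and `resolve_assume_role` are hypothetical, because the message does not list the actual constants.

```rust
use std::collections::HashMap;

// Hypothetical keys and default (the PR's real constants are not listed in the message).
pub const ROLE_ARN: &str = "example.assume-role.arn";
pub const SESSION_NAME: &str = "example.assume-role.session-name";
pub const EXTERNAL_ID: &str = "example.assume-role.external-id";
pub const DEFAULT_SESSION: &str = "example-glue-session";

#[derive(Debug, PartialEq)]
pub struct AssumeRole {
    pub role_arn: String,
    pub account_id: String, // target account, worth logging for cross-account access
    pub session_name: String,
    pub external_id: Option<String>, // cross-account confused-deputy guard, if set
}

/// Ok(None) means no role ARN is set, so the base credential chain is used as before.
pub fn resolve_assume_role(props: &HashMap<String, String>) -> Result<Option<AssumeRole>, String> {
    let arn = match props.get(ROLE_ARN) { Some(a) => a, None => return Ok(None) };
    // Expected shape: arn:<partition>:iam::<12-digit account>:role/<path and name>
    let f: Vec<&str> = arn.splitn(6, ':').collect();
    let shape_ok = f.len() == 6 && f[0] == "arn" && !f[1].is_empty() && f[2] == "iam"
        && f[3].is_empty() && f[4].len() == 12 && f[4].bytes().all(|b| b.is_ascii_digit())
        && f[5].strip_prefix("role/").map_or(false, |n| !n.is_empty());
    if !shape_ok {
        return Err(format!("not an IAM role ARN: {arn}"));
    }
    let session_name = props.get(SESSION_NAME).cloned().unwrap_or_else(|| DEFAULT_SESSION.to_string());
    // STS accepts a RoleSessionName of 2-64 characters: letters, digits and _+=,.@-
    let name_ok = (2..=64).contains(&session_name.len())
        && session_name.bytes().all(|b| b.is_ascii_alphanumeric() || b"_+=,.@-".contains(&b));
    if !name_ok {
        return Err(format!("invalid STS session name: {session_name}"));
    }
    Ok(Some(AssumeRole {
        role_arn: arn.clone(),
        account_id: f[4].to_string(),
        session_name,
        external_id: props.get(EXTERNAL_ID).cloned(),
    }))
}

fn main() {
    // Constructed sample properties.
    let mut props = HashMap::new();
    props.insert(ROLE_ARN.to_string(), "arn:aws:iam::123456789012:role/glue-reader".to_string());
    props.insert(EXTERNAL_ID.to_string(), "constructed-external-id".to_string());
    println!("{:?}", resolve_assume_role(&props));
}
```

Rejecting a malformed ARN or session name at configuration time gives a clear local error instead of a failed STS call, and the session name that passes this check is what appears in CloudTrail for the assumed-role principal.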
