From b604191afa220ad0cc179bed25b99a7b272ff36d Mon Sep 17 00:00:00 2001 From: osipovartem Date: Mon, 29 Dec 2025 17:41:56 +0300 Subject: [PATCH 1/3] Add tracing for env volume loading --- Cargo.lock | 10 +++++----- Cargo.toml | 10 +++++----- .../src/metastore_bootstrap_config.rs | 2 ++ 3 files changed, 12 insertions(+), 10 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index e5454a71..38d32ef3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3007,7 +3007,7 @@ dependencies = [ [[package]] name = "datafusion_iceberg" version = "0.9.0" -source = "git+https://github.com/Embucket/iceberg-rust.git?rev=f76b73573267304d2f866ed0dba91587f928caa6#f76b73573267304d2f866ed0dba91587f928caa6" +source = "git+https://github.com/Embucket/iceberg-rust.git?rev=c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d#c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" dependencies = [ "async-trait", "chrono", @@ -4465,7 +4465,7 @@ dependencies = [ [[package]] name = "iceberg-rest-catalog" version = "0.9.0" -source = "git+https://github.com/Embucket/iceberg-rust.git?rev=f76b73573267304d2f866ed0dba91587f928caa6#f76b73573267304d2f866ed0dba91587f928caa6" +source = "git+https://github.com/Embucket/iceberg-rust.git?rev=c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d#c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" dependencies = [ "async-trait", "aws-sigv4 0.3.1", @@ -4490,7 +4490,7 @@ dependencies = [ [[package]] name = "iceberg-rust" version = "0.9.0" -source = "git+https://github.com/Embucket/iceberg-rust.git?rev=f76b73573267304d2f866ed0dba91587f928caa6#f76b73573267304d2f866ed0dba91587f928caa6" +source = "git+https://github.com/Embucket/iceberg-rust.git?rev=c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d#c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" dependencies = [ "apache-avro", "arrow 56.2.0", 
@@ -4526,7 +4526,7 @@ dependencies = [ [[package]] name = "iceberg-rust-spec" version = "0.9.0" -source = "git+https://github.com/Embucket/iceberg-rust.git?rev=f76b73573267304d2f866ed0dba91587f928caa6#f76b73573267304d2f866ed0dba91587f928caa6" +source = "git+https://github.com/Embucket/iceberg-rust.git?rev=c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d#c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" dependencies = [ "apache-avro", "arrow-schema 56.2.0", @@ -4551,7 +4551,7 @@ dependencies = [ [[package]] name = "iceberg-s3tables-catalog" version = "0.9.0" -source = "git+https://github.com/Embucket/iceberg-rust.git?rev=f76b73573267304d2f866ed0dba91587f928caa6#f76b73573267304d2f866ed0dba91587f928caa6" +source = "git+https://github.com/Embucket/iceberg-rust.git?rev=c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d#c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" dependencies = [ "async-trait", "aws-config", diff --git a/Cargo.toml b/Cargo.toml index c99ac89d..04448372 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -49,15 +49,15 @@ datafusion-expr = { version = "50.0.0" } datafusion-functions-json = { git = "https://github.com/Embucket/datafusion-functions-json.git", rev = "439cbd2282504c3ffaf262f1ffdb530a0fb1a151" } datafusion-macros = { version = "50.0.0" } datafusion-physical-plan = { version = "50.0.0" } -datafusion_iceberg = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "f76b73573267304d2f866ed0dba91587f928caa6" } +datafusion_iceberg = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" } futures = { version = "0.3" } http = "1.2" http-body-util = "0.1.0" iceberg = { git = "https://github.com/apache/iceberg-rust.git", rev="7a5ad1fcaf00d4638857812bab788105f6c60573"} -iceberg-rest-catalog = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "f76b73573267304d2f866ed0dba91587f928caa6" } -iceberg-rust = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "f76b73573267304d2f866ed0dba91587f928caa6" } -iceberg-rust-spec = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "f76b73573267304d2f866ed0dba91587f928caa6" } -iceberg-s3tables-catalog = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "f76b73573267304d2f866ed0dba91587f928caa6" } +iceberg-rest-catalog = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" } +iceberg-rust = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" } +iceberg-rust-spec = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" } +iceberg-s3tables-catalog = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" } indexmap = "2.7.1" jsonwebtoken = "9.3.1" lazy_static = { version = "1.5" } 
diff --git a/crates/catalog-metastore/src/metastore_bootstrap_config.rs b/crates/catalog-metastore/src/metastore_bootstrap_config.rs index ae6f2579..9fb16762 100644 --- a/crates/catalog-metastore/src/metastore_bootstrap_config.rs +++ b/crates/catalog-metastore/src/metastore_bootstrap_config.rs @@ -166,6 +166,7 @@ impl MetastoreBootstrapConfig { pub async fn load_from_env() -> Result { let mut config = Self::default(); if let Some(volume) = load_volume_from_env().await? { + tracing::info!("Loading volume from environment"); config.volumes.push(volume); } Ok(config) @@ -437,6 +438,7 @@ async fn load_volume_from_env() -> Result, ConfigError> { .await?; validate_s3tables_credentials(&arn, &credentials).await?; + tracing::info!("Loaded volume has been validated"); VolumeType::S3Tables(S3TablesVolume { endpoint: None, From 14544c5304e11953b12e445e70b2c7a3e72f7247 Mon Sep 17 00:00:00 2001 From: osipovartem Date: Mon, 29 Dec 2025 19:40:35 +0300 Subject: [PATCH 2/3] Load DDB creds from env with additional token --- Cargo.lock | 10 +++++----- Cargo.toml | 10 +++++----- crates/state-store/README.md | 4 ++++ crates/state-store/src/config.rs | 32 +++++++++++++++++++++++++------- crates/state-store/src/error.rs | 7 +++++++ 5 files changed, 46 insertions(+), 17 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 38d32ef3..68459a5c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3007,7 +3007,7 @@ dependencies = [ [[package]] name = "datafusion_iceberg" version = "0.9.0" -source = "git+https://github.com/Embucket/iceberg-rust.git?rev=c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d#c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" +source = "git+https://github.com/Embucket/iceberg-rust.git?rev=026041479f2af9d1565373693be640716e3f1770#026041479f2af9d1565373693be640716e3f1770" dependencies = [ "async-trait", "chrono", 
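Review bot: In `MetastoreBootstrapConfig::load_from_env` the added `tracing::info!("Loading volume from environment")` sits inside the `if let Some(volume)` arm, so it fires only after `load_volume_from_env().await?` has already returned a volume. The message announces a start that is already over, and nothing is logged when no volume is configured or when loading fails. `tracing::info!("Loaded volume from environment");` would match what actually happened. The second added line, `tracing::info!("Loaded volume has been validated")`, directly follows `validate_s3tables_credentials(...)`, so it appears to cover only the S3 Tables path; a message such as `"S3 Tables volume credentials validated"` would avoid implying that other volume types were checked. Both functions extend beyond their hunks, so the surrounding branches are not visible here.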
@@ -4465,7 +4465,7 @@ dependencies = [ [[package]] name = "iceberg-rest-catalog" version = "0.9.0" -source = "git+https://github.com/Embucket/iceberg-rust.git?rev=c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d#c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" +source = "git+https://github.com/Embucket/iceberg-rust.git?rev=026041479f2af9d1565373693be640716e3f1770#026041479f2af9d1565373693be640716e3f1770" dependencies = [ "async-trait", "aws-sigv4 0.3.1", @@ -4490,7 +4490,7 @@ dependencies = [ [[package]] name = "iceberg-rust" version = "0.9.0" -source = "git+https://github.com/Embucket/iceberg-rust.git?rev=c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d#c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" +source = "git+https://github.com/Embucket/iceberg-rust.git?rev=026041479f2af9d1565373693be640716e3f1770#026041479f2af9d1565373693be640716e3f1770" dependencies = [ "apache-avro", "arrow 56.2.0", @@ -4526,7 +4526,7 @@ dependencies = [ [[package]] name = "iceberg-rust-spec" version = "0.9.0" -source = "git+https://github.com/Embucket/iceberg-rust.git?rev=c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d#c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" +source = "git+https://github.com/Embucket/iceberg-rust.git?rev=026041479f2af9d1565373693be640716e3f1770#026041479f2af9d1565373693be640716e3f1770" dependencies = [ "apache-avro", "arrow-schema 56.2.0", @@ -4551,7 +4551,7 @@ dependencies = [ [[package]] name = "iceberg-s3tables-catalog" version = "0.9.0" -source = "git+https://github.com/Embucket/iceberg-rust.git?rev=c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d#c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" +source = "git+https://github.com/Embucket/iceberg-rust.git?rev=026041479f2af9d1565373693be640716e3f1770#026041479f2af9d1565373693be640716e3f1770" dependencies = [ "async-trait", "aws-config", diff --git a/Cargo.toml b/Cargo.toml index 04448372..7dba1e0d 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -49,15 +49,15 @@ datafusion-expr = { version = "50.0.0" } datafusion-functions-json = { git = "https://github.com/Embucket/datafusion-functions-json.git", rev = "439cbd2282504c3ffaf262f1ffdb530a0fb1a151" } datafusion-macros = { version = "50.0.0" } datafusion-physical-plan = { version = "50.0.0" } -datafusion_iceberg = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" } +datafusion_iceberg = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "026041479f2af9d1565373693be640716e3f1770" } futures = { version = "0.3" } http = "1.2" http-body-util = "0.1.0" iceberg = { git = "https://github.com/apache/iceberg-rust.git", rev="7a5ad1fcaf00d4638857812bab788105f6c60573"} -iceberg-rest-catalog = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" } -iceberg-rust = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" } -iceberg-rust-spec = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" } -iceberg-s3tables-catalog = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "c1c8152ed67dc6ebf06bddf9c5e87bbf3de3b83d" } +iceberg-rest-catalog = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "026041479f2af9d1565373693be640716e3f1770" } +iceberg-rust = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "026041479f2af9d1565373693be640716e3f1770" } +iceberg-rust-spec = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "026041479f2af9d1565373693be640716e3f1770" } +iceberg-s3tables-catalog = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "026041479f2af9d1565373693be640716e3f1770" } indexmap = "2.7.1" jsonwebtoken = "9.3.1" lazy_static = { version = "1.5" } diff --git a/crates/state-store/README.md b/crates/state-store/README.md index 1148a69a..f8eaf332 100644 --- a/crates/state-store/README.md 
+++ b/crates/state-store/README.md @@ -67,4 +67,8 @@ AWS_REGION=us-east-2 AWS_ACCESS_KEY_ID=local AWS_SECRET_ACCESS_KEY=local dynamod ```bash STATESTORE_TABLE_NAME=embucket-statestore STATESTORE_DYNAMODB_ENDPOINT=http://localhost:8000 +AWS_DDB_ACCESS_KEY_ID=key +AWS_DDB_SECRET_ACCESS_KEY=secret +# For temporary credentials +AWS_DDB_SESSION_TOKEN=token ``` diff --git a/crates/state-store/src/config.rs b/crates/state-store/src/config.rs index 52460e7e..48b54d8a 100644 --- a/crates/state-store/src/config.rs +++ b/crates/state-store/src/config.rs @@ -1,14 +1,15 @@ +use crate::error::{DynamoDbCredentialsSnafu, Error, Result}; use aws_config::Region; +use aws_config::meta::credentials::CredentialsProviderChain; use aws_config::{BehaviorVersion, defaults}; use aws_credential_types::Credentials; -use aws_credential_types::provider::SharedCredentialsProvider; +use aws_credential_types::provider::{ProvideCredentials, SharedCredentialsProvider}; use aws_sdk_dynamodb::Client; use aws_sdk_dynamodb::config::Builder as DynamoConfigBuilder; use aws_sdk_dynamodb::config::retry::RetryConfig; +use snafu::ResultExt; use std::env; -use crate::error::{Error, Result}; - #[derive(Debug, Clone)] pub struct DynamoDbConfig { pub table_name: String, 
@@ -40,11 +41,28 @@ impl DynamoDbConfig { loader = loader.endpoint_url(endpoint); } - let access_key = required_env("AWS_ACCESS_KEY_ID")?; - let secret_key = required_env("AWS_SECRET_ACCESS_KEY")?; - let creds = Credentials::from_keys(access_key, secret_key, None); - loader = loader.credentials_provider(SharedCredentialsProvider::new(creds)); + let creds = if let (Ok(access_key), Ok(secret_key)) = ( + env::var("AWS_DDB_ACCESS_KEY_ID"), + env::var("AWS_DDB_SECRET_ACCESS_KEY"), + ) { + let token = env::var("AWS_DDB_SESSION_TOKEN").ok(); + Credentials::from_keys(access_key, secret_key, token) + } else { + // Default AWS Credential Provider Chain + // Resolution order: + // 1. Environment variables + // 2. Shared config (`~/.aws/config`, `~/.aws/credentials`) + // 3. Web Identity Tokens + // 4. ECS (IAM Roles for Tasks) & General HTTP credentials + // 5. EC2 IMDSv2 + let provider = CredentialsProviderChain::default_provider().await; + provider + .provide_credentials() + .await + .context(DynamoDbCredentialsSnafu)? + }; + loader = loader.credentials_provider(SharedCredentialsProvider::new(creds)); let config = loader.load().await; let retry_config = RetryConfig::adaptive(); let config_builder = DynamoConfigBuilder::from(&config).retry_config(retry_config); diff --git a/crates/state-store/src/error.rs b/crates/state-store/src/error.rs index d7a075d8..43b4baae 100644 --- a/crates/state-store/src/error.rs +++ b/crates/state-store/src/error.rs @@ -50,6 +50,13 @@ pub enum Error { #[snafu(implicit)] location: Location, }, + #[snafu(display("Dynamodb query error: {error}"))] + DynamoDbCredentialsError { + #[snafu(source(from(aws_credential_types::provider::error::CredentialsError, Box::new)))] + error: Box, + #[snafu(implicit)] + location: Location, + }, #[snafu(display("item not found"))] NotFound, #[snafu(display("data attribute missing from DynamoDB item"))] From 969806b553b4ffd57741178e84cd2ccf043eca49 Mon Sep 17 00:00:00 2001 
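Review bot: In the `else` branch the default chain is resolved once with `provide_credentials().await`, and the resulting static `Credentials` value is what gets wrapped in `SharedCredentialsProvider`. Temporary credentials from web identity, ECS or IMDS would therefore be frozen at startup and not refreshed when they expire; handing the chain itself to the loader keeps refresh working. The `if let (Ok(..), Ok(..))` test also falls through silently to the default chain when only one of `AWS_DDB_ACCESS_KEY_ID` / `AWS_DDB_SECRET_ACCESS_KEY` is set, and it accepts empty strings, so the store can end up running under a different identity than the operator intended; rejecting a half-set pair (for instance via the `required_env` helper the removed lines used, if it is still in the file) would make that explicit. The enclosing function starts and ends outside this hunk. If fail-fast on missing credentials is wanted, one `provide_credentials()` probe with `.context(DynamoDbCredentialsSnafu)?` can be kept before the chain is handed over; otherwise the `ProvideCredentials` and `DynamoDbCredentialsSnafu` imports become unused.

```rust
let creds_provider = match (
    env::var("AWS_DDB_ACCESS_KEY_ID"),
    env::var("AWS_DDB_SECRET_ACCESS_KEY"),
) {
    (Ok(access_key), Ok(secret_key)) => {
        let token = env::var("AWS_DDB_SESSION_TOKEN").ok();
        SharedCredentialsProvider::new(Credentials::from_keys(access_key, secret_key, token))
    }
    // Pass the chain itself, not a one-time snapshot, so expiring credentials are re-resolved.
    _ => SharedCredentialsProvider::new(CredentialsProviderChain::default_provider().await),
};
loader = loader.credentials_provider(creds_provider);
// … unchanged: loader.load(), retry config, client construction …
```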
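Review bot: The display string on the new `DynamoDbCredentialsError` variant in `crates/state-store/src/error.rs` reads `"Dynamodb query error: {error}"`, which looks copied from a query variant. It will point whoever reads the log at the query path when the actual failure is credential resolution. `#[snafu(display("DynamoDB credentials error: {error}"))]` would name the real cause. The enum starts and ends outside the hunk, so whether another variant already uses the same text cannot be checked from here.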
From: osipovartem Date: Mon, 29 Dec 2025 19:58:28 +0300 Subject: [PATCH 3/3] Fix toml --- Cargo.lock | 10 +++++----- Cargo.toml | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 68459a5c..fd54db32 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3007,7 +3007,7 @@ dependencies = [ [[package]] name = "datafusion_iceberg" version = "0.9.0" -source = "git+https://github.com/Embucket/iceberg-rust.git?rev=026041479f2af9d1565373693be640716e3f1770#026041479f2af9d1565373693be640716e3f1770" +source = "git+https://github.com/Embucket/iceberg-rust.git?rev=a5fb43869d8c09d488343c24ea18db01752fb1bb#a5fb43869d8c09d488343c24ea18db01752fb1bb" dependencies = [ "async-trait", "chrono", @@ -4465,7 +4465,7 @@ dependencies = [ [[package]] name = "iceberg-rest-catalog" version = "0.9.0" -source = "git+https://github.com/Embucket/iceberg-rust.git?rev=026041479f2af9d1565373693be640716e3f1770#026041479f2af9d1565373693be640716e3f1770" +source = "git+https://github.com/Embucket/iceberg-rust.git?rev=a5fb43869d8c09d488343c24ea18db01752fb1bb#a5fb43869d8c09d488343c24ea18db01752fb1bb" dependencies = [ "async-trait", "aws-sigv4 0.3.1", @@ -4490,7 +4490,7 @@ dependencies = [ [[package]] name = "iceberg-rust" version = "0.9.0" -source = "git+https://github.com/Embucket/iceberg-rust.git?rev=026041479f2af9d1565373693be640716e3f1770#026041479f2af9d1565373693be640716e3f1770" +source = "git+https://github.com/Embucket/iceberg-rust.git?rev=a5fb43869d8c09d488343c24ea18db01752fb1bb#a5fb43869d8c09d488343c24ea18db01752fb1bb" dependencies = [ "apache-avro", "arrow 56.2.0", 
@@ -4526,7 +4526,7 @@ dependencies = [ [[package]] name = "iceberg-rust-spec" version = "0.9.0" -source = "git+https://github.com/Embucket/iceberg-rust.git?rev=026041479f2af9d1565373693be640716e3f1770#026041479f2af9d1565373693be640716e3f1770" +source = "git+https://github.com/Embucket/iceberg-rust.git?rev=a5fb43869d8c09d488343c24ea18db01752fb1bb#a5fb43869d8c09d488343c24ea18db01752fb1bb" dependencies = [ "apache-avro", "arrow-schema 56.2.0", @@ -4551,7 +4551,7 @@ dependencies = [ [[package]] name = "iceberg-s3tables-catalog" version = "0.9.0" -source = "git+https://github.com/Embucket/iceberg-rust.git?rev=026041479f2af9d1565373693be640716e3f1770#026041479f2af9d1565373693be640716e3f1770" +source = "git+https://github.com/Embucket/iceberg-rust.git?rev=a5fb43869d8c09d488343c24ea18db01752fb1bb#a5fb43869d8c09d488343c24ea18db01752fb1bb" dependencies = [ "async-trait", "aws-config", diff --git a/Cargo.toml b/Cargo.toml index 7dba1e0d..eddba8b6 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -49,15 +49,15 @@ datafusion-expr = { version = "50.0.0" } datafusion-functions-json = { git = "https://github.com/Embucket/datafusion-functions-json.git", rev = "439cbd2282504c3ffaf262f1ffdb530a0fb1a151" } datafusion-macros = { version = "50.0.0" } datafusion-physical-plan = { version = "50.0.0" } -datafusion_iceberg = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "026041479f2af9d1565373693be640716e3f1770" } +datafusion_iceberg = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "a5fb43869d8c09d488343c24ea18db01752fb1bb" } futures = { version = "0.3" } http = "1.2" http-body-util = "0.1.0" iceberg = { git = "https://github.com/apache/iceberg-rust.git", rev="7a5ad1fcaf00d4638857812bab788105f6c60573"} -iceberg-rest-catalog = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "026041479f2af9d1565373693be640716e3f1770" } -iceberg-rust = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "026041479f2af9d1565373693be640716e3f1770" } -iceberg-rust-spec = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "026041479f2af9d1565373693be640716e3f1770" } -iceberg-s3tables-catalog = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "026041479f2af9d1565373693be640716e3f1770" } +iceberg-rest-catalog = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "a5fb43869d8c09d488343c24ea18db01752fb1bb" } +iceberg-rust = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "a5fb43869d8c09d488343c24ea18db01752fb1bb" } +iceberg-rust-spec = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "a5fb43869d8c09d488343c24ea18db01752fb1bb" } +iceberg-s3tables-catalog = { git = "https://github.com/Embucket/iceberg-rust.git", rev = "a5fb43869d8c09d488343c24ea18db01752fb1bb" } indexmap = "2.7.1" jsonwebtoken = "9.3.1" lazy_static = { version = "1.5" }