Re: [PR] Glue: Allow for assuming role for Glue [iceberg-python]

Wed, 06 Nov 2024 07:25:22 -0800 


Fokko commented on code in PR #1299:
URL: https://github.com/apache/iceberg-python/pull/1299#discussion_r1831238850


##########
pyiceberg/catalog/glue.py:
##########
@@ -296,13 +306,48 @@ class GlueCatalog(MetastoreCatalog):
     def __init__(self, name: str, **properties: Any):
         super().__init__(name, **properties)
 
+        credentials = Credentials(
+            access_key=get_first_property_value(properties, 
GLUE_ACCESS_KEY_ID, AWS_ACCESS_KEY_ID),
+            secret_key=get_first_property_value(properties, 
GLUE_SECRET_ACCESS_KEY, AWS_SECRET_ACCESS_KEY),
+            token=get_first_property_value(properties, GLUE_SESSION_TOKEN, 
AWS_SESSION_TOKEN),
+        )
+
         session = boto3.Session(
             profile_name=properties.get(GLUE_PROFILE_NAME),
             region_name=get_first_property_value(properties, GLUE_REGION, 
AWS_REGION),
-            aws_access_key_id=get_first_property_value(properties, 
GLUE_ACCESS_KEY_ID, AWS_ACCESS_KEY_ID),
-            aws_secret_access_key=get_first_property_value(properties, 
GLUE_SECRET_ACCESS_KEY, AWS_SECRET_ACCESS_KEY),
-            aws_session_token=get_first_property_value(properties, 
GLUE_SESSION_TOKEN, AWS_SESSION_TOKEN),
+            aws_access_key_id=credentials.access_key,
+            aws_secret_access_key=credentials.secret_key,
+            aws_session_token=credentials.token,
         )
+
+        if role_arn := get_first_property_value(properties, GLUE_ROLE_ARN, 
AWS_ROLE_ARN):
+            extra_args = {}
+            if role_session_name := get_first_property_value(properties, 
GLUE_ROLE_SESSION_NAME, AWS_ROLE_SESSION_NAME):
+                extra_args["RoleSessionName"] = role_session_name
+
+            fetcher = AssumeRoleCredentialFetcher(
+                client_creator=session.client,
+                source_credentials=credentials,
+                role_arn=role_arn,
+                extra_args=extra_args,
+            )
+            refreshable_credentials = DeferredRefreshableCredentials(
+                method="assume-role",
+                refresh_using=fetcher.fetch_credentials,
+            )
+            from botocore.session import Session as BotoSession
+
+            botocore_session = BotoSession()

Review Comment:
   I think we could do both, so you can also configure the Glue client similar 
to the S3 one (it uses similar properties). 
   
   @HonahX @kevinjqliu How strong are we on only passing `str`'s? Otherwise, I 
think we might start jumping through hoops to get it working (eg. do something 
similar as when loading a custom FileIO).



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For additional commands, e-mail: issues-h...@iceberg.apache.org

Reply via email to