apache
diff --git a/‎aws/src/main/java/org/apache/iceberg/aws/s3/S3FileIO.java
+41-2 b/‎aws/src/main/java/org/apache/iceberg/aws/s3/S3FileIO.java
+41-2
diff --git a/‎aws/src/test/java/org/apache/iceberg/aws/s3/TestS3FileIO.java
+113 b/‎aws/src/test/java/org/apache/iceberg/aws/s3/TestS3FileIO.java
+113
diff --git a/‎core/src/main/java/org/apache/iceberg/CatalogUtil.java
+33 b/‎core/src/main/java/org/apache/iceberg/CatalogUtil.java
+33
diff --git a/‎core/src/main/java/org/apache/iceberg/io/StorageCredential.java
+36 b/‎core/src/main/java/org/apache/iceberg/io/StorageCredential.java
+36
diff --git a/‎core/src/main/java/org/apache/iceberg/io/SupportsStorageCredentials.java
+28 b/‎core/src/main/java/org/apache/iceberg/io/SupportsStorageCredentials.java
+28
@@ -39,9 +39,14 @@
 import org.apache.iceberg.io.FileInfo;
 import org.apache.iceberg.io.InputFile;
 import org.apache.iceberg.io.OutputFile;
+import org.apache.iceberg.io.StorageCredential;
 import org.apache.iceberg.io.SupportsRecoveryOperations;
+import org.apache.iceberg.io.SupportsStorageCredentials;
 import org.apache.iceberg.metrics.MetricsContext;
 import org.apache.iceberg.relocated.com.google.common.base.Joiner;
+import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
+import org.apache.iceberg.relocated.com.google.common.collect.ImmutableList;
+import org.apache.iceberg.relocated.com.google.common.collect.ImmutableMap;
 import org.apache.iceberg.relocated.com.google.common.collect.Lists;
 import org.apache.iceberg.relocated.com.google.common.collect.Maps;
 import org.apache.iceberg.relocated.com.google.common.collect.Multimaps;
@@ -80,7 +85,11 @@
  * schemes s3a, s3n, https are also treated as s3 file paths. Using this FileIO with other schemes
  * will result in {@link org.apache.iceberg.exceptions.ValidationException}.
  */
-public class S3FileIO implements CredentialSupplier, DelegateFileIO, SupportsRecoveryOperations {
+public class S3FileIO
+    implements CredentialSupplier,
+        DelegateFileIO,
+        SupportsRecoveryOperations,
+        SupportsStorageCredentials {
   private static final Logger LOG = LoggerFactory.getLogger(S3FileIO.class);
   private static final String DEFAULT_METRICS_IMPL =
       "org.apache.iceberg.hadoop.HadoopMetricsContext";
@@ -96,6 +105,7 @@ public class S3FileIO implements CredentialSupplier, DelegateFileIO, SupportsRec
   private MetricsContext metrics = MetricsContext.nullMetrics();
   private final AtomicBoolean isResourceClosed = new AtomicBoolean(false);
   private transient StackTraceElement[] createStack;
+  private List<? extends StorageCredential> storageCredentials = ImmutableList.of();
 
   /**
    * No-arg constructor to load the FileIO dynamically.
@@ -422,7 +432,13 @@ public String getCredential() {
   @Override
   public void initialize(Map<String, String> props) {
     this.properties = SerializableMap.copyOf(props);
-    this.s3FileIOProperties = new S3FileIOProperties(properties);
+    Map<String, String> propertiesWithCredentials =
+        ImmutableMap.<String, String>builder()
+            .putAll(properties)
+            .putAll(storageCredentialConfig())
+            .buildKeepingLast();
+
+    this.s3FileIOProperties = new S3FileIOProperties(propertiesWithCredentials);
     this.createStack =
         PropertyUtil.propertyAsBoolean(props, "init-creation-stacktrace", true)
             ? Thread.currentThread().getStackTrace()
@@ -547,4 +563,27 @@ private boolean recoverObject(ObjectVersion version, String bucket) {
 
     return true;
   }
+
+  @Override
+  public void setCredentials(List<? extends StorageCredential> credentials) {
+    Preconditions.checkArgument(credentials != null, "Invalid storage credentials: null");
+    this.storageCredentials = credentials;
+  }
+
+  @Override
+  public List<? extends StorageCredential> credentials() {
+    return ImmutableList.copyOf(storageCredentials);
+  }
+
+  private Map<String, String> storageCredentialConfig() {
+    List<StorageCredential> s3Credentials =
+        storageCredentials.stream()
+            .filter(c -> c.prefix().startsWith("s3"))
+            .collect(Collectors.toList());
+
+    Preconditions.checkState(
+        s3Credentials.size() <= 1, "Invalid S3 Credentials: only one S3 credential should exist");
+
+    return s3Credentials.isEmpty() ? ImmutableMap.of() : s3Credentials.get(0).config();
+  }
 }
@@ -66,9 +66,11 @@
 import org.apache.iceberg.io.FileIOParser;
 import org.apache.iceberg.io.FileInfo;
 import org.apache.iceberg.io.IOUtil;
+import org.apache.iceberg.io.ImmutableStorageCredential;
 import org.apache.iceberg.io.InputFile;
 import org.apache.iceberg.io.OutputFile;
 import org.apache.iceberg.io.ResolvingFileIO;
+import org.apache.iceberg.io.StorageCredential;
 import org.apache.iceberg.jdbc.JdbcCatalog;
 import org.apache.iceberg.relocated.com.google.common.collect.ImmutableList;
 import org.apache.iceberg.relocated.com.google.common.collect.ImmutableMap;
@@ -77,6 +79,8 @@
 import org.apache.iceberg.relocated.com.google.common.collect.Streams;
 import org.apache.iceberg.types.Types;
 import org.apache.iceberg.util.SerializableSupplier;
+import org.assertj.core.api.InstanceOfAssertFactories;
+import org.assertj.core.api.ObjectAssert;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Disabled;
@@ -539,6 +543,115 @@ public void testInputFileWithManifest() throws IOException {
     verify(s3mock, never()).headObject(any(HeadObjectRequest.class));
   }
 
+  @Test
+  public void noStorageCredentialConfigured() {
+    S3FileIO fileIO = new S3FileIO();
+    fileIO.setCredentials(ImmutableList.of());
+    fileIO.initialize(
+        ImmutableMap.of(
+            "s3.access-key-id",
+            "keyIdFromProperties",
+            "s3.secret-access-key",
+            "accessKeyFromProperties",
+            "s3.session-token",
+            "sessionTokenFromProperties"));
+
+    ObjectAssert<S3FileIOProperties> s3FileIOProperties =
+        assertThat(fileIO)
+            .extracting("s3FileIOProperties")
+            .asInstanceOf(InstanceOfAssertFactories.type(S3FileIOProperties.class));
+    s3FileIOProperties.extracting(S3FileIOProperties::accessKeyId).isEqualTo("keyIdFromProperties");
+    s3FileIOProperties
+        .extracting(S3FileIOProperties::secretAccessKey)
+        .isEqualTo("accessKeyFromProperties");
+    s3FileIOProperties
+        .extracting(S3FileIOProperties::sessionToken)
+        .isEqualTo("sessionTokenFromProperties");
+  }
+
+  @Test
+  public void singleStorageCredentialConfigured() {
+    StorageCredential s3Credential =
+        ImmutableStorageCredential.builder()
+            .prefix("s3://custom-uri")
+            .config(
+                ImmutableMap.of(
+                    "s3.access-key-id",
+                    "keyIdFromCredential",
+                    "s3.secret-access-key",
+                    "accessKeyFromCredential",
+                    "s3.session-token",
+                    "sessionTokenFromCredential"))
+            .build();
+
+    S3FileIO fileIO = new S3FileIO();
+    fileIO.setCredentials(ImmutableList.of(s3Credential));
+    fileIO.initialize(
+        ImmutableMap.of(
+            "s3.access-key-id",
+            "keyIdFromProperties",
+            "s3.secret-access-key",
+            "accessKeyFromProperties",
+            "s3.session-token",
+            "sessionTokenFromProperties"));
+
+    ObjectAssert<S3FileIOProperties> s3FileIOProperties =
+        assertThat(fileIO)
+            .extracting("s3FileIOProperties")
+            .asInstanceOf(InstanceOfAssertFactories.type(S3FileIOProperties.class));
+    s3FileIOProperties.extracting(S3FileIOProperties::accessKeyId).isEqualTo("keyIdFromCredential");
+    s3FileIOProperties
+        .extracting(S3FileIOProperties::secretAccessKey)
+        .isEqualTo("accessKeyFromCredential");
+    s3FileIOProperties
+        .extracting(S3FileIOProperties::sessionToken)
+        .isEqualTo("sessionTokenFromCredential");
+  }
+
+  @Test
+  public void multipleStorageCredentialsConfigured() {
+    StorageCredential s3Credential1 =
+        ImmutableStorageCredential.builder()
+            .prefix("s3://custom-uri/1")
+            .config(
+                ImmutableMap.of(
+                    "s3.access-key-id",
+                    "keyIdFromCredential1",
+                    "s3.secret-access-key",
+                    "accessKeyFromCredential1",
+                    "s3.session-token",
+                    "sessionTokenFromCredential1"))
+            .build();
+
+    StorageCredential s3Credential2 =
+        ImmutableStorageCredential.builder()
+            .prefix("s3://custom-uri/2")
+            .config(
+                ImmutableMap.of(
+                    "s3.access-key-id",
+                    "keyIdFromCredential2",
+                    "s3.secret-access-key",
+                    "accessKeyFromCredential2",
+                    "s3.session-token",
+                    "sessionTokenFromCredential2"))
+            .build();
+
+    S3FileIO fileIO = new S3FileIO();
+    fileIO.setCredentials(ImmutableList.of(s3Credential1, s3Credential2));
+    assertThatThrownBy(
+            () ->
+                fileIO.initialize(
+                    ImmutableMap.of(
+                        "s3.access-key-id",
+                        "keyIdFromProperties",
+                        "s3.secret-access-key",
+                        "accessKeyFromProperties",
+                        "s3.session-token",
+                        "sessionTokenFromProperties")))
+        .isInstanceOf(IllegalStateException.class)
+        .hasMessage("Invalid S3 Credentials: only one S3 credential should exist");
+  }
+
   private void createRandomObjects(String prefix, int count) {
     S3URI s3URI = new S3URI(prefix);
 
 
@@ -35,11 +35,14 @@
 import org.apache.iceberg.exceptions.ValidationException;
 import org.apache.iceberg.hadoop.Configurable;
 import org.apache.iceberg.io.FileIO;
+import org.apache.iceberg.io.StorageCredential;
 import org.apache.iceberg.io.SupportsBulkOperations;
+import org.apache.iceberg.io.SupportsStorageCredentials;
 import org.apache.iceberg.metrics.LoggingMetricsReporter;
 import org.apache.iceberg.metrics.MetricsReporter;
 import org.apache.iceberg.relocated.com.google.common.base.Joiner;
 import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
+import org.apache.iceberg.relocated.com.google.common.collect.ImmutableList;
 import org.apache.iceberg.relocated.com.google.common.collect.Iterables;
 import org.apache.iceberg.relocated.com.google.common.collect.Lists;
 import org.apache.iceberg.relocated.com.google.common.collect.MapMaker;
@@ -343,6 +346,33 @@ public static Catalog buildIcebergCatalog(String name, Map<String, String> optio
    *     loaded class cannot be cast to the given interface type
    */
   public static FileIO loadFileIO(String impl, Map<String, String> properties, Object hadoopConf) {
+    return loadFileIO(impl, properties, hadoopConf, ImmutableList.of());
+  }
+
+  /**
+   * Load a custom {@link FileIO} implementation.
+   *
+   * <p>The implementation must have a no-arg constructor. If the class implements Configurable, a
+   * Hadoop config will be passed using Configurable.setConf. If the class implements {@link
+   * SupportsStorageCredentials}, the storage credentials will be passed using {@link
+   * SupportsStorageCredentials#setCredentials(List)}. {@link FileIO#initialize(Map properties)} is
+   * called to complete the initialization.
+   *
+   * @param impl full class name of a custom FileIO implementation
+   * @param properties used to initialize the FileIO implementation
+   * @param hadoopConf a hadoop Configuration
+   * @param storageCredentials the storage credentials to configure if the FileIO implementation
+   *     implements {@link SupportsStorageCredentials}
+   * @return FileIO class
+   * @throws IllegalArgumentException if class path not found or right constructor not found or the
+   *     loaded class cannot be cast to the given interface type
+   */
+  @SuppressWarnings("unchecked")
+  public static FileIO loadFileIO(
+      String impl,
+      Map<String, String> properties,
+      Object hadoopConf,
+      List<? extends StorageCredential> storageCredentials) {
     LOG.info("Loading custom FileIO implementation: {}", impl);
     DynConstructors.Ctor<FileIO> ctor;
     try {
@@ -365,6 +395,9 @@ public static FileIO loadFileIO(String impl, Map<String, String> properties, Obj
     }
 
     configureHadoopConf(fileIO, hadoopConf);
+    if (fileIO instanceof SupportsStorageCredentials) {
+      ((SupportsStorageCredentials) fileIO).setCredentials(storageCredentials);
+    }
 
     fileIO.initialize(properties);
     return fileIO;
 
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.iceberg.io;
+
+import java.util.Map;
+import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
+import org.immutables.value.Value;
+
+@Value.Immutable
+public interface StorageCredential {
+  String prefix();
+
+  Map<String, String> config();
+
+  @Value.Check
+  default void validate() {
+    Preconditions.checkArgument(!prefix().isEmpty(), "Invalid prefix: must be non-empty");
+    Preconditions.checkArgument(!config().isEmpty(), "Invalid config: must be non-empty");
+  }
+}
@@ -0,0 +1,28 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.iceberg.io;
+
+import java.util.List;
+
+public interface SupportsStorageCredentials {
+
+  void setCredentials(List<? extends StorageCredential> credentials);
+
+  List<? extends StorageCredential> credentials();
+}