Enable Extra-Credential Support for Iceberg OAuth Token & Credential #27197

@git-rbanerjee

Enable extra-credential support for Iceberg OAuth tokens or credentials so users can connect to Trino using their own OAuth tokens/credentials. This allows secure passthrough authentication from Trino to an Iceberg REST catalog (e.g., Polaris), aligning with modern security practices and user-managed token flows.

The problem with using `iceberg.rest-catalog.session` is described here.

Today, users need to configure credentials statically on the Trino side. With this feature, users will be able to bring their own time-limited credentials at query time.

Example session-level connection:

```
./trino \
  --server http://localhost:8080 \
  --extra-credential oauth_token="my1hrvalidtoken"
```

Example Connector Config

```
connector.name=iceberg
fs.native-s3.enabled=true
iceberg.catalog.type=rest
iceberg.rest-catalog.oauth2.credential=oauth_credential
iceberg.rest-catalog.oauth2.token=oauth_token
iceberg.rest-catalog.oauth2.scope=PRINCIPAL_ROLE\:admin
iceberg.rest-catalog.oauth2.server-uri=https://myorg/oauth/token
iceberg.rest-catalog.security=OAUTH2
iceberg.rest-catalog.uri=https://polaris/api/catalog
iceberg.rest-catalog.vended-credentials-enabled=true
iceberg.rest-catalog.warehouse=mywarehouse
```
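
A sketch of the per-query lookup this request implies, added here as an illustration and not Trino or Iceberg code. It assumes the `oauth2.token` and `oauth2.credential` properties hold the name of an extra credential (as the matching `oauth_token` key in the CLI example suggests); `parse_properties`, `resolve_oauth` and `redact` are hypothetical helpers.

```python
import re

# Constructed sample: a subset of the connector config shown in the issue.
CATALOG_PROPERTIES = r"""
connector.name=iceberg
iceberg.rest-catalog.security=OAUTH2
iceberg.rest-catalog.oauth2.credential=oauth_credential
iceberg.rest-catalog.oauth2.token=oauth_token
iceberg.rest-catalog.oauth2.scope=PRINCIPAL_ROLE\:admin
"""
PREFIX = "iceberg.rest-catalog.oauth2."


def parse_properties(text):
    """Parse key=value lines and undo backslash escapes such as \\: in the scope."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props


def resolve_oauth(props, extra_credentials):
    """Return (kind, secret) taken from the session's extra credentials.

    Assumptions, not Trino behaviour: the token/credential properties hold
    the NAME of an extra credential, a token is preferred over a credential,
    and a session that supplies neither is rejected rather than served with
    a shared static secret.
    """
    for kind in ("token", "credential"):
        name = props.get(PREFIX + kind)
        secret = extra_credentials.get(name) if name else None
        if secret:
            return kind, secret
    raise PermissionError("session supplied no OAuth token or credential")


def redact(kind, secret):
    """Log-safe description: which credential was used, never its value."""
    return f"{kind}=<redacted, {len(secret)} chars>"
```

Failing closed when the session brings no credential keeps a query from silently running under a shared identity, and logging only the redacted form keeps the bearer token out of query logs.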
