Description
Describe the bug
When connecting to s3 with vended credentials the Iceberg SDK configures the credentials based on the response from the server which includes the properties:
"s3.access-key-id"
"s3.secret-access-key"
"s3.session-token"
These credentials work fine; however, they expire after an hour by default. To refresh the S3 credentials, the Iceberg SDK provides a dedicated credentials provider, VendedCredentialsProvider.java (https://github.com/apache/iceberg/blob/main/aws/src/main/java/org/apache/iceberg/aws/s3/VendedCredentialsProvider.java).
This credentials provider is created if, and only if, the configuration value AwsClientProperties.REFRESH_CREDENTIALS_ENDPOINT is set. If it is not set, the SDK does not use this provider and therefore never refreshes the credentials.
The client-side user can't configure this endpoint manually when configuring the catalog, since each table may have a different endpoint; the typical pattern has the structure /v1/{prefix}/namespaces/{namespace}/tables/{table}/credentials.
I have debugged the returned properties from the Polaris server when loading vended credentials and I have noticed they do not include the required "client.refresh-credentials-endpoint" setting.
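The provider selection described above, as an added check that is not part of this issue or of Iceberg/Polaris: it mirrors the SDK's decision on the properties a table load returns and flags the expiry risk. The keys "client.refresh-credentials-enabled" and "s3.session-token-expires-at-ms" are assumed Iceberg property names not quoted in the issue; the sample responses are constructed.

```python
import time

# Property keys quoted in the issue.
ACCESS_KEY = "s3.access-key-id"
SECRET_KEY = "s3.secret-access-key"
SESSION_TOKEN = "s3.session-token"
REFRESH_ENDPOINT = "client.refresh-credentials-endpoint"
# Assumed Iceberg property names that the issue does not quote.
REFRESH_ENABLED = "client.refresh-credentials-enabled"  # assumed default "true"
EXPIRES_AT_MS = "s3.session-token-expires-at-ms"


def classify_vended_credentials(props, now_ms=None):
    """Mirror the provider selection the issue describes and report the risk.
    Returns {"refreshing": bool, "problems": [str, ...]}; "refreshing" is True
    only when the SDK would build the refreshing VendedCredentialsProvider."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    problems = []
    enabled = props.get(REFRESH_ENABLED, "true").lower() == "true"
    refreshing = enabled and bool(props.get(REFRESH_ENDPOINT))

    if ACCESS_KEY not in props or SECRET_KEY not in props:
        problems.append("no vended access key / secret key in table properties")
    if SESSION_TOKEN in props and not refreshing:
        problems.append("temporary session token but no %s: credentials will "
                        "expire and never be refreshed" % REFRESH_ENDPOINT)
    if EXPIRES_AT_MS in props:
        remaining_s = (int(props[EXPIRES_AT_MS]) - now_ms) // 1000
        if remaining_s <= 0:
            problems.append("session token already expired")
        elif not refreshing:
            problems.append("session token expires in %d s" % remaining_s)
    return {"refreshing": refreshing, "problems": problems}


# Constructed sample of what the issue reports Polaris returning: static
# temporary credentials with no refresh endpoint.
POLARIS_RESPONSE = {
    ACCESS_KEY: "ASIAEXAMPLEKEY", SECRET_KEY: "example-secret",
    SESSION_TOKEN: "example-session-token", EXPIRES_AT_MS: "1700003600000",
}
# Constructed sample of the response the client needs: the same credentials
# plus a per-table endpoint following the pattern quoted in the issue.
EXPECTED_RESPONSE = dict(POLARIS_RESPONSE)
EXPECTED_RESPONSE[REFRESH_ENDPOINT] = "/v1/polaris/namespaces/db/tables/orders/credentials"

if __name__ == "__main__":
    print(classify_vended_credentials(POLARIS_RESPONSE, now_ms=1700000000000))
    print(classify_vended_credentials(EXPECTED_RESPONSE, now_ms=1700000000000))
```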
To Reproduce
Load a table via the rest catalog using the Iceberg SDK (version 1.9.1).
Perform an action that uses the S3FileIO. This initializes the S3 client and fetches the credentials.
Wait 1 hour
Perform another action that uses the IO.
Actual Behavior
software.amazon.awssdk.services.s3.model.S3Exception: The provided token has expired. (Service: S3, Status Code: 400, Request ID: CZRQCEYY50XY7FK0, Extended Request ID: gJPo7OfiUI/h8/GDFAe7Ddz0UC1VVO6F1cCrSoDSVRZgyZ8o5thxd4fPRPvV0F/pb5Y/g2JwdDJmzStRbGxTB3p0FVnha+PX)
at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handleErrorResponse(CombinedResponseHandler.java:125)
at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handleResponse(CombinedResponseHandler.java:82)
at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handle(CombinedResponseHandler.java:60)
at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handle(CombinedResponseHandler.java:41)
at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.execute(HandleResponseStage.java:50)
at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.execute(HandleResponseStage.java:38)
at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallAttemptTimeoutTrackingStage.execute(ApiCallAttemptTimeoutTrackingStage.java:72)
Expected Behavior
Credentials get refreshed automatically
Additional context
No response
System information
No response