Smallrye nessie catalog s3 buckets

Per-bucket configurations. The effective value for a bucket is taken from the per-bucket setting. If no per-bucket setting is present, uses the values from top-level S3 settings.

Property Default Value Type Description
nessie.catalog.service.s3.buckets.<bucket-name>.name string The name of the bucket. If unset, the name of the bucket will be extracted from the configuration option, e.g. if nessie.catalog.service.s3.buckets.bucket1.name=my-bucket is set, the bucket name will be my-bucket; otherwise, it will be bucket1.

This should only be defined if the bucket name contains non-alphanumeric characters, such as dots or dashes.
nessie.catalog.service.s3.buckets.<bucket-name>.endpoint uri Endpoint URI, required for private (non-AWS) clouds, specified either per bucket or in the top-level S3 settings.

If the endpoint URIs for the Nessie server and clients differ, this one defines the endpoint used for the Nessie server.
nessie.catalog.service.s3.buckets.<bucket-name>.external-endpoint uri When using a specific endpoint (endpoint) and the endpoint URIs for the Nessie server and clients differ, you can specify the URI passed down to clients using this setting. Otherwise, clients will receive the value from the endpoint setting.
nessie.catalog.service.s3.buckets.<bucket-name>.path-style-access boolean Whether to use path-style access. If true, path-style access will be used, as in: https://<domain>/<bucket>. If false, a virtual-hosted style will be used instead, as in: https://<bucket>.<domain>. If unspecified, the default will depend on the cloud provider.
nessie.catalog.service.s3.buckets.<bucket-name>.access-point string AWS Access point for this bucket. Access points can be used to perform S3 operations by specifying a mapping of bucket to access points. This is useful for multi-region access, cross-region access, disaster recovery, etc.

See: Access Points
nessie.catalog.service.s3.buckets.<bucket-name>.allow-cross-region-access-point boolean Authorize cross-region calls when contacting an access-point.

By default, attempting to use an access point in a different region will throw an exception. When enabled, this property allows using access points in other regions.
nessie.catalog.service.s3.buckets.<bucket-name>.region string DNS name of the region, required for AWS. The region must be specified for AWS, either per bucket or in the top-level S3 settings.
nessie.catalog.service.s3.buckets.<bucket-name>.auth-type APPLICATION_GLOBAL, STATIC The authentication mode used by the Catalog server. If not set, the default is STATIC. Depending on the authentication mode, other properties may be required.

Valid values are:

* APPLICATION_GLOBAL: Use the AWS SDK default credentials provider.
* STATIC: Static credentials provided through the access-key option.

nessie.catalog.service.s3.buckets.<bucket-name>.access-key uri Name of the basic-credentials secret containing the access-key-id and secret-access-key, either per bucket or in the top-level S3 settings.

Required when auth-type is STATIC.

For STS, this defines the Access Key ID and Secret Key ID to be used as a basic credential for obtaining temporary session credentials.
nessie.catalog.service.s3.buckets.<bucket-name>.request-signing-enabled boolean Optional parameter to disable S3 request signing. Default is to enable S3 request signing.
nessie.catalog.service.s3.buckets.<bucket-name>.sts-endpoint uri The Security Token Service endpoint.

This parameter must be set when running in a private (non-AWS) cloud and the catalog is configured to use S3 sessions (e.g. to use the “assume role” functionality).
nessie.catalog.service.s3.buckets.<bucket-name>.server-iam.enabled boolean Optional parameter to enable assume role (vended credentials). Default is to disable assume role.
nessie.catalog.service.s3.buckets.<bucket-name>.server-iam.policy string IAM policy in JSON format to be used as an inline session policy (optional).

If specified, this policy will be used for all clients for all locations.

Related docs: S3 with IAM and about actions, resources, conditions and policy reference.
nessie.catalog.service.s3.buckets.<bucket-name>.server-iam.assume-role string The ARN of the role to assume for accessing S3 data. This parameter is required for Amazon S3, but may not be required for other storage providers (e.g. Minio does not use it at all).

If this option is defined, the server will attempt to assume the role at startup and cache the returned session credentials.
nessie.catalog.service.s3.buckets.<bucket-name>.server-iam.role-session-name string An identifier for the assumed role session. This parameter is most important in cases when the same role is assumed by different principals in different use cases.
nessie.catalog.service.s3.buckets.<bucket-name>.server-iam.external-id string An identifier for the party assuming the role. This parameter must match the external ID configured in IAM rules that govern the assume role process for the specified role-arn.

This parameter is essential in preventing the Confused Deputy problem.
nessie.catalog.service.s3.buckets.<bucket-name>.server-iam.session-duration duration An upper-bound estimate of the expected duration of client “sessions” working with data in this bucket. A session, for example, is the lifetime of an Iceberg REST catalog object on the client side. This value is used for validating expiration times of credentials associated with the warehouse. Must be >= 1 second.
nessie.catalog.service.s3.buckets.<bucket-name>.client-iam.statements list of string Additional IAM policy statements to be inserted after the automatically generated S3 location dependent Allow policy statement.

Example:

...client-iam.statements[0]={"Effect":"Allow", "Action":"s3:*", "Resource":"arn:aws:s3:::*/alwaysAllowed/*"}
...client-iam.statements[1]={"Effect":"Deny", "Action":"s3:*", "Resource":"arn:aws:s3:::*/blocked/*"}

Related docs: S3 with IAM and about actions, resources, conditions and policy reference.
nessie.catalog.service.s3.buckets.<bucket-name>.client-iam.enabled boolean Optional parameter to enable assume role (vended credentials). Default is to disable assume role.
nessie.catalog.service.s3.buckets.<bucket-name>.client-iam.policy string IAM policy in JSON format to be used as an inline session policy (optional).

If specified, this policy will be used for all clients for all locations.

Related docs: S3 with IAM and about actions, resources, conditions and policy reference.
nessie.catalog.service.s3.buckets.<bucket-name>.client-iam.assume-role string The ARN of the role to assume for accessing S3 data. This parameter is required for Amazon S3, but may not be required for other storage providers (e.g. Minio does not use it at all).

If this option is defined, the server will attempt to assume the role at startup and cache the returned session credentials.
nessie.catalog.service.s3.buckets.<bucket-name>.client-iam.role-session-name string An identifier for the assumed role session. This parameter is most important in cases when the same role is assumed by different principals in different use cases.
nessie.catalog.service.s3.buckets.<bucket-name>.client-iam.external-id string An identifier for the party assuming the role. This parameter must match the external ID configured in IAM rules that govern the assume role process for the specified role-arn.

This parameter is essential in preventing the Confused Deputy problem.
nessie.catalog.service.s3.buckets.<bucket-name>.client-iam.session-duration duration An upper-bound estimate of the expected duration of client “sessions” working with data in this bucket. A session, for example, is the lifetime of an Iceberg REST catalog object on the client side. This value is used for validating expiration times of credentials associated with the warehouse. Must be >= 1 second.
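
A configuration check for the server-iam.external-id and client-iam.external-id entries above, written as an added example (it is not code from the Nessie project): it resolves each option per bucket with the fallback described at the top of this page and reports every bucket that enables assume role without an external ID. The top-level prefix nessie.catalog.service.s3.default-options. is an assumption, since this page does not name the top-level keys, and the sample properties are constructed.

```python
PER_BUCKET = "nessie.catalog.service.s3.buckets."
TOP_LEVEL = "nessie.catalog.service.s3.default-options."  # assumed prefix, not shown on this page

# Constructed sample configuration; bucket names, role ARNs and IDs are placeholders.
SAMPLE = """\
nessie.catalog.service.s3.default-options.server-iam.external-id=example-server-id
nessie.catalog.service.s3.buckets.lake.server-iam.enabled=true
nessie.catalog.service.s3.buckets.lake.server-iam.assume-role=arn:aws:iam::111122223333:role/example-server
nessie.catalog.service.s3.buckets.lake.client-iam.enabled=true
nessie.catalog.service.s3.buckets.lake.client-iam.assume-role=arn:aws:iam::111122223333:role/example-client
nessie.catalog.service.s3.buckets.raw.client-iam.enabled=true
nessie.catalog.service.s3.buckets.raw.client-iam.assume-role=arn:aws:iam::111122223333:role/example-client
nessie.catalog.service.s3.buckets.raw.client-iam.external-id=example-client-id
"""

def parse(text):
    """Parse key=value lines into a dict, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def effective(props, bucket, option):
    """Per-bucket value if present, otherwise the top-level value (None if neither is set)."""
    return props.get(f"{PER_BUCKET}{bucket}.{option}", props.get(TOP_LEVEL + option))

def missing_external_id(text):
    """Return sorted (bucket, scope) pairs that enable assume role without an external ID."""
    props = parse(text)
    buckets = {k[len(PER_BUCKET):].split(".", 1)[0] for k in props if k.startswith(PER_BUCKET)}
    findings = []
    for bucket in sorted(buckets):
        for scope in ("server-iam", "client-iam"):
            enabled = (effective(props, bucket, f"{scope}.enabled") or "").lower() == "true"
            if enabled and not effective(props, bucket, f"{scope}.external-id"):
                findings.append((bucket, scope))
    return findings
```

In the sample, the lake bucket's server-iam scope inherits its external ID from the top-level setting, while its client-iam scope has none at either level and is the only finding.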
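
How the client-iam.statements entries combine with the generated location-dependent Allow statement, as an added example that is not Nessie's own code: it appends the two statements from the example on this page to a constructed stand-in for the generated statement and evaluates sample requests with a simplified IAM rule (explicit Deny wins, then Allow, otherwise implicit deny). The generated statement's shape, the bucket name and the object keys are assumptions; only Action and Resource are evaluated, not Condition or NotAction.

```python
import json
import re

# The two statements from the client-iam.statements example on this page.
EXTRA = [
    '{"Effect":"Allow", "Action":"s3:*", "Resource":"arn:aws:s3:::*/alwaysAllowed/*"}',
    '{"Effect":"Deny", "Action":"s3:*", "Resource":"arn:aws:s3:::*/blocked/*"}',
]
# Constructed stand-in for the automatically generated, location-dependent Allow statement.
GENERATED = {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::lake/warehouse/orders/*"}

def build_policy(generated, extra):
    """Generated statement first, configured statements inserted after it."""
    return {"Version": "2012-10-17", "Statement": [generated] + [json.loads(s) for s in extra]}

def _matches(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def decide(policy, action, resource):
    """Explicit Deny wins regardless of statement order; any Allow otherwise; else implicit deny."""
    verdict = "ImplicitDeny"
    for st in policy["Statement"]:
        hit = (any(_matches(a, action) for a in _as_list(st["Action"]))
               and any(_matches(r, resource) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return "Deny"
        if hit:
            verdict = "Allow"
    return verdict

POLICY = build_policy(GENERATED, EXTRA)
```

The wildcard Allow reaches keys under any `/alwaysAllowed/` prefix in any bucket, outside the table location, and the Deny blocks `/blocked/` keys even inside it. Because this is an inline session policy, the vended credentials are further limited by what the assumed role itself permits.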