docs: add Lakekeeper Iceberg catalog runbook#601
Merged
Documents the per-org Lakekeeper Iceberg REST catalog backend: the operator-provisioned architecture, the no-vending credential model (worker reads/writes S3 with its own creds; Lakekeeper serves metadata only), tenant activation via the admin API, end-to-end verification, and troubleshooting. Captures the load-bearing lesson from bringing it up: DuckDB's iceberg extension defaults ACCESS_DELEGATION_MODE to 'vended_credentials', so omitting the option does not disable vending — with server-side vending off, the client gets an empty path-scoped S3 secret that shadows iceberg_sigv4 and every data write 403s. The attach must set ACCESS_DELEGATION_MODE 'none' explicitly. Sanitized for the public repo: placeholders only, no environment-specific identifiers. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary

Adds a runbook for the per-org Lakekeeper Iceberg REST catalog backend (docs/runbooks/lakekeeper-iceberg-catalog.md), linked from the README:

- lakekeeper namespace.
- iceberg_sigv4 credentials. Vending is disabled.
- ACCESS_DELEGATION_MODE to 'vended_credentials', so omitting the option does not disable vending. With server-side vending off, the client gets an empty path-scoped S3 secret that shadows iceberg_sigv4, and every data write 403s (while metadata ops still succeed). The attach must set ACCESS_DELEGATION_MODE 'none' explicitly (fix(lakekeeper): set ACCESS_DELEGATION_MODE 'none' on Iceberg ATTACH #600).
- duckdb_secrets() check, and the failure modes hit during turn-up.

Docs only. Sanitized for the public repo — placeholders (<org>, <bucket>, $ADMIN_API) only, no environment-specific identifiers (account IDs, cluster names, real org UUIDs live in the private ops runbook instead).

🤖 Generated with Claude Code
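The attach and the duckdb_secrets() check the PR describes, written out as an added DuckDB SQL example that is not the runbook's own content. Host, warehouse, namespace, region and the OAuth2 client-credentials auth are placeholders and assumptions; the secret name iceberg_sigv4 and the ACCESS_DELEGATION_MODE 'none' setting come from the PR.

```sql
-- Added example (not from the runbook): attach a Lakekeeper REST catalog from
-- DuckDB with credential vending turned off on the client side.
-- Placeholders: <lakekeeper-host>, <warehouse>, <namespace>, <bucket>, <region>,
-- <idp>, <client-id>, <client-secret>.
INSTALL iceberg; LOAD iceberg;
INSTALL httpfs;  LOAD httpfs;

-- The worker's own S3 credentials (no vending: Lakekeeper serves metadata only).
-- This is the secret that an unintended vended, empty, path-scoped secret would
-- shadow for the warehouse prefix.
CREATE SECRET iceberg_sigv4 (
    TYPE s3,
    PROVIDER credential_chain,   -- assumption: worker runs under an instance/task role
    REGION '<region>',
    SCOPE 's3://<bucket>/'
);

-- Catalog auth (assumption: OAuth2 client credentials; adjust to your IdP).
CREATE SECRET lakekeeper_auth (
    TYPE iceberg,
    CLIENT_ID '<client-id>',
    CLIENT_SECRET '<client-secret>',
    OAUTH2_SERVER_URI 'https://<idp>/oauth2/token'
);

-- The load-bearing option: ACCESS_DELEGATION_MODE defaults to 'vended_credentials',
-- so it has to be set to 'none' explicitly, not merely left out.
ATTACH '<warehouse>' AS lakekeeper (
    TYPE iceberg,
    ENDPOINT 'https://<lakekeeper-host>/catalog',
    SECRET lakekeeper_auth,
    ACCESS_DELEGATION_MODE 'none'
);

-- Check 1: only the two secrets created above should be listed. A further S3
-- secret scoped to the warehouse path with empty key material means the client
-- is still in vending mode and will shadow iceberg_sigv4.
SELECT name, type, provider, scope FROM duckdb_secrets() ORDER BY name;

-- Check 2: metadata operations succeed either way; only a data write goes to S3
-- with the worker's credentials, so a scratch table is the real end-to-end probe.
SHOW ALL TABLES;
CREATE TABLE lakekeeper.<namespace>.vending_probe AS SELECT 1 AS ok;
SELECT * FROM lakekeeper.<namespace>.vending_probe;
DROP TABLE lakekeeper.<namespace>.vending_probe;
```

If the CREATE TABLE step returns an S3 403 while SHOW ALL TABLES worked, re-run the duckdb_secrets() query: the shadowing path-scoped secret is the symptom to look for before touching bucket policies.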