Add Cloud version of recommended IAM policy for Glue integration

kbatuigas · kbatuigas · commit 3df97b1e7be0 · 2025-08-26T19:10:35.000-07:00
diff --git a/modules/manage/pages/iceberg/iceberg-topics-aws-glue.adoc b/modules/manage/pages/iceberg/iceberg-topics-aws-glue.adoc
@@ -46,7 +46,7 @@ If you want to use partitioning, you must specify a custom partition specificati
 
 === Manual deletion of Iceberg tables
 
-The AWS Glue catalog integration requires Redpanda Iceberg tables to be manually deleted. To manually delete Iceberg tables, you must first set the cluster property config_ref:iceberg_delete,true,properties/cluster-properties[`iceberg_delete`] to `false` when you configure the catalog integration. 
+The AWS Glue catalog integration does not support automatic deletion of Iceberg tables from Redpanda. To manually delete Iceberg tables in AWS Glue, you must first set the cluster property config_ref:iceberg_delete,true,properties/cluster-properties[`iceberg_delete`] to `false` when you configure the catalog integration. 
 
 When `iceberg_delete` is set to `false`, you can delete the Redpanda topic, and then delete the table in AWS Glue and the Iceberg data and metadata files in the S3 bucket. If your intent is to recreate the topic after deleting it, you are required to delete the table data entirely before recreating the topic.
 
@@ -56,11 +56,36 @@ ifndef::env-cloud[]
 You must allow Redpanda access to AWS Glue services in your AWS account. You can use the same access credentials that you configured for S3 (IAM role, access keys, and KMS key), as long as you have also added read and write access to AWS Glue Data Catalog.
 
 For example, you could create a separate IAM policy that manages access to AWS Glue, and attach it to the IAM role that Redpanda also uses to access S3. It is recommended to add all AWS Glue API actions in the policy (`"glue:*"`) on the following resources:
+
+- Root catalog (`catalog`)
+- All databases (`database/*`)
+- All tables (`table/\*/*`)
+
+Your IAM policy should include a statement similar to the following:
+
+[,json]
+----
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "glue:*"
+      ],
+      "Resource": [
+        "arn:aws:glue:<aws-region>:<aws-account-id>:catalog",
+        "arn:aws:glue:<aws-region>:<aws-account-id>:database/*",
+        "arn:aws:glue:<aws-region>:<aws-account-id>:table/*/*"
+        ]
+    }
+  ]
+}
+----
 endif::[]
 
 ifdef::env-cloud[]
 You must allow Redpanda access to AWS Glue services in your AWS account. It is recommended to create a new IAM policy or role that manages access to AWS Glue, allowing all AWS Glue API actions (`"glue:*"`) on the following resources:
-endif::[]
 
 - Root catalog (`catalog`)
 - All databases (`database/*`)
@@ -83,10 +108,38 @@ Your IAM policy should include a statement similar to the following:
         "arn:aws:glue:<aws-region>:<aws-account-id>:database/*",
         "arn:aws:glue:<aws-region>:<aws-account-id>:table/*/*"
         ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:PutObject",
+        "s3:PutObjectAcl",
+        "s3:DeleteObject"
+      ],
+      "Resource": [
+        "arn:aws:s3:::redpanda-cloud-storage-<redpanda-cluster-id>/redpanda-iceberg-catalog/*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:ListBucket"
+      ],
+      "Resource": [
+        "arn:aws:s3:::redpanda-cloud-storage-<redpanda-cluster-id>"
+      ],
+      "Condition": {
+        "StringLike": {
+          "s3:prefix": [
+            "redpanda-iceberg-catalog/*"
+          ]
+        }
+      }
     }
   ]
 }
 ----
+endif::[]
 
 For more information on configuring IAM permissions, see the https://docs.aws.amazon.com/glue/latest/dg/configure-iam-for-glue.html[AWS Glue documentation^].
 
@@ -125,13 +178,13 @@ Run `rpk cluster config edit` to update these properties:
 ----
 iceberg_enabled: true
 # Glue requires Redpanda Iceberg tables to be manually deleted
-iceberg_delete: false 
+iceberg_delete: false
 iceberg_catalog_type: rest
 iceberg_rest_catalog_endpoint: https://glue.<glue-region>.amazonaws.com/iceberg
 iceberg_rest_catalog_authentication_mode: aws_sigv4
 iceberg_rest_catalog_base_location: s3://<bucket-name>/<warehouse-path>
 # Use the iceberg_rest_catalog_aws_* properties if you want to 
-# use separate AWS credentials for the catalog, or delete to reuse S3 
+# use separate AWS credentials for the catalog, or omit these lines to reuse S3 
 # (cloud_storage_*) credentials.
 # For access using access keys only, use iceberg_rest_catalog_aws_access_key
 # and iceberg_rest_catalog_aws_secret_key. For access with an IAM role, use 
diff --git a/modules/reference/pages/properties/cluster-properties.adoc b/modules/reference/pages/properties/cluster-properties.adoc
@@ -2265,7 +2265,7 @@ Source of AWS credentials for Iceberg REST catalog SigV4 authentication. If not
 endif::[]
 
 ifdef::env-cloud[]
-Source of AWS credentials for Iceberg REST catalog SigV4 authentication. If using `iceberg_rest_catalog_aws_access_key` and `iceberg_rest_catalog_aws_secret_key` for Glue catalog authentication, you must set this property to `config_file`.
+Source of AWS credentials for Iceberg REST catalog SigV4 authentication. If providing explicit credentials using `iceberg_rest_catalog_aws_access_key` and `iceberg_rest_catalog_aws_secret_key` for Glue catalog authentication, you must set this property to `config_file`.
 endif::[]
 
 *Accepted values*: `aws_instance_metadata`, `azure_aks_oidc_federation`, `azure_vm_instance_metadata`, `config_file`, `gcp_instance_metadata`, `sts`.
