[feat](Iceberg)Rest & S3Table Support Iam-role (apache#60498)

FYI apache#59893

The initial implementation was contributed by https://github.com/Sbaia .
Many thanks for his contributions.

Author: CalvinKirs

fe/fe-core/src/main/java/org/apache/doris/datasource/iceberg/s3tables/CustomAwsCredentialsProvider.java

@@ -177,4 +177,32 @@ public static String getV2ClassName(AwsCredentialsProviderMode mode, boolean inc
                         "AWS SDK V2 does not support credentials provider mode: " + mode);
         }
     }
+
+    /**
+     * Get the AWS credentials provider class name.
+     * For DEFAULT mode, returns AWS SDK native DefaultCredentialsProvider.
+     * For other modes, returns the specific provider class name.
+     */
+    public static String getV2ClassName(AwsCredentialsProviderMode mode) {
+        switch (mode) {
+            case ENV:
+                return EnvironmentVariableCredentialsProvider.class.getName();
+            case SYSTEM_PROPERTIES:
+                return SystemPropertyCredentialsProvider.class.getName();
+            case WEB_IDENTITY:
+                return WebIdentityTokenFileCredentialsProvider.class.getName();
+            case CONTAINER:
+                return ContainerCredentialsProvider.class.getName();
+            case INSTANCE_PROFILE:
+                return InstanceProfileCredentialsProvider.class.getName();
+            case ANONYMOUS:
+                return AnonymousCredentialsProvider.class.getName();
+            case DEFAULT:
+                // For Iceberg REST, use AWS SDK native DefaultCredentialsProvider
+                return "software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider";
+            default:
+                throw new UnsupportedOperationException(
+                        "AWS SDK V2 does not support credentials provider mode: " + mode);
+        }
+    }
 }

fe/fe-core/src/main/java/org/apache/doris/datasource/property/common/AwsCredentialsProviderFactory.java

@@ -0,0 +1,52 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.datasource.property.common;
+
+import org.apache.doris.datasource.property.storage.S3Properties;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.iceberg.aws.AssumeRoleAwsClientFactory;
+import org.apache.iceberg.aws.AwsProperties;
+
+import java.util.Map;
+
+/**
+ * Shared util for putting Iceberg AWS assume-role properties into a map.
+ * Used by Iceberg REST (glue/s3tables signing), S3 Tables catalog, and S3 FileIO.
+ */
+public final class IcebergAwsAssumeRoleProperties {
+
+    private IcebergAwsAssumeRoleProperties() {}
+
+    /**
+     * Puts assume-role related Iceberg client properties into the target map when roleArn is present.
+     * No-op if roleArn is blank.
+     */
+    public static void putAssumeRoleProperties(Map<String, String> target, S3Properties s3Properties) {
+        if (StringUtils.isBlank(s3Properties.getS3IAMRole())) {
+            return;
+        }
+        target.put(AwsProperties.CLIENT_FACTORY, AssumeRoleAwsClientFactory.class.getName());
+        target.put("aws.region", s3Properties.getRegion());
+        target.put(AwsProperties.CLIENT_ASSUME_ROLE_REGION, s3Properties.getRegion());
+        target.put(AwsProperties.CLIENT_ASSUME_ROLE_ARN, s3Properties.getS3IAMRole());
+        if (StringUtils.isNotBlank(s3Properties.getS3ExternalId())) {
+            target.put(AwsProperties.CLIENT_ASSUME_ROLE_EXTERNAL_ID, s3Properties.getS3ExternalId());
+        }
+    }
+}

fe/fe-core/src/main/java/org/apache/doris/datasource/property/common/IcebergAwsAssumeRoleProperties.java

@@ -0,0 +1,144 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.datasource.property.common;
+
+import org.apache.doris.datasource.property.storage.S3Properties;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.iceberg.aws.AwsClientProperties;
+import org.apache.iceberg.aws.AwsProperties;
+import org.apache.iceberg.aws.s3.S3FileIOProperties;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+
+import java.util.Map;
+
+public final class IcebergAwsClientCredentialsProperties {
+
+    private IcebergAwsClientCredentialsProperties() {}
+
+    public static void putCredentialProviderProperties(Map<String, String> target, S3Properties s3Properties) {
+        switch (getCredentialType(s3Properties)) {
+            case EXPLICIT:
+                putExplicitRestCredentials(target, s3Properties.getAccessKey(), s3Properties.getSecretKey(),
+                        s3Properties.getSessionToken());
+                return;
+            case ASSUME_ROLE:
+                IcebergAwsAssumeRoleProperties.putAssumeRoleProperties(target, s3Properties);
+                return;
+            case PROVIDER_CHAIN:
+                putCredentialsProvider(target, s3Properties.getAwsCredentialsProviderMode());
+                return;
+            default:
+                throw new IllegalStateException("Unsupported Iceberg AWS credential type");
+        }
+    }
+
+    public static void putCredentialProviderProperties(Map<String, String> target,
+            String accessKey, String secretKey, String sessionToken, AwsCredentialsProviderMode providerMode) {
+        if (StringUtils.isNotBlank(accessKey) && StringUtils.isNotBlank(secretKey)) {
+            putExplicitRestCredentials(target, accessKey, secretKey, sessionToken);
+            return;
+        }
+        putCredentialsProvider(target, providerMode);
+    }
+
+    public static void putS3FileIOCredentialProperties(Map<String, String> target,
+            S3Properties s3Properties) {
+        putS3FileIOProperties(target, s3Properties);
+        switch (getCredentialType(s3Properties)) {
+            case EXPLICIT:
+                return;
+            case ASSUME_ROLE:
+                IcebergAwsAssumeRoleProperties.putAssumeRoleProperties(target, s3Properties);
+                return;
+            case PROVIDER_CHAIN:
+                putCredentialsProvider(target, s3Properties.getAwsCredentialsProviderMode());
+                return;
+            default:
+                throw new IllegalStateException("Unsupported Iceberg AWS credential type");
+        }
+    }
+
+    public static AwsCredentialsProvider createAwsCredentialsProvider(S3Properties s3Properties,
+            boolean includeAnonymousInDefault) {
+        switch (getCredentialType(s3Properties)) {
+            case EXPLICIT:
+            case ASSUME_ROLE:
+                return s3Properties.getAwsCredentialsProvider();
+            case PROVIDER_CHAIN:
+                return AwsCredentialsProviderFactory.createV2(
+                        s3Properties.getAwsCredentialsProviderMode(), includeAnonymousInDefault);
+            default:
+                throw new IllegalStateException("Unsupported Iceberg AWS credential type");
+        }
+    }
+
+    private static CredentialType getCredentialType(S3Properties s3Properties) {
+        if (StringUtils.isNotBlank(s3Properties.getAccessKey())
+                && StringUtils.isNotBlank(s3Properties.getSecretKey())) {
+            return CredentialType.EXPLICIT;
+        }
+        if (StringUtils.isNotBlank(s3Properties.getS3IAMRole())) {
+            return CredentialType.ASSUME_ROLE;
+        }
+        return CredentialType.PROVIDER_CHAIN;
+    }
+
+    private static void putExplicitRestCredentials(Map<String, String> target,
+            String accessKey, String secretKey, String sessionToken) {
+        target.put(AwsProperties.REST_ACCESS_KEY_ID, accessKey);
+        target.put(AwsProperties.REST_SECRET_ACCESS_KEY, secretKey);
+        if (StringUtils.isNotBlank(sessionToken)) {
+            target.put(AwsProperties.REST_SESSION_TOKEN, sessionToken);
+        }
+    }
+
+    private static void putS3FileIOProperties(Map<String, String> target,
+            S3Properties s3Properties) {
+        if (StringUtils.isNotBlank(s3Properties.getEndpoint())) {
+            target.put(S3FileIOProperties.ENDPOINT, s3Properties.getEndpoint());
+        }
+        if (StringUtils.isNotBlank(s3Properties.getUsePathStyle())) {
+            target.put(S3FileIOProperties.PATH_STYLE_ACCESS, s3Properties.getUsePathStyle());
+        }
+        if (StringUtils.isNotBlank(s3Properties.getAccessKey())) {
+            target.put(S3FileIOProperties.ACCESS_KEY_ID, s3Properties.getAccessKey());
+        }
+        if (StringUtils.isNotBlank(s3Properties.getSecretKey())) {
+            target.put(S3FileIOProperties.SECRET_ACCESS_KEY, s3Properties.getSecretKey());
+        }
+        if (StringUtils.isNotBlank(s3Properties.getSessionToken())) {
+            target.put(S3FileIOProperties.SESSION_TOKEN, s3Properties.getSessionToken());
+        }
+    }
+
+    private static void putCredentialsProvider(Map<String, String> target,
+            AwsCredentialsProviderMode providerMode) {
+        if (providerMode == null || providerMode == AwsCredentialsProviderMode.DEFAULT) {
+            return;
+        }
+        target.put(AwsClientProperties.CLIENT_CREDENTIALS_PROVIDER,
+                AwsCredentialsProviderFactory.getV2ClassName(providerMode));
+    }
+
+    private enum CredentialType {
+        EXPLICIT,
+        ASSUME_ROLE,
+        PROVIDER_CHAIN
+    }
+}

fe/fe-core/src/main/java/org/apache/doris/datasource/property/common/IcebergAwsClientCredentialsProperties.java

@@ -20,6 +20,7 @@
 import org.apache.doris.common.security.authentication.ExecutionAuthenticator;
 import org.apache.doris.datasource.iceberg.IcebergExternalCatalog;
 import org.apache.doris.datasource.metacache.CacheSpec;
+import org.apache.doris.datasource.property.common.IcebergAwsAssumeRoleProperties;
 import org.apache.doris.datasource.property.storage.AbstractS3CompatibleProperties;
 import org.apache.doris.datasource.property.storage.S3Properties;
 import org.apache.doris.datasource.property.storage.StorageProperties;
@@ -266,6 +267,10 @@ private void toS3FileIOProperties(AbstractS3CompatibleProperties s3Properties, M
         if (StringUtils.isNotBlank(s3Properties.getSessionToken())) {
             options.put(S3FileIOProperties.SESSION_TOKEN, s3Properties.getSessionToken());
         }
+        if (s3Properties instanceof S3Properties) {
+            S3Properties awsProperties = (S3Properties) s3Properties;
+            IcebergAwsAssumeRoleProperties.putAssumeRoleProperties(options, awsProperties);
+        }
     }
 
     protected Catalog buildIcebergCatalog(String catalogName, Map<String, String> options, Configuration conf) {