Destination Iceberg V2: support aws instance profile auth

airbyte-cdk/bulk/core/load/src/main/kotlin/io/airbyte/cdk/load/check/CheckOperation.kt

@@ -13,9 +13,12 @@ import io.airbyte.cdk.output.ExceptionHandler
 import io.airbyte.cdk.output.OutputConsumer
 import io.airbyte.protocol.models.v0.AirbyteConnectionStatus
 import io.airbyte.protocol.models.v0.AirbyteMessage
+import io.github.oshai.kotlinlogging.KotlinLogging
 import io.micronaut.context.annotation.Requires
 import jakarta.inject.Singleton
 
+private val logger = KotlinLogging.logger {}
+
 @Singleton
 @Requires(property = Operation.PROPERTY, value = "check")
 @Requires(env = ["destination"])
@@ -40,6 +43,7 @@ class CheckOperation<T : ConfigurationSpecification, C : DestinationConfiguratio
                     )
             outputConsumer.accept(successMessage)
         } catch (t: Throwable) {
+            logger.warn(t) { "Caught throwable during CHECK" }
             val (traceMessage, statusMessage) = exceptionHandler.handleCheckFailure(t)
             outputConsumer.accept(traceMessage)
             outputConsumer.accept(statusMessage)

airbyte-integrations/connectors/destination-s3-data-lake/metadata.yaml

@@ -26,7 +26,7 @@ data:
             alias: airbyte-connector-testing-secret-store
   connectorType: destination
   definitionId: 716ca874-520b-4902-9f80-9fad66754b89
-  dockerImageTag: 0.2.7
+  dockerImageTag: 0.2.8
   dockerRepository: airbyte/destination-s3-data-lake
   documentationUrl: https://docs.airbyte.com/integrations/destinations/s3-data-lake
   githubIssueLabel: destination-s3-data-lake

airbyte-integrations/connectors/destination-s3-data-lake/src/main/kotlin/io/airbyte/integrations/destination/iceberg/v2/GlueCredentialsProvider.kt

@@ -7,11 +7,12 @@ package io.airbyte.integrations.destination.iceberg.v2
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials
 import software.amazon.awssdk.auth.credentials.AwsCredentials
 import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider
+import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider
 
 const val ACCESS_KEY_ID = "access-key-id"
 const val SECRET_ACCESS_KEY = "secret-access-key"
 
-class GlueCredentialsProvider private constructor(private val credentials: AwsBasicCredentials) :
+class GlueCredentialsProvider private constructor(private val credentials: AwsCredentials) :
     AwsCredentialsProvider {
     override fun resolveCredentials(): AwsCredentials {
         return this.credentials
@@ -20,13 +21,15 @@ class GlueCredentialsProvider private constructor(private val credentials: AwsBa
     companion object {
         @JvmStatic
         fun create(properties: Map<String, String>): GlueCredentialsProvider {
-            val accessKey =
-                properties[ACCESS_KEY_ID]
-                    ?: throw IllegalArgumentException("Missing property: access-key-id")
-            val secretKey =
-                properties[SECRET_ACCESS_KEY]
-                    ?: throw IllegalArgumentException("Missing property: secret-access-key")
-            return GlueCredentialsProvider(AwsBasicCredentials.create(accessKey, secretKey))
+            val accessKey = properties[ACCESS_KEY_ID]
+            val secretKey = properties[SECRET_ACCESS_KEY]
+            val creds =
+                if (accessKey != null && secretKey != null) {
+                    AwsBasicCredentials.create(accessKey, secretKey)
+                } else {
+                    DefaultCredentialsProvider.create().resolveCredentials()
+                }
+            return GlueCredentialsProvider(creds)
         }
     }
 }

airbyte-integrations/connectors/destination-s3-data-lake/src/main/kotlin/io/airbyte/integrations/destination/iceberg/v2/io/IcebergUtil.kt

@@ -340,25 +340,29 @@ class IcebergUtil(
     }
 
     private fun buildKeyBasedClientProperties(config: IcebergV2Configuration): Map<String, String> {
-        val awsAccessKeyId =
-            requireNotNull(config.awsAccessKeyConfiguration.accessKeyId) {
-                "AWS Access Key ID is required for key-based authentication"
-            }
-        val awsSecretAccessKey =
-            requireNotNull(config.awsAccessKeyConfiguration.secretAccessKey) {
-                "AWS Secret Access Key is required for key-based authentication"
-            }
         val clientCredentialsProviderPrefix = "${AwsClientProperties.CLIENT_CREDENTIALS_PROVIDER}."
 
-        return mapOf(
-            S3FileIOProperties.ACCESS_KEY_ID to awsAccessKeyId,
-            S3FileIOProperties.SECRET_ACCESS_KEY to awsSecretAccessKey,
-            AwsClientProperties.CLIENT_REGION to config.s3BucketConfiguration.s3BucketRegion.region,
-            AwsClientProperties.CLIENT_CREDENTIALS_PROVIDER to
-                GlueCredentialsProvider::class.java.name,
-            "${clientCredentialsProviderPrefix}${ACCESS_KEY_ID}" to awsAccessKeyId,
-            "${clientCredentialsProviderPrefix}${SECRET_ACCESS_KEY}" to awsSecretAccessKey
-        )
+        val properties =
+            mutableMapOf(
+                AwsClientProperties.CLIENT_REGION to
+                    config.s3BucketConfiguration.s3BucketRegion.region,
+                AwsClientProperties.CLIENT_CREDENTIALS_PROVIDER to
+                    GlueCredentialsProvider::class.java.name,
+            )
+
+        // If we don't have explicit S3 creds, fall back to the default creds provider chain.
+        // For example, this should allow us to use AWS instance profiles.
+        val awsAccessKeyId = config.awsAccessKeyConfiguration.accessKeyId
+        val awsSecretAccessKey = config.awsAccessKeyConfiguration.secretAccessKey
+        if (awsAccessKeyId != null && awsSecretAccessKey != null) {
+            properties[S3FileIOProperties.ACCESS_KEY_ID] = awsAccessKeyId
+            properties[S3FileIOProperties.SECRET_ACCESS_KEY] = awsSecretAccessKey
+            properties["${clientCredentialsProviderPrefix}${ACCESS_KEY_ID}"] = awsAccessKeyId
+            properties["${clientCredentialsProviderPrefix}${SECRET_ACCESS_KEY}"] =
+                awsSecretAccessKey
+        }
+
+        return properties
     }
 
     fun toIcebergSchema(stream: DestinationStream, pipeline: MapperPipeline): Schema {

docs/integrations/destinations/s3-data-lake.md

@@ -15,9 +15,10 @@ for more information.
 <details>
   <summary>Expand to review</summary>
 
-| Version | Date       | Pull Request                                               | Subject                                 |
-|:--------|:-----------|:-----------------------------------------------------------|:----------------------------------------|
-| 0.2.7   | 2025-01-00 | [\#50957](https://github.com/airbytehq/airbyte/pull/50991)      | Add support for GLUE RBAC (Assume role) |
-| 0.2.6   | 2025-01-08 | [\#50991](https://github.com/airbytehq/airbyte/pull/50991) | Initial public release.                 |
+| Version | Date       | Pull Request                                               | Subject                                   |
+|:--------|:-----------|:-----------------------------------------------------------|:------------------------------------------|
+| 0.2.8   | 2025-01-09 | [\#50876](https://github.com/airbytehq/airbyte/pull/50876) | Add support for AWS instance profile auth |
+| 0.2.7   | 2025-01-08 | [\#50957](https://github.com/airbytehq/airbyte/pull/50957) | Add support for GLUE RBAC (Assume role)   |
+| 0.2.6   | 2025-01-08 | [\#50991](https://github.com/airbytehq/airbyte/pull/50991) | Initial public release.                   |
 
 </details>