Delayed IAM Role Policy Updates When Using aws_role_arn with DataLakeCatalog

[alsugiliazova]

@antonio2368 I am validating a PR related to DataLakeCatalog with aws_role_arn and would like confirmation that I understand the intended behavior correctly.

Setup

• ClickHouse database created with ENGINE = DataLakeCatalog, catalog_type = 'glue'
• Access via IAM user that can only sts:AssumeRole
• Actual permissions come from the assumed role

Expected behavior

When aws_role_arn is specified, all Glue and S3 access should be evaluated strictly using the policies attached to that role, and permission changes on the role should be reflected promptly.

Observed behavior

• When Glue and S3 permissions are removed from the role, ClickHouse continues to successfully execute SHOW TABLES and queries for several minutes.
• Permission changes on the role (add/remove Glue or S3 policies) take 3–5 minutes to take effect unless the ClickHouse server is restarted.
• Restarting the server applies role permission changes immediately.
• Dropping/recreating the DataLake database does not force permission refresh.
• In contrast, modifying permissions directly on an IAM user is reflected by ClickHouse in under ~10 seconds.

Questions

1. Is this delay expected when using aws_role_arn (STS assumed roles)?
2. Does ClickHouse cache STS credentials or Glue metadata in a way that delays IAM role policy updates?
3. Is there a recommended way to force permission refresh without restarting the server?

Any guidance on expected behavior or configuration options would be appreciated.

[antonio2368]

ClickHouse does cache credentials, including the STS credentials.
Credentials are refreshed once they are close to their expiration time which should be 1 hour AFAIK
So not sure why it takes effect after 3-5 minutes, maybe it's something internal to AWS.
Restart helps because it forces ClickHouse to refetch new temporary credentials.

[alsugiliazova]

@antonio2368 , thank you for the answer. I have one more question to ask. Is the CredentialsProviderCache reuse on database DROP + CREATE intentional? When a database is explicitly recreated with the same settings, the same cached provider (and STS session) is returned, so no new AssumeRole call is made. I'd expect a database recreate to force a fresh AssumeRole. Is there a reason it shouldn't?

I can work around this by specifying a different aws_role_session_name each time to force cache miss, but that feels like a hack.

[antonio2368]

I have one more question to ask. Is the CredentialsProviderCache reuse on database DROP + CREATE intentional?

Yes, since 25.11 we cache credentials globally to minimize STS interactions. I didn't add any explicit way to avoid or drop cache.
Main motivation was the case of multiple table functions doing AssumeRole which are temporary.

[alsugiliazova]

Thank you, @antonio2368

I have one more question.
Using a one-character aws_role_session_name (e.g. 'b') causes AWS STS role assumption to silently fail, so ClickHouse cannot read Glue metadata and SHOW TABLES returns no rows. Is that expected?

CREATE DATABASE glue
ENGINE = DataLakeCatalog
SETTINGS catalog_type = 'glue', region = 'eu-central-1', aws_access_key_id = '***', aws_secret_access_key = '***', aws_role_arn = 'arn:aws:iam::***:role/glue-reader', aws_role_session_name = 'ab';


SHOW TABLES FROM glue

Query id: 281c510e-7537-4c79-a6d9-cdd4b2166fbc

   ┌─name──────────────────────────────┐
1. │ clickhouse_regression_db_1.table1 │
2. │ clickhouse_regression_db_1.table2 │
   └───────────────────────────────────┘

2 rows in set. Elapsed: 1.736 sec. 

DROP DATABASE glue

SET allow_database_glue_catalog = 1
CREATE DATABASE glue
ENGINE = DataLakeCatalog
SETTINGS catalog_type = 'glue', region = 'eu-central-1', aws_access_key_id = '***', aws_secret_access_key = '***', aws_role_arn = 'arn:aws:iam::***:role/glue-reader', aws_role_session_name = 'b'

SHOW TABLES FROM glue

Ok.

0 rows in set. Elapsed: 1.021 sec. 

In error log:

2026.03.02 13:12:47.309257 [ 703 ] {645c3a65-9b21-4a4c-8303-5371d856bdef} <Error> AWSClient: Response status: 400, Bad Request
2026.03.02 13:12:47.309385 [ 703 ] {645c3a65-9b21-4a4c-8303-5371d856bdef} <Error> virtual std::vector<LightWeightTableDetails> DB::DatabaseDataLake::getLightweightTablesIterator(ContextPtr, const FilterByNameFunction &, bool) const: Code: 736. DB::Exception: Exception calling GetTables Missing Authentication Token. (DATALAKE_DATABASE_ERROR), Stack trace (when copying this message, always include the lines below):

0. DB::Exception::Exception(DB::Exception::MessageMasked&&, int, bool) @ 0x00000000135887d0
1. DB::Exception::Exception(String&&, int, String, bool) @ 0x000000000cf03f58
2. DB::Exception::Exception(PreformattedMessage&&, int) @ 0x000000000cf0384c
3. DB::Exception::Exception<String const&>(int, FormatStringHelperImpl<std::type_identity<String const&>::type>, String const&) @ 0x000000000cf15c18
4. DataLake::GlueCatalog::getDatabases(String const&, unsigned long) const @ 0x00000000169b6318
5. DataLake::GlueCatalog::getTables() const @ 0x00000000169b8a1c
6. DB::DatabaseDataLake::getLightweightTablesIterator(std::shared_ptr<DB::Context const>, std::function<bool (String const&)> const&, bool) const @ 0x000000001720d6f0
7. DB::TablesBlockSource::generate() @ 0x0000000015be1eb8
8. DB::ISource::tryGenerate() @ 0x00000000197b9d4c
9. DB::ISource::work() @ 0x00000000197b98e0
10. DB::ExecutionThreadContext::executeTask() @ 0x00000000197d3c94
11. DB::PipelineExecutor::executeStepImpl(unsigned long, DB::IAcquiredSlot*, std::atomic<bool>*) @ 0x00000000197c6eb4
12. DB::PipelineExecutor::execute(unsigned long, bool) @ 0x00000000197c559c
13. void std::__function::__policy_func<void ()>::__call_func[abi:fe210105]<ThreadFromGlobalPoolImpl<true, true>::ThreadFromGlobalPoolImpl<DB::PullingAsyncPipelineExecutor::pull(DB::Chunk&, unsigned long)::$_0>(DB::PullingAsyncPipelineExecutor::pull(DB::Chunk&, unsigned long)::$_0&&)::'lambda'()>(std::__function::__policy_storage const*) @ 0x00000000197dce88
14. ThreadPoolImpl<std::thread>::ThreadFromThreadPool::worker() @ 0x00000000136f6084
15. void* std::__thread_proxy[abi:fe210105]<std::tuple<std::unique_ptr<std::__thread_struct, std::default_delete<std::__thread_struct>>, void (ThreadPoolImpl<std::thread>::ThreadFromThreadPool::*)(), ThreadPoolImpl<std::thread>::ThreadFromThreadPool*>>(void*) @ 0x00000000136fd1dc
16. ? @ 0x0000000000080398
17. ? @ 0x00000000000e9e9c
 (version 26.2.2.9 (official build))

[antonio2368]

RoleSessionName: Length Constraints: Minimum length of 2. Maximum length of 64.
https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html

[alsugiliazova]

Thank you!

[alexey-milovidov]

@alsugiliazova, we received an alert about a token posted in the comments here. If it's active, please rotate it.