Add role-based access to Glue catalog #90825

Merged
antonio2368 merged 6 commits into master from glue-iam-auth
Feb 6, 2026

@antonio2368
Member

Changelog category (leave one):

  • Improvement

Changelog entry (a user-readable short description of the changes that goes into CHANGELOG.md):

Add role-based access to Glue catalog. Use settings aws_role_arn and, optionally, aws_role_session_name.

Documentation entry for user-facing changes

  • Documentation is written (mandatory for new features)

@clickhouse-gh
Contributor

clickhouse-gh bot commented Nov 25, 2025

Workflow [PR], commit [a44cf47]

Summary:

| job_name | test_name | status | info | comment |
|---|---|---|---|---|
| Stress test (amd_msan) | | failure | | |
| | Logical error: Block structure mismatch in A stream: different number of columns: (STID: 0993-38e6) | FAIL | cidb | |

@clickhouse-gh clickhouse-gh bot added the pr-improvement Pull request with some product improvements label Nov 25, 2025
@kssenii kssenii self-assigned this Nov 25, 2025
@antonio2368 antonio2368 requested a review from Copilot November 26, 2025 08:37
Contributor

Copilot AI left a comment

Pull request overview

This PR adds support for AWS role-based authentication in the Glue catalog integration. Users can now specify an IAM role ARN and optional session name for assuming roles when accessing AWS Glue, enabling more flexible and secure authentication patterns.

Key changes:

  • Added two new settings: aws_role_arn and aws_role_session_name for role-based authentication
  • Updated credential provider chain to support STS AssumeRole when role ARN is specified
  • Applied settings consistently across storage and database layers

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| src/Storages/ObjectStorage/DataLakes/DataLakeStorageSettings.h | Added role ARN and session name settings declarations for storage layer |
| src/Storages/ObjectStorage/DataLakes/DataLakeConfiguration.h | Added extern declarations and settings initialization for role-based auth |
| src/Databases/DataLake/ICatalog.h | Added role ARN and session name fields to CatalogSettings struct |
| src/Databases/DataLake/ICatalog.cpp | Updated allChanged() to include role settings in settings changes |
| src/Databases/DataLake/GlueCatalog.cpp | Implemented STS AssumeRole credential provider when role ARN is specified |
| src/Databases/DataLake/DatabaseDataLakeSettings.cpp | Added role settings declarations at database level |
| src/Databases/DataLake/DatabaseDataLake.cpp | Initialized role settings from database configuration |
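
A pre-flight check for the two settings named in this PR, added here as an example and not taken from the PR or from ClickHouse's code: it validates aws_role_arn and aws_role_session_name against the STS naming rules and compares them with the trust policy of the role to be assumed. The account ID, role name, session name and sample policy are constructed placeholders, and check_role_settings is a hypothetical helper.

```python
import fnmatch
import re

# STS AssumeRole limits: RoleSessionName is 2-64 chars from [\w+=,.@-].
ROLE_ARN_RE = re.compile(r"arn:aws[\w-]*:iam::\d{12}:role/[\w+=,.@/-]+", re.ASCII)
SESSION_NAME_RE = re.compile(r"[\w+=,.@-]{2,64}", re.ASCII)

# Constructed sample: placeholder account ID, hypothetical role and session names.
SAMPLE_ROLE_ARN = "arn:aws:iam::111122223333:role/clickhouse-glue-reader"
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:RoleSessionName": "clickhouse-glue"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_role_settings(aws_role_arn, aws_role_session_name, trust_policy):
    """Return findings for the two settings; an empty list means nothing was flagged."""
    findings = []
    name = aws_role_session_name or ""
    if not ROLE_ARN_RE.fullmatch(aws_role_arn):
        findings.append("aws_role_arn is not a well-formed IAM role ARN")
    if name and not SESSION_NAME_RE.fullmatch(name):
        findings.append("aws_role_session_name breaks STS RoleSessionName rules")
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        cond = stmt.get("Condition", {})
        if "*" in aws and not cond:
            findings.append("trust policy lets any AWS principal assume the role")
        # The trust policy can pin the session name via the sts:RoleSessionName key.
        exact = cond.get("StringEquals", {}).get("sts:RoleSessionName")
        like = cond.get("StringLike", {}).get("sts:RoleSessionName")
        if exact is not None and name not in _as_list(exact):
            findings.append("session name differs from the one the trust policy requires")
        if like is not None and not any(fnmatch.fnmatchcase(name, p) for p in _as_list(like)):
            findings.append("session name matches no pattern the trust policy allows")
    return findings
```

The session name is what appears in CloudTrail for the assumed-role session, so pinning it in the trust policy and setting aws_role_session_name to match keeps Glue access attributable to one ClickHouse deployment.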

@antonio2368 antonio2368 marked this pull request as ready for review January 23, 2026 12:13
Member

@kssenii kssenii left a comment

btw, as we do have integration tests for Glue catalog + mocks for role-based access tests, maybe it is possible to add a test?

@jessedobbelaere

Thanks for the PR @antonio2368, we are a ClickHouse Cloud customer and our policy is against using long-lived AWS credentials, so we could really use this role-based Glue Catalog integration 🙏

@antonio2368
Member Author

@kssenii good thing I added the test because it showed me that the implementation was a bit more complex.
Please review the changes again.

@antonio2368 antonio2368 requested a review from kssenii February 5, 2026 14:30
@antonio2368
Member Author

@jessedobbelaere thanks for expressing interest in this feature! Implementation should be done, I will see how soon we can get it on our Cloud.

@antonio2368 antonio2368 added this pull request to the merge queue Feb 6, 2026
Merged via the queue into master with commit 65e612c Feb 6, 2026
131 of 133 checks passed
@antonio2368 antonio2368 deleted the glue-iam-auth branch February 6, 2026 12:15
@robot-clickhouse-ci-2 robot-clickhouse-ci-2 added the pr-synced-to-cloud The PR is synced to the cloud repo label Feb 6, 2026
zvonand pushed a commit to Altinity/ClickHouse that referenced this pull request Feb 18, 2026
zvonand pushed a commit to Altinity/ClickHouse that referenced this pull request Feb 18, 2026
@emaadali

@antonio2368 Do you know when this feature will make it into a tagged release? I tried v26.1.3.52-stable which was released 3 days ago but it doesn't seem to have this feature still.

@antonio2368
Member Author

@emaadali it should be available in 26.2, which is in a few days

zvonand added a commit to Altinity/ClickHouse that referenced this pull request Feb 26, 2026
25.8 Antalya backport of ClickHouse#90825: Add role-based access to Glue catalog
zvonand added a commit to Altinity/ClickHouse that referenced this pull request Mar 2, 2026
26.1 Antalya backport of ClickHouse#90825: Add role-based access to Glue catalog