chore(docs): Improve S3 CORS guide

Author: c-thiel

docs/docs/engines.md

@@ -26,7 +26,7 @@ DuckDB WASM allows you to query Lakekeeper directly from your browser. If you ar
 **Requirements:**
 
 1. **Same-Origin Access**: The S3 endpoint must be accessible from your browser at the same URL/origin that Lakekeeper uses to access it. For example, if Lakekeeper accesses S3 at `http://my-s3-endpoint:9000`, your browser must also be able to reach it at `http://my-s3-endpoint:9000`. This means the Docker Compose examples won't work with DuckDB WASM out of the box, as the S3 endpoint is typically only accessible within the Docker network, while your browser is not in this network.
-2. **CORS Policy**: Your S3 storage must be configured with a CORS policy that allows requests from the Lakekeeper origin.
+2. **CORS Policy**: Your S3 storage must be configured with a CORS policy that allows requests from the Lakekeeper origin. See the [CORS Configuration guide](storage.md#cors-configuration) for setup instructions.
 
 ## <img src="/assets/duckdb.svg" width="30"> DuckDB
 

docs/docs/storage.md

@@ -278,6 +278,43 @@ We are now ready to create the Warehouse using the system identity:
 
 The specified `assume-role-arn` is used for Lakekeeper's reads and writes of the object store. It is also used as a default for `sts-role-arn`, which is the role that is assumed when generating vended credentials for clients (with an attached policy for the accessed table).
 
+##### CORS Configuration
+
+For browser-based access to S3 buckets (required for [DuckDB WASM](engines.md#-duckdb-wasm)), you need to configure CORS (Cross-Origin Resource Sharing) on your S3 bucket.
+
+To configure CORS for your S3 bucket:
+
+3. In the AWS S3 Configuration Menu, klick on the name of your bucket
+4. Choose **Permissions** Tab
+5. In the **Cross-origin resource sharing (CORS)** section, choose **Edit**
+6. In the CORS configuration editor text box, type or copy and paste a new CORS configuration, or edit an existing configuration. The CORS configuration is a JSON file. The text that you type in the editor must be valid JSON. See below for an example.
+7. Choose **Save changes**
+
+Example CORS policy:
+
+```json
+[
+    {
+        "AllowedHeaders": [
+            "*"
+        ],
+        "AllowedMethods": [
+            "GET",
+            "POST",
+            "PUT",
+            "DELETE",
+            "HEAD"
+        ],
+        "AllowedOrigins": [
+            "https://lakekeeper.example.com"
+        ],
+        "ExposeHeaders": []
+    }
+]
+```
+
+Replace `https://lakekeeper.example.com` with the origin where your Lakekeeper instance is hosted.
+
 ##### STS Session Tags
 The optional `sts-session-tags` setting can be used to provide Session Tags when assuming roles via STS. Doing so requires that the IAM Role's Trust Relationship also allow `sts:TagSession`. Here's the above example with this addition: