Any example of working configs of trino+nessie with vended credentials?

[mironovich]

Hello! I've spent a lot of time trying to setup trino 477 and nessie 0.105.5 with usage of vended credentials.
Everything works fine, if i provide s3 key and secret to trino.
Search for similar repos also didn't bring results.
Can somebody please look at my setups and say whats wrong?

nessie in docker

environment:
    - nessie.catalog.default-warehouse=yandex
    - nessie.catalog.warehouses.yandex.location=s3://lakehouse
    - nessie.catalog.service.s3.buckets.lakehouse.endpoint=${S3_YANDEX_ENDPOINT}
    - nessie.catalog.service.s3.buckets.lakehouse.region=${S3_YANDEX_REGION}
    - nessie.catalog.service.s3.buckets.lakehouse.path-style-access=false
    
    - nessie.catalog.service.s3.buckets.lakehouse.request-signing-enabled=false
    - nessie.catalog.service.s3.buckets.lakehouse.sts-endpoint=https://sts.yandexcloud.net/
    - nessie.catalog.service.s3.buckets.lakehouse.client-iam.enabled=true
    - nessie.catalog.service.s3.buckets.lakehouse.client-iam.assume-role=a1234567891234567890
    - nessie.catalog.service.s3.buckets.lakehouse.client-iam.role-session-name=project_id
    - nessie.catalog.service.s3.buckets.lakehouse.client-iam.session-duration=3600
    - nessie.catalog.service.s3.buckets.lakehouse.client-iam.policy={"Version":"2025-10-17","Statement":{"Sid":"all","Effect":"Allow","Principal":"*","Action":"*","Resource":"arn:aws:s3:::lakehouse/*"}}

trino catalog.properties

connector.name=iceberg
fs.native-s3.enabled=true
iceberg.catalog.type=rest
iceberg.rest-catalog.uri=http://catalog:19120/iceberg
iceberg.rest-catalog.warehouse=yandex
s3.endpoint=${ENV:S3_YANDEX_ENDPOINT}
s3.region=${ENV:S3_YANDEX_REGION}
s3.path-style-access=false
iceberg.rest-catalog.vended-credentials-enabled=true

I have tried same settings with aws cli and received tokens

aws --endpoint https://sts.yandexcloud.net/ sts assume-role \
  --role-arn a1234567891234567890 \
  --role-session-name project_id \
  --duration-seconds 3600 \
  --policy file://policy.json

[mironovich]

Upon trying to create a table i get this error

Failed to commit during create table: Failed to write manifest list file

request in nessie

2025-10-21 21:09:01,674 INFO [io.qua.htt.access-log] (executor-thread-1) 172.18.0.2 - - [21/Oct/2025:21:09:01 +0000] "POST /iceberg/v1/main%7Cyandex/namespaces/dmpkit/tables HTTP/1.1" 200 12478

log in trino

2025-10-21T21:09:02.051Z INFO dispatcher-query-13 io.trino.event.QueryMonitor TIMELINE: Query 20251021_210900_00006_kq6t9 :: FAILED (ICEBERG_COMMIT_ERROR) :: elapsed 1333ms :: planning 0ms :: waiting 0ms :: scheduling 1333ms :: running 0ms :: finishing 1333ms :: begin 2025-10-21T21:09:00.717Z :: end 2025-10-21T21:09:02.050Z

[mironovich]

it worked with "Version":"2012-10-17" in policy
thought, its just some random date and changed it to recent 😅

discovered this through mounting

volumes:
  - "./log.properties:/etc/trino/log.properties"

with io.trino=DEBUG