Iceberg metadata files are now always accessible cross-account (#303)

* Iceberg metadata files are always readable cross account * changelog * typo
ExpediaGroup · Mar 4, 2025 · dc15ea7 · dc15ea7
1 parent b2f361a
commit dc15ea7
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [7.10.1] - 2025-03-04
+### Added
+- Iceberg metadata files are now always accessible cross-account.
+
 ## [7.10.0] - 2025-03-03
 ### Added
 - AWS Lake Formation resources created per database if `create_lf_resource` enabled.

diff --git a/templates/apiary-bucket-policy.json b/templates/apiary-bucket-policy.json
@@ -202,6 +202,23 @@
             ]
         },
 %{endif}
+%{if customer_principal != ""}
+        {
+            "Sid": "Customer account read access Iceberg metadata files",
+            "Effect": "Allow",
+            "Principal": {
+            "AWS": [ "${customer_principal}" ]
+            },
+            "Action": [
+                "s3:GetObject",
+                "s3:GetObjectAcl"
+            ],
+            "Resource": [
+                "arn:aws:s3:::${bucket_name}/*/metadata/*.json",
+                "arn:aws:s3:::${bucket_name}/*/metadata/*.avro"
+            ]
+        },
+%{endif}
 %{if deny_exception_iamroles == "" && common_producer_iamroles != ""}
         {
             "Sid": "General read-write iamrole permissions",