
Iceberg: use sts for Iceberg credentials source with Glue + Cloud #1714

Merged: kbatuigas merged 5 commits into main from DOC-2209-update-iceberg-aws-glue-cloud-doc-to-recommend on May 28, 2026

@kbatuigas
Contributor

Update the Cloud variant of the Iceberg + AWS Glue page to use `sts` instead of `aws_instance_metadata` for `iceberg_rest_catalog_credentials_source` when reusing the cluster's IAM role. On Redpanda Cloud, the cluster IAM role is reached via IRSA (STS AssumeRoleWithWebIdentity), and cloudv2#26411 re-points the Glue IAM policy attachment to fire on `sts`. The previous value is accepted at the API but no longer attaches Glue permissions on Cloud.

Description

Resolves https://redpandadata.atlassian.net/browse/
Review deadline:

Page previews

Checks

  • New feature
  • Content gap
  • Support Follow-up
  • Small fix (typos, links, copyedits, etc)

Update the Cloud variant of the Iceberg + AWS Glue page to use
`sts` instead of `aws_instance_metadata` for
`iceberg_rest_catalog_credentials_source` when reusing the cluster's
IAM role. On Redpanda Cloud, the cluster IAM role is reached via IRSA
(STS AssumeRoleWithWebIdentity), and cloudv2#26411 re-points the Glue
IAM policy attachment to fire on `sts`. The previous value is accepted
at the API but no longer attaches Glue permissions on Cloud.

Requires Redpanda v26.1.9.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@kbatuigas kbatuigas requested a review from a team as a code owner May 26, 2026 18:10
@netlify

netlify Bot commented May 26, 2026

Deploy Preview for redpanda-docs-preview ready!

Name Link
🔨 Latest commit 67b4496
🔍 Latest deploy log https://app.netlify.com/projects/redpanda-docs-preview/deploys/6a17a4bee7cb9f0008954b09
😎 Deploy Preview https://deploy-preview-1714--redpanda-docs-preview.netlify.app

@coderabbitai
Contributor

coderabbitai Bot commented May 26, 2026

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

Walkthrough

This PR updates the AWS Glue IAM credential source documentation for Iceberg REST catalog authentication. The `iceberg_rest_catalog_credentials_source` option value has been changed from `aws_instance_metadata` to `sts` in two locations: the configuration guidance section and the corresponding `rpk cluster config set` example command in the Iceberg AWS Glue documentation.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

  • redpanda-data/docs#1336: Updates the AWS Glue Iceberg REST catalog credential source documentation and examples for iceberg_rest_catalog_credentials_source in the same file.
  • redpanda-data/docs#1633: Updates iceberg-topics-aws-glue.adoc guidance and examples for Iceberg REST catalog AWS Glue credential sourcing with related credential source configuration changes.
  • redpanda-data/docs#1183: Updates Iceberg REST catalog documentation around authentication-related configuration in the same documentation area.

Suggested reviewers

  • simon0191
  • wdberkeley
  • mattschumpert
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ❓ Inconclusive | The description includes detailed context about why the change is needed (IRSA/STS mechanism on Cloud, cloudv2#26411), but lacks complete template sections including the Jira ticket link, review deadline, page preview link, and checked checklist items. | Complete the description template by adding the resolved Jira ticket number, review deadline, page preview link from Netlify, and selecting the appropriate 'Small fix' checkbox. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately reflects the main change: updating Iceberg documentation to use 'sts' instead of 'aws_instance_metadata' for AWS Glue credentials source on Cloud. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@modules/manage/pages/iceberg/iceberg-topics-aws-glue.adoc`:
- Line 138: The docs add guidance to set iceberg_rest_catalog_credentials_source
to `sts` but don't state the minimum Redpanda version required; update the
iceberg-topics-aws-glue.adoc text near the
iceberg_rest_catalog_credentials_source description and the example around the
`sts` usage to include an explicit caveat that `sts` requires Redpanda v26.1.9+
(mention the exact version string v26.1.9+), and add a short note preventing
users on earlier versions from following the `sts` flow without upgrading.
📥 Commits

Reviewing files that changed from the base of the PR and between f959a8e and a70ead6.

📒 Files selected for processing (1)
  • modules/manage/pages/iceberg/iceberg-topics-aws-glue.adoc

+
--
** config_ref:iceberg_rest_catalog_credentials_source,true,properties/cluster-properties[`iceberg_rest_catalog_credentials_source`]. To use the cluster's IAM role, set the property to `aws_instance_metadata`. To use static credentials, set to `config_file`.
** config_ref:iceberg_rest_catalog_credentials_source,true,properties/cluster-properties[`iceberg_rest_catalog_credentials_source`]. To use the cluster's IAM role, set the property to `sts`. To use static credentials, set to `config_file`.
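Review bot: the replacement line for `iceberg_rest_catalog_credentials_source` gives no guidance to readers who already set `aws_instance_metadata` by following the earlier wording. Per the PR description, that value is still accepted at the API but no longer attaches Glue permissions on Cloud, so nothing at configuration time flags the stale setting. Suggest adding a sentence after "set the property to `sts`" telling existing Cloud users to change `aws_instance_metadata` to `sts`.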

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add an explicit minimum-version caveat for sts guidance.

The new recommendation at Line 138 and example at Line 220 introduce sts, but this page does not state that this behavior requires Redpanda v26.1.9+ (per PR objective/commit context). Without that guardrail, users on earlier versions can follow these steps and hit Glue auth/policy mismatch.

Suggested doc patch
-** config_ref:iceberg_rest_catalog_credentials_source,true,properties/cluster-properties[`iceberg_rest_catalog_credentials_source`]. To use the cluster's IAM role, set the property to `sts`. To use static credentials, set to `config_file`.
+** config_ref:iceberg_rest_catalog_credentials_source,true,properties/cluster-properties[`iceberg_rest_catalog_credentials_source`]. To use the cluster's IAM role, set the property to `sts` (Redpanda v26.1.9 or later). To use static credentials, set to `config_file`.
 rpk cluster config set \
@@
-  iceberg_rest_catalog_credentials_source=sts \
+  iceberg_rest_catalog_credentials_source=sts \  # Redpanda v26.1.9+
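Review bot: the suggested `+` line places `# Redpanda v26.1.9+` after the trailing backslash, which breaks the `rpk cluster config set` example. A backslash only continues the line when it is the last character, so here it stops acting as a line continuation and the comment ends the command, cutting off any arguments on the following lines. If a version note is wanted in the example, put it on its own comment line above `rpk cluster config set \` or in the surrounding prose.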

Also applies to: 220-220

@jacekseligarp

@kbatuigas LGTM, but I think it will be worth adding that the `config_file` option allows the user/customer to create a custom IAM if they don't like our default scope for some reason.

Contributor

@micheleRP micheleRP left a comment

Claude PR review: no critical issues or required updates. The PR fulfills DOC-2209 — it replaces aws_instance_metadata with sts in both the Configure authentication and credentials description and the Use cluster's IAM credentials rpk example, matching the cloudv2#26411 Glue IAM policy attachment. Bonus fix: corrects four broken cloud_storage_* xrefs from properties/cluster-properties to properties/object-storage-properties in the self-managed section.

CodeRabbit's suggestion to add a Redpanda v26.1.9+ version callout was intentionally skipped — the change is inside ifdef::env-cloud[] and renders only on the cloud-docs site, where Cloud is always on the latest broker.

LGTM from a docs-team-standards perspective.

@kbatuigas kbatuigas merged commit 1826ae2 into main May 28, 2026
7 checks passed
@kbatuigas kbatuigas deleted the DOC-2209-update-iceberg-aws-glue-cloud-doc-to-recommend branch May 28, 2026 16:11