apache · wolflex888 · Mar 12, 2025 · Mar 12, 2025 · Mar 12, 2025 · Mar 14, 2025
diff --git a/...ommon/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogAdapter.java b/...ommon/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogAdapter.java
@@ -35,6 +35,7 @@
 import java.util.Optional;
 import java.util.Set;
 import java.util.function.Function;
+import org.apache.iceberg.aws.AwsClientProperties;
 import org.apache.iceberg.catalog.Catalog;
 import org.apache.iceberg.catalog.Namespace;
 import org.apache.iceberg.catalog.TableIdentifier;
@@ -397,16 +398,38 @@ public Response loadTable(
                     .loadTableIfStale(tableIdentifier, ifNoneMatch, snapshots)
                     .orElseThrow(() -> new WebApplicationException(Response.Status.NOT_MODIFIED));
           } else {
-            response =
+            String credentialsEndpoint =
+                String.format(
+                    "/v1/%s/namespaces/%s/tables/%s/credentials",
+                    prefix, tableIdentifier.namespace().toString(), tableIdentifier.name());
+            LoadTableResponse originalResponse =
                 catalog
                     .loadTableWithAccessDelegationIfStale(tableIdentifier, ifNoneMatch, snapshots)
                     .orElseThrow(() -> new WebApplicationException(Response.Status.NOT_MODIFIED));
+            if (delegationModes.contains(VENDED_CREDENTIALS)) {
+              response =
+                  injectRefreshVendedCredentialProperties(originalResponse, credentialsEndpoint);
+            } else {
+              response = originalResponse;
+            }
           }
 
           return tryInsertETagHeader(Response.ok(response), response, namespace, table).build();
         });
   }
 
+  private LoadTableResponse injectRefreshVendedCredentialProperties(
+      LoadTableResponse originalResponse, String credentialsEndpoint) {
+    LoadTableResponse.Builder loadResponseBuilder =
+        LoadTableResponse.builder().withTableMetadata(originalResponse.tableMetadata());
+    loadResponseBuilder.addAllConfig(originalResponse.config());
+    loadResponseBuilder.addAllCredentials(originalResponse.credentials());
+    loadResponseBuilder.addConfig(
+        AwsClientProperties.REFRESH_CREDENTIALS_ENDPOINT, credentialsEndpoint);
+    loadResponseBuilder.addConfig(AwsClientProperties.REFRESH_CREDENTIALS_ENABLED, "true");
+    return loadResponseBuilder.build();
+  }
+
   @Override
   public Response tableExists(
       String prefix,