Open catalogs still depend on credentials. Pretending otherwise is how small access changes become large outages.

Credential rotation is catalog operations

Lakekeeper is an open catalog option for Iceberg REST catalog deployments. Like every catalog in the critical path, it sits near identity, authorization, storage configuration, audit logging, and query engine access. Credential rotation is not a background security chore in that architecture. It is a catalog operation.

A rotation event can affect service principals, warehouses, object storage paths, engines, scheduled jobs, and recovery procedures. If those boundaries are not documented, a routine security update can break production data access.

Lakekeeper exposes identity and authorization surfaces

Lakekeeper documentation describes authentication configuration, authorization mechanisms, role providers, audit logging, and trusted engines. The authorization docs also call out that some admin-list changes require redeploy because the list is read at process startup. That kind of operational detail belongs in the rotation runbook.

The runbook should say which identities rotate, which engines use them, which warehouses they can access, which tests prove access still works, and which audit events prove the rotation happened.

Core idea: credential rotation is successful only when access changes and evidence changes together.

Rotation needs a runbook

For related patterns, read Lakekeeper catalog account recovery runbooks, Lakekeeper warehouse boundaries, and catalog-neutral governance controls.

The best rotation process is boring. It has a precheck, a change window, an owner, a test query, an audit-log check, and a rollback path. It also records which data products were affected, not just which secret changed.

What breaks first

  • A credential rotates, but the engine cache still holds the old assumption.
  • A service identity has access to the catalog but not the correct warehouse path.
  • Audit logs show admin activity without tying it to the rotation ticket.
  • Break-glass access is confused with day-to-day administrator access.

Rotation questions

Ask which identities exist, which storage paths they touch, which catalog privileges they hold, and which engines must prove access after rotation. If the list is incomplete, the rotation is still a guess.

Sources to start with

These primary sources anchor the technical claims in this guide.

The credential is only the secret. The catalog boundary is the system that has to keep working.