Query Iceberg Topics using AWS Glue

beta

This feature requires an enterprise license. To get a trial license key or extend your trial period, generate a new trial license key. To purchase a license, contact Redpanda Sales.

If Redpanda has enterprise features enabled and it cannot find a valid license, restrictions apply.

This guide walks you through querying Redpanda topics as Iceberg tables stored in AWS S3, using a catalog integration with AWS Glue. For general information about Iceberg catalog integrations in Redpanda, see Use Iceberg Catalogs.

Prerequisites

Redpanda version 25.1.7 or later.
rpk installed or updated to the latest version.
Object storage configured for your cluster and Tiered Storage enabled for the topics for which you want to generate Iceberg tables.

You also use the S3 bucket URI to set the base location for AWS Glue Data Catalog.
Admin permissions to create IAM policies and roles in AWS.

Limitations

Nested partition spec support

AWS Glue does not support partitioning on nested fields. If Redpanda detects that the default partitioning (hour(redpanda.timestamp)) is in use, it will instead apply an empty partition spec (), which means the table will not be partitioned.

If you want to use partitioning, you must specify a custom partition specification using your own partition columns (columns that are not nested).

Authorize access to AWS Glue

You must allow Redpanda access to AWS Glue services in your AWS account. You can use the same access credentials that you configured for S3 (IAM role, access keys, and KMS key), as long as you have also added read and write access to AWS Glue Data Catalog.

For example, you could create a separate IAM policy that manages access to AWS Glue, and attach it to the IAM role that Redpanda also uses to access S3. It is recommended to add all AWS Glue API actions in the policy ("glue:*") on the following resources:

Root catalog (catalog)
All databases (database/*)
All tables (table/*/*)

Your IAM policy should include a statement similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:*"
      ],
      "Resource": [
        "arn:aws:glue:<aws-region>:<aws-account-id>:catalog",
        "arn:aws:glue:<aws-region>:<aws-account-id>:database/*",
        "arn:aws:glue:<aws-region>:<aws-account-id>:table/*/*"
        ]
    }
  ]
}

For more information on configuring IAM permissions, see the AWS Glue documentation.

Configure authentication and credentials

You must configure credentials for the AWS Glue Data Catalog integration in either of the following ways:

Allow Redpanda to use the same cloud_storage_* credential properties configured for S3. If you do not configure the overrides listed below, Redpanda uses the same credentials for both S3 and AWS Glue. This is the recommended approach.
If you want to configure authentication to AWS Glue separately from authentication to S3, there are equivalent credential configuration properties named iceberg_rest_catalog_aws_* that override the object storage credentials. These properties only apply to REST catalog authentication, and never to S3 authentication:
- iceberg_rest_catalog_aws_access_key overrides cloud_storage_access_key
- iceberg_rest_catalog_aws_secret_key overrides cloud_storage_secret_key
- iceberg_rest_catalog_aws_region overrides cloud_storage_region
- iceberg_rest_catalog_credentials_source overrides cloud_storage_credentials_source

Update cluster configuration

To configure your Redpanda cluster to enable Iceberg on a topic and integrate with the AWS Glue Data Catalog:

Edit your cluster configuration to set the iceberg_enabled property to true, and set the catalog integration properties listed in the example below.

Run rpk cluster config edit to update these properties:

iceberg_enabled: true
iceberg_catalog_type: rest
iceberg_rest_catalog_endpoint: https://glue.<glue-region>.amazonaws.com/iceberg
iceberg_rest_catalog_authentication_mode: aws_sigv4
iceberg_rest_catalog_base_location: s3://<bucket-name>/<warehouse-path>
# Use the iceberg_rest_catalog_aws_* properties if you want to
# use separate AWS credentials for the catalog, or delete to reuse S3
# (cloud_storage_*) credentials.
# For access using access keys only, use iceberg_rest_catalog_aws_access_key
# and iceberg_rest_catalog_aws_secret_key. For access with an IAM role, use
# iceberg_rest_catalog_credentials_source only.
# iceberg_rest_catalog_aws_region:
# iceberg_rest_catalog_aws_access_key:
# iceberg_rest_catalog_aws_secret_key:
# iceberg_rest_catalog_credentials_source:

Use your own values for the following placeholders:

<glue-region>: The AWS region where your Data Catalog is located. The region in the AWS Glue endpoint must match the region specified in either your cloud_storage_region or iceberg_rest_catalog_aws_region property.
<bucket-name> and <warehouse-path>: AWS Glue requires you to specify the base location where Redpanda stores Iceberg data and metadata files. You must use an S3 URI; for example, s3://<bucket-name>/iceberg. As a security best practice, Redpanda Data recommends specifying a subfolder (using prefixes) rather than the root of the bucket.

Successfully updated configuration. New configuration version is 2.

If you change the configuration for a running cluster, you must restart that cluster now.
Enable the integration for a topic by configuring the topic property redpanda.iceberg.mode. The following examples show how to use rpk to either create a new topic or alter the configuration for an existing topic and set the Iceberg mode to key_value. The key_value mode creates a two-column Iceberg table for the topic, with one column for the record metadata including the key, and another binary column for the record’s value. See Specify Iceberg Schema for more details on Iceberg modes.
Create a new topic and set redpanda.iceberg.mode:
```
rpk topic create <topic-name> --topic-config=redpanda.iceberg.mode=key_value
```
Set redpanda.iceberg.mode for an existing topic:
```
rpk topic alter-config <topic-name> --set redpanda.iceberg.mode=key_value
```

Produce to the topic. For example,

echo "hello world\nfoo bar\nbaz qux" | rpk topic produce <topic-name> --format='%k %v\n'

You should see the topic as a table with data in AWS Glue Data Catalog. The data may take some time to become visible, depending on your iceberg_target_lag_ms setting.

In AWS Glue Studio, go to Databases.
Select the redpanda database. The redpanda database and the table within are automatically added for you. The table name is the same as the topic name.

Query Iceberg table

You can query the Iceberg table using different engines, such as Amazon Athena, PyIceberg, or Apache Spark. To query the table or view the table data in AWS Glue, ensure that your account has the necessary permissions to access the catalog, database, and table.

To query the table in Amazon Athena:

On the list of tables in AWS Glue Studio, click "Table data" under the View data column.
Click "Proceed" to be redirected to the Athena query editor.
In the query editor, select AwsDataCatalog as the data source, and select the redpanda database.

The SQL query editor should be pre-populated with a query that selects 10 rows from the Iceberg table. Run the query to see a preview of the table data.

SELECT * FROM "AwsDataCatalog"."redpanda"."<table-name>" limit 1;

Your query results should look like the following:

+-----------------------------------------------------+----------------+
| redpanda                                            | value          |
+-----------------------------------------------------+----------------+
| {partition=0, offset=0, timestamp=2025-07-21        | 77 6f 72 6c 64 |
| 18:11:25.070000, headers=null, key=[B@1900af31}     |                |
+-----------------------------------------------------+----------------+

Suggested labs

Search all labs

Was this helpful?

group Ask in the community

mail Share your feedback

group_add Make a contribution

What do you think of this page?

Let us know more:

Let us contact you about your feedback: