fix(connectors): support default credential provider chain for iceberg sink

[gomnitrix]

Which issue does this PR close?

Closes #2911

Rationale

Production environments prefer the default credential provider chain over static keys, which the Iceberg Sink connector currently lacks support for.

What changed?

The Iceberg Sink connector previously failed to initialize if store_access_key_id and store_secret_access_key were missing from the config, blocking the use of standard identity-based auth. This fix makes these config fields optional, allowing the underlying OpenDAL seamlessly fall back to the default credential provider chain. An isolated integration test was also added to verify this fallback behavior using environment variables.

Local Execution

• Passed
• Pre-commit hooks ran

E2E Validation Results

The fallback mechanism has been verified through:

1. Automated Integration Test
Added a new test fixture: IcebergEnvAuthFixture and a corresponding integration test case: iceberg_sink_uses_default_credential_chain. It simulates the environment by omitting config credentials, injecting AWS_ environment variables, and validating whether the test data successfully flushes to MinIO using the fallback chain.

2. Manual Local Verification
I also successfully verified this end-to-end. Providing credentials exclusively via the environment triggered the fallback correctly and successfully routed Iggy messages to the catalog:

Click to view the local verification logs

# 1. The connector initializes and successfully falls back to default credentials:

2026-04-04T11:28:28.680638Z  INFO connector: connector_target="iggy_connector_iceberg_sink::sink" Opened Iceberg sink connector with ID: 1 for URL: http://rest:8181. No explicit credentials provided, falling back to default credential provider chain
2026-04-04T11:28:28.680661Z  INFO connector: connector_target="iggy_connector_iceberg_sink::sink" Configuring Iceberg catalog with the following config:
-region: us-east-1
-url: http://minio:9000
-store class: S3
-catalog type: REST

2026-04-04T11:28:28.692411Z  INFO connector: connector_target="iggy_connector_iceberg_sink::router::static_router" Static router found 1 tables on iceberg catalog from 1 tables declared
2026-04-04T11:28:28.692612Z  INFO iggy_connectors::sink: Sink container with name: Iceberg sink (iceberg), initialized successfully with ID: 1.

# 2. Sending a test message via CLI to the running server:

$ cargo run --bin iggy -- -u iggy -p password message send test_stream test_topic "{\"id\": 1, \"name\": \"hello_iggy\"}"
Sent messages to topic with ID: test_topic and stream with ID: test_stream

# 3. The connector immediately processes and routes it to Iceberg:

2026-04-04T11:29:54.643126Z  INFO connector: connector_target="iggy_connector_iceberg_sink::router::static_router" Routed 1 messages to iceberg table messages successfully

AI Usage

1. Which tools? Gemini 3.1 Pro
2. Scope of usage? Paired to implement the iceberg_sink_uses_default_credential_chain integration test.
3. How did you verify the generated code works correctly? Verified the test logic and ensured it correctly polls Iceberg snapshots without explicit static access key config.
4. Can you explain every line of the code if asked? yes

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.69%. Comparing base (27f0f11) to head (0d8df6c).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #3045      +/-   ##
============================================
- Coverage     72.71%   72.69%   -0.03%     
  Complexity      943      943              
============================================
  Files          1117     1117              
  Lines         96285    96342      +57     
  Branches      73485    73541      +56     
============================================
+ Hits          70014    70035      +21     
- Misses        23725    23753      +28     
- Partials       2546     2554       +8     

Components	Coverage Δ
Rust Core	73.45% <100.00%> (-0.01%)	⬇️
Java SDK	62.30% <ø> (ø)
C# SDK	69.40% <ø> (ø)
Python SDK	81.43% <ø> (ø)
Node SDK	91.31% <ø> (-0.22%)	⬇️
Go SDK	38.97% <ø> (ø)

Files with missing lines	Coverage Δ
core/connectors/sinks/iceberg_sink/src/lib.rs	100.00% <ø> (ø)
core/connectors/sinks/iceberg_sink/src/props.rs	97.29% <100.00%> (+9.06%)	⬆️
core/connectors/sinks/iceberg_sink/src/sink.rs	100.00% <ø> (ø)

... and 11 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[hubcio]

@EdgarModesto23 would you mind checking this?

[EdgarModesto23]

@hubcio sure!