Warehouses in Pangolin define storage configurations and credential management strategies for your Iceberg tables. Each warehouse represents a storage backend (S3, Azure Blob, GCS) and controls how clients access data.
Key Concepts:
- Warehouse: Storage configuration and credential vending settings
- Catalog: References a warehouse and defines a storage location
- Credential Vending: Automatic provisioning of temporary credentials to clients

```bash
curl -X POST http://localhost:8080/api/v1/warehouses \
  -H "X-Pangolin-Tenant: <tenant-id>" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "dev_warehouse",
    "use_sts": false,
    "storage_config": {
      "type": "s3",
      "bucket": "my-dev-bucket",
      "region": "us-east-1"
    }
  }'
```

Configuration:
- `use_sts: false` - Clients use static credentials from their environment
- Suitable for development and testing

```bash
curl -X POST http://localhost:8080/api/v1/warehouses \
  -H "X-Pangolin-Tenant: <tenant-id>" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "production_warehouse",
    "vending_strategy": {
      "type": "AwsSts",
      "role_arn": "arn:aws:iam::123456789012:role/PangolinDataAccess"
    },
    "storage_config": {
      "s3.bucket": "my-prod-bucket",
      "s3.region": "us-east-1"
    }
  }'
```

Configuration:
- `vending_strategy`: Defines how Pangolin provisions temporary credentials (STS, SAS, OAuth).
- Required for production environments where direct IAM access is prohibited.

```json
{
  "type": "s3",
  "bucket": "my-bucket",
  "region": "us-east-1",
  "role_arn": "arn:aws:iam::123456789012:role/DataAccess"
}
```

```json
{
  "type": "azure",
  "account_name": "mystorageaccount",
  "container": "data"
}
```

```json
{
  "type": "gcs",
  "bucket": "my-gcs-bucket",
  "project_id": "my-project"
}
```

```json
{
  "type": "s3",
  "bucket": "minio-bucket",
  "endpoint": "http://minio:9000",
  "allow_http": true,
  "s3.path-style-access": "true"
}
```

GET /api/v1/warehouses
Headers:
- Authorization: Bearer <token>
- X-Pangolin-Tenant: <Tenant-ID>

POST /api/v1/warehouses
Body (with STS):

```json
{
  "name": "main_warehouse",
  "use_sts": true,
  "storage_config": {
    "type": "s3",
    "bucket": "my-bucket",
    "region": "us-east-1",
    "role_arn": "arn:aws:iam::123456789012:role/PangolinRole"
  }
}
```

GET /api/v1/warehouses/{name}

After creating a warehouse, create catalogs that reference it:

```bash
curl -X POST http://localhost:8080/api/v1/catalogs \
  -H "X-Pangolin-Tenant: <tenant-id>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "analytics",
    "warehouse_name": "main_warehouse",
    "storage_location": "s3://my-bucket/analytics"
  }'
```

- Use STS in Production: Set `use_sts: true` for production warehouses
- Static Credentials for Development: Use `use_sts: false` for local development
- Separate Warehouses by Environment: Create different warehouses for dev, staging, production
- Scope Storage Locations: Use the catalog's `storage_location` to organize data

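
The recommendations in the list above can be checked mechanically before warehouse definitions are submitted. The following is an added example, not part of Pangolin or the original page: a small audit over request bodies shaped like the ones shown here. The environment label, the function names, the ARN format check and the rule against plaintext HTTP endpoints outside dev are assumptions of this example.

```python
import re

# Constructed sample definitions, shaped like the request bodies on this page.
# The environment label is supplied by the auditor; it is not a Pangolin field.
SAMPLES = [
    ("production", {"name": "production_warehouse",
                    "vending_strategy": {"type": "AwsSts",
                                         "role_arn": "arn:aws:iam::123456789012:role/PangolinDataAccess"},
                    "storage_config": {"s3.bucket": "my-prod-bucket", "s3.region": "us-east-1"}}),
    ("production", {"name": "legacy_warehouse", "use_sts": False,
                    "storage_config": {"type": "s3", "bucket": "my-dev-bucket", "region": "us-east-1"}}),
    ("dev", {"name": "dev_warehouse", "use_sts": False,
             "storage_config": {"type": "s3", "bucket": "my-dev-bucket", "region": "us-east-1"}}),
    ("staging", {"name": "minio_warehouse", "use_sts": False,
                 "storage_config": {"type": "s3", "bucket": "minio-bucket",
                                    "endpoint": "http://minio:9000", "allow_http": True}}),
]
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def bucket_of(storage):
    # The page shows both "bucket" and "s3.bucket" as key spellings.
    return storage.get("bucket") or storage.get("s3.bucket")

def audit(definitions):
    """Return sorted (warehouse_name, finding) pairs for a list of (env, body)."""
    findings, bucket_envs = [], {}
    for env, wh in definitions:
        name, storage = wh["name"], wh.get("storage_config", {})
        strategy = wh.get("vending_strategy") or {}
        vends = wh.get("use_sts") is True or bool(strategy)
        if env == "production" and not vends:
            findings.append((name, "static credentials in production"))
        arn = strategy.get("role_arn") or storage.get("role_arn")
        if vends and arn is not None and not ROLE_ARN.match(arn):
            findings.append((name, "malformed role_arn"))
        endpoint = str(storage.get("endpoint", ""))
        if env != "dev" and (storage.get("allow_http") is True or endpoint.startswith("http://")):
            findings.append((name, "plaintext HTTP endpoint outside dev"))
        if bucket_of(storage):
            bucket_envs.setdefault(bucket_of(storage), set()).add(env)
    for _, wh in definitions:  # second pass: one bucket serving several environments
        envs = bucket_envs.get(bucket_of(wh.get("storage_config", {})), set())
        if len(envs) > 1:
            findings.append((wh["name"], "bucket shared across " + "/".join(sorted(envs))))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLES), sep="\n")
```
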
- Security & Credential Vending - Detailed credential vending guide
- AWS S3 Storage - S3 backend configuration
- Client Configuration - PyIceberg, Spark, Trino setup