Cloudflare R2 Data Catalog¶
Cloudflare R2 Data Catalog implements the Iceberg REST spec with vended credentials — pg2iceberg fetches per-table temporary S3 credentials from the catalog, so no static access keys are required.
Prerequisites¶
- An R2 bucket with the Data Catalog enabled (Cloudflare dashboard → R2 → your bucket → Data Catalog)
- An R2 API token with at minimum Iceberg Catalog Edit permission
Configuration¶
source:
postgres_url: "postgres://user:pass@host:5432/db?sslmode=disable"
publication: pg2iceberg
slot: pg2iceberg
sink:
catalog_uri: "https://catalog.cloudflareworkers.com/iceberg/v1/{account-id}/{bucket-name}"
catalog_auth: bearer
catalog_token: "${R2_API_TOKEN}"
credential_mode: vended
namespace: default
tables:
- name: public.orders
| Field | Value |
|---|---|
catalog_uri |
From the R2 Data Catalog dashboard for your bucket |
catalog_auth |
bearer |
catalog_token |
R2 API token with Iceberg Catalog Edit permission |
credential_mode |
vended |
Tip
Copy the catalog URI directly from the Cloudflare dashboard — it includes your account ID and bucket name.
Vended credentials¶
With credential_mode: vended, pg2iceberg does not need any S3 configuration. The catalog issues temporary credentials scoped per table on each LoadTable call. Credentials are refreshed automatically before expiry.
Note
The warehouse, s3_endpoint, s3_access_key, and s3_secret_key fields are ignored in vended mode.