Which issue does this PR close?

Closes #2911

Rationale

Production environments prefer the default credential provider chain over static keys, which the Iceberg Sink connector currently lacks support for.

What changed?

The Iceberg Sink connector previously failed to initialize if store_access_key_id and store_secret_access_key were missing from the config, blocking the use of standard identity-based auth. This fix makes these config fields optional, allowing the underlying OpenDAL seamlessly fall back to the default credential provider chain. An isolated integration test was also added to verify this fallback behavior using environment variables.

Local Execution

• Passed
• Pre-commit hooks ran

E2E Validation Results

The fallback mechanism has been verified through:

1. Automated Integration Test
Added a new test fixture: IcebergEnvAuthFixture and a corresponding integration test case: iceberg_sink_uses_default_credential_chain. It simulates the environment by omitting config credentials, injecting AWS_ environment variables, and validating whether the test data successfully flushes to MinIO using the fallback chain.

2. Manual Local Verification
I also successfully verified this end-to-end. Providing credentials exclusively via the environment triggered the fallback correctly and successfully routed Iggy messages to the catalog:

# 1. The connector initializes and successfully falls back to default credentials:

2026-04-04T11:28:28.680638Z  INFO connector: connector_target="iggy_connector_iceberg_sink::sink" Opened Iceberg sink connector with ID: 1 for URL: http://rest:8181. No explicit credentials provided, falling back to default credential provider chain
2026-04-04T11:28:28.680661Z  INFO connector: connector_target="iggy_connector_iceberg_sink::sink" Configuring Iceberg catalog with the following config:
-region: us-east-1
-url: http://minio:9000
-store class: S3
-catalog type: REST

2026-04-04T11:28:28.692411Z  INFO connector: connector_target="iggy_connector_iceberg_sink::router::static_router" Static router found 1 tables on iceberg catalog from 1 tables declared
2026-04-04T11:28:28.692612Z  INFO iggy_connectors::sink: Sink container with name: Iceberg sink (iceberg), initialized successfully with ID: 1.

# 2. Sending a test message via CLI to the running server:

$ cargo run --bin iggy -- -u iggy -p password message send test_stream test_topic "{\"id\": 1, \"name\": \"hello_iggy\"}"
Sent messages to topic with ID: test_topic and stream with ID: test_stream

# 3. The connector immediately processes and routes it to Iceberg:

2026-04-04T11:29:54.643126Z  INFO connector: connector_target="iggy_connector_iceberg_sink::router::static_router" Routed 1 messages to iceberg table messages successfully

AI Usage

1. Which tools? Gemini 3.1 Pro
2. Scope of usage? Paired to implement the iceberg_sink_uses_default_credential_chain integration test.
3. How did you verify the generated code works correctly? Verified the test logic and ensured it correctly polls Iceberg snapshots without explicit static access key config.
4. Can you explain every line of the code if asked? yes