From b791ad5c9240168864351da39b29c6e565d40c58 Mon Sep 17 00:00:00 2001
From: Eric Maynard <eric.maynard+oss@snowflake.com>
Date: Wed, 18 Jun 2025 15:23:40 -0700
Subject: [PATCH 01/11] add arguments and hints

---
 client/python/cli/constants.py           | 56 ++++++++++++++++++++++++
 client/python/cli/options/option_tree.py | 26 +++++++++--
 2 files changed, 79 insertions(+), 3 deletions(-)

diff --git a/client/python/cli/constants.py b/client/python/cli/constants.py
index c9f28ba3c3..4c57268d4b 100644
--- a/client/python/cli/constants.py
+++ b/client/python/cli/constants.py
@@ -48,6 +48,25 @@ class PrincipalType(Enum):
     SERVICE = 'service'
 
 
+class ConnectionType(Enum):
+    """
+    Represents a ConnectionType for an EXTERNAL catalog -- see ConnectionConfigInfo in the spec
+    """
+
+    HADOOP = 'hadoop'
+    HIVE = 'hive'
+
+
+class AuthenticationType(Enum):
+    """
+    Represents a AuthenticationType for an EXTERNAL catalog -- see AuthenticationParameters in the spec
+    """
+
+    OAUTH = 'oauth'
+    BEARER = 'bearer'
+    SIGV4 = 'sigv4'
+
+
 class Commands:
     """
     Represents the various commands available in the CLI
@@ -136,6 +155,18 @@ class Arguments:
     REGION = 'region'
     PROFILE = 'profile'
     PROXY = 'proxy'
+    CATALOG_CONNECTION_TYPE = 'catalog_connection_type'
+    CATALOG_AUTHENTICATION_TYPE = 'catalog_authentication_type'
+    CATALOG_TOKEN_URI = 'catalog_token_uri'
+    CATALOG_CLIENT_ID = 'catalog_client_id'
+    CATALOG_CLIENT_SECRET = 'catalog_client_secret'
+    CATALOG_CLIENT_SCOPE = 'catalog_client_scope'
+    CATALOG_BEARER_TOKEN = 'catalog_bearer_token'
+    CATALOG_ROLE_ARN = 'catalog_role_arn'
+    CATALOG_ROLE_SESSION_NAME = 'catalog_role_session_name'
+    CATALOG_EXTERNAL_ID = 'catalog_role_external_id'
+    CATALOG_SIGNING_REGION = 'catalog_signing_region'
+    CATALOG_SIGNING_NAME = 'catalog_signing_name'
 
 
 class Hints:
@@ -180,6 +211,31 @@ class Create:
         class Update:
             DEFAULT_BASE_LOCATION = 'A new default base location for the catalog'
 
+        class External:
+            CATALOG_CONNECTION_TYPE = 'The type of external catalog in [ICEBERG, HADOOP].'
+            CATALOG_AUTHENTICATION_TYPE = 'The type of authentication in [OAUTH, BEARER, SIGV4]'
+
+            CATALOG_TOKEN_URI = '(For authentication type OAUTH) Token server URI'
+            CATALOG_CLIENT_ID = '(For authentication type OAUTH) oauth client id'
+            CATALOG_CLIENT_SECRET = '(For authentication type OAUTH) oauth client secret (input-only)'
+            CATALOG_CLIENT_SCOPE = ('(For authentication type OAUTH) oauth scopes to specify when exchanging '
+                                    'for a short-lived access token. Multiple can be provided by specifying'
+                                    ' this option more than once')
+
+            CATALOG_BEARER_TOKEN = '(For authentication type BEARER) Bearer token (input-only)'
+
+            CATALOG_ROLE_ARN = ('(For authentication type SIGV4) The aws IAM role arn assumed by polaris '
+                                'userArn when signing requests')
+            CATALOG_ROLE_SESSION_NAME = ('(For authentication type SIGV4) The role session name to be used '
+                                         'by the SigV4 protocol for signing requests')
+            CATALOG_EXTERNAL_ID = ('(For authentication type SIGV4) An optional external id used to establish '
+                                   'a trust relationship with AWS in the trust policy')
+            CATALOG_SIGNING_REGION = ('(For authentication type SIGV4) Region to be used by the SigV4 protocol '
+                                      'for signing requests')
+            CATALOG_SIGNING_NAME = ('(For authentication type SIGV4) The service name to be used by the SigV4 '
+                                    'protocol for signing requests, the default signing name is "execute-api" '
+                                    'is if not provided')
+
     class Principals:
         class Create:
             TYPE = 'The type of principal to create in [SERVICE]'
diff --git a/client/python/cli/options/option_tree.py b/client/python/cli/options/option_tree.py
index f926230e19..d8c263fd4f 100644
--- a/client/python/cli/options/option_tree.py
+++ b/client/python/cli/options/option_tree.py
@@ -19,7 +19,7 @@
 from dataclasses import dataclass, field
 from typing import List
 
-from cli.constants import StorageType, CatalogType, PrincipalType, Hints, Commands, Arguments, Subcommands, Actions
+from cli.constants import StorageType, CatalogType, PrincipalType, Hints, Commands, Arguments, Subcommands, Actions, ConnectionType, AuthenticationType
 
 
 @dataclass
@@ -74,6 +74,26 @@ class OptionTree:
         Argument(Arguments.CATALOG_ROLE, str, Hints.CatalogRoles.CATALOG_ROLE)
     ]
 
+    _FEDERATION_ARGS = [
+        Argument(Arguments.CATALOG_CONNECTION_TYPE, str,
+                 Hints.Catalogs.External.CATALOG_CONNECTION_TYPE, lower=True,
+                 choices=[ct.value for ct in ConnectionType]),
+        Argument(Arguments.CATALOG_AUTHENTICATION_TYPE, str,
+                 Hints.Catalogs.External.CATALOG_AUTHENTICATION_TYPE, lower=True,
+                 choices=[at.value for at in AuthenticationType]),
+        Argument(Arguments.CATALOG_TOKEN_URI, str, Hints.Catalogs.External.CATALOG_TOKEN_URI),
+        Argument(Arguments.CATALOG_CLIENT_ID, str, Hints.Catalogs.External.CATALOG_CLIENT_ID),
+        Argument(Arguments.CATALOG_CLIENT_SECRET, str, Hints.Catalogs.External.CATALOG_CLIENT_SECRET),
+        Argument(Arguments.CATALOG_CLIENT_SCOPE, str,
+                 Hints.Catalogs.External.CATALOG_CLIENT_SCOPE, allow_repeats=True),
+        Argument(Arguments.CATALOG_BEARER_TOKEN, str, Hints.Catalogs.External.CATALOG_BEARER_TOKEN),
+        Argument(Arguments.CATALOG_ROLE_ARN, str, Hints.Catalogs.External.CATALOG_ROLE_ARN),
+        Argument(Arguments.CATALOG_ROLE_SESSION_NAME, str, Hints.Catalogs.External.CATALOG_ROLE_SESSION_NAME),
+        Argument(Arguments.CATALOG_EXTERNAL_ID, str, Hints.Catalogs.External.CATALOG_EXTERNAL_ID),
+        Argument(Arguments.CATALOG_SIGNING_REGION, str, Hints.Catalogs.External.CATALOG_SIGNING_REGION),
+        Argument(Arguments.CATALOG_SIGNING_NAME, str, Hints.Catalogs.External.CATALOG_SIGNING_NAME, lower=True)
+    ]
+
     @staticmethod
     def get_tree() -> List[Option]:
         return [
@@ -94,7 +114,7 @@ def get_tree() -> List[Option]:
                     Argument(Arguments.CONSENT_URL, str, Hints.Catalogs.Create.CONSENT_URL),
                     Argument(Arguments.SERVICE_ACCOUNT, str, Hints.Catalogs.Create.SERVICE_ACCOUNT),
                     Argument(Arguments.PROPERTY, str, Hints.PROPERTY, allow_repeats=True),
-                ], input_name=Arguments.CATALOG),
+                ] + OptionTree._FEDERATION_ARGS, input_name=Arguments.CATALOG),
                 Option(Subcommands.DELETE, input_name=Arguments.CATALOG),
                 Option(Subcommands.GET, input_name=Arguments.CATALOG),
                 Option(Subcommands.LIST, args=[
@@ -107,7 +127,7 @@ def get_tree() -> List[Option]:
                     Argument(Arguments.REGION, str, Hints.Catalogs.Create.REGION),
                     Argument(Arguments.SET_PROPERTY, str, Hints.SET_PROPERTY, allow_repeats=True),
                     Argument(Arguments.REMOVE_PROPERTY, str, Hints.REMOVE_PROPERTY, allow_repeats=True),
-                ], input_name=Arguments.CATALOG)
+                ] + OptionTree._FEDERATION_ARGS, input_name=Arguments.CATALOG)
             ]),
             Option(Commands.PRINCIPALS, 'manage principals', children=[
                 Option(Subcommands.CREATE, args=[

From f721a17297200454109c4b8cc098730cff9db18f Mon Sep 17 00:00:00 2001
From: Eric Maynard <eric.maynard+oss@snowflake.com>
Date: Wed, 18 Jun 2025 16:11:06 -0700
Subject: [PATCH 02/11] wire up command

---
 client/python/cli/command/__init__.py | 15 ++++++++++++++-
 client/python/cli/command/catalogs.py | 20 ++++++++++++++++++--
 2 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/client/python/cli/command/__init__.py b/client/python/cli/command/__init__.py
index 414ce43f50..4dcef3231c 100644
--- a/client/python/cli/command/__init__.py
+++ b/client/python/cli/command/__init__.py
@@ -40,6 +40,7 @@ def options_get(key, f=lambda x: x):
         properties = Parser.parse_properties(options_get(Arguments.PROPERTY))
         set_properties = Parser.parse_properties(options_get(Arguments.SET_PROPERTY))
         remove_properties = options_get(Arguments.REMOVE_PROPERTY)
+        catalog_client_scopes = options_get(Arguments.CATALOG_CLIENT_SCOPE)
 
         command = None
         if options.command == Commands.CATALOGS:
@@ -61,7 +62,19 @@ def options_get(key, f=lambda x: x):
                 catalog_name=options_get(Arguments.CATALOG),
                 properties={} if properties is None else properties,
                 set_properties={} if set_properties is None else set_properties,
-                remove_properties=[] if remove_properties is None else remove_properties
+                remove_properties=[] if remove_properties is None else remove_properties,
+                catalog_connection_type=options_get(Arguments.CATALOG_CONNECTION_TYPE),
+                catalog_authentication_type=options_get(Arguments.CATALOG_AUTHENTICATION_TYPE),
+                catalog_token_uri=options_get(Arguments.CATALOG_TOKEN_URI),
+                catalog_client_id=options_get(Arguments.CATALOG_CLIENT_ID),
+                catalog_client_secret=options_get(Arguments.CATALOG_CLIENT_SECRET),
+                catalog_client_scopes=[] if catalog_client_scopes is None else catalog_client_scopes,
+                catalog_bearer_token=options_get(Arguments.CATALOG_BEARER_TOKEN),
+                catalog_role_arn=options_get(Arguments.CATALOG_ROLE_ARN),
+                catalog_role_session_name=options_get(Arguments.CATALOG_ROLE_SESSION_NAME),
+                catalog_external_id=options_get(Arguments.CATALOG_EXTERNAL_ID),
+                catalog_signing_region=options_get(Arguments.CATALOG_SIGNING_REGION),
+                catalog_signing_name=options_get(Arguments.CATALOG_SIGNING_NAME)
             )
         elif options.command == Commands.PRINCIPALS:
             from cli.command.principals import PrincipalsCommand
diff --git a/client/python/cli/command/catalogs.py b/client/python/cli/command/catalogs.py
index 9f7cd2015b..ee689bb16c 100644
--- a/client/python/cli/command/catalogs.py
+++ b/client/python/cli/command/catalogs.py
@@ -59,6 +59,18 @@ class CatalogsCommand(Command):
     properties: Dict[str, StrictStr]
     set_properties: Dict[str, StrictStr]
     remove_properties: List[str]
+    catalog_connection_type: str
+    catalog_authentication_type: str
+    catalog_token_uri: str
+    catalog_client_id: str
+    catalog_client_secret: str
+    catalog_client_scopes: List[str]
+    catalog_bearer_token: str
+    catalog_role_arn: str
+    catalog_role_session_name: str
+    catalog_external_id: str
+    catalog_signing_region: str
+    catalog_signing_name: str
 
     def validate(self):
         if self.catalogs_subcommand == Subcommands.CREATE:
@@ -137,15 +149,19 @@ def _build_storage_config_info(self):
             )
         return config
 
+    def _build_connection_config_info(self):
+        pass
+
     def execute(self, api: PolarisDefaultApi) -> None:
         if self.catalogs_subcommand == Subcommands.CREATE:
-            config = self._build_storage_config_info()
+            storage_config = self._build_storage_config_info()
+            connection_config = self._build_connection_config_info()
             if self.catalog_type == CatalogType.EXTERNAL.value:
                 request = CreateCatalogRequest(
                     catalog=ExternalCatalog(
                         type=self.catalog_type.upper(),
                         name=self.catalog_name,
-                        storage_config_info=config,
+                        storage_config_info=storage_config,
                         properties=CatalogProperties(
                             default_base_location=self.default_base_location,
                             additional_properties=self.properties

From 209b6e231582d0175120b7b3bc55b4acdf43a75e Mon Sep 17 00:00:00 2001
From: Eric Maynard <eric.maynard+oss@snowflake.com>
Date: Wed, 18 Jun 2025 16:19:22 -0700
Subject: [PATCH 03/11] start catalogs impl

---
 client/python/cli/command/catalogs.py | 53 +++++++++++++++++++++++----
 1 file changed, 45 insertions(+), 8 deletions(-)

diff --git a/client/python/cli/command/catalogs.py b/client/python/cli/command/catalogs.py
index ee689bb16c..a1598bd712 100644
--- a/client/python/cli/command/catalogs.py
+++ b/client/python/cli/command/catalogs.py
@@ -22,7 +22,7 @@
 from pydantic import StrictStr
 
 from cli.command import Command
-from cli.constants import StorageType, CatalogType, Subcommands, Arguments
+from cli.constants import StorageType, CatalogType, Subcommands, Arguments, AuthenticationType
 from cli.options.option_tree import Argument
 from polaris.management import PolarisDefaultApi, Catalog, CreateCatalogRequest, UpdateCatalogRequest, \
     StorageConfigInfo, ExternalCatalog, AwsStorageConfigInfo, AzureStorageConfigInfo, GcpStorageConfigInfo, \
@@ -74,12 +74,31 @@ class CatalogsCommand(Command):
 
     def validate(self):
         if self.catalogs_subcommand == Subcommands.CREATE:
-            if not self.storage_type:
-                raise Exception(f'Missing required argument:'
-                                f' {Argument.to_flag_name(Arguments.STORAGE_TYPE)}')
-            if not self.default_base_location:
-                raise Exception(f'Missing required argument:'
-                                f' {Argument.to_flag_name(Arguments.DEFAULT_BASE_LOCATION)}')
+            if self.catalog_type != CatalogType.EXTERNAL.value:
+                if not self.storage_type:
+                    raise Exception(f'Missing required argument:'
+                                    f' {Argument.to_flag_name(Arguments.STORAGE_TYPE)}')
+                if not self.default_base_location:
+                    raise Exception(f'Missing required argument:'
+                                    f' {Argument.to_flag_name(Arguments.DEFAULT_BASE_LOCATION)}')
+            else:
+                if self.catalog_authentication_type == AuthenticationType.OAUTH.value:
+                    if not self.catalog_token_uri or not self.catalog_client_id \
+                            or not self.catalog_client_secret or len(self.catalog_client_scopes) == 0:
+                        raise Exception(f"Authentication type 'OAUTH' requires"
+                                f" {Argument.to_flag_name(Arguments.CATALOG_TOKEN_URI)},"
+                                f" {Argument.to_flag_name(Arguments.CATALOG_CLIENT_ID)},"
+                                f" {Argument.to_flag_name(Arguments.CATALOG_CLIENT_SECRET)},"
+                                f" and at least one {Argument.to_flag_name(Arguments.CATALOG_CLIENT_SCOPE)}.")
+                elif self.catalog_authentication_type == AuthenticationType.BEARER.value:
+                    if not self.catalog_bearer_token:
+                        raise Exception(f"Missing required argument for authentication type 'BEARER':"
+                                f" {Argument.to_flag_name(Arguments.CATALOG_BEARER_TOKEN)}")
+                elif self.catalog_authentication_type == AuthenticationType.SIGV4.value:
+                    if not self.catalog_role_arn or not self.catalog_role_session_name:
+                        raise Exception(f"Authentication type 'SIGV4 requires"
+                                f" {Argument.to_flag_name(Arguments.CATALOG_ROLE_ARN)}"
+                                f" and {Argument.to_flag_name(Arguments.CATALOG_ROLE_SESSION_NAME)}")
 
         if self.storage_type == StorageType.S3.value:
             if not self.role_arn:
@@ -150,7 +169,25 @@ def _build_storage_config_info(self):
         return config
 
     def _build_connection_config_info(self):
-        pass
+        auth_params = None
+        if self.catalog_authentication_type == StorageType.S3.value:
+            auth_params = AuthenicationParameters(
+                storage_type=self.storage_type.upper(),
+                allowed_locations=self.allowed_locations,
+                role_arn=self.role_arn,
+                external_id=self.external_id,
+                user_arn=self.user_arn,
+                region=self.region
+            )
+        elif self.storage_type == StorageType.AZURE.value:
+            config = AzureStorageConfigInfo(
+                storage_type=self.storage_type.upper(),
+                allowed_locations=self.allowed_locations,
+                tenant_id=self.tenant_id,
+                multi_tenant_app_name=self.multi_tenant_app_name,
+                consent_url=self.consent_url,
+            )
+        return config
 
     def execute(self, api: PolarisDefaultApi) -> None:
         if self.catalogs_subcommand == Subcommands.CREATE:

From 5dcabbeec8054086a226442f61a0dea266dbdaff Mon Sep 17 00:00:00 2001
From: Eric Maynard <eric.maynard+oss@snowflake.com>
Date: Wed, 18 Jun 2025 16:40:34 -0700
Subject: [PATCH 04/11] wip

---
 client/python/README.md                  | 20 +++++++
 client/python/cli/command/__init__.py    |  2 +
 client/python/cli/command/catalogs.py    | 73 +++++++++++++++++-------
 client/python/cli/constants.py           |  9 ++-
 client/python/cli/options/option_tree.py |  8 ++-
 5 files changed, 87 insertions(+), 25 deletions(-)

diff --git a/client/python/README.md b/client/python/README.md
index cec9526816..ff94e3e49c 100644
--- a/client/python/README.md
+++ b/client/python/README.md
@@ -1,3 +1,23 @@
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+-->
 <!--
   Licensed to the Apache Software Foundation (ASF) under one
   or more contributor license agreements.  See the NOTICE file
diff --git a/client/python/cli/command/__init__.py b/client/python/cli/command/__init__.py
index 4dcef3231c..a83532d535 100644
--- a/client/python/cli/command/__init__.py
+++ b/client/python/cli/command/__init__.py
@@ -62,6 +62,8 @@ def options_get(key, f=lambda x: x):
                 catalog_name=options_get(Arguments.CATALOG),
                 properties={} if properties is None else properties,
                 set_properties={} if set_properties is None else set_properties,
+                hadoop_warehouse=options_get(Arguments.HADOOP_WAREHOUSE),
+                iceberg_remote_catalog_name=options_get(Arguments.ICEBERG_REMOTE_CATALOG_NAME),
                 remove_properties=[] if remove_properties is None else remove_properties,
                 catalog_connection_type=options_get(Arguments.CATALOG_CONNECTION_TYPE),
                 catalog_authentication_type=options_get(Arguments.CATALOG_AUTHENTICATION_TYPE),
diff --git a/client/python/cli/command/catalogs.py b/client/python/cli/command/catalogs.py
index a1598bd712..239d9acba0 100644
--- a/client/python/cli/command/catalogs.py
+++ b/client/python/cli/command/catalogs.py
@@ -19,14 +19,16 @@
 from dataclasses import dataclass, field
 from typing import Dict, Optional, List
 
-from pydantic import StrictStr
+from pydantic import StrictStr, SecretStr
 
 from cli.command import Command
-from cli.constants import StorageType, CatalogType, Subcommands, Arguments, AuthenticationType
+from cli.constants import StorageType, CatalogType, CatalogConnectionType, Subcommands, Arguments, AuthenticationType
 from cli.options.option_tree import Argument
 from polaris.management import PolarisDefaultApi, Catalog, CreateCatalogRequest, UpdateCatalogRequest, \
     StorageConfigInfo, ExternalCatalog, AwsStorageConfigInfo, AzureStorageConfigInfo, GcpStorageConfigInfo, \
-    PolarisCatalog, CatalogProperties
+    PolarisCatalog, CatalogProperties, AuthenticationParameters, BearerAuthenticationParameters, \
+    OAuthClientCredentialsParameters, SigV4AuthenticationParameters, HadoopConnectionConfigInfo, \
+    IcebergRestConnectionConfigInfo
 
 
 @dataclass
@@ -59,6 +61,8 @@ class CatalogsCommand(Command):
     properties: Dict[str, StrictStr]
     set_properties: Dict[str, StrictStr]
     remove_properties: List[str]
+    hadoop_warehouse: str
+    iceberg_remote_catalog_name: str
     catalog_connection_type: str
     catalog_authentication_type: str
     catalog_token_uri: str
@@ -95,10 +99,10 @@ def validate(self):
                         raise Exception(f"Missing required argument for authentication type 'BEARER':"
                                 f" {Argument.to_flag_name(Arguments.CATALOG_BEARER_TOKEN)}")
                 elif self.catalog_authentication_type == AuthenticationType.SIGV4.value:
-                    if not self.catalog_role_arn or not self.catalog_role_session_name:
+                    if not self.catalog_role_arn or not self.catalog_signing_region:
                         raise Exception(f"Authentication type 'SIGV4 requires"
                                 f" {Argument.to_flag_name(Arguments.CATALOG_ROLE_ARN)}"
-                                f" and {Argument.to_flag_name(Arguments.CATALOG_ROLE_SESSION_NAME)}")
+                                f" and {Argument.to_flag_name(Arguments.CATALOG_SIGNING_REGION)}")
 
         if self.storage_type == StorageType.S3.value:
             if not self.role_arn:
@@ -170,23 +174,50 @@ def _build_storage_config_info(self):
 
     def _build_connection_config_info(self):
         auth_params = None
-        if self.catalog_authentication_type == StorageType.S3.value:
-            auth_params = AuthenicationParameters(
-                storage_type=self.storage_type.upper(),
-                allowed_locations=self.allowed_locations,
-                role_arn=self.role_arn,
-                external_id=self.external_id,
-                user_arn=self.user_arn,
-                region=self.region
+        if self.catalog_authentication_type == AuthenticationType.OAUTH.value:
+            auth_params = OAuthClientCredentialsParameters(
+                token_uri=self.catalog_token_uri,
+                client_id=self.catalog_client_id,
+                client_secret=StrictStr(self.catalog_client_secret),
+                scopes=[SecretStr(s) for s in self.catalog_client_scopes]
             )
-        elif self.storage_type == StorageType.AZURE.value:
-            config = AzureStorageConfigInfo(
-                storage_type=self.storage_type.upper(),
-                allowed_locations=self.allowed_locations,
-                tenant_id=self.tenant_id,
-                multi_tenant_app_name=self.multi_tenant_app_name,
-                consent_url=self.consent_url,
+        elif self.storage_type == AuthenticationType.BEARER.value:
+            auth_params = BearerAuthenticationParameters(
+                bearer_token=SecretStr(self.catalog_bearer_token)
+            )
+        elif self.catalog_authentication_type == AuthenticationType.OAUTH.value:
+            auth_params = SigV4AuthenticationParameters(
+                role_arn=self.catalog_role_arn,
+                role_session_name=self.catalog_role_session_name,
+                external_id=self.catalog_external_id,
+                signing_region=self.catalog_signing_region,
+                signing_name=self.catalog_signing_name,
             )
+        else:
+            raise Exception("Unknown authentication type:", self.catalog_authentication_type)
+
+        """
+        connection_type: StrictStr = Field(description="The type of remote catalog service represented by this connection", alias="connectionType")
+        uri: Optional[StrictStr] = Field(default=None, description="URI to the remote catalog service")
+        authentication_parameters: Optional[AuthenticationParameters] = Field(default=None, alias="authenticationParameters")
+        service_identity: Optional[ServiceIdentityInfo] = Field(default=None, alias="serviceIdentity")
+        __properties: ClassVar[List[str]] = ["connectionType", "uri", "authenticationParameters", "serviceIdentity"]
+
+        """
+        config = None
+        if self.catalog_connection_type == CatalogConnectionType.HADOOP.value:
+            config = HadoopConnectionConfigInfo(
+                connection_type=self.catalog_connection_type,
+
+                warehouse=self.hadoop_warehouse,
+                
+            )
+        elif self.catalog_connection_type == CatalogConnectionType.ICEBERG.value:
+            config = IcebergRestConnectionConfigInfo(
+                remote_catalog_name=self.iceberg_remote_catalog_name,
+            )
+        else:
+            raise Exception("Unknown catalog connection type:", self.catalog_connection_type)
         return config
 
     def execute(self, api: PolarisDefaultApi) -> None:
@@ -210,7 +241,7 @@ def execute(self, api: PolarisDefaultApi) -> None:
                     catalog=PolarisCatalog(
                         type=self.catalog_type.upper(),
                         name=self.catalog_name,
-                        storage_config_info=config,
+                        storage_config_info=storage_config,
                         properties=CatalogProperties(
                             default_base_location=self.default_base_location,
                             additional_properties=self.properties
diff --git a/client/python/cli/constants.py b/client/python/cli/constants.py
index 4c57268d4b..6a98624cfc 100644
--- a/client/python/cli/constants.py
+++ b/client/python/cli/constants.py
@@ -48,13 +48,13 @@ class PrincipalType(Enum):
     SERVICE = 'service'
 
 
-class ConnectionType(Enum):
+class CatalogConnectionType(Enum):
     """
     Represents a ConnectionType for an EXTERNAL catalog -- see ConnectionConfigInfo in the spec
     """
 
     HADOOP = 'hadoop'
-    HIVE = 'hive'
+    ICEBERG = 'iceberg'
 
 
 class AuthenticationType(Enum):
@@ -155,6 +155,8 @@ class Arguments:
     REGION = 'region'
     PROFILE = 'profile'
     PROXY = 'proxy'
+    HADOOP_WAREHOUSE = 'hadoop_warehouse'
+    ICEBERG_REMOTE_CATALOG_NAME = 'iceberg_remote_catalog_name'
     CATALOG_CONNECTION_TYPE = 'catalog_connection_type'
     CATALOG_AUTHENTICATION_TYPE = 'catalog_authentication_type'
     CATALOG_TOKEN_URI = 'catalog_token_uri'
@@ -215,6 +217,9 @@ class External:
             CATALOG_CONNECTION_TYPE = 'The type of external catalog in [ICEBERG, HADOOP].'
             CATALOG_AUTHENTICATION_TYPE = 'The type of authentication in [OAUTH, BEARER, SIGV4]'
 
+            HADOOP_WAREHOUSE = 'The warehouse to use when federating to a HADOOP catalog'
+            ICEBERG_REMOTE_CATALOG_NAME = 'The remote catalog name when federating to an Iceberg REST catalog'
+
             CATALOG_TOKEN_URI = '(For authentication type OAUTH) Token server URI'
             CATALOG_CLIENT_ID = '(For authentication type OAUTH) oauth client id'
             CATALOG_CLIENT_SECRET = '(For authentication type OAUTH) oauth client secret (input-only)'
diff --git a/client/python/cli/options/option_tree.py b/client/python/cli/options/option_tree.py
index d8c263fd4f..ace60cad0f 100644
--- a/client/python/cli/options/option_tree.py
+++ b/client/python/cli/options/option_tree.py
@@ -19,7 +19,7 @@
 from dataclasses import dataclass, field
 from typing import List
 
-from cli.constants import StorageType, CatalogType, PrincipalType, Hints, Commands, Arguments, Subcommands, Actions, ConnectionType, AuthenticationType
+from cli.constants import StorageType, CatalogType, PrincipalType, Hints, Commands, Arguments, Subcommands, Actions, CatalogConnectionType, AuthenticationType
 
 
 @dataclass
@@ -77,7 +77,11 @@ class OptionTree:
     _FEDERATION_ARGS = [
         Argument(Arguments.CATALOG_CONNECTION_TYPE, str,
                  Hints.Catalogs.External.CATALOG_CONNECTION_TYPE, lower=True,
-                 choices=[ct.value for ct in ConnectionType]),
+                 choices=[ct.value for ct in CatalogConnectionType]),
+        Argument(Arguments.ICEBERG_REMOTE_CATALOG_NAME, str,
+                 Hints.Catalogs.External.ICEBERG_REMOTE_CATALOG_NAME),
+        Argument(Arguments.HADOOP_WAREHOUSE, str,
+                 Hints.Catalogs.External.HADOOP_WAREHOUSE),
         Argument(Arguments.CATALOG_AUTHENTICATION_TYPE, str,
                  Hints.Catalogs.External.CATALOG_AUTHENTICATION_TYPE, lower=True,
                  choices=[at.value for at in AuthenticationType]),

From 51f3b653ab15746a7083dc1cbb7717e825e45b7d Mon Sep 17 00:00:00 2001
From: Eric Maynard <eric.maynard+oss@snowflake.com>
Date: Thu, 19 Jun 2025 09:38:43 -0700
Subject: [PATCH 05/11] wire up service identity info

---
 client/python/cli/command/__init__.py    |  3 ++
 client/python/cli/command/catalogs.py    | 45 ++++++++++++++++--------
 client/python/cli/constants.py           | 18 ++++++++++
 client/python/cli/options/option_tree.py |  9 ++++-
 4 files changed, 59 insertions(+), 16 deletions(-)

diff --git a/client/python/cli/command/__init__.py b/client/python/cli/command/__init__.py
index a83532d535..5f0103bc73 100644
--- a/client/python/cli/command/__init__.py
+++ b/client/python/cli/command/__init__.py
@@ -67,6 +67,9 @@ def options_get(key, f=lambda x: x):
                 remove_properties=[] if remove_properties is None else remove_properties,
                 catalog_connection_type=options_get(Arguments.CATALOG_CONNECTION_TYPE),
                 catalog_authentication_type=options_get(Arguments.CATALOG_AUTHENTICATION_TYPE),
+                catalog_service_identity_type=options_get(Arguments.CATALOG_SERVICE_IDENTITY_TYPE),
+                catalog_service_identity_iam_arn=options_get(Arguments.CATALOG_SERVICE_IDENTITY_IAM_ARN),
+                catalog_uri=options_get(Arguments.CATALOG_URI),
                 catalog_token_uri=options_get(Arguments.CATALOG_TOKEN_URI),
                 catalog_client_id=options_get(Arguments.CATALOG_CLIENT_ID),
                 catalog_client_secret=options_get(Arguments.CATALOG_CLIENT_SECRET),
diff --git a/client/python/cli/command/catalogs.py b/client/python/cli/command/catalogs.py
index 239d9acba0..a7cc3d6879 100644
--- a/client/python/cli/command/catalogs.py
+++ b/client/python/cli/command/catalogs.py
@@ -22,13 +22,14 @@
 from pydantic import StrictStr, SecretStr
 
 from cli.command import Command
-from cli.constants import StorageType, CatalogType, CatalogConnectionType, Subcommands, Arguments, AuthenticationType
+from cli.constants import StorageType, CatalogType, CatalogConnectionType, Subcommands, Arguments, AuthenticationType, \
+    ServiceIdentityType
 from cli.options.option_tree import Argument
 from polaris.management import PolarisDefaultApi, Catalog, CreateCatalogRequest, UpdateCatalogRequest, \
     StorageConfigInfo, ExternalCatalog, AwsStorageConfigInfo, AzureStorageConfigInfo, GcpStorageConfigInfo, \
     PolarisCatalog, CatalogProperties, AuthenticationParameters, BearerAuthenticationParameters, \
     OAuthClientCredentialsParameters, SigV4AuthenticationParameters, HadoopConnectionConfigInfo, \
-    IcebergRestConnectionConfigInfo
+    IcebergRestConnectionConfigInfo, AwsIamServiceIdentityInfo
 
 
 @dataclass
@@ -65,6 +66,9 @@ class CatalogsCommand(Command):
     iceberg_remote_catalog_name: str
     catalog_connection_type: str
     catalog_authentication_type: str
+    catalog_service_identity_type: str
+    catalog_service_identity_iam_arn: str
+    catalog_uri: str
     catalog_token_uri: str
     catalog_client_id: str
     catalog_client_secret: str
@@ -104,6 +108,11 @@ def validate(self):
                                 f" {Argument.to_flag_name(Arguments.CATALOG_ROLE_ARN)}"
                                 f" and {Argument.to_flag_name(Arguments.CATALOG_SIGNING_REGION)}")
 
+        if self.catalog_service_identity_type == ServiceIdentityType.AWS_IAM.value:
+            if not self.catalog_service_identity_iam_arn:
+                        raise Exception(f"Missing required argument for service identity type 'AWS_IAM':"
+                                f" {Argument.to_flag_name(Arguments.CATALOG_SERVICE_IDENTITY_IAM_ARN)}")
+
         if self.storage_type == StorageType.S3.value:
             if not self.role_arn:
                 raise Exception(f"Missing required argument for storage type 's3':"
@@ -178,7 +187,7 @@ def _build_connection_config_info(self):
             auth_params = OAuthClientCredentialsParameters(
                 token_uri=self.catalog_token_uri,
                 client_id=self.catalog_client_id,
-                client_secret=StrictStr(self.catalog_client_secret),
+                client_secret=SecretStr(self.catalog_client_secret),
                 scopes=[SecretStr(s) for s in self.catalog_client_scopes]
             )
         elif self.storage_type == AuthenticationType.BEARER.value:
@@ -193,28 +202,34 @@ def _build_connection_config_info(self):
                 signing_region=self.catalog_signing_region,
                 signing_name=self.catalog_signing_name,
             )
-        else:
+        elif self.catalog_authentication_type is not None:
             raise Exception("Unknown authentication type:", self.catalog_authentication_type)
 
-        """
-        connection_type: StrictStr = Field(description="The type of remote catalog service represented by this connection", alias="connectionType")
-        uri: Optional[StrictStr] = Field(default=None, description="URI to the remote catalog service")
-        authentication_parameters: Optional[AuthenticationParameters] = Field(default=None, alias="authenticationParameters")
-        service_identity: Optional[ServiceIdentityInfo] = Field(default=None, alias="serviceIdentity")
-        __properties: ClassVar[List[str]] = ["connectionType", "uri", "authenticationParameters", "serviceIdentity"]
+        service_identity = None
+        if self.catalog_service_identity_type == ServiceIdentityType.AWS_IAM:
+            service_identity = AwsIamServiceIdentityInfo(
+                identity_type=self.catalog_service_identity_type,
+                iam_arn=self.catalog_service_identity_iam_arn
+            )
+        elif self.catalog_service_identity_type is not None:
+            raise Exception("Unknown service identity type:", self.catalog_service_identity_type)
 
-        """
         config = None
         if self.catalog_connection_type == CatalogConnectionType.HADOOP.value:
             config = HadoopConnectionConfigInfo(
                 connection_type=self.catalog_connection_type,
-
-                warehouse=self.hadoop_warehouse,
-                
+                uri=self.catalog_uri,
+                authentication_parameters=auth_params,
+                service_identity=service_identity,
+                warehouse=self.hadoop_warehouse
             )
         elif self.catalog_connection_type == CatalogConnectionType.ICEBERG.value:
             config = IcebergRestConnectionConfigInfo(
-                remote_catalog_name=self.iceberg_remote_catalog_name,
+                connection_type=self.catalog_connection_type,
+                uri=self.catalog_uri,
+                authentication_parameters=auth_params,
+                service_identity=service_identity,
+                remote_catalog_name=self.iceberg_remote_catalog_name
             )
         else:
             raise Exception("Unknown catalog connection type:", self.catalog_connection_type)
diff --git a/client/python/cli/constants.py b/client/python/cli/constants.py
index 6a98624cfc..f064b700e9 100644
--- a/client/python/cli/constants.py
+++ b/client/python/cli/constants.py
@@ -67,6 +67,14 @@ class AuthenticationType(Enum):
     SIGV4 = 'sigv4'
 
 
+class ServiceIdentityType(Enum):
+    """
+    Represents a Service Identity Type for an EXTERNAL catalog -- see ServiceIdentityInfo in the spec
+    """
+
+    AWS_IAM = 'aws_iam'
+
+
 class Commands:
     """
     Represents the various commands available in the CLI
@@ -159,6 +167,9 @@ class Arguments:
     ICEBERG_REMOTE_CATALOG_NAME = 'iceberg_remote_catalog_name'
     CATALOG_CONNECTION_TYPE = 'catalog_connection_type'
     CATALOG_AUTHENTICATION_TYPE = 'catalog_authentication_type'
+    CATALOG_SERVICE_IDENTITY_TYPE = 'catalog_service_identity_type'
+    CATALOG_SERVICE_IDENTITY_IAM_ARN = 'catalog_service_identity_iam_arn'
+    CATALOG_URI = 'catalog_uri'
     CATALOG_TOKEN_URI = 'catalog_token_uri'
     CATALOG_CLIENT_ID = 'catalog_client_id'
     CATALOG_CLIENT_SECRET = 'catalog_client_secret'
@@ -216,10 +227,17 @@ class Update:
         class External:
             CATALOG_CONNECTION_TYPE = 'The type of external catalog in [ICEBERG, HADOOP].'
             CATALOG_AUTHENTICATION_TYPE = 'The type of authentication in [OAUTH, BEARER, SIGV4]'
+            CATALOG_SERVICE_IDENTITY_TYPE = 'The type of service identity in [AWS_IAM]'
+
+            CATALOG_SERVICE_IDENTITY_IAM_ARN = ('When using the AWS_IAM service identity type, this is the ARN '
+                                                'of the IAM user or IAM role Polaris uses to assume roles and '
+                                                'then access external resources.')
 
+            CATALOG_URI = 'The URI of the external catalog'
             HADOOP_WAREHOUSE = 'The warehouse to use when federating to a HADOOP catalog'
             ICEBERG_REMOTE_CATALOG_NAME = 'The remote catalog name when federating to an Iceberg REST catalog'
 
+
             CATALOG_TOKEN_URI = '(For authentication type OAUTH) Token server URI'
             CATALOG_CLIENT_ID = '(For authentication type OAUTH) oauth client id'
             CATALOG_CLIENT_SECRET = '(For authentication type OAUTH) oauth client secret (input-only)'
diff --git a/client/python/cli/options/option_tree.py b/client/python/cli/options/option_tree.py
index ace60cad0f..0241dffa61 100644
--- a/client/python/cli/options/option_tree.py
+++ b/client/python/cli/options/option_tree.py
@@ -19,7 +19,8 @@
 from dataclasses import dataclass, field
 from typing import List
 
-from cli.constants import StorageType, CatalogType, PrincipalType, Hints, Commands, Arguments, Subcommands, Actions, CatalogConnectionType, AuthenticationType
+from cli.constants import StorageType, CatalogType, PrincipalType, Hints, Commands, Arguments, Subcommands, Actions, \
+    CatalogConnectionType, AuthenticationType, ServiceIdentityType
 
 
 @dataclass
@@ -85,6 +86,12 @@ class OptionTree:
         Argument(Arguments.CATALOG_AUTHENTICATION_TYPE, str,
                  Hints.Catalogs.External.CATALOG_AUTHENTICATION_TYPE, lower=True,
                  choices=[at.value for at in AuthenticationType]),
+        Argument(Arguments.CATALOG_SERVICE_IDENTITY_TYPE, str,
+                 Hints.Catalogs.External.CATALOG_SERVICE_IDENTITY_TYPE, lower=True,
+                 choices=[st.value for st in ServiceIdentityType]),
+        Argument(Arguments.CATALOG_SERVICE_IDENTITY_IAM_ARN, str,
+                 Hints.Catalogs.External.CATALOG_SERVICE_IDENTITY_IAM_ARN),
+        Argument(Arguments.CATALOG_URI, str, Hints.Catalogs.External.CATALOG_URI),
         Argument(Arguments.CATALOG_TOKEN_URI, str, Hints.Catalogs.External.CATALOG_TOKEN_URI),
         Argument(Arguments.CATALOG_CLIENT_ID, str, Hints.Catalogs.External.CATALOG_CLIENT_ID),
         Argument(Arguments.CATALOG_CLIENT_SECRET, str, Hints.Catalogs.External.CATALOG_CLIENT_SECRET),

From 04ce148d4836cf2920f51b54095e2a9e12989c7e Mon Sep 17 00:00:00 2001
From: Eric Maynard <eric.maynard+oss@snowflake.com>
Date: Thu, 19 Jun 2025 09:43:03 -0700
Subject: [PATCH 06/11] finish initial wiring

---
 client/python/cli/command/catalogs.py    | 12 +++++++-----
 client/python/cli/options/option_tree.py |  2 +-
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/client/python/cli/command/catalogs.py b/client/python/cli/command/catalogs.py
index a7cc3d6879..661b9fd202 100644
--- a/client/python/cli/command/catalogs.py
+++ b/client/python/cli/command/catalogs.py
@@ -208,7 +208,7 @@ def _build_connection_config_info(self):
         service_identity = None
         if self.catalog_service_identity_type == ServiceIdentityType.AWS_IAM:
             service_identity = AwsIamServiceIdentityInfo(
-                identity_type=self.catalog_service_identity_type,
+                identity_type=self.catalog_service_identity_type.upper(),
                 iam_arn=self.catalog_service_identity_iam_arn
             )
         elif self.catalog_service_identity_type is not None:
@@ -217,7 +217,7 @@ def _build_connection_config_info(self):
         config = None
         if self.catalog_connection_type == CatalogConnectionType.HADOOP.value:
             config = HadoopConnectionConfigInfo(
-                connection_type=self.catalog_connection_type,
+                connection_type=self.catalog_connection_type.upper(),
                 uri=self.catalog_uri,
                 authentication_parameters=auth_params,
                 service_identity=service_identity,
@@ -225,7 +225,7 @@ def _build_connection_config_info(self):
             )
         elif self.catalog_connection_type == CatalogConnectionType.ICEBERG.value:
             config = IcebergRestConnectionConfigInfo(
-                connection_type=self.catalog_connection_type,
+                connection_type=self.catalog_connection_type.upper(),
                 uri=self.catalog_uri,
                 authentication_parameters=auth_params,
                 service_identity=service_identity,
@@ -248,7 +248,8 @@ def execute(self, api: PolarisDefaultApi) -> None:
                         properties=CatalogProperties(
                             default_base_location=self.default_base_location,
                             additional_properties=self.properties
-                        )
+                        ),
+                        connection_config_info=connection_config
                     )
                 )
             else:
@@ -260,7 +261,8 @@ def execute(self, api: PolarisDefaultApi) -> None:
                         properties=CatalogProperties(
                             default_base_location=self.default_base_location,
                             additional_properties=self.properties
-                        )
+                        ),
+                        connection_config_info=connection_config
                     )
                 )
             api.create_catalog(request)
diff --git a/client/python/cli/options/option_tree.py b/client/python/cli/options/option_tree.py
index 0241dffa61..8418dbea4a 100644
--- a/client/python/cli/options/option_tree.py
+++ b/client/python/cli/options/option_tree.py
@@ -138,7 +138,7 @@ def get_tree() -> List[Option]:
                     Argument(Arguments.REGION, str, Hints.Catalogs.Create.REGION),
                     Argument(Arguments.SET_PROPERTY, str, Hints.SET_PROPERTY, allow_repeats=True),
                     Argument(Arguments.REMOVE_PROPERTY, str, Hints.REMOVE_PROPERTY, allow_repeats=True),
-                ] + OptionTree._FEDERATION_ARGS, input_name=Arguments.CATALOG)
+                ], input_name=Arguments.CATALOG)
             ]),
             Option(Commands.PRINCIPALS, 'manage principals', children=[
                 Option(Subcommands.CREATE, args=[

From ca4a060fccc56833ddc53ecb0d6a44213744a817 Mon Sep 17 00:00:00 2001
From: Eric Maynard <eric.maynard+oss@snowflake.com>
Date: Thu, 19 Jun 2025 09:53:27 -0700
Subject: [PATCH 07/11] basic script passing

---
 client/python/README.md               | 20 ++++++++++++++++++++
 client/python/cli/command/catalogs.py |  5 ++++-
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/client/python/README.md b/client/python/README.md
index ff94e3e49c..2d1575ee48 100644
--- a/client/python/README.md
+++ b/client/python/README.md
@@ -17,6 +17,26 @@
  specific language governing permissions and limitations
  under the License.
 
+-->
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
 -->
 <!--
   Licensed to the Apache Software Foundation (ASF) under one
diff --git a/client/python/cli/command/catalogs.py b/client/python/cli/command/catalogs.py
index 661b9fd202..81af5630c3 100644
--- a/client/python/cli/command/catalogs.py
+++ b/client/python/cli/command/catalogs.py
@@ -182,6 +182,9 @@ def _build_storage_config_info(self):
         return config
 
     def _build_connection_config_info(self):
+        if self.catalog_type != CatalogType.EXTERNAL:
+            return None
+
         auth_params = None
         if self.catalog_authentication_type == AuthenticationType.OAUTH.value:
             auth_params = OAuthClientCredentialsParameters(
@@ -231,7 +234,7 @@ def _build_connection_config_info(self):
                 service_identity=service_identity,
                 remote_catalog_name=self.iceberg_remote_catalog_name
             )
-        else:
+        elif self.catalog_connection_type is not None:
             raise Exception("Unknown catalog connection type:", self.catalog_connection_type)
         return config
 

From 40a5d9b7b95b204c91899d882830b0b6cabf2b1c Mon Sep 17 00:00:00 2001
From: Eric Maynard <eric.maynard+oss@snowflake.com>
Date: Thu, 19 Jun 2025 11:16:21 -0700
Subject: [PATCH 08/11] more tests

---
 client/python/cli/command/catalogs.py  | 13 +++--
 client/python/cli/constants.py         |  4 +-
 client/python/test/test_cli_parsing.py | 79 ++++++++++++++++++++++++++
 3 files changed, 89 insertions(+), 7 deletions(-)

diff --git a/client/python/cli/command/catalogs.py b/client/python/cli/command/catalogs.py
index 81af5630c3..4f65b9e432 100644
--- a/client/python/cli/command/catalogs.py
+++ b/client/python/cli/command/catalogs.py
@@ -182,23 +182,26 @@ def _build_storage_config_info(self):
         return config
 
     def _build_connection_config_info(self):
-        if self.catalog_type != CatalogType.EXTERNAL:
+        if self.catalog_type != CatalogType.EXTERNAL.value:
             return None
 
         auth_params = None
         if self.catalog_authentication_type == AuthenticationType.OAUTH.value:
             auth_params = OAuthClientCredentialsParameters(
+                authentication_type=self.catalog_authentication_type.upper(),
                 token_uri=self.catalog_token_uri,
                 client_id=self.catalog_client_id,
                 client_secret=SecretStr(self.catalog_client_secret),
-                scopes=[SecretStr(s) for s in self.catalog_client_scopes]
+                scopes=self.catalog_client_scopes
             )
-        elif self.storage_type == AuthenticationType.BEARER.value:
+        elif self.catalog_authentication_type == AuthenticationType.BEARER.value:
             auth_params = BearerAuthenticationParameters(
+                authentication_type=self.catalog_authentication_type.upper(),
                 bearer_token=SecretStr(self.catalog_bearer_token)
             )
-        elif self.catalog_authentication_type == AuthenticationType.OAUTH.value:
+        elif self.catalog_authentication_type == AuthenticationType.SIGV4.value:
             auth_params = SigV4AuthenticationParameters(
+                authentication_type=self.catalog_authentication_type.upper(),
                 role_arn=self.catalog_role_arn,
                 role_session_name=self.catalog_role_session_name,
                 external_id=self.catalog_external_id,
@@ -228,7 +231,7 @@ def _build_connection_config_info(self):
             )
         elif self.catalog_connection_type == CatalogConnectionType.ICEBERG.value:
             config = IcebergRestConnectionConfigInfo(
-                connection_type=self.catalog_connection_type.upper(),
+                connection_type=self.catalog_connection_type.upper().replace('-', '_'),
                 uri=self.catalog_uri,
                 authentication_parameters=auth_params,
                 service_identity=service_identity,
diff --git a/client/python/cli/constants.py b/client/python/cli/constants.py
index f064b700e9..905fc0bf75 100644
--- a/client/python/cli/constants.py
+++ b/client/python/cli/constants.py
@@ -54,7 +54,7 @@ class CatalogConnectionType(Enum):
     """
 
     HADOOP = 'hadoop'
-    ICEBERG = 'iceberg'
+    ICEBERG = 'iceberg-rest'
 
 
 class AuthenticationType(Enum):
@@ -177,7 +177,7 @@ class Arguments:
     CATALOG_BEARER_TOKEN = 'catalog_bearer_token'
     CATALOG_ROLE_ARN = 'catalog_role_arn'
     CATALOG_ROLE_SESSION_NAME = 'catalog_role_session_name'
-    CATALOG_EXTERNAL_ID = 'catalog_role_external_id'
+    CATALOG_EXTERNAL_ID = 'catalog_external_id'
     CATALOG_SIGNING_REGION = 'catalog_signing_region'
     CATALOG_SIGNING_NAME = 'catalog_signing_name'
 
diff --git a/client/python/test/test_cli_parsing.py b/client/python/test/test_cli_parsing.py
index bc4f59afeb..715e2e3af8 100644
--- a/client/python/test/test_cli_parsing.py
+++ b/client/python/test/test_cli_parsing.py
@@ -504,6 +504,85 @@ def get(obj, arg_string):
                 (2, 'grant.namespace'): ['a', 'b', 'c'],
                 (2, 'grant.view_name'): 'v',
             })
+        check_arguments(
+            mock_execute(['catalogs', 'create', 'my-catalog', '--type', 'external',
+                          '--storage-type', 'gcs', '--default-base-location', 'dbl',
+                          '--catalog-connection-type', 'hadoop', '--hadoop-warehouse', 'h',
+                          '--catalog-uri', 'u', '--catalog-authentication-type', 'bearer',
+                          '--catalog-bearer-token', 'b']),
+            'create_catalog', {
+                (0, 'catalog.name'): 'my-catalog',
+                (0, 'catalog.type'): 'EXTERNAL',
+                (0, 'catalog.connection_config_info.connection_type'): 'HADOOP',
+                (0, 'catalog.connection_config_info.warehouse'): 'h',
+                (0, 'catalog.connection_config_info.uri'): 'u',
+            })
+        check_arguments(
+            mock_execute(['catalogs', 'create', 'my-catalog', '--type', 'external',
+                          '--storage-type', 'gcs', '--default-base-location', 'dbl',
+                          '--catalog-connection-type', 'iceberg-rest', '--iceberg-remote-catalog-name', 'i',
+                          '--catalog-uri', 'u', '--catalog-authentication-type', 'bearer',
+                          '--catalog-bearer-token', 'b']),
+            'create_catalog', {
+                (0, 'catalog.name'): 'my-catalog',
+                (0, 'catalog.type'): 'EXTERNAL',
+                (0, 'catalog.connection_config_info.connection_type'): 'ICEBERG_REST',
+                (0, 'catalog.connection_config_info.remote_catalog_name'): 'i',
+                (0, 'catalog.connection_config_info.uri'): 'u',
+            })
+        check_arguments(
+            mock_execute(['catalogs', 'create', 'my-catalog', '--type', 'external',
+                          '--storage-type', 'gcs', '--default-base-location', 'dbl',
+                          '--catalog-connection-type', 'hadoop', '--hadoop-warehouse', 'h',
+                          '--catalog-authentication-type', 'oauth',
+                          '--catalog-token-uri', 'u', '--catalog-client-id', 'i',
+                          '--catalog-client-secret', 'k', '--catalog-client-scope', 's1',
+                          '--catalog-client-scope', 's2']),
+            'create_catalog', {
+                (0, 'catalog.name'): 'my-catalog',
+                (0, 'catalog.type'): 'EXTERNAL',
+                (0, 'catalog.connection_config_info.connection_type'): 'HADOOP',
+                (0, 'catalog.connection_config_info.warehouse'): 'h',
+                (0, 'catalog.connection_config_info.authentication_parameters.authentication_type'): 'OAUTH',
+                (0, 'catalog.connection_config_info.authentication_parameters.token_uri'): 'u',
+                (0, 'catalog.connection_config_info.authentication_parameters.client_id'): 'i',
+                (0, 'catalog.connection_config_info.authentication_parameters.scopes'): ['s1', 's2'],
+            })
+        check_arguments(
+            mock_execute(['catalogs', 'create', 'my-catalog', '--type', 'external',
+                          '--storage-type', 'gcs', '--default-base-location', 'dbl',
+                          '--catalog-connection-type', 'iceberg-rest', '--iceberg-remote-catalog-name', 'i',
+                          '--catalog-uri', 'u', '--catalog-authentication-type', 'sigv4',
+                          '--catalog-role-arn', 'a', '--catalog-signing-region', 's']),
+            'create_catalog', {
+                (0, 'catalog.name'): 'my-catalog',
+                (0, 'catalog.type'): 'EXTERNAL',
+                (0, 'catalog.connection_config_info.connection_type'): 'ICEBERG_REST',
+                (0, 'catalog.connection_config_info.remote_catalog_name'): 'i',
+                (0, 'catalog.connection_config_info.uri'): 'u',
+                (0, 'catalog.connection_config_info.authentication_parameters.role_arn'): 'a',
+                (0, 'catalog.connection_config_info.authentication_parameters.signing_region'): 's',
+            })
+        check_arguments(
+            mock_execute(['catalogs', 'create', 'my-catalog', '--type', 'external',
+                          '--storage-type', 'gcs', '--default-base-location', 'dbl',
+                          '--catalog-connection-type', 'iceberg-rest', '--iceberg-remote-catalog-name', 'i',
+                          '--catalog-uri', 'u', '--catalog-authentication-type', 'sigv4',
+                          '--catalog-role-arn', 'a', '--catalog-signing-region', 's',
+                          '--catalog-role-session-name', 'n', '--catalog-external-id', 'i',
+                          '--catalog-signing-name', 'g']),
+            'create_catalog', {
+                (0, 'catalog.name'): 'my-catalog',
+                (0, 'catalog.type'): 'EXTERNAL',
+                (0, 'catalog.connection_config_info.connection_type'): 'ICEBERG_REST',
+                (0, 'catalog.connection_config_info.remote_catalog_name'): 'i',
+                (0, 'catalog.connection_config_info.uri'): 'u',
+                (0, 'catalog.connection_config_info.authentication_parameters.role_arn'): 'a',
+                (0, 'catalog.connection_config_info.authentication_parameters.signing_region'): 's',
+                (0, 'catalog.connection_config_info.authentication_parameters.role_session_name'): 'n',
+                (0, 'catalog.connection_config_info.authentication_parameters.external_id'): 'i',
+                (0, 'catalog.connection_config_info.authentication_parameters.signing_name'): 'g',
+            })
 
 
 if __name__ == '__main__':

From 5f018ba5cea034aff4f35336a5a6f6d46bba60e0 Mon Sep 17 00:00:00 2001
From: Eric Maynard <eric.maynard+oss@snowflake.com>
Date: Thu, 19 Jun 2025 11:19:40 -0700
Subject: [PATCH 09/11] polish

---
 client/python/README.md | 40 ----------------------------------------
 1 file changed, 40 deletions(-)

diff --git a/client/python/README.md b/client/python/README.md
index 2d1575ee48..cec9526816 100644
--- a/client/python/README.md
+++ b/client/python/README.md
@@ -1,43 +1,3 @@
-<!--
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements.  See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership.  The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License.  You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied.  See the License for the
- specific language governing permissions and limitations
- under the License.
-
--->
-<!--
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements.  See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership.  The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License.  You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied.  See the License for the
- specific language governing permissions and limitations
- under the License.
-
--->
 <!--
   Licensed to the Apache Software Foundation (ASF) under one
   or more contributor license agreements.  See the NOTICE file

From f1e42ea0a5d467f0a64a67e6c3bf500da893c29c Mon Sep 17 00:00:00 2001
From: Eric Maynard <eric.maynard+oss@snowflake.com>
Date: Thu, 19 Jun 2025 11:22:33 -0700
Subject: [PATCH 10/11] update doc

---
 .../unreleased/command-line-interface.md       | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/site/content/in-dev/unreleased/command-line-interface.md b/site/content/in-dev/unreleased/command-line-interface.md
index f20210e2c6..fba8730ad0 100644
--- a/site/content/in-dev/unreleased/command-line-interface.md
+++ b/site/content/in-dev/unreleased/command-line-interface.md
@@ -133,12 +133,30 @@ options:
       --default-base-location  (Required) Default base location of the catalog
       --allowed-location  An allowed location for files tracked by the catalog. Multiple locations can be provided by specifying this option more than once.
       --role-arn  (Required for S3) A role ARN to use when connecting to S3
+      --region  (Only for S3) The region to use when connecting to S3
       --external-id  (Only for S3) The external ID to use when connecting to S3
       --tenant-id  (Required for Azure) A tenant ID to use when connecting to Azure Storage
       --multi-tenant-app-name  (Only for Azure) The app name to use when connecting to Azure Storage
       --consent-url  (Only for Azure) A consent URL granting permissions for the Azure Storage location
       --service-account  (Only for GCS) The service account to use when connecting to GCS
       --property  A key/value pair such as: tag=value. Multiple can be provided by specifying this option more than once
+      --catalog-connection-type  The type of external catalog in [ICEBERG, HADOOP].
+      --iceberg-remote-catalog-name  The remote catalog name when federating to an Iceberg REST catalog
+      --hadoop-warehouse  The warehouse to use when federating to a HADOOP catalog
+      --catalog-authentication-type  The type of authentication in [OAUTH, BEARER, SIGV4]
+      --catalog-service-identity-type  The type of service identity in [AWS_IAM]
+      --catalog-service-identity-iam-arn  When using the AWS_IAM service identity type, this is the ARN of the IAM user or IAM role Polaris uses to assume roles and then access external resources.
+      --catalog-uri  The URI of the external catalog
+      --catalog-token-uri  (For authentication type OAUTH) Token server URI
+      --catalog-client-id  (For authentication type OAUTH) oauth client id
+      --catalog-client-secret  (For authentication type OAUTH) oauth client secret (input-only)
+      --catalog-client-scope  (For authentication type OAUTH) oauth scopes to specify when exchanging for a short-lived access token. Multiple can be provided by specifying this option more than once
+      --catalog-bearer-token  (For authentication type BEARER) Bearer token (input-only)
+      --catalog-role-arn  (For authentication type SIGV4) The aws IAM role arn assumed by polaris userArn when signing requests
+      --catalog-role-session-name  (For authentication type SIGV4) The role session name to be used by the SigV4 protocol for signing requests
+      --catalog-external-id  (For authentication type SIGV4) An optional external id used to establish a trust relationship with AWS in the trust policy
+      --catalog-signing-region  (For authentication type SIGV4) Region to be used by the SigV4 protocol for signing requests
+      --catalog-signing-name  (For authentication type SIGV4) The service name to be used by the SigV4 protocol for signing requests, the default signing name is "execute-api" is if not provided
     Positional arguments:
       catalog
 ```

From c78c7fbcc88c41276090aa418a49e2914e374976 Mon Sep 17 00:00:00 2001
From: Eric Maynard <eric.maynard+oss@snowflake.com>
Date: Tue, 1 Jul 2025 19:01:23 -0700
Subject: [PATCH 11/11] ruff

---
 client/python/cli/command/catalogs.py               |  8 ++++----
 client/python/cli/command/namespaces.py             |  1 -
 client/python/cli/command/principal_roles.py        |  2 +-
 client/python/cli/command/profiles.py               |  1 -
 client/python/cli/options/parser.py                 |  6 +++---
 client/python/cli/polaris_cli.py                    |  2 +-
 getting-started/spark/notebooks/SparkPolaris.ipynb  |  5 ++---
 .../getting-started/notebooks/SparkPolaris.ipynb    |  5 ++---
 regtests/t_cli/src/test_cli.py                      | 10 ++++------
 regtests/t_oauth/test_oauth2_tokens.py              |  1 -
 regtests/t_pyspark/src/conftest.py                  |  2 +-
 regtests/t_pyspark/src/iceberg_spark.py             |  1 -
 .../src/test_spark_sql_s3_with_privileges.py        | 13 ++++++-------
 13 files changed, 24 insertions(+), 33 deletions(-)

diff --git a/client/python/cli/command/catalogs.py b/client/python/cli/command/catalogs.py
index 4f65b9e432..778e533cd6 100644
--- a/client/python/cli/command/catalogs.py
+++ b/client/python/cli/command/catalogs.py
@@ -16,8 +16,8 @@
 # specific language governing permissions and limitations
 # under the License.
 #
-from dataclasses import dataclass, field
-from typing import Dict, Optional, List
+from dataclasses import dataclass
+from typing import Dict, List
 
 from pydantic import StrictStr, SecretStr
 
@@ -25,9 +25,9 @@
 from cli.constants import StorageType, CatalogType, CatalogConnectionType, Subcommands, Arguments, AuthenticationType, \
     ServiceIdentityType
 from cli.options.option_tree import Argument
-from polaris.management import PolarisDefaultApi, Catalog, CreateCatalogRequest, UpdateCatalogRequest, \
+from polaris.management import PolarisDefaultApi, CreateCatalogRequest, UpdateCatalogRequest, \
     StorageConfigInfo, ExternalCatalog, AwsStorageConfigInfo, AzureStorageConfigInfo, GcpStorageConfigInfo, \
-    PolarisCatalog, CatalogProperties, AuthenticationParameters, BearerAuthenticationParameters, \
+    PolarisCatalog, CatalogProperties, BearerAuthenticationParameters, \
     OAuthClientCredentialsParameters, SigV4AuthenticationParameters, HadoopConnectionConfigInfo, \
     IcebergRestConnectionConfigInfo, AwsIamServiceIdentityInfo
 
diff --git a/client/python/cli/command/namespaces.py b/client/python/cli/command/namespaces.py
index 9764016995..65687226a0 100644
--- a/client/python/cli/command/namespaces.py
+++ b/client/python/cli/command/namespaces.py
@@ -27,7 +27,6 @@
 from cli.constants import Subcommands, Arguments, UNIT_SEPARATOR
 from cli.options.option_tree import Argument
 from polaris.catalog import IcebergCatalogAPI, CreateNamespaceRequest, ApiClient, Configuration
-from polaris.catalog.exceptions import NotFoundException
 from polaris.management import PolarisDefaultApi
 
 
diff --git a/client/python/cli/command/principal_roles.py b/client/python/cli/command/principal_roles.py
index c64e363f02..911f741f5c 100644
--- a/client/python/cli/command/principal_roles.py
+++ b/client/python/cli/command/principal_roles.py
@@ -25,7 +25,7 @@
 from cli.constants import Subcommands, Arguments
 from cli.options.option_tree import Argument
 from polaris.management import PolarisDefaultApi, CreatePrincipalRoleRequest, PrincipalRole, UpdatePrincipalRoleRequest, \
-    GrantCatalogRoleRequest, CatalogRole, GrantPrincipalRoleRequest
+    GrantPrincipalRoleRequest
 
 
 @dataclass
diff --git a/client/python/cli/command/profiles.py b/client/python/cli/command/profiles.py
index ed0a102818..8679907b0d 100644
--- a/client/python/cli/command/profiles.py
+++ b/client/python/cli/command/profiles.py
@@ -22,7 +22,6 @@
 from dataclasses import dataclass
 from typing import Dict, Optional, List
 
-from pydantic import StrictStr
 
 from cli.command import Command
 from cli.constants import Subcommands, DEFAULT_HOSTNAME, DEFAULT_PORT, CONFIG_DIR, CONFIG_FILE
diff --git a/client/python/cli/options/parser.py b/client/python/cli/options/parser.py
index 6413096803..8613474fe7 100644
--- a/client/python/cli/options/parser.py
+++ b/client/python/cli/options/parser.py
@@ -68,7 +68,7 @@ def add_arguments(parser, args: List[Argument]):
                 if arg.default:
                     kwargs['default'] = arg.default
 
-                if arg.type == bool:
+                if arg.type is bool:
                     del kwargs['type']
                     parser.add_argument(arg.get_flag_name(), **kwargs, action='store_true')
                 elif arg.allow_repeats:
@@ -128,7 +128,7 @@ def parse_args(self, args=None, namespace=None):
             tree_str = self._get_tree_str(args[:help_index])
             if tree_str:
                 print(f'input: polaris {" ".join(args)}')
-                print(f'options:')
+                print('options:')
                 print(tree_str)
                 print('\n')
                 self.print_usage()
@@ -187,7 +187,7 @@ def _get_command_path(self, args: List[str], options: List[Option]) -> List[str]
                     parser = parser._subparsers._group_actions[0].choices.get(arg)
                     if not parser:
                         break
-                except Exception as e:
+                except Exception:
                     break
                 options = list(filter(lambda o: o.name == arg, options))[0].children
                 if options is None:
diff --git a/client/python/cli/polaris_cli.py b/client/python/cli/polaris_cli.py
index b4d1fd8e41..d607912326 100644
--- a/client/python/cli/polaris_cli.py
+++ b/client/python/cli/polaris_cli.py
@@ -133,7 +133,7 @@ def _get_client_builder(options):
             if options.host is not None or options.port is not None:
                 raise Exception(f'Please provide either {Argument.to_flag_name(Arguments.BASE_URL)} or'
                                 f' {Argument.to_flag_name(Arguments.HOST)} &'
-                                f' {Argument.to_flag_name(Arguments.PORT)}, but not both');
+                                f' {Argument.to_flag_name(Arguments.PORT)}, but not both')
 
             polaris_management_url = f'{options.base_url}/api/management/v1'
             polaris_catalog_url = f'{options.base_url}/api/catalog/v1'
diff --git a/getting-started/spark/notebooks/SparkPolaris.ipynb b/getting-started/spark/notebooks/SparkPolaris.ipynb
index 08f28e9f24..c59e0ca5aa 100644
--- a/getting-started/spark/notebooks/SparkPolaris.ipynb
+++ b/getting-started/spark/notebooks/SparkPolaris.ipynb
@@ -102,7 +102,7 @@
     "  try:\n",
     "    api.create_catalog_role(catalog_name=catalog.name, create_catalog_role_request=CreateCatalogRoleRequest(catalog_role=catalog_role))\n",
     "    return api.get_catalog_role(catalog_name=catalog.name, catalog_role_name=role_name)\n",
-    "  except ApiException as e:\n",
+    "  except ApiException:\n",
     "    return api.get_catalog_role(catalog_name=catalog.name, catalog_role_name=role_name)\n",
     "  else:\n",
     "    raise e\n",
@@ -113,7 +113,7 @@
     "  try:\n",
     "    api.create_principal_role(CreatePrincipalRoleRequest(principal_role=principal_role))\n",
     "    return api.get_principal_role(principal_role_name=role_name)\n",
-    "  except ApiException as e:\n",
+    "  except ApiException:\n",
     "    return api.get_principal_role(principal_role_name=role_name)\n"
    ]
   },
@@ -445,7 +445,6 @@
    "outputs": [],
    "source": [
     "import codecs\n",
-    "import json\n",
     "from IPython.display import display, JSON\n",
     "\n",
     "def format_namespace(namespace):\n",
diff --git a/plugins/spark/v3.5/getting-started/notebooks/SparkPolaris.ipynb b/plugins/spark/v3.5/getting-started/notebooks/SparkPolaris.ipynb
index f4459b0714..222bf94783 100644
--- a/plugins/spark/v3.5/getting-started/notebooks/SparkPolaris.ipynb
+++ b/plugins/spark/v3.5/getting-started/notebooks/SparkPolaris.ipynb
@@ -16,7 +16,6 @@
    "metadata": {},
    "outputs": [],
    "source": [
-    "from polaris.catalog.api.iceberg_catalog_api import IcebergCatalogAPI\n",
     "from polaris.catalog.api.iceberg_o_auth2_api import IcebergOAuth2API\n",
     "from polaris.catalog.api_client import ApiClient as CatalogApiClient\n",
     "from polaris.catalog.api_client import Configuration as CatalogApiClientConfiguration\n",
@@ -113,7 +112,7 @@
     "  try:\n",
     "    api.create_catalog_role(catalog_name=catalog.name, create_catalog_role_request=CreateCatalogRoleRequest(catalog_role=catalog_role))\n",
     "    return api.get_catalog_role(catalog_name=catalog.name, catalog_role_name=role_name)\n",
-    "  except ApiException as e:\n",
+    "  except ApiException:\n",
     "    return api.get_catalog_role(catalog_name=catalog.name, catalog_role_name=role_name)\n",
     "  else:\n",
     "    raise e\n",
@@ -124,7 +123,7 @@
     "  try:\n",
     "    api.create_principal_role(CreatePrincipalRoleRequest(principal_role=principal_role))\n",
     "    return api.get_principal_role(principal_role_name=role_name)\n",
-    "  except ApiException as e:\n",
+    "  except ApiException:\n",
     "    return api.get_principal_role(principal_role_name=role_name)\n"
    ]
   },
diff --git a/regtests/t_cli/src/test_cli.py b/regtests/t_cli/src/test_cli.py
index d60560f202..ee6bea7147 100644
--- a/regtests/t_cli/src/test_cli.py
+++ b/regtests/t_cli/src/test_cli.py
@@ -16,8 +16,6 @@
 # specific language governing permissions and limitations
 # under the License.
 #
-import contextlib
-import io
 import json
 import os
 import random
@@ -157,7 +155,7 @@ def test_quickstart_flow():
             f'test_cli_catalog_{SALT}',
             '--catalog-role',
             f'test_cli_c_role_{SALT}',
-            f'CATALOG_MANAGE_CONTENT'
+            'CATALOG_MANAGE_CONTENT'
         ), checker=lambda s: s == '')
 
         # User now has catalog access:
@@ -835,7 +833,7 @@ def test_list_privileges():
             f'test_cli_catalog_{SALT}',
             '--catalog-role',
             f'test_cli_c_role_{SALT}',
-            f'TABLE_READ_DATA'
+            'TABLE_READ_DATA'
         ), checker=lambda s: s == '')
         check_output(root_cli(
             'privileges',
@@ -847,7 +845,7 @@ def test_list_privileges():
             f'test_cli_c_role_{SALT}',
             '--namespace',
             f'a_{SALT}',
-            f'TABLE_WRITE_DATA'
+            'TABLE_WRITE_DATA'
         ), checker=lambda s: s == '')
         check_output(root_cli(
             'privileges',
@@ -859,7 +857,7 @@ def test_list_privileges():
             f'test_cli_c_role_{SALT}',
             '--namespace',
             f'a_{SALT}',
-            f'TABLE_LIST'
+            'TABLE_LIST'
         ), checker=lambda s: s == '')
 
         # List privileges:
diff --git a/regtests/t_oauth/test_oauth2_tokens.py b/regtests/t_oauth/test_oauth2_tokens.py
index e0019acfd4..3e165d7128 100644
--- a/regtests/t_oauth/test_oauth2_tokens.py
+++ b/regtests/t_oauth/test_oauth2_tokens.py
@@ -22,7 +22,6 @@
 """
 import argparse
 import requests
-import urllib
 
 
 def main(base_uri, client_id, client_secret):
diff --git a/regtests/t_pyspark/src/conftest.py b/regtests/t_pyspark/src/conftest.py
index da14b14a77..a250257af9 100644
--- a/regtests/t_pyspark/src/conftest.py
+++ b/regtests/t_pyspark/src/conftest.py
@@ -148,7 +148,7 @@ def create_catalog_role(api, catalog, role_name):
     api.create_catalog_role(catalog_name=catalog.name,
                             create_catalog_role_request=CreateCatalogRoleRequest(catalog_role=catalog_role))
     return api.get_catalog_role(catalog_name=catalog.name, catalog_role_name=role_name)
-  except ApiException as e:
+  except ApiException:
     return api.get_catalog_role(catalog_name=catalog.name, catalog_role_name=role_name)
   else:
     raise e
diff --git a/regtests/t_pyspark/src/iceberg_spark.py b/regtests/t_pyspark/src/iceberg_spark.py
index 8cb20591fc..f1bc295a73 100644
--- a/regtests/t_pyspark/src/iceberg_spark.py
+++ b/regtests/t_pyspark/src/iceberg_spark.py
@@ -21,7 +21,6 @@
 import os
 from typing import Any, Dict, List, Optional, Union
 
-from pyspark.errors import PySparkRuntimeError
 from pyspark.sql import SparkSession
 
 
diff --git a/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py b/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py
index 3d31de4649..89c7b5568b 100644
--- a/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py
+++ b/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py
@@ -28,10 +28,9 @@
 import pytest
 from py4j.protocol import Py4JJavaError
 
-from botocore.exceptions import ClientError
 
 from iceberg_spark import IcebergSparkSession
-from polaris.catalog import CreateNamespaceRequest, CreateTableRequest, ModelSchema, StructField
+from polaris.catalog import CreateNamespaceRequest, CreateTableRequest, ModelSchema
 from polaris.catalog.api.iceberg_catalog_api import IcebergCatalogAPI
 from polaris.catalog.api.iceberg_o_auth2_api import IcebergOAuth2API
 from polaris.catalog.api_client import ApiClient as CatalogApiClient
@@ -353,17 +352,17 @@ def test_spark_creates_table_in_custom_namespace_dir(root_client, snowflake_cata
     spark.sql('CREATE NAMESPACE db1')
     spark.sql(f"CREATE NAMESPACE db1.schema LOCATION '{namespace_location}'")
     spark.sql('USE db1.schema')
-    spark.sql(f"CREATE TABLE table_in_custom_namespace_location (col1 int, col2 string)")
+    spark.sql("CREATE TABLE table_in_custom_namespace_location (col1 int, col2 string)")
     assert spark.sql("SELECT * FROM table_in_custom_namespace_location").count() == 0
     # check the metadata and assert the custom namespace location is used
     entries = spark.sql(
-      f"SELECT file FROM db1.schema.table_in_custom_namespace_location.metadata_log_entries").collect()
+      "SELECT file FROM db1.schema.table_in_custom_namespace_location.metadata_log_entries").collect()
     assert namespace_location in entries[0][0]
     try:
         assert spark.sql("SELECT * FROM table_in_custom_namespace_location").count() == 0
         # check the metadata and assert the custom namespace location is used
         entries = spark.sql(
-            f"SELECT file FROM db1.schema.table_in_custom_namespace_location.metadata_log_entries").collect()
+            "SELECT file FROM db1.schema.table_in_custom_namespace_location.metadata_log_entries").collect()
         assert namespace_location in entries[0][0]
     finally:
         spark.sql('DROP TABLE table_in_custom_namespace_location PURGE')
@@ -1233,7 +1232,7 @@ def create_catalog_role(api, catalog, role_name):
     api.create_catalog_role(catalog_name=catalog.name,
                             create_catalog_role_request=CreateCatalogRoleRequest(catalog_role=catalog_role))
     return api.get_catalog_role(catalog_name=catalog.name, catalog_role_name=role_name)
-  except ApiException as e:
+  except ApiException:
     return api.get_catalog_role(catalog_name=catalog.name, catalog_role_name=role_name)
   else:
     raise e
@@ -1244,5 +1243,5 @@ def create_principal_role(api, role_name):
   try:
     api.create_principal_role(CreatePrincipalRoleRequest(principal_role=principal_role))
     return api.get_principal_role(principal_role_name=role_name)
-  except ApiException as e:
+  except ApiException:
     return api.get_principal_role(principal_role_name=role_name)