Configuring Iceberg settings in Control Panel

Iceberg table support is in the beta phase of development and may not be available on your environment. Contact Palantir Support to request access. Iceberg must be enabled on your environment before you can configure these settings.

Overview

Iceberg table settings are configured per-enrollment in Control Panel. From this interface, relevant administrators can enable Iceberg, configure encryption settings, manage storage locations, and set defaults for how Iceberg tables are written across projects.

To access Iceberg settings, open Control Panel from the Applications portal and search for the Iceberg table settings page.

Required permissions

Only users with the Enrollment Administrator or Information Security Officer role can modify Iceberg settings in Control Panel.

Verifying Iceberg is enabled

After contacting Palantir Support and receiving approval, Palantir will enable Iceberg for your enrollment. You can verify that Iceberg is enabled by checking that Enable Foundry Iceberg is toggled on at the top of the Iceberg table settings page.

Configuring Iceberg encryption settings

Foundry supports two layers of encryption for Iceberg tables:

  • Server-side encryption (SSE): Encrypts data at rest in the storage bucket. SSE is enabled by default for Foundry-managed storage. For customer-managed buckets, you must enable SSE on your bucket to ensure your data is encrypted at rest.
  • Iceberg table encryption (client-side encryption): Applies additional encryption to metadata and data files before they are written to storage.

Iceberg table encryption is an evolving feature and is not yet supported by all tools and integrations. You may prefer to allow writing Iceberg tables without client-side encryption for certain workflows. Before you can configure this, you must acknowledge and enable the Allow writing Iceberg tables without client-side encryption setting.

Configuring storage locations

Foundry supports the following storage options for Iceberg tables:

  • Foundry-managed storage: Managed storage provided by Palantir.
  • Bring-your-own-bucket (BYOB): Customer-managed storage buckets.

If available in your environment, Foundry-managed storage will appear by default.

To add a customer-managed storage bucket, first follow the instructions to set up your BYOB source. Once your source is created, you can select it in the Control Panel interface via Configure buckets in the Iceberg storage buckets section. You can configure multiple storage locations and use them for different projects to organize where Iceberg table data is written.

You can also set advanced storage settings on your BYOB buckets on this page, such as Access delegation details and Custom FileIO configuration properties.

Configuring Iceberg storage and encryption defaults

You can configure default settings for how Iceberg tables are written across your enrollment, and optionally override these defaults for specific projects or namespaces.

Enrollment-wide defaults

In the Configure global Iceberg storage section:

  • Allow writing Iceberg tables by default to all projects: When enabled, Iceberg tables can be written to any project by default. When disabled, Iceberg is only available in projects with explicit overrides.
  • Default storage for newly created Iceberg tables: Select which storage location to use by default for new Iceberg tables.
  • Enable Iceberg table encryption (client-side encryption): When enabled, newly written Iceberg tables will use Iceberg table encryption in addition to server-side encryption. This setting can only be disabled if you have checked the acknowledgment to allow tables without client-side encryption.

Project-level or namespace-level overrides

To configure different settings for specific projects or namespaces, select Add project or namespace in the Customize storage section. For each project or namespace, you can override:

  • The storage location for Iceberg tables in that project
  • Whether Iceberg table encryption (client-side encryption) is enabled or disabled

Project-level or namespace-level overrides only apply to newly written tables in the project. Existing tables will not be migrated to new storage locations or have their encryption settings changed.

Modifying existing settings

When you modify storage settings, such as storage location or encryption configuration, the new settings apply only to newly created tables. Existing tables will not be migrated or have their encryption settings altered.