One way to mask sensitive keys in logs when using RisingWave Iceberg sink with S3 is to modify the logging configuration to redact or mask the sensitive information before it is written to the logs.

Another approach is to use environment variables or a secure secrets management service to store and retrieve the sensitive keys at runtime, instead of hardcoding them in the configuration files.

Additionally, consider implementing a custom logging formatter or filter that automatically masks or redacts the sensitive keys before they are logged.

It's also important to follow best practices for handling sensitive information and regularly review and update the logging configurations to ensure that sensitive keys are not exposed in the logs.