Merge pull request #91706 from ClickHouse/no-s3providers-if-oauth

antonio2368 · web-flow · commit af7875fba4b0 · 2025-12-15T14:51:39.000Z
Don't add S3 providers if GCP OAuth is used
diff --git a/src/Databases/DataLake/GlueCatalog.cpp b/src/Databases/DataLake/GlueCatalog.cpp
@@ -170,8 +170,8 @@ GlueCatalog::GlueCatalog(
     else
     {
         LOG_TRACE(log, "Creating AWS glue client with credentials empty {}, region '{}', endpoint '{}'", credentials.IsEmpty(), region, endpoint);
-        std::shared_ptr<DB::S3::S3CredentialsProviderChain> chain = std::make_shared<DB::S3::S3CredentialsProviderChain>(poco_config, credentials, creds_config);
-        glue_client = std::make_unique<Aws::Glue::GlueClient>(chain, endpoint_provider, client_configuration);
+        auto credentials_provider = DB::S3::getCredentialsProvider(poco_config, credentials, creds_config);
+        glue_client = std::make_unique<Aws::Glue::GlueClient>(credentials_provider, endpoint_provider, client_configuration);
     }
 
 }
diff --git a/src/IO/S3/Client.cpp b/src/IO/S3/Client.cpp
@@ -1213,21 +1213,7 @@ std::unique_ptr<S3::Client> ClientFactory::create( // NOLINT
     credentials_configuration.use_environment_credentials =
         credentials_configuration.use_environment_credentials || (credentials.IsEmpty() && !credentials_configuration.role_arn.empty());
 
-    std::shared_ptr<Aws::Auth::AWSCredentialsProvider> credentials_provider = std::make_shared<S3CredentialsProviderChain>(
-            client_configuration,
-            std::move(credentials),
-            credentials_configuration);
-
-    if (!credentials_configuration.role_arn.empty())
-    {
-        credentials_provider = AwsAuthSTSAssumeRoleCredentialsProvider::create(
-            credentials_configuration.role_arn,
-            credentials_configuration.role_session_name,
-            credentials_configuration.expiration_window_seconds,
-            std::move(credentials_provider),
-            client_configuration,
-            credentials_configuration.sts_endpoint_override);
-    }
+    auto credentials_provider = getCredentialsProvider(client_configuration, credentials, credentials_configuration);
 
     /// Disable per-thread retry loops if global retry coordination is in use.
     if (client_configuration.s3_slow_all_threads_after_retryable_error)
diff --git a/src/IO/S3/Credentials.cpp b/src/IO/S3/Credentials.cpp
@@ -587,7 +587,7 @@ std::shared_ptr<Aws::Auth::AWSCredentialsProvider> AwsAuthSTSAssumeRoleWebIdenti
         }
     }
 
-    auto empty_credentials = std::make_shared<Aws::Auth::SimpleAWSCredentialsProvider>(Aws::Auth::AWSCredentials());
+    auto empty_credentials = std::make_shared<Aws::Auth::AnonymousAWSCredentialsProvider>();
     if (token_file.empty())
     {
         LOG_WARNING(logger, "Token file must be specified to use STS AssumeRole web identity creds provider.");
@@ -844,12 +844,12 @@ Aws::String SSOCredentialsProvider::loadAccessTokenFile(const Aws::String & sso_
 S3CredentialsProviderChain::S3CredentialsProviderChain(
         const DB::S3::PocoHTTPClientConfiguration & configuration,
         const Aws::Auth::AWSCredentials & credentials,
-        CredentialsConfiguration credentials_configuration)
+        const CredentialsConfiguration & credentials_configuration)
 {
     auto logger = getLogger("S3CredentialsProviderChain");
 
     /// we don't provide any credentials to avoid signing
-    if (credentials_configuration.no_sign_request)
+    if (credentials_configuration.no_sign_request || configuration.http_client == "gcp_oauth")
         return;
 
     /// add explicit credentials to the front of the chain
@@ -1103,7 +1103,7 @@ std::shared_ptr<Aws::Auth::AWSCredentialsProvider> AwsAuthSTSAssumeRoleCredentia
     std::string session_name_,
     uint64_t expiration_window_seconds_,
     std::shared_ptr<Aws::Auth::AWSCredentialsProvider> credentials_provider,
-    DB::S3::PocoHTTPClientConfiguration & client_configuration,
+    const DB::S3::PocoHTTPClientConfiguration & client_configuration,
     const std::string & sts_endpoint_override)
 {
     auto client = std::make_shared<AWSAssumeRoleClient>(credentials_provider, client_configuration, sts_endpoint_override);
@@ -1165,6 +1165,36 @@ void AwsAuthSTSAssumeRoleCredentialsProvider::Reload()
     LOG_TRACE(logger, "Successfully retrieved credentials");
 }
 
+std::shared_ptr<Aws::Auth::AWSCredentialsProvider> getCredentialsProvider(
+    const DB::S3::PocoHTTPClientConfiguration & configuration,
+    const Aws::Auth::AWSCredentials & credentials,
+    const CredentialsConfiguration & credentials_configuration)
+{
+    std::shared_ptr<Aws::Auth::AWSCredentialsProvider> credentials_provider;
+    if (credentials_configuration.no_sign_request || configuration.http_client == "gcp_oauth")
+    {
+        credentials_provider = std::make_shared<Aws::Auth::AnonymousAWSCredentialsProvider>();
+    }
+    else
+    {
+        credentials_provider
+            = std::make_shared<S3CredentialsProviderChain>(configuration, credentials, credentials_configuration);
+    }
+
+    if (!credentials_configuration.role_arn.empty())
+    {
+        credentials_provider = AwsAuthSTSAssumeRoleCredentialsProvider::create(
+            credentials_configuration.role_arn,
+            credentials_configuration.role_session_name,
+            credentials_configuration.expiration_window_seconds,
+            std::move(credentials_provider),
+            configuration,
+            credentials_configuration.sts_endpoint_override);
+    }
+
+    return credentials_provider;
+}
+
 }
 
 }
diff --git a/src/IO/S3/Credentials.h b/src/IO/S3/Credentials.h
@@ -214,7 +214,7 @@ class S3CredentialsProviderChain : public Aws::Auth::AWSCredentialsProviderChain
     S3CredentialsProviderChain(
         const DB::S3::PocoHTTPClientConfiguration & configuration,
         const Aws::Auth::AWSCredentials & credentials,
-        CredentialsConfiguration credentials_configuration);
+        const CredentialsConfiguration & credentials_configuration);
 };
 
 class AssumeRoleRequest : public Aws::AmazonSerializableWebServiceRequest
@@ -283,7 +283,7 @@ class AwsAuthSTSAssumeRoleCredentialsProvider : public Aws::Auth::AWSCredentials
             std::string session_name_,
             uint64_t expiration_window_seconds_,
             std::shared_ptr<Aws::Auth::AWSCredentialsProvider> credentials_provider,
-            DB::S3::PocoHTTPClientConfiguration & client_configuration,
+            const DB::S3::PocoHTTPClientConfiguration & client_configuration,
             const std::string & sts_endpoint_override = "");
 
     AwsAuthSTSAssumeRoleCredentialsProvider(
@@ -317,6 +317,10 @@ class AwsAuthSTSAssumeRoleCredentialsProvider : public Aws::Auth::AWSCredentials
     LoggerPtr logger;
 };
 
+std::shared_ptr<Aws::Auth::AWSCredentialsProvider> getCredentialsProvider(
+    const DB::S3::PocoHTTPClientConfiguration & configuration,
+    const Aws::Auth::AWSCredentials & credentials,
+    const CredentialsConfiguration & credentials_configuration);
 }
 
 #else

Original file line number	Diff line number	Diff line change
`@@ -170,8 +170,8 @@ GlueCatalog::GlueCatalog(`
`170`	`170`	`else`
`171`	`171`	`{`
`172`	`172`	`LOG_TRACE(log, "Creating AWS glue client with credentials empty {}, region '{}', endpoint '{}'", credentials.IsEmpty(), region, endpoint);`
`173`		`- std::shared_ptr<DB::S3::S3CredentialsProviderChain> chain = std::make_shared<DB::S3::S3CredentialsProviderChain>(poco_config, credentials, creds_config);`
`174`		`- glue_client = std::make_unique<Aws::Glue::GlueClient>(chain, endpoint_provider, client_configuration);`
	`173`	`+ auto credentials_provider = DB::S3::getCredentialsProvider(poco_config, credentials, creds_config);`
	`174`	`+ glue_client = std::make_unique<Aws::Glue::GlueClient>(credentials_provider, endpoint_provider, client_configuration);`
`175`	`175`	`}`
`176`	`176`
`177`	`177`	`}`