This is related to
- Should be possible to use GCS without authentication #25810 (https://github.com/trinodb/trino/pull/25811/files)
- Explicit auth and emulating Google Cloud Storage as object storage for Iceberg #26854
What your current code does (v477)
In GcsServiceAccountAuth, if neither jsonKey nor jsonKeyFilePath is supplied and ADC cannot be resolved, the catch block returns null, so we simply never call builder.setCredentials(...). That means the Storage client is built with credentials == null. In practice, the google-cloud-storage library will then send requests without an Authorization header.
Potential downsides of just “null”
- Silent failure: If you accidentally run against real GCS (not, e.g., a fake server) and no credentials are available, you won’t see an early, explicit error; you’ll just get 401/403 when making calls.
- Repeated ADC attempts: In some library versions, constructing clients or performing certain operations may retry ADC resolution internally, adding overhead or noisy logs (to be verified in the current version).
- Ambiguity: It’s not obvious to a future reader that “null” was intentionally used to mean “unauthenticated mode.”
Proposal
- Prefer explicit NoCredentials for clarity. The GCS library provides NoCredentials.getInstance(). This documents intent and prevents future code paths from trying to refresh tokens.
- We could add NoCredentials to GcsServiceAccountAuth
- We could add a new GcsNoAuth auth type that is configurable with UNAUTHENTICATED (in GcsFileSystemConfig)
WDYT?
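
The proposal above, sketched as an added example that is not part of the original issue and is not Trino code: unauthenticated mode is selected explicitly and a failed credential lookup fails at construction time. `ExplicitGcsAuth`, `AuthType`, `resolve` and `createStorage` are hypothetical names; the sketch assumes the google-cloud-storage library is on the classpath.

```java
import com.google.auth.Credentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.NoCredentials;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.util.Optional;

// Hypothetical sketch: class, enum and method names are illustrative, not Trino's.
public final class ExplicitGcsAuth
{
    public enum AuthType { SERVICE_ACCOUNT, UNAUTHENTICATED }

    private ExplicitGcsAuth() {}

    // "No auth" is only ever a deliberate choice, never a fallback from a failed lookup.
    public static Credentials resolve(AuthType type, Optional<String> jsonKey)
    {
        if (type == AuthType.UNAUTHENTICATED) {
            // Explicit marker the client library treats as "send requests unauthenticated".
            return NoCredentials.getInstance();
        }
        try {
            if (jsonKey.isPresent()) {
                byte[] key = jsonKey.get().getBytes(StandardCharsets.UTF_8);
                return GoogleCredentials.fromStream(new ByteArrayInputStream(key));
            }
            return GoogleCredentials.getApplicationDefault();
        }
        catch (IOException e) {
            // Fail when the client is built instead of surfacing later as 401/403.
            throw new UncheckedIOException(
                    "GCS credentials could not be resolved; select UNAUTHENTICATED to run without auth", e);
        }
    }

    public static Storage createStorage(AuthType type, Optional<String> jsonKey, Optional<String> endpoint)
    {
        StorageOptions.Builder builder = StorageOptions.newBuilder()
                .setCredentials(resolve(type, jsonKey));
        // Optional endpoint override, e.g. a local fake GCS server.
        endpoint.ifPresent(builder::setHost);
        return builder.build().getService();
    }
}
```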