Add OAuth2 bearer token support for GCS #93
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hi. Thanks for the PR! So If I understand this correctly, Polaris is returning a OAuth2 token to be used when reading from a GCS bucket? I don't think the oauth2 credentials will be picked up when attaching to the iceberg rest catalog, but we should be able to add this soon. Otherwise LGTM. Thanks for the tests. |
|
Correct. Polaris vends credentials in the loadtable response if the {
"metadata" : ...,
"metadta-location" : ...,
"config" : {
"gcs.oauth2.token": "{OAUTH2 BEARER TOKEN}",
"gcs.oauth2.token-expires-at": "{milliseconds since epoch}"
}
}If we can get this merged, I can try to add support to the iceberg extension to support this functionality and pass the bearer token to httpfs. It would be great if we could get this in before the 1.4 freeze |
danklynn
pushed a commit
to danklynn/duckdb-iceberg
that referenced
this pull request
Aug 8, 2025
Polaris returns an OAuth2 bearer token for GCS tables like so:
{
"metadata-location": "gs://my-bucket/warehouse/table/metadata.json",
"config": {
"gcs.oauth2.token": "ya29.a0AfH6SMBx..."
}
}
This commit adds support for passing bearer tokens through to GCS.
This commit depends upon functionality added to the httpfs extension here:
danklynn/duckdb-httpfs@d5a7a2b
It will compile if you comment out https loading from `out_of_tree_extensions.cmake`
in the duckdb submodule, but this can be resolved once this PR is merged:
duckdb/duckdb-httpfs#93
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Apache Polaris vends an OAuth2 access token for Iceberg tables hosted in GCS. This PR adds support for fetching files from GCS using these bearer tokens. Tested with read_parquet and iceberg_scan.