check Iceberg catalog URL for GCP connections at plan time

ublubu · ublubu · commit ac9ed8aead0e · 2026-06-10T12:56:07.000-04:00
diff --git a/src/sql/src/plan/statement/ddl/connection.rs b/src/sql/src/plan/statement/ddl/connection.rs
@@ -729,7 +729,18 @@ impl ConnectionOptionExtracted {
                                 credential,
                                 scope: self.scope.clone(),
                             },
-                            (None, Some(gcp_connection)) => IcebergCatalogAuth::Gcp(gcp_connection),
+                            (None, Some(gcp_connection)) => {
+                                /// All BigLake Iceberg REST Catalogs use the same catalog URI.
+                                const BIGLAKE_CATALOG_URI: &str =
+                                    "https://biglake.googleapis.com/iceberg/v1/restcatalog";
+                                if uri.to_string() != BIGLAKE_CATALOG_URI {
+                                    sql_bail!(
+                                        "GCP connection can only be used with '{}'",
+                                        BIGLAKE_CATALOG_URI
+                                    );
+                                }
+                                IcebergCatalogAuth::Gcp(gcp_connection)
+                            }
                             (None, None) => sql_bail!(
                                 "invalid CONNECTION: ICEBERG rest connections require a CREDENTIAL or GCP CONNECTION"
                             ),
diff --git a/src/storage-types/src/connections.rs b/src/storage-types/src/connections.rs
@@ -915,6 +915,7 @@ impl IcebergCatalogConnection<InlinedConnection> {
                     GCS_CREDENTIALS_JSON.to_owned(),
                     base64::engine::general_purpose::STANDARD.encode(creds_json),
                 );
+                // We supplied a service account key. Don't look elsewhere for GCP credentials.
                 props.insert(GCS_DISABLE_VM_METADATA.to_owned(), "true".to_owned());
                 props.insert(GCS_DISABLE_CONFIG_LOAD.to_owned(), "true".to_owned());
                 if let Some(project_id) = service_account.project_id() {
diff --git a/test/iceberg/gcp-connection-validation.td b/test/iceberg/gcp-connection-validation.td
@@ -29,7 +29,7 @@ ALTER SYSTEM SET enable_default_connection_validation = false
     GCP CONNECTION = gcpconn,
     WAREHOUSE = 'gs://anything'
   )
-contains:must point URL at a *.googleapis.com host
+contains:GCP connection can only be used with 'https://biglake.googleapis.com/iceberg/v1/restcatalog'
 
 # Positive control: a real BigLake host is accepted, so the allowlist doesn't
 # break the feature.

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ ALTER SYSTEM SET enable_default_connection_validation = false`
`29`	`29`	`GCP CONNECTION = gcpconn,`
`30`	`30`	`WAREHOUSE = 'gs://anything'`
`31`	`31`	`)`
`32`		`-contains:must point URL at a *.googleapis.com host`
	`32`	`+contains:GCP connection can only be used with 'https://biglake.googleapis.com/iceberg/v1/restcatalog'`
`33`	`33`
`34`	`34`	`# Positive control: a real BigLake host is accepted, so the allowlist doesn't`
`35`	`35`	`# break the feature.`