Skip to content

SNOW-3643369: Always set explicit GCS credentials to prevent ADC probe in SPCS#2664

Merged
sfc-gh-dheyman merged 3 commits into
masterfrom
dheyman/SNOW-3643369-fix-gcs-adc-probe-spcs
Jun 16, 2026
Merged

SNOW-3643369: Always set explicit GCS credentials to prevent ADC probe in SPCS#2664
sfc-gh-dheyman merged 3 commits into
masterfrom
dheyman/SNOW-3643369-fix-gcs-adc-probe-spcs

Conversation

@sfc-gh-dheyman

Copy link
Copy Markdown
Collaborator

Summary

  • Always set explicit credentials on StorageOptions.Builder when GCS_ACCESS_TOKEN is present, removing the conditional guard on areDisabledGcsDefaultCredentials(). This prevents the GCS SDK from triggering an Application Default Credentials (ADC) lookup that probes metadata.google.internal — which is unreachable inside SPCS pods, causing an opaque invalid_gcs_credentials failure.
  • Improve error handling in setupGCSClient: chain the original exception as the cause of IllegalArgumentException and log it at debug level, so the root cause (e.g., UnknownHostException) is visible in diagnostics instead of being silently swallowed.
  • Let SnowflakeSQLException propagate directly from setupGCSClient instead of wrapping it in IllegalArgumentException, matching the method's declared signature.

Context

SPCS pods on GCP cannot reach metadata.google.internal (DNS fails). When the JDBC driver initializes a GCS storage client for PUT operations, the GCS SDK's ADC probe fails, and the broad catch (Exception) in setupGCSClient swallows the real error. This has been observed across multiple GCP deployments (gcpqa1, gcpuseast4). The fix ensures the ADC probe is never attempted when an access token is already available, and surfaces the root cause when initialization does fail.

Test plan

  • Verified that setCredentials() is inside the if (accessToken != null) block, so null safety is guaranteed.
  • Confirmed no callers specifically catch IllegalArgumentException — all use generic Exception catch, so the added exception chaining is backward-compatible.
  • Confirmed GCSAccessStrategyAwsSdk (the virtual-URL path) already uses AnonymousCredentialsProvider and is not affected.
  • Formatter (fmt-maven-plugin:format) and checkstyle (-P check-style) both pass cleanly.

Made with Cursor

@sfc-gh-dheyman sfc-gh-dheyman requested a review from a team as a code owner June 12, 2026 12:39
@sfc-gh-dheyman sfc-gh-dheyman force-pushed the dheyman/SNOW-3643369-fix-gcs-adc-probe-spcs branch from 0da00d3 to 1f4640b Compare June 12, 2026 12:41
@sfc-gh-dheyman sfc-gh-dheyman enabled auto-merge (squash) June 12, 2026 12:46

@sfc-gh-merbel sfc-gh-merbel left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add more tests here

@sfc-gh-dheyman sfc-gh-dheyman force-pushed the dheyman/SNOW-3643369-fix-gcs-adc-probe-spcs branch 3 times, most recently from c9ccfa5 to 2e5f081 Compare June 13, 2026 07:18
…e in SPCS

Co-authored-by: Cursor <cursoragent@cursor.com>
@sfc-gh-dheyman sfc-gh-dheyman force-pushed the dheyman/SNOW-3643369-fix-gcs-adc-probe-spcs branch from 3806b9e to 1df07e1 Compare June 13, 2026 07:29
@sfc-gh-merbel

Copy link
Copy Markdown
Collaborator

Please take a look on failing tests.

@sfc-gh-dheyman sfc-gh-dheyman merged commit f108dbd into master Jun 16, 2026
118 of 121 checks passed
@sfc-gh-dheyman sfc-gh-dheyman deleted the dheyman/SNOW-3643369-fix-gcs-adc-probe-spcs branch June 16, 2026 10:45
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 16, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants