SNOW-3643369: Always set explicit GCS credentials to prevent ADC probe in SPCS#2664
Merged
sfc-gh-dheyman merged 3 commits intoJun 16, 2026
Merged
Conversation
0da00d3 to
1f4640b
Compare
sfc-gh-merbel
requested changes
Jun 12, 2026
sfc-gh-merbel
requested changes
Jun 12, 2026
sfc-gh-merbel
left a comment
Collaborator
There was a problem hiding this comment.
Please add more tests here
c9ccfa5 to
2e5f081
Compare
…e in SPCS Co-authored-by: Cursor <cursoragent@cursor.com>
3806b9e to
1df07e1
Compare
sfc-gh-rkowalski
approved these changes
Jun 15, 2026
Collaborator
|
Please take a look on failing tests. |
sfc-gh-merbel
approved these changes
Jun 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
StorageOptions.BuilderwhenGCS_ACCESS_TOKENis present, removing the conditional guard onareDisabledGcsDefaultCredentials(). This prevents the GCS SDK from triggering an Application Default Credentials (ADC) lookup that probesmetadata.google.internal— which is unreachable inside SPCS pods, causing an opaqueinvalid_gcs_credentialsfailure.setupGCSClient: chain the original exception as the cause ofIllegalArgumentExceptionand log it at debug level, so the root cause (e.g.,UnknownHostException) is visible in diagnostics instead of being silently swallowed.SnowflakeSQLExceptionpropagate directly fromsetupGCSClientinstead of wrapping it inIllegalArgumentException, matching the method's declared signature.Context
SPCS pods on GCP cannot reach
metadata.google.internal(DNS fails). When the JDBC driver initializes a GCS storage client for PUT operations, the GCS SDK's ADC probe fails, and the broadcatch (Exception)insetupGCSClientswallows the real error. This has been observed across multiple GCP deployments (gcpqa1, gcpuseast4). The fix ensures the ADC probe is never attempted when an access token is already available, and surfaces the root cause when initialization does fail.Test plan
setCredentials()is inside theif (accessToken != null)block, so null safety is guaranteed.IllegalArgumentException— all use genericExceptioncatch, so the added exception chaining is backward-compatible.GCSAccessStrategyAwsSdk(the virtual-URL path) already usesAnonymousCredentialsProviderand is not affected.fmt-maven-plugin:format) and checkstyle (-P check-style) both pass cleanly.Made with Cursor