dataroaring opened a new pull request, #60515:
URL: https://github.com/apache/doris/pull/60515
## Summary
- When Doris runs on an instance with an IAM role, S3 TVF queries against
public buckets fail with 403 because the default AWS credential chain picks up
instance profile credentials before reaching the anonymous fallback
- Add retry-with-anonymous logic in `S3TableValuedFunction`: when
`parseFile()` fails with 403 and no explicit credentials were provided, switch
to `ANONYMOUS` credentials and retry
- All three property maps (`storageProperties`, `backendConnectProperties`,
`processedParams`) are updated so both FE listing and BE data reading use
anonymous access
- No BE changes needed: the BE already supports
`AWS_CREDENTIALS_PROVIDER_TYPE=ANONYMOUS` via `CredProviderType::Anonymous`
## Test plan
- [ ] Unit tests added in `S3TableValuedFunctionTest` covering: anonymous
fallback on 403, no fallback with explicit credentials, no fallback with
explicit role_arn, original error preserved when both attempts fail, no
fallback on non-403 errors
- [ ] Manual test on cloud deployment with IAM role: `SELECT * FROM
s3("uri"="s3://bench-dataset/amazon_review/amazon_reviews_2010.snappy.parquet",
"s3.region"="us-east-1", "format"="parquet") LIMIT 10;`
- [ ] Regression check: queries with explicit credentials still work
normally and do not trigger anonymous fallback
🤖 Generated with [Claude Code](https://claude.ai/code)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
