From 62808b887bee4e0991d8ac6ab5efe2f1cd9fad11 Mon Sep 17 00:00:00 2001
From: shuiyisong <113876041+shuiyisong@users.noreply.github.com>
Date: Wed, 17 Dec 2025 14:34:29 +0800
Subject: [PATCH] fix: using anonymous s3 access when ak and sk is not provided
 (#7425)

* chore: allow s3 anon

Signed-off-by: shuiyisong <xixing.sys@gmail.com>

* chore: disable ec2 metadata

Signed-off-by: shuiyisong <xixing.sys@gmail.com>

---------

Signed-off-by: shuiyisong <xixing.sys@gmail.com>
---
 src/object-store/src/config.rs | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/object-store/src/config.rs b/src/object-store/src/config.rs
index ea34e238c4..ac976da8f0 100644
--- a/src/object-store/src/config.rs
+++ b/src/object-store/src/config.rs
@@ -16,6 +16,7 @@ use std::time::Duration;
 
 use common_base::readable_size::ReadableSize;
 use common_base::secrets::{ExposeSecret, SecretString};
+use common_telemetry::tracing::warn;
 use opendal::services::{Azblob, Gcs, Oss, S3};
 use serde::{Deserialize, Serialize};
 
@@ -123,11 +124,18 @@ impl From<&S3Connection> for S3 {
     fn from(connection: &S3Connection) -> Self {
         let root = util::normalize_dir(&connection.root);
 
-        let mut builder = S3::default()
-            .root(&root)
-            .bucket(&connection.bucket)
-            .access_key_id(connection.access_key_id.expose_secret())
-            .secret_access_key(connection.secret_access_key.expose_secret());
+        let mut builder = S3::default().root(&root).bucket(&connection.bucket);
+
+        if !connection.access_key_id.expose_secret().is_empty()
+            && !connection.secret_access_key.expose_secret().is_empty()
+        {
+            builder = builder
+                .access_key_id(connection.access_key_id.expose_secret())
+                .secret_access_key(connection.secret_access_key.expose_secret());
+        } else {
+            warn!("No access key id or secret access key provided, using anonymous access");
+            builder = builder.allow_anonymous().disable_ec2_metadata();
+        }
 
         if let Some(endpoint) = &connection.endpoint {
             builder = builder.endpoint(endpoint);