Add static bearer tooken auth for GCS (#721)

Author: mpiannucci

docs/docs/icechunk-python/storage.md

@@ -175,6 +175,18 @@ Icechunk can be used with [Google Cloud Storage](https://cloud.google.com/storag
         )
         ```
 
+=== "Bearer Token"
+
+    With this option, you provide a bearer token to use for the object store. This is useful for short lived workflows where expiration is not relevant or when the bearer token will not expire [See the API](./reference.md#icechunk.gcs_storage)
+
+    ```python
+    icechunk.gcs_storage(
+        bucket="icechunk-test",
+        prefix="quickstart-demo-1",
+        bearer_token="my-bearer-token"
+    )
+    ```
+
 === "Refreshable Credentials"
 
     With this option, you provide a callback function that will be called to obtain GCS credentials when needed. This is useful for workloads that depend on retrieving short-lived credentials from GCS or similar authority, allowing for credentials to be refreshed as needed without interrupting any workflows. This works at a lower level than the other methods, and accepts a bearer token and expiration time. These are the same credentials that are created for you when specifying the service account file, key, or ADC. [See the API](./reference.md#icechunk.gcs_storage)

icechunk-python/python/icechunk/_icechunk_python.pyi

@@ -539,10 +539,14 @@ class GcsStaticCredentials:
     class ApplicationCredentials:
         def __init__(self, path: str) -> None: ...
 
+    class BearerToken:
+        def __init__(self, token: str) -> None: ...
+
 AnyGcsStaticCredential = (
     GcsStaticCredentials.ServiceAccount
     | GcsStaticCredentials.ServiceAccountKey
     | GcsStaticCredentials.ApplicationCredentials
+    | GcsStaticCredentials.BearerToken
 )
 
 class GcsCredentials:

icechunk-python/python/icechunk/credentials.py

@@ -24,6 +24,7 @@
     GcsStaticCredentials.ServiceAccount
     | GcsStaticCredentials.ServiceAccountKey
     | GcsStaticCredentials.ApplicationCredentials
+    | GcsStaticCredentials.BearerToken
 )
 
 AnyGcsCredential = (
@@ -181,6 +182,7 @@ def gcs_static_credentials(
     service_account_file: str | None = None,
     service_account_key: str | None = None,
     application_credentials: str | None = None,
+    bearer_token: str | None = None,
 ) -> AnyGcsStaticCredential:
     """Create static credentials Google Cloud Storage object store."""
     if service_account_file is not None:
@@ -189,6 +191,8 @@ def gcs_static_credentials(
         return GcsStaticCredentials.ServiceAccountKey(service_account_key)
     if application_credentials is not None:
         return GcsStaticCredentials.ApplicationCredentials(application_credentials)
+    if bearer_token is not None:
+        return GcsStaticCredentials.BearerToken(bearer_token)
     raise ValueError("Conflicting arguments to gcs_static_credentials function")
 
 
@@ -209,6 +213,7 @@ def gcs_credentials(
     service_account_file: str | None = None,
     service_account_key: str | None = None,
     application_credentials: str | None = None,
+    bearer_token: str | None = None,
     from_env: bool | None = None,
     get_credentials: Callable[[], GcsBearerCredential] | None = None,
 ) -> AnyGcsCredential:
@@ -220,19 +225,22 @@ def gcs_credentials(
         service_account_file is None
         and service_account_key is None
         and application_credentials is None
+        and bearer_token is None
     ):
         return gcs_from_env_credentials()
 
     if (
         service_account_file is not None
         or service_account_key is not None
         or application_credentials is not None
+        or bearer_token is not None
     ) and (from_env is None or not from_env):
         return GcsCredentials.Static(
             gcs_static_credentials(
                 service_account_file=service_account_file,
                 service_account_key=service_account_key,
                 application_credentials=application_credentials,
+                bearer_token=bearer_token,
             )
         )
 

icechunk-python/python/icechunk/storage.py

@@ -186,6 +186,7 @@ def gcs_storage(
     service_account_file: str | None = None,
     service_account_key: str | None = None,
     application_credentials: str | None = None,
+    bearer_token: str | None = None,
     from_env: bool | None = None,
     config: dict[str, str] | None = None,
 ) -> Storage:
@@ -199,11 +200,14 @@ def gcs_storage(
         The prefix within the bucket that is the root directory of the repository
     from_env: bool | None
         Fetch credentials from the operative system environment
+    bearer_token: str | None
+        The bearer token to use for the object store
     """
     credentials = gcs_credentials(
         service_account_file=service_account_file,
         service_account_key=service_account_key,
         application_credentials=application_credentials,
+        bearer_token=bearer_token,
         from_env=from_env,
     )
     return Storage.new_gcs(

icechunk-python/src/config.rs

@@ -214,6 +214,7 @@ pub enum PyGcsStaticCredentials {
     ServiceAccount(String),
     ServiceAccountKey(String),
     ApplicationCredentials(String),
+    BearerToken(String),
 }
 
 impl From<PyGcsStaticCredentials> for GcsStaticCredentials {
@@ -228,6 +229,12 @@ impl From<PyGcsStaticCredentials> for GcsStaticCredentials {
             PyGcsStaticCredentials::ApplicationCredentials(path) => {
                 GcsStaticCredentials::ApplicationCredentials(path.into())
             }
+            PyGcsStaticCredentials::BearerToken(token) => {
+                GcsStaticCredentials::BearerToken(GcsBearerCredential {
+                    bearer: token,
+                    expires_after: None,
+                })
+            }
         }
     }
 }

icechunk/src/config.rs

@@ -389,6 +389,7 @@ pub enum GcsStaticCredentials {
     ServiceAccount(PathBuf),
     ServiceAccountKey(String),
     ApplicationCredentials(PathBuf),
+    BearerToken(GcsBearerCredential),
 }
 
 #[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Eq)]
@@ -399,9 +400,9 @@ pub struct GcsBearerCredential {
     pub expires_after: Option<DateTime<Utc>>,
 }
 
-impl From<GcsBearerCredential> for GcpCredential {
-    fn from(value: GcsBearerCredential) -> Self {
-        GcpCredential { bearer: value.bearer }
+impl From<&GcsBearerCredential> for GcpCredential {
+    fn from(value: &GcsBearerCredential) -> Self {
+        GcpCredential { bearer: value.bearer.clone() }
     }
 }
 

icechunk/src/storage/object_store.rs

@@ -21,7 +21,8 @@ use object_store::{
     memory::InMemory,
     path::Path as ObjectPath,
     Attribute, AttributeValue, Attributes, CredentialProvider, GetOptions, ObjectMeta,
-    ObjectStore, PutMode, PutOptions, PutPayload, UpdateVersion,
+    ObjectStore, PutMode, PutOptions, PutPayload, StaticCredentialProvider,
+    UpdateVersion,
 };
 use serde::{Deserialize, Serialize};
 use std::{
@@ -899,6 +900,10 @@ impl ObjectStoreBackend for GcsObjectStoreBackend {
                 })?;
                 builder.with_application_credentials(path)
             }
+            Some(GcsCredentials::Static(GcsStaticCredentials::BearerToken(token))) => {
+                let provider = StaticCredentialProvider::new(GcpCredential::from(token));
+                builder.with_credentials(Arc::new(provider))
+            }
             Some(GcsCredentials::Refreshable(fetcher)) => {
                 let credential_provider =
                     GcsRefreshableCredentialProvider::new(Arc::clone(fetcher));
@@ -971,7 +976,7 @@ impl CredentialProvider for GcsRefreshableCredentialProvider {
         let creds = self.get_or_update_credentials().await.map_err(|e| {
             object_store::Error::Generic { store: "gcp", source: Box::new(e) }
         })?;
-        Ok(Arc::new(creds.into()))
+        Ok(Arc::new(GcpCredential::from(&creds)))
     }
 }