[SS-69] Add a GCP Connection to hold Google service account creds

Cargo.toml

@@ -346,6 +346,7 @@ futures = "0.3.32"
 futures-core = "0.3.31"
 futures-task = "0.3.31"
 futures-util = "0.3.31"
+gcp_auth = "0.12.6"
 glob = "0.3.3"
 globset = "0.4.18"
 governor = "0.10.1"

deny.toml

@@ -130,6 +130,19 @@ skip = [
     { name = "hashbrown", version = "0.16.1" },
     # Used by dynfmt; iceberg/typetag pulls in v0.4.
     { name = "erased-serde", version = "0.3.26" },
+    # gcp_auth → hyper-rustls → rustls-native-certs pulls newer versions
+    # while native-tls still pulls older versions.
+    { name = "core-foundation", version = "0.10.1" },
+    { name = "security-framework", version = "3.7.0" },
+    { name = "openssl-probe", version = "0.2.1" },
+    # reqsign (via iceberg-storage-opendal / opendal) pins older deps
+    # than the workspace.
+    { name = "jsonwebtoken", version = "9.3.1" },
+    { name = "quick-xml", version = "0.37.5" },
+    # aws-lc-rs (via jsonwebtoken 10) and ring pull different `untrusted`.
+    { name = "untrusted", version = "0.7.1" },
+    # Held back by lazy_static 1.4.0 (used by num-bigint-dig).
+    { name = "spin", version = "0.5.2" },
 ]
 
 [[bans.deny]]
@@ -206,9 +219,11 @@ wrappers = [
 ]
 
 # We prefer the system's native TLS or OpenSSL to Rustls, since they are more
-# mature and more widely used.
+# mature and more widely used. `gcp_auth` only ships with rustls-based TLS,
+# so allow it through.
 [[bans.deny]]
 name = "rustls"
+wrappers = ["hyper-rustls", "tokio-rustls"]
 
 # once_cell is going to be added to std, and doesn't use macros
 # Unfortunately, its heavily used, so we have lots of exceptions.
@@ -219,6 +234,7 @@ wrappers = [
     "findshlibs",
     "launchdarkly-server-sdk",
     "launchdarkly-server-sdk-evaluation",
+    "num-bigint-dig",
     "prometheus",
     "rayon-core",
     "sharded-slab",

src/adapter/src/catalog/builtin_table_updates.rs

@@ -1039,6 +1039,7 @@ impl CatalogState {
                 updates.push(self.pack_ssh_tunnel_connection_update(id, key_1, key_2, diff));
             }
             ConnectionDetails::Csr(_)
+            | ConnectionDetails::Gcp(_)
             | ConnectionDetails::Postgres(_)
             | ConnectionDetails::MySql(_)
             | ConnectionDetails::SqlServer(_)

src/adapter/src/catalog/state.rs

@@ -2777,6 +2777,7 @@ impl ConnectionResolver for CatalogState {
             Ssh(conn) => Ssh(conn),
             Aws(conn) => Aws(conn),
             AwsPrivatelink(conn) => AwsPrivatelink(conn),
+            Gcp(conn) => Gcp(conn),
             MySql(conn) => MySql(conn.into_inline_connection(self)),
             SqlServer(conn) => SqlServer(conn.into_inline_connection(self)),
             IcebergCatalog(conn) => IcebergCatalog(conn.into_inline_connection(self)),

src/adapter/src/coord/ddl.rs

@@ -1135,6 +1135,7 @@ impl Coordinator {
                             ConnectionDetails::Csr(_)
                             | ConnectionDetails::Ssh { .. }
                             | ConnectionDetails::Aws(_)
+                            | ConnectionDetails::Gcp(_)
                             | ConnectionDetails::IcebergCatalog(_) => {}
                         },
                         CatalogItem::Table(_) => {
@@ -1311,6 +1312,7 @@ impl Coordinator {
                 ConnectionDetails::Csr(_)
                 | ConnectionDetails::Ssh { .. }
                 | ConnectionDetails::Aws(_)
+                | ConnectionDetails::Gcp(_)
                 | ConnectionDetails::IcebergCatalog(_) => {}
             }
         }

src/sql-lexer/src/keywords.txt

@@ -25,6 +25,7 @@
 
 Abort
 Access
+Account
 Action
 Add
 Added
@@ -200,6 +201,7 @@ Full
 Fullname
 Function
 Fusion
+Gcp
 Generator
 Grant
 Greatest

src/sql-parser/src/ast/defs/ddl.rs

@@ -791,6 +791,7 @@ pub enum ConnectionOptionName {
     Scope,
     SecretAccessKey,
     SecurityProtocol,
+    ServiceAccountKey,
     ServiceName,
     SshTunnel,
     SslCertificate,
@@ -834,6 +835,7 @@ impl AstDisplay for ConnectionOptionName {
             ConnectionOptionName::Scope => "SCOPE",
             ConnectionOptionName::SecurityProtocol => "SECURITY PROTOCOL",
             ConnectionOptionName::SecretAccessKey => "SECRET ACCESS KEY",
+            ConnectionOptionName::ServiceAccountKey => "SERVICE ACCOUNT KEY",
             ConnectionOptionName::ServiceName => "SERVICE NAME",
             ConnectionOptionName::SshTunnel => "SSH TUNNEL",
             ConnectionOptionName::SslCertificate => "SSL CERTIFICATE",
@@ -883,6 +885,7 @@ impl WithOptionName for ConnectionOptionName {
             | ConnectionOptionName::Scope
             | ConnectionOptionName::SecurityProtocol
             | ConnectionOptionName::SecretAccessKey
+            | ConnectionOptionName::ServiceAccountKey
             | ConnectionOptionName::ServiceName
             | ConnectionOptionName::SshTunnel
             | ConnectionOptionName::SslCertificate
@@ -911,6 +914,7 @@ impl_display_t!(ConnectionOption);
 pub enum CreateConnectionType {
     Aws,
     AwsPrivatelink,
+    Gcp,
     Kafka,
     Csr,
     Postgres,
@@ -928,6 +932,7 @@ impl CreateConnectionType {
             Self::Postgres => "postgres",
             Self::Aws => "aws",
             Self::AwsPrivatelink => "aws-privatelink",
+            Self::Gcp => "gcp",
             Self::Ssh => "ssh-tunnel",
             Self::MySql => "mysql",
             Self::SqlServer => "sql-server",
@@ -954,6 +959,9 @@ impl AstDisplay for CreateConnectionType {
             Self::AwsPrivatelink => {
                 f.write_str("AWS PRIVATELINK");
             }
+            Self::Gcp => {
+                f.write_str("GCP");
+            }
             Self::Ssh => {
                 f.write_str("SSH TUNNEL");
             }

src/sql-parser/src/parser.rs

@@ -2456,16 +2456,17 @@ impl<'a> Parser<'a> {
             TO => true,
             _ => unreachable!(),
         };
-        let connection_type = match self
-            .expect_one_of_keywords(&[AWS, KAFKA, CONFLUENT, POSTGRES, SSH, SQL, MYSQL, ICEBERG])?
-        {
+        let connection_type = match self.expect_one_of_keywords(&[
+            AWS, GCP, KAFKA, CONFLUENT, POSTGRES, SSH, SQL, MYSQL, ICEBERG,
+        ])? {
             AWS => {
                 if self.parse_keyword(PRIVATELINK) {
                     CreateConnectionType::AwsPrivatelink
                 } else {
                     CreateConnectionType::Aws
                 }
             }
+            GCP => CreateConnectionType::Gcp,
             KAFKA => CreateConnectionType::Kafka,
             CONFLUENT => {
                 self.expect_keywords(&[SCHEMA, REGISTRY])?;
@@ -2873,10 +2874,14 @@ impl<'a> Parser<'a> {
                     self.expect_keywords(&[ACCESS, KEY])?;
                     ConnectionOptionName::SecretAccessKey
                 }
-                SERVICE => {
-                    self.expect_keyword(NAME)?;
-                    ConnectionOptionName::ServiceName
-                }
+                SERVICE => match self.expect_one_of_keywords(&[ACCOUNT, NAME])? {
+                    ACCOUNT => {
+                        self.expect_keyword(KEY)?;
+                        ConnectionOptionName::ServiceAccountKey
+                    }
+                    NAME => ConnectionOptionName::ServiceName,
+                    _ => unreachable!(),
+                },
                 SESSION => {
                     self.expect_keyword(TOKEN)?;
                     ConnectionOptionName::SessionToken

src/sql-parser/tests/testdata/ddl

@@ -561,6 +561,13 @@ CREATE CONNECTION privatelinkconn TO AWS PRIVATELINK (SERVICE NAME = 'com.amazon
 =>
 CreateConnection(CreateConnectionStatement { name: UnresolvedItemName([Ident("privatelinkconn")]), connection_type: AwsPrivatelink, if_not_exists: false, values: [ConnectionOption { name: ServiceName, value: Some(Value(String("com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc"))) }, ConnectionOption { name: AvailabilityZones, value: Some(Sequence([Value(String("use1-az1")), Value(String("use1-az4"))])) }], with_options: [] })
 
+parse-statement
+CREATE CONNECTION gcpconn TO GCP (SERVICE ACCOUNT KEY = SECRET keyfile)
+----
+CREATE CONNECTION gcpconn TO GCP (SERVICE ACCOUNT KEY = SECRET keyfile)
+=>
+CreateConnection(CreateConnectionStatement { name: UnresolvedItemName([Ident("gcpconn")]), connection_type: Gcp, if_not_exists: false, values: [ConnectionOption { name: ServiceAccountKey, value: Some(Secret(Name(UnresolvedItemName([Ident("keyfile")])))) }], with_options: [] })
+
 parse-statement
 CREATE CONNECTION privatelinkconn TO AWS PRIVATELINK (SERVICE NAME 'com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc', AVAILABILITY ZONES ('use1-az1', 'use1-az4')) WITH (VALIDATE = FALSE)
 ----