chore(query): allow_anonymous when key token is empty

.github/actions/test_sqllogic_standalone_linux/action.yml

@@ -35,6 +35,7 @@ runs:
       env:
         TEST_HANDLERS: ${{ inputs.handlers }}
         TEST_PARALLEL: ${{ inputs.parallel }}
+        TEST_EXT_ARGS: ${{ inputs.dirs == 'base' && '--skip_file 05_0016_ddl_stage_public_s3_list.test' || '' }}
         CACHE_ENABLE_TABLE_META_CACHE: ${{ inputs.enable_table_meta_cache}}
       run: bash ./scripts/ci/ci-run-sqllogic-tests.sh ${{ inputs.dirs }}
 
@@ -44,6 +45,6 @@ runs:
       env:
         TEST_HANDLERS: ${{ inputs.handlers }}
         TEST_PARALLEL: ${{ inputs.parallel }}
-        TEST_EXT_ARGS: '--skip_file tpcds_spill_1.test,tpcds_spill_2.test,tpcds_spill_3.test'
+        TEST_EXT_ARGS: ${{ inputs.dirs == 'base' && '--skip_file tpcds_spill_1.test,tpcds_spill_2.test,tpcds_spill_3.test,05_0016_ddl_stage_public_s3_list.test' || '--skip_file tpcds_spill_1.test,tpcds_spill_2.test,tpcds_spill_3.test' }}
         CACHE_ENABLE_TABLE_META_CACHE: ${{ inputs.enable_table_meta_cache}}
       run: bash ./scripts/ci/ci-run-sqllogic-tests-native.sh ${{ inputs.dirs }}

.github/workflows/reuse.sqllogic.yml

@@ -81,6 +81,23 @@ jobs:
         with:
           name: test-sqllogic-standalone-${{ matrix.tests.dirs }}-${{ matrix.handler }}
 
+  public_s3_stage_list:
+    runs-on:
+      - self-hosted
+      - ${{ inputs.runner_arch }}
+      - Linux
+      - 2c8g
+      - "${{ inputs.runner_provider }}"
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup_test
+        with:
+          artifacts: sqllogictests,meta,query
+      - name: Run public S3 stage list test (insecure disabled)
+        timeout-minutes: 10
+        shell: bash
+        run: bash ./scripts/ci/ci-run-sqllogic-tests-public-s3.sh
+
   standalone_udf_server:
     runs-on:
       - self-hosted

scripts/ci/ci-run-sqllogic-tests-public-s3.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+# Copyright 2020-2021 The Databend Authors.
+# SPDX-License-Identifier: Apache-2.0.
+
+set -e
+
+# Run this test with insecure disabled so external S3 stages don't load credentials
+# from the environment and can access public buckets via unsigned requests.
+export STORAGE_ALLOW_INSECURE=false
+
+echo "Starting standalone DatabendQuery and DatabendMeta"
+./scripts/ci/deploy/databend-query-standalone.sh
+
+TEST_HANDLERS=${TEST_HANDLERS:-"http"}
+BUILD_PROFILE=${BUILD_PROFILE:-debug}
+
+echo "Starting databend-sqllogic tests"
+target/${BUILD_PROFILE}/databend-sqllogictests \
+  --handlers ${TEST_HANDLERS} \
+  --run_file tests/sqllogictests/suites/base/05_ddl/05_0016_ddl_stage_public_s3_list.test \
+  --enable_sandbox \
+  --parallel 1 \
+  ${TEST_EXT_ARGS}
+

src/common/storage/src/operator.rs

@@ -421,6 +421,17 @@ fn init_s3_operator(cfg: &StorageS3Config) -> Result<impl Builder> {
         builder = builder.disable_config_load().disable_ec2_metadata();
     }
 
+    // If credential loading is disabled and no credentials are provided, use unsigned requests.
+    // This allows accessing public buckets reliably in environments where signing could be rejected.
+    if cfg.disable_credential_loader
+        && cfg.access_key_id.is_empty()
+        && cfg.secret_access_key.is_empty()
+        && cfg.security_token.is_empty()
+        && cfg.role_arn.is_empty()
+    {
+        builder = builder.allow_anonymous();
+    }
+
     // Enable virtual host style
     if cfg.enable_virtual_host_style {
         builder = builder.enable_virtual_host_style();

tests/sqllogictests/suites/base/05_ddl/05_0016_ddl_stage_public_s3_list.test

@@ -0,0 +1,11 @@
+statement ok
+DROP STAGE IF EXISTS wizardbend_tpch
+
+statement ok
+CREATE OR REPLACE STAGE wizardbend_tpch URL='s3://wizardbend/TPC-H/1TB/customer/'
+
+statement ok
+LIST @wizardbend_tpch
+
+statement ok
+DROP STAGE IF EXISTS wizardbend_tpch