eloqdata · thweetkomputer · Feb 5, 2026 · github-actions · Feb 5, 2026 · github-actions
diff --git a/include/kv_options.h b/include/kv_options.h
@@ -174,6 +174,11 @@ struct KvOptions
      * @brief Secret key for cloud storage.
      */
     std::string cloud_secret_key = "minioadmin";
+    /**
+     * @brief Automatically retrieve credentials from the environment or
+     * instance metadata rather than using cloud_access_key/cloud_secret_key.
+     */
+    bool cloud_auto_credentials = false;
     /**
      * @brief Whether to verify TLS certificates when talking to the cloud
      * endpoint.

diff --git a/rust/eloqstore-sys/src/lib.rs b/rust/eloqstore-sys/src/lib.rs
@@ -160,6 +160,10 @@ mod ffi {
             access_key: *const c_char,
             secret_key: *const c_char,
         );
+        pub fn CEloqStore_Options_SetCloudAutoCredentials(
+            opts: CEloqStoreHandle,
+            enable: bool,
+        );
         pub fn CEloqStore_Options_SetCloudVerifySsl(opts: CEloqStoreHandle, verify: bool);
         pub fn CEloqStore_Options_Validate(opts: CEloqStoreHandle) -> bool;
 

diff --git a/rust/eloqstore-sys/src/types.rs b/rust/eloqstore-sys/src/types.rs
@@ -179,6 +179,7 @@ pub struct KvOptions {
     cloud_region: *mut c_char,
     cloud_access_key: *mut c_char,
     cloud_secret_key: *mut c_char,
+    cloud_auto_credentials: bool,
     cloud_verify_ssl: bool,
 }
 
@@ -199,6 +200,7 @@ impl Default for KvOptions {
             cloud_region: ptr::null_mut(),
             cloud_access_key: ptr::null_mut(),
             cloud_secret_key: ptr::null_mut(),
+            cloud_auto_credentials: false,
             cloud_verify_ssl: false,
         }
     }
@@ -253,6 +255,10 @@ impl KvOptions {
         Self::set_cstring_ptr(&mut self.cloud_access_key, access_key);
         Self::set_cstring_ptr(&mut self.cloud_secret_key, secret_key);
     }
+
+    pub fn set_cloud_auto_credentials(&mut self, enable: bool) {
+        self.cloud_auto_credentials = enable;
+    }
 }
 
 impl Drop for KvOptions {

diff --git a/rust/eloqstore-sys/vendor/ffi/include/eloqstore_capi.h b/rust/eloqstore-sys/vendor/ffi/include/eloqstore_capi.h
@@ -155,6 +155,8 @@ extern "C"
     void CEloqStore_Options_SetCloudCredentials(CEloqStoreHandle opts,
                                                 const char *access_key,
                                                 const char *secret_key);
+    void CEloqStore_Options_SetCloudAutoCredentials(CEloqStoreHandle opts,
+                                                    bool enable);
     void CEloqStore_Options_SetCloudVerifySsl(CEloqStoreHandle opts,
                                               bool verify);
 

diff --git a/rust/eloqstore-sys/vendor/ffi/src/eloqstore_capi.cpp b/rust/eloqstore-sys/vendor/ffi/src/eloqstore_capi.cpp
@@ -233,6 +233,13 @@ extern "C"
         }
     }
 
+    void CEloqStore_Options_SetCloudAutoCredentials(CEloqStoreHandle opts,
+                                                    bool enable)
+    {
+        if (opts)
+            reinterpret_cast<KvOptions *>(opts)->cloud_auto_credentials = enable;
+    }
+
     void CEloqStore_Options_SetCloudVerifySsl(CEloqStoreHandle opts,
                                               bool verify)
     {

diff --git a/rust/eloqstore/src/store.rs b/rust/eloqstore/src/store.rs
@@ -110,6 +110,10 @@ impl Options {
         Ok(())
     }
 
+    pub fn set_cloud_auto_credentials(&mut self, enable: bool) {
+        unsafe { eloqstore_sys::CEloqStore_Options_SetCloudAutoCredentials(self.ptr, enable) }
+    }
+
     pub fn set_cloud_verify_ssl(&mut self, verify: bool) {
         unsafe { eloqstore_sys::CEloqStore_Options_SetCloudVerifySsl(self.ptr, verify) }
     }

diff --git a/src/kv_options.cpp b/src/kv_options.cpp
@@ -264,6 +264,11 @@ int KvOptions::LoadFromIni(const char *path)
         cloud_secret_key =
             reader.Get(sec_permanent, "cloud_secret_key", cloud_secret_key);
     }
+    if (reader.HasValue(sec_permanent, "cloud_auto_credentials"))
+    {
+        cloud_auto_credentials = reader.GetBoolean(
+            sec_permanent, "cloud_auto_credentials", cloud_auto_credentials);
+    }
     if (reader.HasValue(sec_permanent, "cloud_verify_ssl"))
     {
         cloud_verify_ssl = reader.GetBoolean(
@@ -358,6 +363,7 @@ bool KvOptions::operator==(const KvOptions &other) const
            cloud_region == other.cloud_region &&
            cloud_access_key == other.cloud_access_key &&
            cloud_secret_key == other.cloud_secret_key &&
+           cloud_auto_credentials == other.cloud_auto_credentials &&
            cloud_verify_ssl == other.cloud_verify_ssl &&
            data_page_size == other.data_page_size &&
            pages_per_file_shift == other.pages_per_file_shift &&

diff --git a/src/storage/object_store.cpp b/src/storage/object_store.cpp
@@ -2,6 +2,7 @@
 
 #include <aws/core/Aws.h>
 #include <aws/core/auth/AWSCredentialsProvider.h>
+#include <aws/core/auth/AWSCredentialsProviderChain.h>
 #include <aws/core/auth/signer/AWSAuthV4Signer.h>
 #include <aws/core/client/ClientConfiguration.h>
 #include <aws/core/http/Scheme.h>
@@ -576,6 +577,14 @@ class AwsCloudBackend : public CloudBackend
     virtual std::shared_ptr<Aws::Auth::AWSCredentialsProvider>
     BuildCredentialsProvider() const
     {
+        if (options_ && options_->cloud_auto_credentials)
+        {
+            // TODO: extend this to support GCP-native credential sources when
+            // the provider is gcs (e.g. metadata server, service accounts).
+            return Aws::MakeShared<
+                Aws::Auth::DefaultAWSCredentialsProviderChain>(
+                "eloqstore");
+        }
         return Aws::MakeShared<Aws::Auth::SimpleAWSCredentialsProvider>(
             "eloqstore",
             options_->cloud_access_key.c_str(),

diff --git a/tests/common.h b/tests/common.h
@@ -2,6 +2,7 @@
 
 #include <aws/core/Aws.h>
 #include <aws/core/auth/AWSCredentials.h>
+#include <aws/core/auth/AWSCredentialsProviderChain.h>
 #include <aws/core/client/ClientConfiguration.h>
 #include <aws/core/http/Scheme.h>
 #include <aws/s3/S3Client.h>
@@ -226,13 +227,26 @@ class S3TestClient
         bool verify_ssl =
             opts.cloud_endpoint.empty() ? false : opts.cloud_verify_ssl;
         config.verifySSL = verify_ssl;
-        Aws::Auth::AWSCredentials credentials(opts.cloud_access_key.c_str(),
-                                              opts.cloud_secret_key.c_str());
-        client_ = std::make_unique<Aws::S3::S3Client>(
-            credentials,
-            config,
-            Aws::Client::AWSAuthV4Signer::PayloadSigningPolicy::Never,
-            false);
+        if (opts.cloud_auto_credentials)
+        {
+            credentials_provider_ = Aws::MakeShared<
+                Aws::Auth::DefaultAWSCredentialsProviderChain>("eloqstore");
+            client_ = std::make_unique<Aws::S3::S3Client>(
+                credentials_provider_,
+                config,
+                Aws::Client::AWSAuthV4Signer::PayloadSigningPolicy::Never,
+                false);
+        }
+        else
+        {
+            Aws::Auth::AWSCredentials credentials(
+                opts.cloud_access_key.c_str(), opts.cloud_secret_key.c_str());
+            client_ = std::make_unique<Aws::S3::S3Client>(
+                credentials,
+                config,
+                Aws::Client::AWSAuthV4Signer::PayloadSigningPolicy::Never,
+                false);
+        }
     }
 
     ~S3TestClient() = default;
@@ -243,6 +257,7 @@ class S3TestClient
     }
 
 private:
+    std::shared_ptr<Aws::Auth::AWSCredentialsProvider> credentials_provider_;
     std::unique_ptr<Aws::S3::S3Client> client_;
 };