Class FileDataSourceConfiguration

java.lang.Object
org.elasticsearch.xpack.esql.datasources.spi.DataSourceConfiguration
org.elasticsearch.xpack.esql.datasources.spi.FileDataSourceConfiguration

public abstract class FileDataSourceConfiguration extends DataSourceConfiguration
Base configuration for file-based external sources (S3, GCS, Azure). Handles the auth mode and the cross-field rules that bind it to the credential fields.

auth is an explicit mode switch with these canonical values:

  • auto (the default when auth is omitted) — resolve the mode from the fields present: federated authentication settings → federated_identity, a stored secret → static_credentials (the auth value itself stays auto and is not rewritten). A credential-less auto config is unresolvable and is rejected at create time by validate(org.elasticsearch.common.ValidationException) — not deferred to the storage provider. Never resolves to anonymous or managed_identity — those are opt-in only.
  • anonymous — public / unauthenticated access (no credentials).
  • static_credentials — a stored long-lived secret.
  • federated_identity — issuer-minted OIDC federation (federated settings such as a role ARN + audience).
  • managed_identity — the node's ambient cloud identity (instance profile / IMDS / metadata server); gated by a cluster setting.

Backwards compatibility: the former value names none and workload_identity are still accepted, canonicalized to anonymous and managed_identity on parse (so a stored configuration and every later read hold the canonical value), and each use emits a deprecation warning. See normalize(Map) and DEPRECATED_AUTH_ALIASES.

Credential-conflict detection is automatic — any field marked secret or federated auth that has a value set is treated as an authentication setting, and the two kinds cannot be combined.