apache · flyrain · Nov 21, 2025 · Nov 13, 2025 · Nov 20, 2025 · Nov 20, 2025
diff --git a/...sed/configuring-polaris-for-production.md → ...figuring-polaris-for-production/_index.md b/...sed/configuring-polaris-for-production.md → ...figuring-polaris-for-production/_index.md
@@ -173,7 +173,7 @@ Depending on your database, this may not be convenient as the generated credenti
 in clear text in the database.
 
 In order to provide your own credentials for `root` principal (so you can request tokens via
-`api/catalog/v1/oauth/tokens`), use the [Polaris Admin Tool]({{% ref "admin-tool" %}})
+`api/catalog/v1/oauth/tokens`), use the [Polaris Admin Tool](../../../../docs/admin-tool.md)
 
 You can verify the setup by attempting a token issue for the `root` principal:
 
@@ -234,3 +234,7 @@ profile (for example, `%prod`).
 
 The [Polaris Evolution](../evolution) page discusses backward compatibility and
 upgrade concerns.
+
+### Configuring Polaris for Cloud Storages
+
+For guidance on configuring specific cloud storage providers see child pages (links in the left-hand pane).
diff --git a/...ed/configuring-polaris-for-production/configuring-gcs-cloud-storage-specific.md b/...ed/configuring-polaris-for-production/configuring-gcs-cloud-storage-specific.md
@@ -0,0 +1,32 @@
+---
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+title: Configuring GCS Cloud Storage
+linkTitle: Configuring GCS Cloud Storage
+type: docs
+weight: 600
+---
+
+This page provides guidance for configuring GCS Cloud Storage provider for use with Polaris. It covers credential vending, IAM roles, ACL requirements, and best practices to ensure secure and reliable integration.
+
+All catalog operations in Polaris for Google Cloud Storage (GCS)—including listing, reading, and writing objects—are performed using credential vending, which issues scoped (vended) tokens for secure access.
+
+Polaris requires both IAM roles and [Hierarchical Namespace (HNS)](https://docs.cloud.google.com/storage/docs/hns-overview) ACLs (if HNS is enabled) to be properly configured. Even with the correct IAM role (e.g., `roles/storage.objectAdmin`), access to paths such as `gs://<bucket>/idsp_ns/sample_table4/` may fail with 403 errors if HNS ACLs are missing for scoped tokens. The original access token may work, but scoped (vended) tokens require HNS ACLs on the base path or relevant subpath.
+
+**Note:** HNS is not mandatory when using GCS for a catalog in Polaris. If HNS is not enabled on the bucket, only IAM roles are required for access. Always verify HNS ACLs in addition to IAM roles when troubleshooting GCS access issues with credential vending and HNS enabled.