Description
We are attempting to configure an AWS S3 data source using temporary credentials via an External Identity Provider (OIDC/SAML), as our corporate security policies strictly prohibit the use of long-term IAM Access Keys.

Our primary corporate IdP is Google Workspace. However, when we configure the connector using External Identity Provider - Assume Role With Web Identity with a GCP OAuth Client ID, the connection test fails. The system returns an HTTP 400 error indicating that the client_credentials grant type is unsupported.

Root Cause / Limitation
The current Incorta S3 connector relies on a non-interactive client_credentials grant type to perform seamless background refreshes. However, Google Workspace's OAuth mechanism strictly requires interactive user consent via a browser, which causes the non-interactive token request to be rejected by Google.

Proposed Solutions / Feature Requests
To unblock data integration projects for organizations that use Google Workspace as their exclusive IdP, we would like to request the following enhancements:

Interactive OAuth Flow Support: Implement an interactive OAuth flow for the AWS S3 connector (similar to the Google Sheets connector) that allows initial user authorization while supporting offline background refreshes.

Google Service Account Support: Allow the use of a Google Service Account (JSON key) as an alternative authentication method for this OIDC/SAML integration.

Reference
This idea is submitted based on the discussion in our recent Incorta Support Ticket.