diff --git a/core/src/services/gcs/core.rs b/core/src/services/gcs/core.rs
index 0b9e8ae84c94..445659302515 100644
--- a/core/src/services/gcs/core.rs
+++ b/core/src/services/gcs/core.rs
@@ -75,20 +75,24 @@ static BACKOFF: Lazy<ExponentialBuilder> =
     Lazy::new(|| ExponentialBuilder::default().with_jitter());
 
 impl GcsCore {
-    async fn load_token(&self) -> Result<GoogleToken> {
+    async fn load_token(&self) -> Result<Option<GoogleToken>> {
         let cred = { || self.token_loader.load() }
             .retry(&*BACKOFF)
             .await
             .map_err(new_request_credential_error)?;
 
         if let Some(cred) = cred {
-            Ok(cred)
-        } else {
-            Err(Error::new(
-                ErrorKind::ConfigInvalid,
-                "no valid credential found",
-            ))
+            return Ok(Some(cred));
+        }
+
+        if self.allow_anonymous {
+            return Ok(None);
         }
+
+        Err(Error::new(
+            ErrorKind::ConfigInvalid,
+            "no valid credential found",
+        ))
     }
 
     fn load_credential(&self) -> Result<Option<GoogleCredential>> {
@@ -112,14 +116,13 @@ impl GcsCore {
     }
 
     pub async fn sign<T>(&self, req: &mut Request<T>) -> Result<()> {
-        if self.allow_anonymous {
+        if let Some(cred) = self.load_token().await? {
+            self.signer
+                .sign(req, &cred)
+                .map_err(new_request_sign_error)?;
+        } else {
             return Ok(());
         }
-        let cred = self.load_token().await?;
-
-        self.signer
-            .sign(req, &cred)
-            .map_err(new_request_sign_error)?;
 
         // Always remove host header, let users' client to set it based on HTTP
         // version.