diff --git a/br/pkg/storage/gcs.go b/br/pkg/storage/gcs.go
index ac5098ed16973..c5a0adccfa6a2 100644
--- a/br/pkg/storage/gcs.go
+++ b/br/pkg/storage/gcs.go
@@ -288,6 +288,9 @@ func NewGCSStorage(ctx context.Context, gcs *backuppb.GCS, opts *ExternalStorage
 	if gcs.Endpoint != "" {
 		clientOps = append(clientOps, option.WithEndpoint(gcs.Endpoint))
 	}
+	// the HTTPClient should has credential, currently the HTTPClient only has the http.Transport.
+	// So we remove the HTTPClient in the storage.New().
+	// Issue: https: //github.com/pingcap/tidb/issues/47022
 	if opts.HTTPClient != nil {
 		clientOps = append(clientOps, option.WithHTTPClient(opts.HTTPClient))
 	}
diff --git a/br/pkg/storage/storage.go b/br/pkg/storage/storage.go
index a62ad8a509986..8f22d65ccb3bd 100644
--- a/br/pkg/storage/storage.go
+++ b/br/pkg/storage/storage.go
@@ -132,7 +132,9 @@ type ExternalStorageOptions struct {
 	NoCredentials bool
 
 	// HTTPClient to use. The created storage may ignore this field if it is not
-	// directly using HTTP (e.g. the local storage).
+	// directly using HTTP (e.g. the local storage) or use self-design HTTP client
+	// with credential (e.g. the gcs).
+	// NOTICE: the HTTPClient is only used by s3 storage and azure blob storage.
 	HTTPClient *http.Client
 
 	// CheckPermissions check the given permission in New() function.
@@ -182,6 +184,9 @@ func New(ctx context.Context, backend *backuppb.StorageBackend, opts *ExternalSt
 		if backend.Gcs == nil {
 			return nil, errors.Annotate(berrors.ErrStorageInvalidConfig, "GCS config not found")
 		}
+		// the HTTPClient should has credential, currently the HTTPClient only has the http.Transport.
+		// Issue: https: //github.com/pingcap/tidb/issues/47022
+		opts.HTTPClient = nil
 		return NewGCSStorage(ctx, backend.Gcs, opts)
 	case *backuppb.StorageBackend_AzureBlobStorage:
 		return newAzureBlobStorage(ctx, backend.AzureBlobStorage, opts)