
Environment Variables

Configuration and secrets via .env — no secret manager, no config service

All configuration and secrets live in a .env file. No secret manager. No config service. No extra tooling.

Variables are available everywhere in your pipeline:

| Context | How to access |
|---|---|
| SQL config files (databases, secrets) | ${VAR} |
| Starlark scripts (APIs, tokens) | env.get("VAR") |

System environment variables override .env.

.env Syntax

Standard KEY=VALUE format — no special syntax.

# Cloud credentials
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_REGION=eu-north-1

# Database
PG_HOST=db.prod.internal
PG_PASSWORD=supersecret

# API tokens
API_TOKEN=sk-1234567890

Comments (#) and blank lines are ignored. Values can be quoted with single or double quotes.

Example: API Ingestion with Credentials

# .env
API_TOKEN=sk-abc123
API_BASE_URL=https://api.example.com

# models/raw/users.star
resp = http.get(
    env.get("API_BASE_URL") + "/users",
    headers={"Authorization": env.get("API_TOKEN")},
)

for user in resp.json:
    save.row(user)

SQL Config Files

All SQL config files (secrets.sql, catalog.sql, sources.sql, etc.) support ${VAR} expansion. Variables are substituted before the SQL is sent to DuckDB.

-- config/secrets.sql
CREATE SECRET pg_secret (
    TYPE postgres,
    HOST '${PG_HOST}',
    PORT 5432,
    DATABASE 'warehouse',
    USER 'readonly',
    PASSWORD '${PG_PASSWORD}'
);

-- config/sources.sql
ATTACH 'postgresql://${PG_USER}:${PG_PASSWORD}@${PG_HOST}/warehouse' AS warehouse (READ_ONLY);
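
A pre-deploy check for the ${VAR} expansion described above, as an added example (not ondatrasql's own code). It assumes substitution is plain text replacement with no escaping, which this page does not specify; the function names and the sample .env and SQL are constructed for illustration.

```python
import re

VAR_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

def parse_dotenv(text):
    """Parse KEY=VALUE lines; '#' comment lines and blank lines are ignored."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        # Remove one pair of matching single or double quotes around the value.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        values[key.strip()] = value
    return values

def effective_env(dotenv_text, system_env):
    """Merge .env with the system environment; system variables win."""
    merged = parse_dotenv(dotenv_text)
    merged.update(system_env)
    return merged

def lint_sql(sql, env):
    """Return (name, problem) pairs; values are never included in findings."""
    findings = []
    for name in sorted(set(VAR_REF.findall(sql))):
        if name not in env:
            findings.append((name, "undefined"))
        elif "'" in env[name]:
            # Assumed textual substitution: a quote would end '...' early.
            findings.append((name, "contains single quote"))
    return findings

# Constructed sample input, modeled on the snippets on this page.
DOTENV = """\
# Database
PG_HOST=db.prod.internal
PG_PASSWORD="it's-a-sample"
"""
SQL = """\
CREATE SECRET pg_secret (TYPE postgres, HOST '${PG_HOST}', PASSWORD '${PG_PASSWORD}');
ATTACH 'postgresql://${PG_USER}:${PG_PASSWORD}@${PG_HOST}/warehouse' AS warehouse (READ_ONLY);
"""

if __name__ == "__main__":
    for name, problem in lint_sql(SQL, effective_env(DOTENV, {})):
        print(f"{name}: {problem}")
```

In a real run, pass `dict(os.environ)` as `system_env` so the check sees the same override order the pipeline uses.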

Cloud Storage Credentials

Works seamlessly with DuckDB’s credential chain. Standard environment variables (AWS_ACCESS_KEY_ID, etc.) are picked up automatically — no additional configuration.

-- config/secrets.sql
CREATE SECRET aws_chain (TYPE S3, PROVIDER credential_chain);

Event Collection

The ondatrasql daemon uses environment variables for its HTTP ports:

| Variable | Default | Description |
|---|---|---|
| COLLECT_PORT | 8080 | Public event ingestion endpoint |
| COLLECT_ADMIN_PORT | COLLECT_PORT + 1 | Internal flush API (localhost only) |

COLLECT_PORT=9090 COLLECT_ADMIN_PORT=9091 ondatrasql daemon

See Event Collection.

Security

  • .env is local — loaded at runtime, never stored in DuckLake
  • Never committed to git (.gitignore includes it by default)
  • Supports standard cloud credential variables (AWS, GCP, Azure)
  • System environment variables override .env — use this for CI/CD