secrets.sql

On this page

Secrets: credentials for external data sources

Phase: Pre-catalog | Order: 2 | Required: No

Credentials for external systems using DuckDB’s secrets manager.

Cloud Storage

CREATE SECRET aws_chain (
    TYPE s3,
    PROVIDER credential_chain
);

CREATE SECRET s3_explicit (
    TYPE s3,
    KEY_ID '${AWS_ACCESS_KEY_ID}',
    SECRET '${AWS_SECRET_ACCESS_KEY}',
    REGION 'eu-north-1'
);

CREATE SECRET s3_scoped (
    TYPE s3,
    KEY_ID '${AWS_ACCESS_KEY_ID}',
    SECRET '${AWS_SECRET_ACCESS_KEY}',
    SCOPE 's3://prod-data/'
);

Databases

CREATE SECRET pg_secret (
    TYPE postgres,
    HOST '${PG_HOST}',
    PORT 5432,
    DATABASE 'warehouse',
    USER 'readonly',
    PASSWORD '${PG_PASSWORD}'
);

Supported Providers

S3, GCS, R2, Azure, PostgreSQL, MySQL.