Skip to main content

Amazon S3

Configure Amazon S3 credentials

MotherDuck offers two ways to provide Amazon S3 credentials.

  • Create a SECRET object in MotherDuck. MotherDuck securely stores your Amazon S3 credentials, enabling you to query Amazon S3 without supplying credentials each time.
  • Use SET commands to provide credentials. Like DuckDB, credentials configured this way do not persist and must be provided every session.

If you configure Amazon S3 credentials using SET commands and have credentials stored in a SECRET object, MotherDuck will first try using credentials defined using the SET commands.

Create a SECRET object

You can safely store your Amazon S3 credentials in MotherDuck for convenience by creating a SECRET object using the CREATE SECRET command.

S3_ACCESS_KEY_ID 'access-key',
S3_SECRET_ACCESS_KEY 'secret-key',
S3_REGION 'us-east-1'

-- test the s3 credentials
SELECT count(*) FROM 's3://<bucket>/<file>';
  • You currently can only have one SECRET object.
  • You can only use permanent Amazon S3 secrets - temporary S3 secrets are not supported.
  • DDL syntax for managing SECRET objects is coming soon.

You can update your secret by executing CREATE OR REPLACE SECRET command to overwrite your secret.

Delete a SECRET object

You can use the same method above, using the DROP SECRET command.


Use SET commands for Amazon S3 credentials

MotherDuck supports DuckDB syntax for providing S3 credentials.

SET s3_access_key_id = '<AWS access key id>';
SET s3_secret_access_key = '<AWS secret access key>';
SET s3_region = 'us-east-1';

Setting credentials through SET commands are not persisted across sessions.