Cloudflare R2

Configure Cloudflare R2 credentials

You can safely store your Cloudflare R2 credentials in MotherDuck for convenience by creating a SECRET object using the CREATE SECRET command.

note

See Cloudflare docs to create a Cloudflare access token.

Create a SECRET object

CREATE SECRET IN MOTHERDUCK (
TYPE R2,
KEY_ID 'your_key_id',
SECRET 'your_secret_key',
ACCOUNT_ID 'your_account_id'
);

note

The ACCOUNT_ID appears in the endpoint URL shown when you generate the API token: https://<ACCOUNT_ID>.r2.cloudflarestorage.com.

note

R2 buckets are regionless, so you do not need to specify a REGION parameter. If provided, it defaults to auto.

-- test the R2 credentials
SELECT count(*) FROM 'r2://[bucket]/[file]';

Delete a SECRET object

Secrets are deleted the same way they are created, with a SQL statement: use the DROP SECRET command.

DROP SECRET <secret_name>;

R2 credentials as temporary secrets

MotherDuck supports DuckDB syntax for providing R2 credentials.

CREATE SECRET (
TYPE R2,
KEY_ID 'your_key_id',
SECRET 'your_secret_key',
ACCOUNT_ID 'your_account_id'
);

note

Local/In-memory secrets are not persisted across sessions.

info

Even temporary, in-memory secrets are available to MotherDuck's cloud execution engine when you connect your local DuckDB instance to MotherDuck. When you query R2, the query runs on MotherDuck's servers, not your local machine, and MotherDuck uses the best-matching secret to authenticate, whether it is stored locally or in MotherDuck. For more details, see CREATE SECRET.
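Because the best-matching secret is the one used, each credential can be limited to a single bucket with DuckDB's SCOPE parameter and the match checked before any query runs. The following is an added example, not taken from the MotherDuck documentation. It assumes a DuckDB session with the httpfs extension available; the secret names, bucket names and key values are constructed placeholders.

```sql
-- Added example: all names and key values below are constructed placeholders.
-- Two temporary (in-memory) secrets, each restricted to one bucket by SCOPE,
-- so a token issued for one bucket is never offered for paths in the other.
CREATE OR REPLACE SECRET r2_analytics (
    TYPE R2,
    KEY_ID 'analytics_key_id',
    SECRET 'analytics_secret_key',
    ACCOUNT_ID 'your_account_id',
    SCOPE 'r2://analytics-bucket'
);

CREATE OR REPLACE SECRET r2_logs (
    TYPE R2,
    KEY_ID 'logs_key_id',
    SECRET 'logs_secret_key',
    ACCOUNT_ID 'your_account_id',
    SCOPE 'r2://logs-bucket'
);

-- Ask the secrets manager which secret it would select for a given path.
-- The secret whose SCOPE is the longest matching prefix of the path is chosen.
FROM which_secret('r2://analytics-bucket/events.parquet', 'r2');
FROM which_secret('r2://logs-bucket/2024/01.parquet', 'r2');

-- Review what is registered: name, where it is stored, and the scope it covers.
-- Selecting only these columns keeps key material out of query output and logs.
SELECT name, type, persistent, storage, scope
FROM duckdb_secrets();

-- Remove a credential by name once it is no longer needed.
DROP SECRET r2_logs;
```

Naming each secret also gives DROP SECRET an explicit target, which matters when more than one R2 credential is present in the session.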