---
sidebar_position: 1
title: Google Cloud Storage
description: Query files from private Google Cloud Storage buckets using the GCS S3-compatible connection.
---

import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
import CloudExecutionCallout from "./_cloud-execution-callout.mdx";

With MotherDuck, you can access files in a private Google Cloud Storage (GCS) bucket. This leverages the GCS S3 compatible connection.

## Google Cloud Storage connection process

1. Create an [HMAC key](https://docs.cloud.google.com/storage/docs/authentication/hmackeys) for the service account: Cloud Storage → Settings → Interoperability → Create a key for a service account
2. Save the Access ID and Secret (shown once)
3. Create the DuckDB secret using the HMAC credentials as described below

## Configure Google Cloud Storage credentials

You can safely store your Google Cloud Storage credentials in MotherDuck for convenience by creating a `SECRET` object using the [CREATE SECRET](/sql-reference/motherduck-sql-reference/create-secret.md) command.

### Create a SECRET object

You can safely store your Google Cloud Storage credentials in MotherDuck for convenience by creating a `SECRET` object using the [CREATE SECRET](/sql-reference/motherduck-sql-reference/create-secret.md) command.

<Tabs>
<TabItem value="sql" label="SQL">

```sql
CREATE SECRET IN MOTHERDUCK (
    TYPE GCS,
	KEY_ID 'HMAC_ACCESS_ID',
    SECRET 'HMAC_SECRET'
);

-- test GCS credentials
SELECT count(*) FROM 'gcs://<bucket>/<file>';
```

</TabItem>
<TabItem value="python" label="Python">

```python
import duckdb

con = duckdb.connect('md:')
con.sql("CREATE SECRET IN MOTHERDUCK (TYPE GCS, KEY_ID 'access_key', SECRET 'secret_key')");

# test GCS
con.sql("SELECT count(*) FROM 'gcs://<bucket>/<file>'").show()
# 42
```

</TabItem>
<TabItem value="ui" label="UI">

Click on your profile to access the `Settings` panel and click on `Secrets` menu.

![menu_1](./img/settings_access.png)
![menu_2](./img/settings_panel.png)

Then click on `Add secret` in the secrets section.

![menu_3](./img/settings_secrets_panel.png)

You will then be prompted to enter your Amazon S3 credentials.

![menu_3](./img/settings_secrets_pop_up.png)

</TabItem>
</Tabs>

You can update your secret by executing [CREATE OR REPLACE SECRET](/sql-reference/motherduck-sql-reference/create-secret.md) command to overwrite your secret.

### Delete a SECRET object

<Tabs>
<TabItem value="sql" label="SQL">

You can use the same method above, using the [DROP SECRET](/sql-reference/motherduck-sql-reference/delete-secret.md) command.

```sql
DROP SECRET <secret_name>;
```

</TabItem>

<TabItem value="ui" label="UI">

Click on your profile and access the `Settings` menu. Click on the bin icon to delete your current secrets.

![menu_4](./img/secrets_delete_4.png)

</TabItem>

</Tabs>

### Google Cloud Storage credentials as **temporary** secrets

MotherDuck supports DuckDB syntax for providing GCS credentials.

```sql
CREATE SECRET (
    TYPE GCS,
    KEY_ID 's3_access_key',
    SECRET 's3_secret_key'
);
```

:::note
Local/In-memory secrets are not persisted across sessions.
:::

<CloudExecutionCallout provider="GCS" />

## Additional resources

- [Using the S3 compatible connection in GCS](https://docs.cloud.google.com/storage/docs/aws-simple-migration)
- [HMAC Keys in Google Cloud](https://docs.cloud.google.com/storage/docs/authentication/hmackeys)