Skip to main content

CREATE SECRET

MotherDuck enables you to store your cloud storage credentials for convenience, using the CREATE SECRET statement. There are two ways to store credentials. The first is to include all of the properties in the CREATE SECRET statement.

CREATE [OR REPLACE] SECRET (
TYPE <S3,AZURE>,
<storage-specific properties>
);

The second option is to store credentials based on the current context of CLI environment variables or configuration previously declared using SET commands.

CREATE [OR REPLACE] SECRET (TYPE <S3,AZURE>) from CONFIGURATION;

Amazon S3 example

CREATE OR REPLACE SECRET (
TYPE S3,
S3_ACCESS_KEY_ID 'xxxxxxxx',
S3_SECRET_ACCESS_KEY 'xxxxxxxxxx',
S3_REGION 'us-east-1'
);

Azure example

CREATE OR REPLACE SECRET (
TYPE AZURE,
AZURE_STORAGE_CONNECTION_STRING 'xxxxxxxx'
);
note

See Azure docs on how to configure your Azure storage account connection string.

Google Cloud Storage example

To configure credentials for Google Cloud Storage, use the same syntax as Amazon S3.

note

You must enable Google Cloud Storage interoperability to access files using Amazon S3 compatible APIs. You must also configure s3_endpoint for Google Cloud Storage.

SET s3_endpoint = 'storage.googleapis.com';
CREATE OR REPLACE SECRET (
TYPE S3,
S3_ACCESS_KEY_ID 'xxxxxxxx',
S3_SECRET_ACCESS_KEY 'xxxxxxxxxx',
S3_REGION 'not-used-but-cannot-be-blank'
);