Next Friday - Get Started with MotherDuck with a Live Demo and Q&ASave Your Spot

Skip to main content

CREATE SECRET

MotherDuck enables you to store your cloud storage credentials for convenience, using the familiar DuckDB CREATE SECRET syntax. See DuckDB CREATE SECRET documentation.

Make sure to add either PERSISTENT or IN MOTHERDUCK keyword to create MotherDuck secrets. Secrets stored in MotherDuck are fully encrypted.

note

You can use the PERSISTENT keyword to create a local file persistent secret in DuckDB as well. It gets stored unencrypted in the ~/.duckdb/stored_secrets directory.

When you've loaded the MotherDuck extension, PERSISTENT secrets are stored encrypted in MotherDuck. Locally persisted secrets are not impacted.

You can still create locally persisted secrets when using MotherDuck by specifying the secret storage backend: CREATE SECRET IN LOCAL_FILE.

When using MotherDuck, the statement below creates a cloud-persistent secret stored in MotherDuck.

Syntax

CREATE [OR REPLACE] PERSISTENT SECRET [secret_name] (
TYPE <S3, GCS, R2, AZURE, HUGGINGFACE>,
<storage-specific properties>
);
CREATE [OR REPLACE] SECRET [secret_name] IN MOTHERDUCK (
TYPE <S3, GCS, R2, AZURE, HUGGINGFACE>,
<storage-specific properties>
);

Secret Paramters

Below is a complete list of the supported parameters for S3, GCS, and R2 secrets:

NameDescriptionSecretTypeDefault
ENDPOINTSpecify a custom S3 endpointS3, GCS, R2STRINGs3.amazonaws.com for S3,
KEY_IDThe ID of the key to useS3, GCS, R2STRING-
REGIONThe region for which to authenticate (should match the region of the bucket to query)S3, GCS, R2STRINGus-east-1
SECRETThe secret of the key to useS3, GCS, R2STRING-
SESSION_TOKENOptionally, a session token can be passed to use temporary credentialsS3, GCS, R2STRING-
URL_COMPATIBILITY_MODECan help when URLs contain problematic charactersS3, GCS, R2BOOLEANtrue
URL_STYLEEither vhost or pathS3, GCS, R2STRINGvhost for S3, path for R2 and GCS
USE_SSLWhether to use HTTPS or HTTPS3, GCS, R2BOOLEANtrue
ACCOUNT_IDThe R2 account ID to use for generating the endpoint URLR2STRING-
KMS_KEY_IDAWS KMS (Key Management Service) key for Server Side Encryption S3S3STRING-
SCOPEScope of secret resolution; In the case of multiple matching secrets, the longest prefix is chosenS3, GCS, R2STRING-
info

Because of SSL certificate verification requirements, S3 bucket names that contain dots (.) cannot be accessed using vhost style URLs. This is due to AWS's SSL wildcard certificate (*.s3.amazonaws.com) which only validates single-level subdomains. To resolve this SSL Issue: use URL_STYLE path in your secret.

Example Usage

To manually create a S3 secret in MotherDuck:

CREATE SECRET IN MOTHERDUCK (
TYPE S3,
KEY_ID 's3_access_key',
SECRET 's3_secret_key',
REGION 'us-east-1',
SCOPE 'my-bucket-path'
);

This creates a new secret with a default name (i.e. __default_s3) and a default scope (i.e. [s3://, s3n://, s3a://]) used for path matching explained below.

info

DuckDB uses the SCOPE parameter to determine which secret to use. When using persistent secrets or public buckets, scoping the secrets is important so that the databases use the correct secret. Imprecise scoping will lead to authentication errors.

You can learn more in the DuckDB documentation.

Secret Providers

MotherDuck supports the same secret providers as DuckDB.

To create a secret by automatically fetching credentials using mechanisms provided by the AWS SDK, see AWS CREDENTIAL_CHAIN provider.

To create a secret by automatically fetching credentials using mechanisms provided by the Azure SDK, see Azure CREDENTIAL_CHAIN provider.

To create a secret by automatically fetching credentials using mechanisms provided by the Hugging Face CLI, see Hugging Face CREDENTIAL_CHAIN provider.

To store a secret from a given secret provider in MotherDuck, simply specify PERSISTENT or IN MOTHERDUCK keyword in addition.

Example Usage

To store a secret configured through aws configure:

CREATE PERSISTENT SECRET aws_secret (
TYPE S3,
PROVIDER CREDENTIAL_CHAIN
);

To store a secret configured through az configure:

CREATE SECRET azure_secret IN MOTHERDUCK (
TYPE AZURE,
PROVIDER CREDENTIAL_CHAIN,
ACCOUNT_NAME 'some-account'
);

Querying with Secrets

Secret scope is supported in the same way as in DuckDB to allow multiple secrets of the same type to be stored in MotherDuck. When there are multiple local (i.e. in memory and store in local file) and remote (i.e. MotherDuck) secrets of the same type, scope matching (secret scope against the file path) happens to determine which secret to use to open a file. Both local and remote secrets are considered in scope matching.

In the case of multiple matching secrets, the secret with the longest matching scope prefix is chosen.

In the case of multiple secrets stored in different secret storages sharing the same scope (e.g. the default scope if not specified), matching secret is chosen based on the following order: local temp secret > local_file secret > MotherDuck secret.

To see which secret (either local or remote) is being used by MotherDuck, the DuckDB which_secret table function can be used, which takes a path and the secret type.

Example Usage

To see which secret is used to open a file:

FROM which_secret('s3://my-bucket/my_dataset.parquet', 's3');
┌───────────────────────┬────────────┬────────────┐
│ name │ persistent │ storage │
varcharvarcharvarchar
├───────────────────────┼────────────┼────────────┤
│ __default_s3 │ PERSISTENT │ motherduck │
└───────────────────────┴────────────┴────────────┘