LIST SECRETS
Secrets can be listed in the same way as in DuckDB by using the table function duckdb_secrets().
Syntax
FROM duckdb_secrets();
| name | type | provider | persistent | storage | scope | secret_string |
|---|---|---|---|---|---|---|
| __default_azure | azure | credential_chain | false | memory | [azure://, az://] | name=__default_azure;type=azure;provider=credential_chain;serializable=true;scope=azure://,az://;account_name=some-account |
| __default_s3 | s3 | credential_chain | false | memory | [s3://, s3n://, s3a://] | name=__default_s3;type=s3;provider=credential_chain;serializable=true;scope=s3://,s3n://,s3a://;endpoint=s3.amazonaws.com;key_id=AKIA3N4CIOGGCVTOBT4J;region=us-east-1;secret=redacted;session_token=redacted |
| __default_r2 | r2 | config | true | motherduck | [r2://] | name=__default_r2;type=r2;provider=config;serializable=true;scope=r2://;endpoint=my_account.r2.cloudflarestorage.com;key_id=my_key;region=us-east-1;s3_url_compatibility_mode=0;secret=redacted;session_token=redacted;url_style=path;use_ssl=1 |
| __default_gcs | gcs | config | true | motherduck | [gcs://, gs://] | name=__default_gcs;type=gcs;provider=config;serializable=true;scope=gcs://,gs://;endpoint=storage.googleapis.com;key_id=my_key;region=us-east-1;s3_url_compatibility_mode=0;secret=redacted;session_token=redacted;url_style=path;use_ssl=1 |
note
DuckDB allows you to specify redact when listing secrets (it's set to true by default). However, MotherDuck secrets are always redacted for security reasons despite the flag.
Example Usage
To inspect specific field(s) in secret_string:
select
name, storage,
list_filter(split(secret_string,';'), x -> starts_with(x, 'region'))[1]
from duckdb_secrets(redact=false) where name='__default_s3';