DuckDB secrets
DuckDB's secrets manager is the built-in mechanism for storing and reusing credentials, such as S3 keys or Azure connection strings, needed to authenticate with cloud storage and remote services.
Overview
Before DuckDB introduced a secrets manager, credentials for accessing cloud storage (S3, Azure, GCS) had to be set as individual configuration variables per session, which was repetitive and easy to leak into scripts or notebooks. CREATE SECRET centralizes credential management: secrets are named, typed objects that DuckDB automatically matches to the relevant queries based on type and, optionally, a URL scope.
Creating a secret
Copy code
CREATE SECRET my_s3_secret (
TYPE s3,
KEY_ID 'AKIA...',
SECRET 'wJalrXUtnFEMI...',
REGION 'us-east-1'
);
By default, secrets created with CREATE SECRET are temporary (in-memory for the session). Adding PERSISTENT writes the secret to disk (in ~/.duckdb/stored_secrets by default) so it's available in future sessions:
Copy code
CREATE PERSISTENT SECRET my_persistent_secret (
TYPE s3,
KEY_ID 'AKIA...',
SECRET 'wJalrXUtnFEMI...'
);
Credential chains and scoping
Rather than hardcoding keys, a secret can use a credential provider chain to pick up credentials from the environment, AWS config files, or an instance's IAM role:
Copy code
CREATE OR REPLACE SECRET s3_secret (
TYPE s3,
PROVIDER credential_chain,
REGION 'eu-west-1'
);
Secrets can also be scoped to specific paths, so that different buckets or accounts use different credentials automatically:
Copy code
CREATE SECRET bucket_a_secret (
TYPE s3,
KEY_ID 'key1',
SECRET 'secret1',
SCOPE 's3://bucket-a'
);
Why it matters
The secrets manager supports S3, Azure, GCS, and Hugging Face, among others, and is the recommended way to authenticate httpfs-based reads and writes — it keeps credential logic out of individual queries and, with the credential chain provider, avoids embedding raw keys in SQL or scripts at all.
Related terms
The httpfs extension is DuckDB's built-in module for reading and writing files directly over HTTP(S) and from S3-compatible object storage, Azure, and Google Cloud Storage, without downloading them first.
Reading files in DuckDB →DuckDB can read CSV, Parquet, JSON, and other file formats directly with SQL table functions, whether the files are local, remote over HTTP/S3, or matched in bulk with a glob pattern.
Cloud Storage →Cloud storage refers to a model of data storage where digital information is kept on remote servers accessed through the internet, rather than on local hard…
Temporary table →A temporary table is a table scoped to a single session (or transaction) that is automatically dropped when the session ends, used for intermediate results that don't need to persist.
Object storage →Object storage is a data storage architecture that manages data as discrete objects — each with data, metadata, and a unique identifier — in a flat namespace, accessed over HTTP APIs rather than a traditional file system hierarchy.
FAQS
Persistent secrets are written unencrypted to disk by default in ~/.duckdb/stored_secrets, so file-level access control on that directory matters. Temporary (default) secrets exist only in memory for the current session.
Yes, using the SCOPE parameter when creating the secret, which lets you configure different credentials for different buckets or path prefixes and have DuckDB pick the right one automatically.
