23.1. Creating a Simple Secret (duckdb.create_simple

23.1. Creating a Simple Secret (`duckdb.create_simple_secret`)
Prev	Up	Chapter 23. Secrets	Home	Next

23.1. Creating a Simple Secret (`duckdb.create_simple_secret`) #

You can only create one simple secret for an S3 storage.

Execute the following command:

  SELECT duckdb.create_simple_secret(
      type := 'S3',
      key_id := 'access_key',
      secret := 'secret_access_key',
      session_token := 'session_security_token',
      region := 'region',
      url_style := 'URL_style',
      provider := 'credentials_provider',
      endpoint := 'endpoint_URL',
      scope := 'scope_restriction',
      validation := '',
      use_ssl := 'true_or_false'
  );

Where:

access_key and secret_access_key: The access key and secret access key for connecting to the S3 storage.
session_security_token: A temporary security session token required when using short-lived credentials (STS).
Default value: '' (empty string) — a permanent access key is used.
Optional parameter.
region: The region where the S3 storage is located.
Optional parameter.
URL_style: The URL format used to access the bucket within the S3 storage.
Possible values:
path: The bucket name is included in the path of the URL, for example, storage.example.com/my-bucket.
Optional parameter.
credentials_provider: Specifies how the access key and secret access key are provided.
Possible values:
'' (empty string): Use the provided access_key and secret_access_key.
Optional parameter.
endpoint_URL: The endpoint URL of the S3 storage.
Optional parameter.
scope_restriction: A bucket path prefix that restricts the scope of the secret to a specific location in the S3 storage.
Default value: '' (empty string) — the secret applies to all paths in the S3 storage.
Optional parameter.
validation: A service parameter, leave it empty.
true_or_false: Specifies whether to encrypt communication between Postgres Pro AXE and the S3 storage.
Optional parameter.

Postgres Pro AXE performs the following actions:

Creates a foreign server (simple_s3_secret) using the specified public S3 storage connection parameters:

  CREATE SERVER simple_s3_secret
    TYPE 'S3'
    FOREIGN DATA WRAPPER duckdb
    OPTIONS (
      region      'region',
      url_style   'URL_style',
      provider    'credentials_provider',
      endpoint    'endpoint_URL',
      scope       'scope_restriction',
      validation  '',
      use_ssl     'true_or_false'
    );

Creates a user mapping for the PUBLIC role using the specified private S3 storage connection parameters:

  CREATE USER MAPPING FOR PUBLIC
    SERVER simple_s3_secret
    OPTIONS (
      key_id        'access_key',
      secret        'secret_access_key',
      session_token 'session_security_token'
    );

Outputs the name of the created simple secret.

Example 23.1. Calling the duckdb.create_simple_secret() function

  SELECT duckdb.create_simple_secret(
      type      := 'S3',
      key_id    := 'AKIAIOSFODNN7EXAMPLE',
      secret    := 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
      region    := 'us-east-1',
      url_style := 'path',
      endpoint  := 'minio.example.com:9000',
      use_ssl   := 'false'
  );

Inside the function call:

  CREATE SERVER simple_s3_secret
    TYPE 'S3'
    FOREIGN DATA WRAPPER duckdb
    OPTIONS (region 'us-east-1', endpoint 'minio.example.com:9000', url_style 'path', use_ssl 'false');

  CREATE USER MAPPING FOR PUBLIC
    SERVER simple_s3_secret
    OPTIONS (
      key_id 'AKIAIOSFODNN7EXAMPLE',
      secret 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
    );

23.1. Creating a Simple Secret (duckdb.create_simple_secret) #

23.1. Creating a Simple Secret (`duckdb.create_simple_secret`) #