Chapter 23. Secrets

Chapter 23. Secrets
Prev	Up	Part IV. Administration	Home	Next

Table of Contents

23.1. Creating a Simple Secret (duckdb.create_simple_secret)
23.2. Retrieving Information About a Simple Secret (duckdb.show_simple_secret)
23.3. Deleting a Simple Secret (duckdb.drop_simple_secret)
23.4. Scenario: Secret Management
23.5. Scenario: Separating Read and Write Access to an S3 Storage

Postgres Pro AXE uses secrets to store credentials for connecting to S3 storages, such as MinIO.

All S3 storage operations require a secret, including:

Secrets are stored in Postgres Pro system tables using the Foreign Data Wrapper (FDW) mechanism, which is the standard Postgres Pro method for storing information about external data sources. The key components of this mechanism are:

Foreign server (simple_s3_secret): The object that stores public S3 storage connection parameters.
User mapping: The object that stores private S3 storage connection parameters for the PUBLIC role.

A secret only provides the technical ability to connect to an S3 storage, whereas the actual access to pgpro_metastore objects in this storage is managed using Postgres Pro AXE privileges (refer to the diagram below).

Figure 23.1. Two-level access management

Prev	Up	Next
22.5. Privilege Management Scenario	Home	23.1. Creating a Simple Secret (`duckdb.create_simple_secret`)