Revamp DuckDB secret management #697
Merged
96b42cd to
90f8916
JelteF
requested changes
Apr 14, 2025
| SELECT * FROM duckdb.query($$ | ||
| SELECT | ||
| name, | ||
| map_from_entries( |
Collaborator
Author
It allows us to have a cleaner output, which makes it easier to test the expected output. Will probably simplify before merging.
107bbdf to
5fa66cd
JelteF
approved these changes
Apr 15, 2025
Collaborator
JelteF
left a comment
Some small nitpicks really
But use global variable instead
7a4c33a to
999f808
JelteF
approved these changes
Apr 15, 2025
Y--
added a commit
that referenced
this pull request
Apr 23, 2025
Follow-up of #697: add support for `ALTER SERVER` syntax
In #668 we changed the configuration of MotherDuck tokens to use `FOREIGN SERVER` + `USER MAPPING` under the hood, along with some helper functions for the most common usages to get people started.

In this PR, we align our secrets management with the same mechanism. That way different PG users can use different S3 tokens to connect to the same bucket. We also introduce two helper functions, `create_simple_secret` and `create_azure_secret`, for the most basic usage.

We are now validating secrets using DuckDB directly and store whatever the user provides as long as it leads to a valid secret creation. This allows us to support virtually any kind of secret type and its options that DuckDB supports.

Since `SERVER` options are visible to any PG user, the sensitive ones such as `connection_string`, `secret`, `session_token` and `token` are prohibited in its definition and must be stored in the `USER MAPPING`.

DuckDB secrets are created by concatenating `SERVER` and `USER MAPPING` options (if they exist).

Implements #683
Fixes #104
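
An audit check for the `SERVER` / `USER MAPPING` split described above, as an added example that is not part of the PR or the project's code: it shows where each kind of option goes and lists any foreign server whose world-readable options include one of the sensitive keys the description names. The wrapper name `duckdb`, the server name, and the region and credential values are assumptions or constructed placeholders.

```sql
-- Added example, not pg_duckdb's own code. Assumptions: the foreign data
-- wrapper is named duckdb; the server name and all option values below
-- are constructed placeholders.

-- Non-sensitive options go on the SERVER (readable by every PG user).
CREATE SERVER example_s3_secret
    TYPE 's3'
    FOREIGN DATA WRAPPER duckdb
    OPTIONS (region 'us-east-1');

-- Sensitive options go on the USER MAPPING, one mapping per PG user.
CREATE USER MAPPING FOR CURRENT_USER
    SERVER example_s3_secret
    OPTIONS (key_id 'EXAMPLE_KEY_ID', secret 'EXAMPLE_SECRET_VALUE');

-- Audit: pg_foreign_server.srvoptions stores each option as 'key=value'
-- text. Any row returned is a sensitive option sitting in a server
-- definition, where every PG user can read it.
SELECT s.srvname,
       split_part(o.opt, '=', 1) AS option_name
FROM pg_foreign_server AS s
JOIN pg_foreign_data_wrapper AS w ON w.oid = s.srvfdw
CROSS JOIN LATERAL unnest(s.srvoptions) AS o(opt)
WHERE w.fdwname = 'duckdb'
  AND lower(split_part(o.opt, '=', 1))
      IN ('connection_string', 'secret', 'session_token', 'token');
```

An empty result from the audit query is the expected state; the query returns only option names, so running it does not echo any secret value into logs or query history.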