Install and load httpfs: INSTALL httpfs; LOAD httpfs
Create a persistent named secret using explicit credentials: CREATE SECRET my_s3 (TYPE s3, KEY_ID 'AKIA...', SECRET 'secret-key', REGION 'us-east-1')
To use instance/role credentials instead of static keys, use the credential_chain provider (requires the aws extension): CREATE SECRET my_s3 (TYPE s3, PROVIDER credential_chain)
Scope the secret to a specific bucket path if desired by adding SCOPE 's3://my-bucket/'
Verify by querying a file: SELECT count(*) FROM read_parquet('s3://my-bucket/data/*.parquet')
Known gotchas
DuckDB's secrets manager replaces the older SET s3_access_key_id / SET s3_secret_access_key approach; the old SET variables still work but take lower priority than secrets when both are present
CREATE SECRET stores credentials in DuckDB's secrets file on disk by default; use CREATE TEMPORARY SECRET to keep them only in memory for the session
The credential_chain provider requires the aws extension (INSTALL aws; LOAD aws) to be loaded before creating the secret; attempting it without the extension raises an unknown provider error
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp