Use DuckDB secret vs PRAGMA for MinIO

ghukill · ghukill · commit d1af9816fd69 · 2025-07-14T10:11:54.000-04:00
Why these changes are being introduced: While PRAGMA configurations worked for direct parquet file reading in a local MinIO S3 instance, it did not work for DuckDB ATTACH statements. How this addresses that need: By using a DuckDB secret, setting the MinIO S3 endpoint and credentials there, other statments like ATTACH work as expected. This is overall a better approach anyways! The PRAGMA approach seemed like the only option originally, but this edge case of ATTACH forced revisiting it and this use of secrets does in fact work. Side effects of this change: * None Relevant ticket(s): * https://mitlibraries.atlassian.net/browse/TIMX-515
diff --git a/timdex_dataset_api/metadata.py b/timdex_dataset_api/metadata.py
@@ -115,24 +115,28 @@ def _configure_s3_connection(self) -> None:
         if os.getenv("MINIO_S3_ENDPOINT_URL"):
             self.conn.execute(
                 f"""
-            PRAGMA s3_endpoint='{urlparse(os.environ["MINIO_S3_ENDPOINT_URL"]).netloc}';
-            PRAGMA s3_access_key_id='{os.environ["MINIO_USERNAME"]}';
-            PRAGMA s3_secret_access_key='{os.environ["MINIO_PASSWORD"]}';
-            PRAGMA s3_use_ssl=false;
-            PRAGMA s3_url_style='path';
-            """
+                create or replace secret minio_s3_secret (
+                    type s3,
+                    endpoint '{urlparse(os.environ["MINIO_S3_ENDPOINT_URL"]).netloc}',
+                    key_id '{os.environ["MINIO_USERNAME"]}',
+                    secret '{os.environ["MINIO_PASSWORD"]}',
+                    region 'us-east-1',
+                    url_style 'path',
+                    use_ssl false
+                );
+                """
             )
 
         else:
             self.conn.execute(
                 """
-            create or replace secret secret (
-                type s3,
-                provider credential_chain,
-                chain 'sso;env;config',
-                refresh true
-            );
-            """
+                create or replace secret aws_s3_secret (
+                    type s3,
+                    provider credential_chain,
+                    chain 'sso;env;config',
+                    refresh true
+                );
+                """
             )
 
     def _create_full_dataset_table(self) -> None:
