Skip to main content

Connection Parameters

Introduced or updated: v1.2.294

Connection parameters are key-value pairs used to establish secure links to external storage services like Amazon S3. These parameters are crucial for tasks such as creating stages, copying data into Databend, and querying external files.

For specific connection details per storage service, see the tables below.

The following table lists connection parameters for accessing an Amazon S3-like storage service:

ParameterRequired?Description
endpoint_urlYesEndpoint URL for Amazon S3-like storage service.
access_key_idYesAccess key ID for identifying the requester.
secret_access_keyYesSecret access key for authentication.
enable_virtual_host_styleNoWhether to use virtual host-style URLs. Defaults to false.
master_keyNoOptional master key for advanced data encryption.
regionNoAWS region where the bucket is located.
security_tokenNoSecurity token for temporary credentials.
note

  • If the endpoint_url parameter is not specified in the command, Databend will create the stage on Amazon S3 by default. Therefore, when you create an external stage on an S3-compatible object storage or other object storage solutions, be sure to include the endpoint_url parameter.

  • The region parameter is not required because Databend can automatically detect the region information. You typically don't need to manually specify a value for this parameter. In case automatic detection fails, Databend will default to using 'us-east-1' as the region. When deploying Databend with MinIO and not configuring the region information, it will automatically default to using 'us-east-1', and this will work correctly. However, if you receive error messages such as "region is missing" or "The bucket you are trying to access requires a specific endpoint. Please direct all future requests to this particular endpoint", you need to determine your region name and explicitly assign it to the region parameter.

Examples
CREATE STAGE my_s3_stage
  's3://my-bucket'
  CONNECTION = (
    ACCESS_KEY_ID = '<your-ak>',
    SECRET_ACCESS_KEY = '<your-sk>'
  );
  
CREATE STAGE my_minio_stage
  's3://databend'
  CONNECTION = (
    ENDPOINT_URL = 'http://localhost:9000',
    ACCESS_KEY_ID = 'ROOTUSER',
    SECRET_ACCESS_KEY = 'CHANGEME123'
  );

To access your Amazon S3 buckets, you can also specify an AWS IAM role and external ID for authentication. By specifying an AWS IAM role and external ID, you can provide more granular control over which S3 buckets a user can access. This means that if the IAM role has been granted permissions to access only specific S3 buckets, then the user will only be able to access those buckets. An external ID can further enhance security by providing an additional layer of verification. For more information, see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html

The following table lists connection parameters for accessing Amazon S3 storage service using AWS IAM role authentication:

ParameterRequired?Description
endpoint_urlNoEndpoint URL for Amazon S3.
role_arnYesARN of the AWS IAM role for authorization to S3.
external_idNoExternal ID for enhanced security in role assumption.
Examples
CREATE STAGE my_s3_stage
  's3://my-bucket'
  CONNECTION = (
    ROLE_ARN = 'arn:aws:iam::123456789012:role/my-role',
    EXTERNAL_ID = 'my-external-id'
  );
Did this page help you?
Yes
No
Join our growing community
GitHub
🌟 7.9K Stars
Slack
Twitter
YouTube