Secret Duck is a tool to convert a Keepass database into DuckDB secrets that may be loaded into DuckDB using its secret management feature. This enables secure remote resources to be queried more easily when processing data using DuckDB.
The tool will generate CREATE SECRET statements in SQL which define secrets used for DuckDB. For example:
CREATE OR REPLACE PERSISTENT SECRET my_secret (
TYPE S3,
KEY_ID '********',
SECRET '********',
SCOPE 's3://example.us-east-1.amazonaws.com'
);The tool may be installed from the Python Package Index (PyPI) using the package installer.
pip install secret-duckThe first required argument is the path of the Keepass file. You must also provide the type of secrets you want to generate e.g. S3, GCS, etc.
secret-duck --helpusage: secret-duck [-h] [--log_level {DEBUG,INFO,WARNING,ERROR,CRITICAL}] [--password PASSWORD] --type TYPE [--persistent] [--replace] [--if_not_exists] [--keys KEYS] keepass_file
positional arguments:
keepass_file Keepass database file
options:
-h, --help show this help message and exit
--log_level {DEBUG,INFO,WARNING,ERROR,CRITICAL}
--password PASSWORD
--type TYPE, -t TYPE DuckDB secret type e.g. S3
--persistent
--replace
--if_not_exists
--keys KEYS, -k KEYS JSON dictionary of key-value pairs e.g. {"region":"eu-west-2"}
To create AWS S3 secrets
secret-duck my_secrets.kdbx --type S3 --keys {\"endpoint\": \"s3.amazonaws.com\"}To create AWS S3 secrets and save the results to an SQL file
secret-duck my_secrets.kdbx --type S3 --persistent --replace --keys "{\"region\": \"eu-west-2\", \"endpoint\": \"s3.amazonaws.com\"}" > secrets.sql