
ConnectionSecret

ConnectionSecret manifests encapsulate credentials and tokens used by DuckDB to access external systems. They keep sensitive data out of datasource definitions and SQL queries.

apiVersion: rainbow.bino.bi/v1alpha1
kind: ConnectionSecret
metadata:
  name: exampleSecret
spec:
  type: postgres | mysql | s3 | gcs | http | r2 | azure | huggingface
  scope: ""       # optional path prefix
  provider: config # or credential_chain
  # one type-specific block: postgres, mysql, s3, gcs, http, r2, azure, huggingface

Type-specific blocks:

  • postgres – see postgresAuthSpec (password or passwordFromEnv).
  • mysql – see mysqlAuthSpec.
  • s3 – see s3AuthSpec (access keys, region, endpoint).
  • gcs – see gcsAuthSpec.
  • http – see httpAuthSpec (basic auth or bearer token).
  • r2 – see r2AuthSpec.
  • azure – see azureAuthSpec.
  • huggingface – see huggingfaceAuthSpec.

scope limits where a secret applies by path prefix, for example s3://my-bucket.

PostgreSQL credentials via environment variable

---
apiVersion: rainbow.bino.bi/v1alpha1
kind: ConnectionSecret
metadata:
  name: postgresCredentials
spec:
  type: postgres
  postgres:
    passwordFromEnv: POSTGRES_PASSWORD

Use the secret from a datasource:

apiVersion: rainbow.bino.bi/v1alpha1
kind: DataSource
metadata:
  name: orders_pg
spec:
  type: postgres_query
  connection:
    host: ${DB_HOST:db.example.com}
    port: 5432
    database: analytics
    schema: public
    user: reporting
    secret: postgresCredentials
  query: |
    SELECT * FROM fact_orders;
---
apiVersion: rainbow.bino.bi/v1alpha1
kind: ConnectionSecret
metadata:
  name: s3Access
spec:
  type: s3
  scope: s3://my-report-bucket
  s3:
    keyIdFromEnv: AWS_ACCESS_KEY_ID
    secretFromEnv: AWS_SECRET_ACCESS_KEY
    region: eu-central-1
---
apiVersion: rainbow.bino.bi/v1alpha1
kind: ConnectionSecret
metadata:
  name: httpApi
spec:
  type: http
  http:
    bearerTokenFromEnv: API_TOKEN
---
apiVersion: rainbow.bino.bi/v1alpha1
kind: ConnectionSecret
metadata:
  name: huggingface
spec:
  type: huggingface
  huggingface:
    tokenFromEnv: HUGGINGFACE_TOKEN

Always prefer *FromEnv fields over inline secrets in manifests.
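
One way to enforce this rule before manifests are committed, as an added example that is not the project's own code: a stdlib-only Python check that flags literal secret fields in ConnectionSecret documents and *FromEnv references whose variable is unset. The function name, the line-based parsing (no full YAML parser) and every sensitive-key pattern other than password are assumptions of this example.

```python
import os
import re

# Only `password` is named on the page; the other key patterns are assumptions.
SENSITIVE = re.compile(r"password|secret|token|key", re.IGNORECASE)
KV = re.compile(r"^\s*([A-Za-z_]\w*):\s*(.*?)\s*(?:#.*)?$")

def audit_connection_secrets(manifest_text, env):
    """Return (secret name, field, problem) for each risky ConnectionSecret field."""
    findings = []
    for doc in re.split(r"(?m)^---\s*$", manifest_text):
        pairs = [m.groups() for m in map(KV.match, doc.splitlines()) if m]
        if ("kind", "ConnectionSecret") not in pairs:
            continue  # e.g. a DataSource, whose `secret:` key is only a reference
        name = next((v for k, v in pairs if k == "name"), "<unnamed>")
        for key, value in pairs:
            value = value.strip("\"'")
            if key.endswith("FromEnv"):
                if not env.get(value):
                    findings.append((name, key, f"env var {value} is unset or empty"))
            elif SENSITIVE.search(key) and value:
                findings.append((name, key, "literal secret in manifest"))
    return findings

# Constructed sample input, trimmed to the fields the check reads.
SAMPLE = """\
kind: ConnectionSecret
metadata:
  name: inlinePg
spec:
  postgres:
    password: not-a-real-password
---
kind: ConnectionSecret
metadata:
  name: httpApi
spec:
  http:
    bearerTokenFromEnv: API_TOKEN
---
kind: DataSource
metadata:
  name: orders_pg
spec:
  connection:
    secret: postgresCredentials
"""

if __name__ == "__main__":
    print(*audit_connection_secrets(SAMPLE, os.environ), sep="\n")
```

A non-empty result can fail the pipeline step; the check reports field names and variable names only, never the values.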