# Capitulo 06 Gerenciamento Secrets

Notebook gerado automaticamente a partir do código fonte python.


In [None]:
# -*- coding: utf-8 -*-
"""
capitulo_06_gerenciamento_secrets
"""

# capitulo_06_gerenciamento_secrets
import duckdb
import os

# Exemplo/Bloco 1
import duckdb
con = duckdb.connect(database=':memory:')

con.execute("""
-- Criar secret temporário
CREATE SECRET my_secret (
    TYPE s3,
    KEY_ID 'AKIAIOSFODNN7EXAMPLE',
    SECRET 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
    REGION 'us-east-1'
);
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Criar secret persistente
CREATE PERSISTENT SECRET my_persistent_secret (
    TYPE s3,
    KEY_ID 'AKIAIOSFODNN7EXAMPLE',
    SECRET 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
);
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Configurar diretório customizado
SET secret_directory = '/path/to/my_secrets_dir';

-- Verificar diretório atual
SELECT current_setting('secret_directory');
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Aplicável a todos os buckets S3
CREATE SECRET global_secret (
    TYPE s3,
    KEY_ID 'key1',
    SECRET 'secret1',
    SCOPE 's3://'
);
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Apenas para buckets específicos
CREATE SECRET bucket1_secret (
    TYPE s3,
    KEY_ID 'key_for_bucket1',
    SECRET 'secret_for_bucket1',
    SCOPE 's3://my-bucket-1'
);

CREATE SECRET bucket2_secret (
    TYPE s3,
    KEY_ID 'key_for_bucket2',
    SECRET 'secret_for_bucket2',
    SCOPE 's3://my-bucket-2'
);
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Secret para bucket de desenvolvimento
CREATE PERSISTENT SECRET dev_secret (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'AKIA_DEV_KEY',
    SECRET 'dev_secret_key',
    REGION 'us-east-1',
    SCOPE 's3://my-dev-bucket'
);

-- Secret para bucket de produção
CREATE PERSISTENT SECRET prod_secret (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'AKIA_PROD_KEY',
    SECRET 'prod_secret_key',
    REGION 'us-east-1',
    SCOPE 's3://my-prod-bucket'
);

-- Usar automaticamente o secret correto
SELECT * FROM 's3://my-dev-bucket/data.parquet';   -- Usa dev_secret
SELECT * FROM 's3://my-prod-bucket/data.parquet';  -- Usa prod_secret
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Scope para um caminho específico dentro do bucket
CREATE SECRET analytics_secret (
    TYPE s3,
    KEY_ID 'analytics_key',
    SECRET 'analytics_secret',
    SCOPE 's3://company-data/analytics'
);

-- Este usa analytics_secret
SELECT * FROM 's3://company-data/analytics/report.parquet';

-- Este NÃO usa analytics_secret (fora do scope)
SELECT * FROM 's3://company-data/raw/data.parquet';
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Ver qual secret será usado para um path
SELECT which_secret('s3://my-bucket/file.parquet', 's3');
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Verificar múltiplos paths
SELECT
    's3://bucket-a/file.parquet' as path,
    which_secret('s3://bucket-a/file.parquet', 's3') as secret
UNION ALL
SELECT
    's3://bucket-b/file.parquet',
    which_secret('s3://bucket-b/file.parquet', 's3')
UNION ALL
SELECT
    's3://bucket-c/file.parquet',
    which_secret('s3://bucket-c/file.parquet', 's3');
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Ver todos os secrets configurados
SELECT * FROM duckdb_secrets();
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Ver apenas secrets persistentes
SELECT * FROM duckdb_secrets() WHERE persist = true;

-- Ver apenas secrets S3
SELECT * FROM duckdb_secrets() WHERE type = 's3';

-- Ver secrets com scope específico
SELECT * FROM duckdb_secrets() WHERE scope LIKE 's3://my-bucket%';
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Atualizar secret existente
CREATE OR REPLACE SECRET my_secret (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'NEW_KEY_ID',
    SECRET 'NEW_SECRET_KEY',
    REGION 'us-west-2'
);
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Atualizar e manter persistência
CREATE OR REPLACE PERSISTENT SECRET my_persistent_secret (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'UPDATED_KEY',
    SECRET 'UPDATED_SECRET'
);
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Deletar secret da sessão atual
DROP SECRET my_secret;
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Deletar secret do disco
DROP PERSISTENT SECRET my_persistent_secret;
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Não há comando direto, mas você pode fazer manualmente:
-- 1. Listar secrets
SELECT name FROM duckdb_secrets() WHERE type = 's3';

-- 2. Deletar um por um
DROP SECRET secret1;
DROP SECRET secret2;
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Secret com auto-refresh
CREATE SECRET auto_refresh_secret (
    TYPE s3,
    PROVIDER credential_chain,
    REFRESH auto
);
""")
print(con.fetchall()) # Inspect result

con.execute("""
CREATE SECRET s3_secret (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'AKIAIOSFODNN7EXAMPLE',
    SECRET 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
    REGION 'us-east-1'
);
""")
print(con.fetchall()) # Inspect result

con.execute("""
CREATE SECRET r2_secret (
    TYPE r2,
    KEY_ID 'AKIAIOSFODNN7EXAMPLE',
    SECRET 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
    ACCOUNT_ID 'my_account_id'
);
""")
print(con.fetchall()) # Inspect result

con.execute("""
CREATE SECRET gcs_secret (
    TYPE gcs,
    KEY_ID 'my_hmac_access_id',
    SECRET 'my_hmac_secret_key'
);
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Bearer token
CREATE SECRET http_auth (
    TYPE http,
    BEARER_TOKEN 'your_bearer_token'
);

-- Headers customizados
CREATE SECRET http_custom (
    TYPE http,
    EXTRA_HTTP_HEADERS MAP {
        'Authorization': 'Bearer token_value',
        'X-API-Key': 'api_key_value'
    }
);
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Empresa com múltiplos departamentos
CREATE PERSISTENT SECRET finance_secret (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'finance_key',
    SECRET 'finance_secret',
    SCOPE 's3://company-finance'
);

CREATE PERSISTENT SECRET marketing_secret (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'marketing_key',
    SECRET 'marketing_secret',
    SCOPE 's3://company-marketing'
);

CREATE PERSISTENT SECRET operations_secret (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'operations_key',
    SECRET 'operations_secret',
    SCOPE 's3://company-operations'
);

-- Queries usam automaticamente o secret correto
SELECT * FROM 's3://company-finance/reports/*.parquet';
SELECT * FROM 's3://company-marketing/campaigns/*.parquet';
SELECT * FROM 's3://company-operations/logs/*.parquet';
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Development
CREATE PERSISTENT SECRET dev (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'dev_key',
    SECRET 'dev_secret',
    REGION 'us-east-1',
    SCOPE 's3://myapp-dev'
);

-- Staging
CREATE PERSISTENT SECRET staging (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'staging_key',
    SECRET 'staging_secret',
    REGION 'us-east-1',
    SCOPE 's3://myapp-staging'
);

-- Production
CREATE PERSISTENT SECRET prod (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'prod_key',
    SECRET 'prod_secret',
    REGION 'us-east-1',
    SCOPE 's3://myapp-prod'
);
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Primary region
CREATE SECRET us_east (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'my_key',
    SECRET 'my_secret',
    REGION 'us-east-1',
    SCOPE 's3://myapp-us-east'
);

-- Secondary region
CREATE SECRET eu_west (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'my_key',
    SECRET 'my_secret',
    REGION 'eu-west-1',
    SCOPE 's3://myapp-eu-west'
);
""")
print(con.fetchall()) # Inspect result

con.execute("""
CREATE SECRET prod_secret (
       TYPE s3,
       PROVIDER credential_chain
   );
""")
print(con.fetchall()) # Inspect result

con.execute("""
CREATE SECRET limited_secret (
       TYPE s3,
       PROVIDER config,
       KEY_ID 'key',
       SECRET 'secret',
       SCOPE 's3://specific-bucket/specific-path'
   );
""")
print(con.fetchall()) # Inspect result

con.execute("""
CREATE PERSISTENT SECRET trusted_env_secret (
       TYPE s3,
       PROVIDER credential_chain
   );
""")
print(con.fetchall()) # Inspect result

con.execute("""
CREATE SECRET temp_creds (
       TYPE s3,
       PROVIDER credential_chain,
       REFRESH auto
   );
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- ❌ MAU: hardcoded no script
   CREATE SECRET bad_practice (
       TYPE s3,
       KEY_ID 'AKIAIOSFODNN7EXAMPLE',
       SECRET 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
   );
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- ❌ MAU: acesso global
   CREATE SECRET too_broad (
       TYPE s3,
       PROVIDER config,
       KEY_ID 'key',
       SECRET 'secret',
       SCOPE 's3://'  -- Acesso a TODOS os buckets
   );
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- ❌ MAU em servidor compartilhado
   CREATE PERSISTENT SECRET insecure (
       TYPE s3,
       PROVIDER config,
       KEY_ID 'key',
       SECRET 'secret'
   );
   -- Arquivo fica sem criptografia em ~/.duckdb/stored_secrets
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Listar secrets disponíveis
SELECT * FROM duckdb_secrets();

-- Criar o secret se não existir
CREATE SECRET my_secret (
    TYPE s3,
    PROVIDER credential_chain
);
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Verificar secrets com scope conflitante
SELECT * FROM duckdb_secrets() WHERE scope LIKE '%bucket-name%';

-- Solução: Use scopes mais específicos
DROP SECRET ambiguous_secret1;
CREATE SECRET specific_secret1 (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'key1',
    SECRET 'secret1',
    SCOPE 's3://bucket-name/path1'
);
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- Verificar qual secret está sendo usado
SELECT which_secret('s3://my-bucket/file.parquet', 's3');

-- Se retornar NULL, nenhum secret corresponde ao path
-- Criar secret com scope correto
CREATE SECRET correct_scope (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'key',
    SECRET 'secret',
    SCOPE 's3://my-bucket'
);
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- 1. Criar secret temporário
CREATE SECRET temp_test (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'test_key',
    SECRET 'test_secret'
);

-- 2. Verificar
SELECT * FROM duckdb_secrets() WHERE name = 'temp_test';

-- 3. Fechar e reabrir DuckDB
-- 4. Verificar novamente (não deve existir)
SELECT * FROM duckdb_secrets() WHERE name = 'temp_test';

-- 5. Criar persistente
CREATE PERSISTENT SECRET persist_test (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'test_key',
    SECRET 'test_secret'
);

-- 6. Fechar e reabrir DuckDB
-- 7. Verificar (deve existir)
SELECT * FROM duckdb_secrets() WHERE name = 'persist_test';

-- 8. Limpar
DROP PERSISTENT SECRET persist_test;
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- 1. Criar secrets com diferentes scopes
CREATE SECRET bucket_a (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'key_a',
    SECRET 'secret_a',
    SCOPE 's3://bucket-a'
);

CREATE SECRET bucket_b (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'key_b',
    SECRET 'secret_b',
    SCOPE 's3://bucket-b'
);

-- 2. Verificar qual secret é usado
SELECT which_secret('s3://bucket-a/file.parquet', 's3');
SELECT which_secret('s3://bucket-b/file.parquet', 's3');
SELECT which_secret('s3://bucket-c/file.parquet', 's3');

-- 3. Limpar
DROP SECRET bucket_a;
DROP SECRET bucket_b;
""")
print(con.fetchall()) # Inspect result

con.execute("""
-- 1. Criar múltiplos secrets
CREATE PERSISTENT SECRET secret1 (TYPE s3, PROVIDER credential_chain, SCOPE 's3://bucket1');
CREATE PERSISTENT SECRET secret2 (TYPE s3, PROVIDER credential_chain, SCOPE 's3://bucket2');
CREATE SECRET secret3 (TYPE s3, PROVIDER credential_chain, SCOPE 's3://bucket3');

-- 2. Listar todos
SELECT name, type, scope, persist FROM duckdb_secrets();

-- 3. Atualizar um
CREATE OR REPLACE PERSISTENT SECRET secret1 (
    TYPE s3,
    PROVIDER config,
    KEY_ID 'new_key',
    SECRET 'new_secret',
    SCOPE 's3://bucket1'
);

-- 4. Deletar temporário
DROP SECRET secret3;

-- 5. Deletar persistentes
DROP PERSISTENT SECRET secret1;
DROP PERSISTENT SECRET secret2;
""")
print(con.fetchall()) # Inspect result


