CREATE STORAGE CREDENTIAL

Creates a named storage credential that supplies authentication material to external locations.

Category: configuration
Privilege: admin
DeltaForge extension

Syntax

CREATE [OR REPLACE] STORAGE CREDENTIAL [IF NOT EXISTS] <name>
  TYPE = <credential_type>
  [OPTIONS (<key> = '<value>', ...)]
  [COMMENT '<description>']

Description

## Overview

CREATE STORAGE CREDENTIAL registers a named credential used by external locations to authenticate to cloud object storage. Storage credentials are decoupled from external locations so that a single credential can back multiple locations, and the credential's secret material can be rotated without touching location definitions.

## Behavior

- The standalone executor stores the credential in an in-memory store keyed by name. Production deployments route storage-credential commands through the Control Plane API, where credentials are persisted to the catalog and secret material is managed by the configured key store.
- Existing credential with the same name: without OR REPLACE or IF NOT EXISTS, CREATE raises an error. With OR REPLACE, the existing entry is overwritten. With IF NOT EXISTS, CREATE returns success without modifying the existing entry.
- The credential type is stored as an identifier and surfaced via DESCRIBE STORAGE CREDENTIAL. The parser does not enforce a closed enum of types; the runtime decides which types are honored.
- External locations bind to the credential by name. The binding is validated at CREATE EXTERNAL LOCATION time; the credential must exist or the location creation fails.

## Access Control

Requires the admin role. The Control Plane enforces credential management on its admin API surface.

## Compatibility

DeltaForge extension. The shape resembles managed-credential registration in other catalogs, but the syntax and supported types are DeltaForge specific.

Parameters

Name             Description
name             Specifies the unique credential name. Must be unique across storage credentials.
credential_type  Specifies the credential kind. Conventional values: `AWS_IAM_ROLE`, `AWS_ACCESS_KEY`, `AZURE_MANAGED_IDENTITY`, `AZURE_SAS_TOKEN`, `GCS_SERVICE_ACCOUNT`. The parser accepts any identifier; the credential's runtime semantics depend on the type.
options          Specifies type-specific configuration: role ARN, client id, account name, service-account JSON, and so on. Sensitive material should be supplied through the Control Plane API rather than embedded inline.
comment          Optional human-readable description shown in DESCRIBE STORAGE CREDENTIAL output.
or_replace       When true (the OR REPLACE clause), replace an existing credential of the same name in place. The new options overwrite the previous options entirely.
if_not_exists    When true (the IF NOT EXISTS clause), skip silently if a credential with this name already exists.

Examples

-- AWS IAM role
CREATE STORAGE CREDENTIAL prod_aws_role
  TYPE = AWS_IAM_ROLE
  OPTIONS (role_arn = 'arn:aws:iam::123456789012:role/DataAccess')
  COMMENT 'Production data-lake read role';
-- Azure managed identity
CREATE STORAGE CREDENTIAL prod_azure_mi
  TYPE = AZURE_MANAGED_IDENTITY
  OPTIONS (client_id = '00000000-0000-0000-0000-000000000000');
-- GCS service account
CREATE STORAGE CREDENTIAL prod_gcs_sa
  TYPE = GCS_SERVICE_ACCOUNT
  OPTIONS (service_account_email = 'data-reader@my-project.iam.gserviceaccount.com');
-- Idempotent bootstrap
CREATE STORAGE CREDENTIAL IF NOT EXISTS prod_aws_role
  TYPE = AWS_IAM_ROLE
  OPTIONS (role_arn = 'arn:aws:iam::123456789012:role/DataAccess');
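The following Python is an added example, not DeltaForge code: it parses the statement shape documented under Syntax, models the name-collision rules from the Behavior section (error without a modifier, overwrite with OR REPLACE, skip with IF NOT EXISTS), and adds a review check for the Parameters note that secret material should not be embedded inline in OPTIONS. The list of sensitive option keys and the "looks like key material" heuristic are assumptions; the page does not enumerate them. The rotation statement and the two statements carrying placeholder secrets are constructed inputs, and the page itself does not define what happens when OR REPLACE and IF NOT EXISTS are combined, so the model gives OR REPLACE precedence as a stated assumption.

```python
import re

# Assumption: option keys a reviewer would treat as secret-bearing. The page
# only says sensitive material belongs in the Control Plane API, not inline.
SENSITIVE_OPTION_KEYS = {
    "secret_access_key", "aws_secret_access_key", "sas_token",
    "client_secret", "private_key", "service_account_json",
}
# Heuristic: values that look like embedded key material, whatever the key name.
_SECRET_VALUE = re.compile(r'-----BEGIN |"private_key"')

# Statement grammar from the Syntax section. Like the DeltaForge parser, the
# TYPE is accepted as any identifier; no closed enum is enforced here.
_STMT = re.compile(
    r"""^\s*CREATE\s+(?P<replace>OR\s+REPLACE\s+)?STORAGE\s+CREDENTIAL\s+
        (?P<ifne>IF\s+NOT\s+EXISTS\s+)?(?P<name>[A-Za-z_]\w*)\s+
        TYPE\s*=\s*(?P<type>[A-Za-z_]\w*)
        (?:\s+OPTIONS\s*\((?P<opts>.*?)\))?
        (?:\s+COMMENT\s+'(?P<comment>(?:[^']|'')*)')?
        \s*;?\s*$""",
    re.IGNORECASE | re.DOTALL | re.VERBOSE,
)
_OPT = re.compile(r"([A-Za-z_]\w*)\s*=\s*'((?:[^']|'')*)'")


def parse_create_storage_credential(sql):
    """Return a dict with name, type, options, comment and the two modifiers."""
    m = _STMT.match(sql)
    if not m:
        raise ValueError("not a CREATE STORAGE CREDENTIAL statement")
    options = {k.lower(): v.replace("''", "'")
               for k, v in _OPT.findall(m.group("opts") or "")}
    return {
        "name": m.group("name"),
        "type": m.group("type").upper(),
        "options": options,
        "comment": m.group("comment"),
        "or_replace": m.group("replace") is not None,
        "if_not_exists": m.group("ifne") is not None,
    }


def inline_secret_findings(stmt):
    """Option keys whose presence means secret material was embedded inline."""
    return sorted(k for k, v in stmt["options"].items()
                  if k in SENSITIVE_OPTION_KEYS or _SECRET_VALUE.search(v))


class CredentialStore:
    """Models the standalone executor's in-memory store keyed by name."""

    def __init__(self):
        self._creds = {}

    def create(self, stmt):
        name = stmt["name"]
        if name in self._creds:
            # Assumption: OR REPLACE wins if both modifiers are present.
            if stmt["or_replace"]:
                self._creds[name] = stmt  # whole entry overwritten, options included
                return "replaced"
            if stmt["if_not_exists"]:
                return "skipped"  # success, existing entry untouched
            raise ValueError(f"storage credential {name!r} already exists")
        self._creds[name] = stmt
        return "created"

    def describe(self, name):
        return self._creds[name]


# Inputs: the first two are the page's own examples; the rest are constructed.
EXAMPLE_AWS = """CREATE STORAGE CREDENTIAL prod_aws_role
  TYPE = AWS_IAM_ROLE
  OPTIONS (role_arn = 'arn:aws:iam::123456789012:role/DataAccess')
  COMMENT 'Production data-lake read role';"""
EXAMPLE_IDEMPOTENT = """CREATE STORAGE CREDENTIAL IF NOT EXISTS prod_aws_role
  TYPE = AWS_IAM_ROLE
  OPTIONS (role_arn = 'arn:aws:iam::123456789012:role/DataAccess');"""
ROTATED_AWS = """CREATE OR REPLACE STORAGE CREDENTIAL prod_aws_role
  TYPE = AWS_IAM_ROLE
  OPTIONS (role_arn = 'arn:aws:iam::123456789012:role/DataAccessV2');"""
INLINE_SECRET = """CREATE STORAGE CREDENTIAL dev_aws_keys
  TYPE = AWS_ACCESS_KEY
  OPTIONS (access_key_id = 'ACCESS_KEY_ID_PLACEHOLDER',
           secret_access_key = 'SECRET_PLACEHOLDER');"""
INLINE_JSON = """CREATE STORAGE CREDENTIAL dev_gcs_json
  TYPE = GCS_SERVICE_ACCOUNT
  OPTIONS (credentials_json = '{"type": "service_account", "private_key": "PLACEHOLDER"}');"""

if __name__ == "__main__":
    store = CredentialStore()
    for sql in (EXAMPLE_AWS, EXAMPLE_IDEMPOTENT, ROTATED_AWS):
        stmt = parse_create_storage_credential(sql)
        print(stmt["name"], store.create(stmt), inline_secret_findings(stmt))
    for sql in (INLINE_SECRET, INLINE_JSON):
        print("inline secrets:", inline_secret_findings(parse_create_storage_credential(sql)))
```

Running the module shows the idempotent bootstrap leaving the original comment in place, the OR REPLACE rotation dropping it along with the old options (the page notes the new options overwrite the previous ones entirely), and the two constructed statements being flagged before they would reach a catalog.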

Pitfalls

See Also
