Emits metadata for a single credential-storage backend. Secret config material is never included.
DESCRIBE CREDENTIAL STORAGE [IF EXISTS] <name>## Overview DESCRIBE CREDENTIAL STORAGE emits the full non-secret metadata for a single backend: id, display_name, backend_type, description, is_active, created_at, updated_at. Secret auth material (Azure client_secret, AWS access_key, GCP service_account_json) is stored separately in the OS Keychain and is never returned by this command. ## Behavior - The HTTP adapter fetches the full list of backends and filters by display_name. For a missing name, IF EXISTS returns a 'does not exist' message and DESCRIBE without IF EXISTS raises an error. - Output is a plain text message in v1 (multi-line, one key per line). Upgrading to Arrow is tracked separately. - Non-secret OPTIONS (key_vault_name, region, project_id, auth_method, secrets_manager_prefix) are included in the config_json field of the response and are surfaced in the output. ## Access Control Requires the admin role. The Control Plane enforces vault:read on GET /vault/backends. ## Compatibility DeltaForge extension. No standard SQL equivalent.
| Name | Type | Description |
|---|---|---|
name | Specifies the display_name of the backend to describe. | |
if_exists | When true, returns a 'does not exist' message instead of an error when the backend is missing. Without IF EXISTS, a missing backend raises a user-facing error. |
-- Describe the default keychain
DESCRIBE CREDENTIAL STORAGE 'OS Keychain';-- Describe a named cloud backend
DESCRIBE CREDENTIAL STORAGE prod_azure_kv;-- Safe invocation in cleanup scripts
DESCRIBE CREDENTIAL STORAGE IF EXISTS optional_backend;