
CREATE CONNECTION



Creates a connection to external storage.

Syntax

CREATE [ OR REPLACE ] CONNECTION [ IF NOT EXISTS ] <connection_name> STORAGE_TYPE = '<type>' [ <storage_params> ]

| Parameter | Description |
|---|---|
| STORAGE_TYPE | Type of storage service. Possible values include: s3, azblob, gcs, oss, and cos. |
| storage_params | Vary based on storage type and authentication method. See Connection Parameters for the complete list. |

Connection Parameters

Connections encapsulate the credentials and configuration for a specific storage backend. Choose the appropriate STORAGE_TYPE and provide the required parameters when creating the connection. The table highlights common options:

| STORAGE_TYPE | Typical parameters | Description |
|---|---|---|
| s3 | ACCESS_KEY_ID/SECRET_ACCESS_KEY, or ROLE_ARN/EXTERNAL_ID, optional ENDPOINT_URL, REGION | Amazon S3 and S3-compatible services (MinIO, Cloudflare R2, etc.). |
| azblob | ACCOUNT_NAME, ACCOUNT_KEY, ENDPOINT_URL | Azure Blob Storage. |
| gcs | CREDENTIAL (base64-encoded service account key) | Google Cloud Storage. |
| oss | ACCESS_KEY_ID, ACCESS_KEY_SECRET, ENDPOINT_URL | Alibaba Cloud Object Storage Service. |
| cos | SECRET_ID, SECRET_KEY, ENDPOINT_URL | Tencent Cloud Object Storage. |
| hf | REPO_TYPE, REVISION, optional TOKEN | Hugging Face Hub datasets and models. |

For parameter meanings, optional flags, and additional storage types, refer to Connection Parameters. Storage-specific examples follow:

    Choose an authentication method for Amazon S3 and S3-compatible services:

      CREATE CONNECTION <connection_name> STORAGE_TYPE = 's3' ACCESS_KEY_ID = '<your-access-key-id>' SECRET_ACCESS_KEY = '<your-secret-access-key>';

      | Parameter | Description |
      |---|---|
      | ACCESS_KEY_ID | Your AWS access key ID. |
      | SECRET_ACCESS_KEY | Your AWS secret access key. |

      CREATE CONNECTION <connection_name> STORAGE_TYPE = 's3' ROLE_ARN = '<your-role-arn>';

      | Parameter | Description |
      |---|---|
      | ROLE_ARN | The Amazon Resource Name (ARN) of the IAM role that TiDB Cloud Lake will assume to access your S3 resources. |

      CREATE CONNECTION <connection_name> STORAGE_TYPE = 'azblob' ACCOUNT_NAME = '<account-name>' ACCOUNT_KEY = '<account-key>' ENDPOINT_URL = 'https://<account-name>.blob.core.windows.net';
      CREATE CONNECTION <connection_name> STORAGE_TYPE = 'gcs' CREDENTIAL = '<base64-encoded-service-account>';
      CREATE CONNECTION <connection_name> STORAGE_TYPE = 'oss' ACCESS_KEY_ID = '<your-ak>' ACCESS_KEY_SECRET = '<your-sk>' ENDPOINT_URL = 'https://<region-id>[-internal].aliyuncs.com';
      CREATE CONNECTION <connection_name> STORAGE_TYPE = 'cos' SECRET_ID = '<your-secret-id>' SECRET_KEY = '<your-secret-key>' ENDPOINT_URL = '<your-endpoint-url>';
      CREATE CONNECTION <connection_name> STORAGE_TYPE = 'hf' REPO_TYPE = 'dataset' REVISION = 'main' TOKEN = '<optional-access-token>';

      Omit TOKEN for public repositories; include it for private or rate-limited assets.

      Access control requirements

      | Privilege | Object Type | Description |
      |---|---|---|
      | CREATE CONNECTION | Global | Creates a connection. |

      To create a connection, the user performing the operation or the current_role must have the CREATE CONNECTION privilege.

      Update Table Connections

      To switch an existing table to a new connection, use ALTER TABLE ... CONNECTION. This command rebinds external tables to a different connection without recreating the table.

      Examples

      Using Access Keys

      This example creates a connection to Amazon S3 named 'toronto' and establishes an external stage named 'my_s3_stage' linked to the 's3://lake-toronto' URL, using the 'toronto' connection. For more practical examples of connections, see Usage Examples.

      CREATE CONNECTION toronto STORAGE_TYPE = 's3' ACCESS_KEY_ID = '<your-access-key-id>' SECRET_ACCESS_KEY = '<your-secret-access-key>';
      CREATE STAGE my_s3_stage URL = 's3://lake-toronto' CONNECTION = (CONNECTION_NAME = 'toronto');

      Using AWS IAM Role

      This example creates a connection to Amazon S3 using an IAM role and then creates a stage that uses this connection. This approach is more secure as it doesn't require storing access keys in TiDB Cloud Lake.

      CREATE CONNECTION lake_test STORAGE_TYPE = 's3' ROLE_ARN = 'arn:aws:iam::987654321987:role/lake-test';
      CREATE STAGE lake_test URL = 's3://test-bucket-123' CONNECTION = (CONNECTION_NAME = 'lake_test');
      -- You can now query data from your S3 bucket
      SELECT * FROM @lake_test/test.parquet LIMIT 1;
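
An added example, not TiDB Cloud Lake's own code: a small Python audit that parses CREATE CONNECTION statements out of a SQL script and reports connections that embed static secrets, which the IAM role approach above avoids. The function names, the issue strings, the EXTERNAL_ID and HTTPS checks, and the sample script are assumptions made for illustration.

```python
import re

# Parameters from this page's tables whose values are long-lived secrets.
STATIC_SECRETS = {"SECRET_ACCESS_KEY", "ACCOUNT_KEY", "CREDENTIAL",
                  "ACCESS_KEY_SECRET", "SECRET_KEY", "TOKEN"}
# Token kinds: quoted literal, -- comment, statement terminator, other text.
_TOKEN = re.compile(r"'(?:[^']|'')*'|--[^\n]*|;|[^';-]+|-")
_HEAD = re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?CONNECTION\s+"
                   r"(?:IF\s+NOT\s+EXISTS\s+)?(\w+)", re.I)
_PARAM = re.compile(r"(\w+)\s*=\s*'((?:[^']|'')*)'")

def split_statements(sql):
    """Split on ';' outside quotes, dropping comments (NUL marks the cuts)."""
    parts = ["\0" if t == ";" else t
             for t in _TOKEN.findall(sql) if not t.startswith("--")]
    return "".join(parts).split("\0")

def audit_connections(sql):
    """Return {connection_name: [issue, ...]} for each CREATE CONNECTION."""
    report = {}
    for stmt in split_statements(sql):
        head = _HEAD.search(stmt)
        if not head:
            continue
        params = {k.upper(): v for k, v in _PARAM.findall(stmt[head.end():])}
        issues = [f"static secret stored: {p}"
                  for p in sorted(STATIC_SECRETS & params.keys())]
        if "ROLE_ARN" in params and "EXTERNAL_ID" not in params:
            issues.append("ROLE_ARN without EXTERNAL_ID")
        if params.get("ENDPOINT_URL", "").lower().startswith("http://"):
            issues.append("ENDPOINT_URL is not HTTPS")
        report[head.group(1)] = issues
    return report

# Constructed sample script; every name and value is a placeholder.
SAMPLE = """
CREATE CONNECTION toronto STORAGE_TYPE = 's3'
  ACCESS_KEY_ID = 'AKIAEXAMPLE' SECRET_ACCESS_KEY = 'not;a--real-key';
-- CREATE CONNECTION old STORAGE_TYPE = 's3' SECRET_ACCESS_KEY = 'x';
CREATE CONNECTION lake_test STORAGE_TYPE = 's3'
  ROLE_ARN = 'arn:aws:iam::987654321987:role/lake-test';
CREATE CONNECTION IF NOT EXISTS lake_prod STORAGE_TYPE = 's3'
  ROLE_ARN = 'arn:aws:iam::000000000000:role/example' EXTERNAL_ID = '<id>';
CREATE OR REPLACE CONNECTION minio STORAGE_TYPE = 's3' ACCESS_KEY_ID = 'k'
  SECRET_ACCESS_KEY = 's' ENDPOINT_URL = 'http://minio.example:9000';
"""

if __name__ == "__main__":
    for name, issues in audit_connections(SAMPLE).items():
        print(name, "->", issues or "ok")
```

The splitter keeps ';' and '--' that occur inside quoted values, so a secret containing either character does not truncate the statement being audited.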
