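# /etc/lakehouse/secrets-go.toml — per-bucket S3 credentials.
#
# Permissions: mode 0600, root-owned is the strictest setting, but
# storaged and queryd both need to read this file and they run as the
# lakehouse user, which cannot read a root-owned 0600 file. Owner root,
# group lakehouse, mode 0640 is fine if membership of the lakehouse
# group is restricted. The file must never be world-readable.
#
# Schema is one [s3.<name>] block per bucket the storaged
# BucketRegistry should serve. G0 is single-bucket ("primary" — see
# cmd/storaged/main.go primaryBucket const). G2 multi-bucket
# federation will add more entries here.
#
# The filled-in file is DELIBERATELY NOT in version control. Operators
# copy this template, fill in real credentials, and place it at
# /etc/lakehouse/secrets-go.toml. The committed lakehouse.toml [s3]
# block has bucket=, endpoint= and region=; only the credentials live
# here.

[s3.primary]
# REPLACE_ME is a placeholder, not a usable credential.
# NOTE(review): confirm the loader rejects this placeholder at startup
# rather than sending it to the S3 endpoint.
access_key_id = "REPLACE_ME"
secret_access_key = "REPLACE_ME"

# Future G2 example — multiple buckets:
# [s3.archive]
# access_key_id = "..."
# secret_access_key = "..."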