How to Open Parquet from S3 Privately in Your Browser
Query Parquet on AWS S3, Cloudflare R2, GCS, or MinIO without uploading files to a third-party viewer. viewparquet streams from the bucket with DuckDB-WASM — your credentials stay in the browser.
Most Parquet workflows eventually land in object storage — analytics buckets on AWS S3, exports on Cloudflare R2, or a MinIO cluster behind the firewall. The usual next step is a notebook or CLI script just to peek at schema and row counts. viewparquet lets you do that in the browser instead: point at the object, run SQL, and inspect results — without uploading the file to us.
This guide walks through every path in Open from S3 / URL and how to stay private while doing it.
What stays private
viewparquet never receives your dataset. When you open a remote source:
- DuckDB-WASM in your tab fetches byte ranges from the URL or bucket (HTTP range reads for Parquet footers and row groups).
- Access keys and session tokens are registered as an in-browser DuckDB secret — they sign requests locally and are not sent to viewparquet servers.
- Recent sources are remembered without secrets so you can reopen public URLs in one click; private buckets prompt you to re-enter keys.
You can confirm in DevTools → Network: traffic goes to your bucket or CDN, not to viewparquet.
Path 1: Public HTTPS or presigned URL
Best for: open datasets, short-lived presigned links, or any object already reachable over HTTPS.
- Open the [viewer](/viewer) and click Open from S3 / URL (or land with
?open=remote). - Choose the URL tab.
- Paste a full HTTPS URL, for example:
- Leave format on Auto-detect unless you know the type.
- Click Open.
DuckDB's httpfs extension loads inside WASM and streams the file. No credentials required.
Path 2: Public `s3://` objects
Best for: anonymously readable buckets (common for public datasets).
Use the URL tab with an s3:// URI:
s3://my-public-bucket/path/to/file.parquetDuckDB resolves the bucket in your chosen region (default us-east-1 for anonymous reads). If the object is not public, switch to the credentials path below.
Path 3: Private buckets (AWS, R2, GCS, MinIO)
Best for: production data that requires SigV4 signing.
- Open Open from S3 / URL → Credentials tab.
- Pick a provider preset:
- Enter the
s3://bucket/keypath to your Parquet (or CSV / JSON) object. - Optionally add a session token for temporary STS credentials.
- Click Open.
Keys exist only for the current browser session's DuckDB instance. They are not persisted in localStorage. Reopening a saved private source from Recent will ask for credentials again — by design.
After the file is open
Once loaded, the workbench behaves the same as a local file:
- SQL editor — full DuckDB syntax, multi-tab queries, exports
- Results grid — virtualized scrolling and column stats
- AI assistant (optional) — bring your own OpenRouter key; control data sharing in Settings → AI
Remote Parquet uses the same streaming pipeline as large local files: DuckDB reads row groups on demand instead of materializing the entire object up front.
Tips and troubleshooting
| Symptom | What to try |
|---|---|
| 403 / Access Denied | Check bucket policy, object ACL, or IAM permissions; confirm region and key scope |
| CORS errors on HTTPS URLs | The bucket must allow GET from browser origins, or use presigned URLs |
| Wrong format detected | Set format explicitly (Parquet, CSV, JSON, etc.) |
| R2 / GCS signing fails | Verify endpoint host (no https:// prefix) and path-style vs vhost defaults |
Compare to CLI DuckDB
If you already use DuckDB locally, the mental model is the same — read_parquet('s3://…') with a configured secret — except everything runs in WASM and the UI handles secrets through the dialog instead of a .duckdbrc file.
Try it
[Open the viewer](/viewer?open=remote) and connect your first bucket, or start with a [public Parquet sample](/) from disk to learn the SQL panel before pointing at S3.
Questions? See [Support](/support) or the [Parquet FAQ](/parquet-faq) entry on cloud storage.