Configure authentication and permissions for your cloud providers to start using Kuba securely.
Google Cloud Platform: Secret Manager integration with service accounts and workload identity
AWS: Secrets Manager with IAM roles and access keys
Azure: Key Vault with service principals and managed identity
OpenBao: Self-hosted secrets with tokens and namespaces
Google Cloud Platform
1. Enable Secret Manager API
Make sure the Secret Manager API is enabled in your GCP project:
gcloud services enable secretmanager.googleapis.com
2. Authentication Methods
Service Account Key
Set the GOOGLE_APPLICATION_CREDENTIALS environment variable:
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account-key.json"
Application Default Credentials
Use gcloud for local development:
gcloud auth application-default login
Workload Identity
For GKE or other GCP services, use workload identity.
Compute Engine
If running on Compute Engine, the default service account will be used automatically.
3. IAM Permissions
Ensure your service account has the Secret Manager Secret Accessor role:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member="serviceAccount:YOUR_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/secretmanager.secretAccessor"
4. Configuration Example
default:
  provider: gcp
  project: your-project-id
  mappings:
    - environment-variable: "DATABASE_URL"
      secret-key: "database-connection-string"
    - environment-variable: "API_KEY"
      secret-key: "external-api-key"
AWS
1. Authentication Methods
Environment Variables
Set AWS credentials:
export AWS_ACCESS_KEY_ID="your-access-key"
export AWS_SECRET_ACCESS_KEY="your-secret-key"
export AWS_REGION="us-east-1"
AWS Profile
Use a specific profile from your AWS credentials file:
export AWS_PROFILE="my-profile"
export AWS_REGION="us-east-1"
IAM Roles
If running on EC2, ECS, or other AWS services, use IAM roles.
AWS CLI
Use aws configure to set up your credentials.
2. IAM Permissions
Ensure your AWS credentials have the secretsmanager:GetSecretValue permission:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:region:account:secret:secret-name-*"
    }
  ]
}
3. Configuration Example
default:
  provider: aws
  mappings:
    - environment-variable: "DATABASE_URL"
      secret-key: "database-connection-string"
    - environment-variable: "API_KEY"
      secret-key: "external-api-key"
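The IAM policy in step 2 and the configuration in step 3 describe the same set of secrets, so the least-privilege policy can be derived from the mappings themselves. The following is an added example, not Kuba's own code: it assumes the AWS configuration layout shown above (default, provider, mappings, secret-key), that each secret-key is the Secrets Manager secret name, and uses a constructed region and account id.

```python
"""Build a least-privilege Secrets Manager policy from a Kuba config (added example)."""
import fnmatch
import json

# Constructed config mirroring the page's AWS example, as a dict rather than YAML.
KUBA_CONFIG = {
    "default": {
        "provider": "aws",
        "mappings": [
            {"environment-variable": "DATABASE_URL", "secret-key": "database-connection-string"},
            {"environment-variable": "API_KEY", "secret-key": "external-api-key"},
        ],
    }
}


def secret_arn_pattern(region, account, name):
    # Secrets Manager appends a random 6-character suffix to the secret name in
    # its ARN, which is why the page's Resource pattern ends in "-*".
    return f"arn:aws:secretsmanager:{region}:{account}:secret:{name}-*"


def build_policy(config, region, account, profile="default"):
    """Allow GetSecretValue only on the secrets the config actually maps."""
    section = config[profile]
    if section.get("provider") != "aws":
        raise ValueError("policy generation only applies to provider: aws")
    resources = sorted({secret_arn_pattern(region, account, m["secret-key"])
                        for m in section["mappings"]})
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": resources,
        }],
    }


def policy_allows(policy, arn):
    """True if some Allow statement for GetSecretValue matches the given ARN."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "secretsmanager:GetSecretValue":
            continue
        if any(fnmatch.fnmatchcase(arn, pat) for pat in stmt["Resource"]):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_policy(KUBA_CONFIG, "us-east-1", "123456789012"), indent=2))
```

Running the script prints a policy with one Resource entry per mapped secret; policy_allows lets you confirm that a real ARN with its random suffix is covered while unrelated secrets in the same account are not.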
Azure
1. Authentication Methods
Service Principal
Set the following environment variables:
export AZURE_KEY_VAULT_URL="https://yourvault.vault.azure.net/"
export AZURE_TENANT_ID="your-tenant-id"
export AZURE_CLIENT_ID="your-client-id"
export AZURE_CLIENT_SECRET="your-client-secret"
Managed Identity
Used automatically if running on Azure services with managed identity enabled.
Default Azure Credential
Picks up credentials from the Azure CLI, Visual Studio Code, or other Azure tools.
2. Key Vault Permissions
Ensure your Azure credentials have the Get and List permissions for secrets in your Key Vault.
3. Configuration Example
default:
  provider: azure
  mappings:
    - environment-variable: "DATABASE_URL"
      secret-key: "database-connection-string"
    - environment-variable: "API_KEY"
      secret-key: "external-api-key"
OpenBao
1. Setup
Make sure you have an OpenBao server running and accessible.
2. Authentication
Set up authentication using environment variables:
export OPENBAO_ADDR="http://localhost:8200"      # Required: OpenBao server address
export OPENBAO_TOKEN="your-openbao-token"        # Optional: Authentication token
export OPENBAO_NAMESPACE="your-namespace"        # Optional: Namespace (if using enterprise features)
3. Permissions
Ensure your OpenBao token has read permissions for the secrets you want to access.
4. Configuration Example
default:
  provider: openbao
  mappings:
    - environment-variable: "DATABASE_URL"
      secret-key: "secret/database-url"
    - environment-variable: "API_KEY"
      secret-key: "secret/api-key"
Note: OpenBao secrets are stored as key-value pairs. If a secret contains multiple keys, Kuba will return the first string value it finds.
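The "first string value" rule above means a secret holding several keys can silently map the wrong one into an environment variable. The following added example (not Kuba's code) reproduces that selection over constructed OpenBao KV API responses and flags secrets where the choice is ambiguous. It assumes the OpenBao/Vault HTTP response shapes (KV v2 nests the user keys under data.data next to metadata; KV v1 returns them directly under data) and that "first" means the order keys appear in the response.

```python
"""Check OpenBao KV secrets for the single-value assumption (added example)."""

# Constructed responses shaped like GET /v1/secret/data/<path> (KV v2)
# and GET /v1/secret/<path> (KV v1).
KV2_SINGLE = {"data": {"data": {"value": "postgres://app:pw@db:5432/app"},
                       "metadata": {"version": 3}}}
KV2_MULTI = {"data": {"data": {"username": "app", "password": "s3cr3t", "port": 5432},
                      "metadata": {"version": 1}}}
KV1_TOKEN = {"data": {"token": "tok-abc"}}
KV2_NO_STRING = {"data": {"data": {"port": 5432, "enabled": True},
                          "metadata": {"version": 1}}}


def user_keys(response):
    """Return the user-supplied key/value map from a KV v1 or v2 response."""
    data = response.get("data", {})
    if isinstance(data.get("data"), dict) and "metadata" in data:
        return data["data"]  # KV v2
    return data              # KV v1


def first_string_value(response):
    """Mirror the documented behaviour: the first string value found.

    Non-string values (numbers, booleans, lists) are skipped; None if none exist.
    """
    for value in user_keys(response).values():
        if isinstance(value, str):
            return value
    return None


def ambiguity_warnings(path, response):
    """Describe secrets where 'first string value' is not a safe mapping.

    Returns a list of human-readable warnings (empty when the secret has
    exactly one string value), so a config review can split multi-key
    secrets into one-key-per-path before relying on the mapping.
    """
    string_keys = [k for k, v in user_keys(response).items() if isinstance(v, str)]
    if not string_keys:
        return [f"{path}: no string value, Kuba would resolve nothing"]
    if len(string_keys) > 1:
        return [f"{path}: {len(string_keys)} string keys {string_keys}; "
                f"mapping would silently use {string_keys[0]!r}"]
    return []
```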
Multi-Provider Configuration
Using Multiple Providers
You can use different cloud providers in the same configuration:
default:
  provider: gcp
  project: 1337
  mappings:
    - environment-variable: "GCP_SECRETS"
      secret-path: "app-config"
      provider: gcp
    - environment-variable: "AWS_SECRETS"
      secret-path: "app-config"
      provider: aws
    - environment-variable: "AZURE_SECRETS"
      secret-path: "app-config"
      provider: azure
      project: "my-azure-project"
    - environment-variable: "OPENBAO_SECRETS"
      secret-path: "app-config"
      provider: openbao
Security Best Practices
Authentication
- Use service accounts with minimal permissions
- Rotate credentials regularly
- Use managed identities when possible
- Avoid hardcoding credentials
Permissions
- Follow the principle of least privilege
- Use role-based access control
- Limit access to production secrets
- Monitor access patterns
Network Security
- Use private networks when possible
- Enable VPC endpoints for AWS
- Use Private Service Connect for GCP
- Restrict access by IP when applicable
Monitoring
- Enable audit logging
- Set up alerts for unusual access
- Monitor secret rotation
- Track usage patterns
Troubleshooting
Common Issues
Authentication Errors
Check your credentials and ensure they haven't expired. Verify the authentication method you're using.
Permission Errors
Ensure your credentials have the necessary permissions to access the secrets specified in your configuration.
Network Issues
Check your network connectivity and firewall settings. Ensure you can reach the cloud provider APIs.
Debug Mode
Enable debug mode to see detailed information about authentication and API calls:
kuba run --debug -- echo "Testing connection"