Configure authentication and permissions for your providers to start using Kuba securely.

☁️

Google Cloud Platform

Secret Manager integration with service accounts and workload identity

☁️

AWS

Secrets Manager with IAM roles and access keys

☁️

Azure

Key Vault with service principals and managed identity

☁️

OpenBao

Self-hosted secrets with tokens and namespaces

🔐

Bitwarden Secrets Manager

Bitwarden Secrets Manager with cloud or self-hosted instances

🛠️

Local

Use for hard-coded non-sensitive values during development

Configure a Bitwarden Secrets Manager access token and organization ID:

export BITWARDEN_ACCESS_TOKEN="your-access-token"    # or ACCESS_TOKEN
export BITWARDEN_ORGANIZATION_ID="your-organization-id"

You can also set the organization ID in your kuba.yaml via the project field when using the bitwarden provider; that value is treated as the Bitwarden organization ID.

To use a self-hosted Bitwarden instance, configure the API and identity URLs:

export BITWARDEN_API_URL="https://your-bitwarden.example.com/api"
export BITWARDEN_IDENTITY_URL="https://your-bitwarden.example.com/identity"

Optional: if you want the Bitwarden SDK to reuse its own state between Kuba runs (for example, to avoid re-initializing some internal session data), you can point it at a state file. The SDK will create and maintain this file itself:

export BITWARDEN_STATE_FILE="$HOME/.local/share/kuba/bitwarden_state.json"

Treat this file as sensitive: keep it outside version control and in a user-scoped data directory (for example, ~/.local/share/kuba on Linux/macOS or %LOCALAPPDATA%\kuba on Windows). You still need a valid Bitwarden access token; the state file complements it rather than replacing it.

3. Configuration Example

In your kuba.yaml, use the bitwarden provider. The secret-key values must be Bitwarden secret IDs:

default:
  provider: bitwarden
  # Optional: if omitted, BITWARDEN_ORGANIZATION_ID must be set
  project: "your-bitwarden-organization-id"
  env:
    DATABASE_URL:
      secret-key: "bitwarden-secret-id-for-database-url"
    API_KEY:
      secret-key: "bitwarden-secret-id-for-api-key"
    SOME_HARD_CODED_ENV:
      value: "hard-coded-value"

Note: Bitwarden support in Kuba currently only supports secret-key mappings (by secret ID). secret-path mappings are not available for the bitwarden provider.

Application Default Credentials

Use gcloud for local development:

gcloud auth application-default login
OR

Service Account Key

Set the GOOGLE_APPLICATION_CREDENTIALS environment variable:

export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account-key.json"
OR

Workload Identity

For GKE or other GCP services, use workload identity.

If running on Compute Engine, the default service account will be used automatically.

2. Enable Secret Manager API

Make sure the Secret Manager API is enabled in your GCP project:

gcloud services enable secretmanager.googleapis.com

3. IAM Permissions

Ensure your service account has the Secret Manager Secret Accessor role:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:YOUR_SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor"

4. Configuration Example

default:
  provider: gcp
  project: 1337
  env:
    DATABASE_URL:
      secret-key: "database-connection-string"
    API_KEY:
      secret-key: "external-api-key"

Environment Variables

Set AWS credentials:

export AWS_ACCESS_KEY_ID="your-access-key"
export AWS_SECRET_ACCESS_KEY="your-secret-key"
export AWS_REGION="us-east-1"
OR

AWS Profile

Use a specific profile from your AWS credentials file:

export AWS_PROFILE="my-profile"
export AWS_REGION="us-east-1"
OR

IAM Roles

If running on EC2, ECS, or other AWS services, use IAM roles.

OR

AWS CLI

Use aws configure to set up your credentials.

2. IAM Permissions

Ensure your AWS credentials have the secretsmanager:GetSecretValue permission:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:region:account:secret:secret-name-*"
    }
  ]
}

3. Configuration Example

default:
  provider: aws
  env:
    DATABASE_URL:
      secret-key: "database-connection-string"
    API_KEY:
      secret-key: "external-api-key"

Service Principal

Set the following environment variables:

export AZURE_KEY_VAULT_URL="https://yourvault.vault.azure.net/"
export AZURE_TENANT_ID="your-tenant-id"
export AZURE_CLIENT_ID="your-client-id"
export AZURE_CLIENT_SECRET="your-client-secret"
OR

Managed Identity

If running on Azure services with managed identity enabled.

OR

Default Azure Credential

Uses Azure CLI, Visual Studio Code, or other Azure tools.

2. Key Vault Permissions

Ensure your Azure credentials have the Get and List permissions for secrets in your Key Vault.

3. Configuration Example

default:
  provider: azure
  env:
    DATABASE_URL:
      secret-key: "database-connection-string"
    API_KEY:
      secret-key: "external-api-key"

1. Setup

Make sure you have an OpenBao server running and accessible.

Set up authentication using environment variables:

export OPENBAO_ADDR="http://localhost:8200"  # Required: OpenBao server address
export OPENBAO_TOKEN="your-openbao-token"    # Optional: Authentication token
export OPENBAO_NAMESPACE="your-namespace"     # Optional: Namespace (if using enterprise features)

3. Permissions

Ensure your OpenBao token has read permissions for the secrets you want to access.

4. Configuration Example

default:
  provider: openbao
  env:
    DATABASE_URL:
      secret-key: "secret/database-url"
    API_KEY:
      secret-key: "secret/api-key"

Note: OpenBao secrets are stored as key-value pairs. If a secret contains multiple keys, Kuba will return the first string value it finds.

Make sure to use the local provider only for non-sensitive values.

2. Configuration Example

default:
  provider: local
  env:
    LOG_ENV:
      value: "local"
    LOG_LEVEL:
      value: "debug"

Multi-Provider Configuration

Using Multiple Providers

You can use different cloud providers in the same configuration:

default:
  provider: gcp
  project: 1337
  env:
    GCP_SECRETS:
      secret-path: "app-config"
      provider: gcp
    AWS_SECRETS:
      secret-path: "app-config"
      provider: aws
    AZURE_SECRETS:
      secret-path: "app-config"
      provider: azure
      project: "my-azure-project"
    OPENBAO_SECRETS:
      secret-path: "app-config"
      provider: openbao
    BITWARDEN_DATABASE:
      # Bitwarden secrets are addressed by secret ID; this maps a single secret ID
      secret-key: "bitwarden-secret-id-for-database-url"
      provider: bitwarden

Security Best Practices

Authentication

  • Use service accounts with minimal permissions
  • Rotate credentials regularly
  • Use managed identities when possible
  • Avoid hardcoding credentials

Permissions

  • Follow principle of least privilege
  • Use role-based access control
  • Limit access to production secrets
  • Monitor access patterns

Network Security

  • Use private networks when possible
  • Enable VPC endpoints for AWS
  • Use private service connect for GCP
  • Restrict access by IP when applicable

Monitoring

  • Enable audit logging
  • Set up alerts for unusual access
  • Monitor secret rotation
  • Track usage patterns

Troubleshooting

Common Issues

Authentication Errors

Check your credentials and ensure they haven't expired. Verify the authentication method you're using.

Permission Errors

Ensure your credentials have the necessary permissions to access the secrets specified in your configuration.

Network Issues

Check your network connectivity and firewall settings. Ensure you can reach the cloud provider APIs.

Debug Mode

Enable debug mode to see detailed information about authentication and API calls:

kuba run --debug -- echo "Testing connection"

Next Steps

Configuration Guide

Learn how to set up your kuba.yaml configuration file.

Configuration Guide

Usage Examples

See practical examples of how to use your configured providers.

Examples Guide