# Configure External or Delegated Credentials

Delegated credentials let you authorize Flashback using provider-native IAM identities and short-lived tokens instead of long-term static secrets.

In practice, this means:

* **Cloud Storage**: grant access via provider IAM roles/policies at bucket/container scope.
* **AI/LLM**: use provider-native identity flows (assumed roles, service accounts, managed identities, token exchanges) and pass the resulting endpoint and secret/token to Flashback's existing AI LLM configuration model.

## When to prefer delegated access

Use delegated access when you want stronger security controls in production:

* avoid long-lived keys where possible,
* centralize permissions in cloud IAM,
* enforce least privilege at narrow scope,
* rotate or expire credentials automatically,
* improve auditability via cloud provider logs.

{% hint style="info" %}
Flashback configuration still uses the product fields documented in [Configure an AI LLM](/guides/setup-the-cloud-and-ai-gateway/start-with-cloud-storage/create-a-bucket-1.md) and [Configure a Bucket](/guides/setup-the-cloud-and-ai-gateway/start-with-cloud-storage/create-a-bucket.md). The delegated patterns in this section explain how to produce those credentials/tokens securely on the provider side.
{% endhint %}

## Delegated Credentials for Cloud Storage

| Provider                                                                                                                            | Description                                                                   |
| ----------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------- |
| [**Amazon Web Services (S3)**](/guides/configure-external-delegated-credentials/configure-external-access-for-aws-s3.md)            | Configure delegated external access using IAM role assumption patterns.       |
| [**Google Cloud Platform (GCS)**](/guides/configure-external-delegated-credentials/configuring-external-access-for-gcss-buckets.md) | Configure delegated external access using service-account impersonation.      |
| [**Microsoft Azure (Blob)**](/guides/configure-external-delegated-credentials/configure-external-access-for-azure-blob.md)          | Configure delegated external access using Entra ID and RBAC role assignments. |

## Delegated Credentials for AI / LLM (Cloud-hosted providers)

| Provider                                                                                                              | Description                                                                              |
| --------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- |
| [**AWS Bedrock**](/guides/configure-external-delegated-credentials/configure-delegated-access-for-aws-bedrock.md)     | Use IAM role assumption and short-lived credentials for Bedrock invocation flows.        |
| [**GCP Vertex AI**](/guides/configure-external-delegated-credentials/configure-delegated-access-for-gcp-vertex-ai.md) | Use service accounts and short-lived OAuth tokens (or workload identity) for Vertex AI.  |
| [**Azure OpenAI**](/guides/configure-external-delegated-credentials/configure-delegated-access-for-azure-openai.md)   | Use Entra ID/RBAC or provider keys, then configure endpoint + secret/token in Flashback. |

## Security recommendations

* Grant only required actions (read-only, write-only, or specific inference scopes).
* Prefer short-lived tokens over static keys in production.
* Use separate identities for environments (dev, staging, prod).
* Monitor provider audit trails (CloudTrail, Cloud Audit Logs, Azure Activity/Diagnostic logs).
* Review and rotate trust relationships and role assignments regularly.

