Configure External or Delegated Credentials

Delegated credentials let you authorize Flashback using provider-native IAM identities and short-lived tokens instead of long-term static secrets.

In practice, this means:

  • Cloud Storage: grant access via provider IAM roles/policies at bucket/container scope.

  • AI/LLM: use provider-native identity flows (assumed roles, service accounts, managed identities, token exchanges) and pass endpoint + secret/token to Flashback's existing AI LLM configuration model.

When to prefer delegated access

Use delegated access when you want stronger security controls in production:

  • avoid long-lived keys where possible,

  • centralize permissions in cloud IAM,

  • enforce least privilege at narrow scope,

  • rotate or expire credentials automatically,

  • improve auditability via cloud provider logs.

Flashback configuration still uses product fields documented in Configure an AI LLM and Configure a Bucket. Delegated patterns in this section explain how to produce credentials/tokens securely on the provider side.

Delegated Credentials for Cloud Storage

Provider
Description

Configure delegated external access using IAM role assumption patterns.

Configure delegated external access using service-account impersonation.

Configure delegated external access using Entra ID and RBAC role assignments.

Delegated Credentials for AI / LLM (Cloud-hosted providers)

Provider
Description

Use IAM role assumption and short-lived credentials for Bedrock invocation flows.

Use service accounts and short-lived OAuth tokens (or workload identity) for Vertex AI.

Use Entra ID/RBAC or provider keys, then configure endpoint + secret/token in Flashback.

Security recommendations

  • Grant only required actions (read-only, write-only, or specific inference scopes).

  • Prefer short-lived tokens over static keys in production.

  • Use separate identities for environments (dev, staging, prod).

  • Monitor provider audit trails (CloudTrail, Cloud Audit Logs, Azure Activity/Diagnostic logs).

  • Review and rotate trust relationships and role assignments regularly.
