Skip to main content
The credentials command manages cloud provider credentials stored in the Clanker backend, allowing you to use the same credentials across multiple machines.

Usage

clanker credentials [subcommand] [flags]
All credentials commands require a backend API key via --api-key flag or the CLANKER_BACKEND_API_KEY environment variable.

Subcommands

store

Upload local credentials to the Clanker backend: 
# Store AWS credentials from a profile
clanker credentials store aws --profile dev

# Store from default profile
clanker credentials store aws

list

List all stored credentials: 
clanker credentials list
Example output: 
Stored credentials (3):

Provider: aws
  Created: 2026-03-01 10:30:45
  Updated: 2026-03-01 10:30:45
  Fields:
    region: us-east-1
    access_key: AKIA********ABCD

Provider: gcp
  Created: 2026-03-01 11:15:22
  Updated: 2026-03-01 11:15:22
  Fields:
    project_id: my-project-prod

Provider: cloudflare
  Created: 2026-03-01 12:00:00
  Updated: 2026-03-01 12:00:00
  Fields:
    account_id: 1234567890abcdef

test

Test that stored credentials are valid: 
# Test AWS credentials
clanker credentials test aws

# Test GCP credentials
clanker credentials test gcp

# Test Cloudflare credentials
clanker credentials test cloudflare

# Test Kubernetes credentials
clanker credentials test k8s
Example output: 
Testing AWS credentials...
  PASSED: Account 123456789012

Testing GCP credentials...
  PASSED: Project my-project-prod

Testing Cloudflare credentials...
  PASSED: Token is active

delete

Delete stored credentials: 
# Delete AWS credentials
clanker credentials delete aws

# Delete GCP credentials
clanker credentials delete gcp

# Delete Cloudflare credentials
clanker credentials delete cloudflare

# Delete Kubernetes credentials
clanker credentials delete k8s

Store command flags

AWS flags

--profile
string
AWS profile to export credentials from (default: default)

GCP flags

--project
string
GCP project ID (required)
--service-account
string
Path to GCP service account JSON file

Kubernetes flags

--kubeconfig
string
Path to kubeconfig file (default: ~/.kube/config)
--context
string
Kubernetes context name to use

How it works

AWS credentials

  1. Exports credentials from local AWS CLI profile using aws configure export-credentials
  2. Retrieves region from profile configuration
  3. Uploads access key, secret key, session token (if SSO), and region to backend
  4. Credentials are encrypted at rest in the backend
If using AWS SSO, make sure you’re logged in with aws sso login --profile <profile> before storing credentials.

GCP credentials

  1. Reads service account JSON file or Application Default Credentials
  2. Uploads project ID and service account JSON to backend
  3. Credentials are encrypted at rest in the backend
If no service account file is specified, Clanker attempts to read Application Default Credentials from:
  • $GOOGLE_APPLICATION_CREDENTIALS
  • ~/.config/gcloud/application_default_credentials.json

Cloudflare credentials

  1. Reads API token and account ID from config or environment:
    • cloudflare.api_token in ~/.clanker.yaml
    • CLOUDFLARE_API_TOKEN environment variable
    • CF_API_TOKEN environment variable
    • cloudflare.account_id in config
    • CLOUDFLARE_ACCOUNT_ID environment variable
  2. Uploads to backend
  3. Credentials are encrypted at rest

Kubernetes credentials

  1. Reads kubeconfig file from specified path or default location
  2. Base64 encodes the kubeconfig content
  3. Uploads encoded content and optional context name to backend
  4. Credentials are encrypted at rest in the backend

Testing credentials

The test command validates stored credentials by:

AWS

  • Calls aws sts get-caller-identity with stored credentials
  • Displays account ID and ARN if successful

GCP

  • Calls gcloud projects describe with stored credentials
  • Verifies project exists and credentials are valid

Cloudflare

  • Calls Cloudflare API’s token verification endpoint
  • Confirms token is active

Kubernetes

  • Writes kubeconfig to temporary file
  • Runs kubectl cluster-info to verify connectivity
  • Displays cluster information if successful

Security

  • All credentials are encrypted at rest in the backend
  • Credentials are transmitted over HTTPS
  • API key is required for all credential operations
  • Credentials are scoped to your account only
  • Masked values are shown in list output (e.g., AKIA********ABCD)

Examples

Store and test AWS credentials

# Store credentials from dev profile
clanker credentials store aws --profile dev

# List stored credentials
clanker credentials list

# Test the credentials
clanker credentials test aws

# Use stored credentials in queries
clanker ask "What EC2 instances are running?"

Store GCP credentials with service account

# Store with service account file
clanker credentials store gcp \
  --project my-project \
  --service-account ~/Downloads/sa-key.json

# Test GCP credentials
clanker credentials test gcp

# Use in queries
clanker ask --gcp "List all Cloud Run services"

Multi-cloud setup

# Store all provider credentials
clanker credentials store aws --profile prod
clanker credentials store gcp --project my-project
clanker credentials store cloudflare

# Test all credentials
clanker credentials test

# Now you can query any provider
clanker ask --aws "Show EC2 instances"
clanker ask --gcp "Show GKE clusters"
clanker ask --cloudflare "Show DNS zones"

See also

Build docs developers (and LLMs) love

Get started for freeTalk to us