credentials

The credentials command manages cloud provider credentials stored in the clanker backend. This enables sharing credentials across machines by storing them securely in the clanker-cloud backend service, accessed via an API key.

Usage

bash
clanker credentials <subcommand> [flags]

Authentication

All credentials subcommands require a backend API key. You can provide it in two ways:

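  • Flag: --api-key <your-key>. A key passed on the command line is recorded in shell history and is visible in process listings on that machine, so prefer the environment variable on shared hosts and in CI.
  • Environment variable: CLANKER_BACKEND_API_KEY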

Subcommands

credentials store

Upload local credentials to the clanker backend for a specific provider. The command reads credentials from your local environment (CLI profiles, config files, environment variables) and stores them securely in the backend.

bash
clanker credentials store <provider> [flags]

Supported Providers

| Provider | Description |
|---|---|
| aws | Exports credentials from a local AWS CLI profile using aws configure export-credentials |
| gcp | Reads Application Default Credentials or a specified service account JSON file |
| cloudflare | Uses api_token and account_id from config or environment variables |
| hetzner | Uses api_token from config or HCLOUD_TOKEN |
| vercel | Uses api_token + optional team_id from config/env |
| verda | Uses OAuth2 client_id + client_secret + optional project_id from config, env, or ~/.verda/credentials |
| k8s | Uploads kubeconfig file content (base64 encoded) |

Flags

| Flag | Type | Default | Description |
|---|---|---|---|
| --profile | string | default | AWS profile to export credentials from |
| --project | string | From config/env | GCP project ID |
| --service-account | string | | Path to GCP service account JSON file |
| --kubeconfig | string | ~/.kube/config | Path to kubeconfig file |
| --context | string | | Kubernetes context name to use |
| --api-token | string | From config/env | Vercel API token |
| --team-id | string | From config/env | Vercel team ID |
| --client-id | string | From config/env | Verda OAuth2 client ID |
| --client-secret | string | From config/env | Verda OAuth2 client secret |
| --project-id | string | From config/env | Verda project UUID |

Examples:

bash
# Store AWS credentials from a named profile
clanker credentials store aws --profile production

# Store AWS credentials from the default profile
clanker credentials store aws

# Store GCP credentials with a project ID
clanker credentials store gcp --project my-gcp-project

# Store GCP credentials using a service account file
clanker credentials store gcp --project my-gcp-project --service-account ./service-account.json

# Store Cloudflare credentials (reads from config or environment)
clanker credentials store cloudflare

# Store Verda credentials (reads from ~/.clanker.yaml, env, or ~/.verda/credentials)
clanker credentials store verda

# Store Verda credentials explicitly
clanker credentials store verda --client-id "$VERDA_CLIENT_ID" --client-secret "$VERDA_CLIENT_SECRET"

# Store Kubernetes credentials from a specific kubeconfig
clanker credentials store k8s --kubeconfig ~/.kube/production-config

# Store Kubernetes credentials for a specific context
clanker credentials store k8s --context production-cluster

WARNING

For AWS, make sure you are logged in to the desired profile before running the store command. If using SSO, run aws sso login --profile <profile> first.


credentials list

List all credentials currently stored in the clanker backend for your account. The output includes the provider name, creation and update timestamps, and masked field summaries.

bash
clanker credentials list

Example output:

Stored credentials (2):

Provider: aws
  Created: 2025-03-15 10:30:00
  Updated: 2025-03-20 14:22:00
  Fields:
    access_key_id: AKIA****XXXX
    region: us-east-1

Provider: cloudflare
  Created: 2025-03-16 09:00:00
  Updated: 2025-03-16 09:00:00
  Fields:
    api_token: ****xxxx

If no credentials are stored, the command displays guidance on how to store them:

No credentials stored.

To store credentials, use:
  clanker credentials store aws --profile <profile>
  clanker credentials store gcp --project <project>
  clanker credentials store cloudflare
  clanker credentials store k8s
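
The Updated timestamps in the list output can drive a rotation-age check. The following is an added example, not part of clanker: the function name stale_providers and the 90-day threshold are assumptions, and it assumes the real output keeps the layout of the example output above, which is embedded as sample input.

```bash
# Added example (not clanker code): report providers whose stored credentials
# have not been updated within a maximum age, based on `credentials list` output.

# Sample input copied from the example output on this page.
sample_list_output() {
  cat <<'EOF'
Stored credentials (2):

Provider: aws
  Created: 2025-03-15 10:30:00
  Updated: 2025-03-20 14:22:00
  Fields:
    access_key_id: AKIA****XXXX
    region: us-east-1

Provider: cloudflare
  Created: 2025-03-16 09:00:00
  Updated: 2025-03-16 09:00:00
  Fields:
    api_token: ****xxxx
EOF
}

# stale_providers MAX_DAYS [REFERENCE_DATE]
# Reads list output on stdin and prints one provider per line when its
# Updated date is more than MAX_DAYS before REFERENCE_DATE (YYYY-MM-DD,
# defaults to the current date). Only the date part of the timestamp is used.
stale_providers() {
  awk -v max="$1" -v today="${2:-$(date +%Y-%m-%d)}" '
    # Julian day number of a Gregorian date; only differences are used.
    function jdn(y, m, d,   a, yy, mm) {
      a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
      return d + int((153 * mm + 2) / 5) + 365 * yy \
             + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
    }
    function parse(s,   p) { split(s, p, "-"); return jdn(p[1] + 0, p[2] + 0, p[3] + 0) }
    $1 == "Provider:" { provider = $2 }
    $1 == "Updated:"  { if (parse(today) - parse($2) > max) print provider }
  '
}

# Typical use against the real command:
#   clanker credentials list | stale_providers 90
```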

credentials test

Test that credentials stored in the backend are valid and working. When a provider is specified, only that provider's credentials are tested. When called without arguments, all stored credentials are tested.

bash
clanker credentials test [provider]

The test performs a provider-specific validation:

| Provider | Validation Method |
|---|---|
| aws | Runs aws sts get-caller-identity with the stored credentials |
| gcp | Runs gcloud projects describe with the stored service account or ADC |
| cloudflare | Verifies the API token against the Cloudflare token verification endpoint |
| hetzner | Hits hcloud server list with the stored API token |
| vercel | Hits /v2/user with the stored token |
| verda | Hits /v1/balance (cheapest authenticated endpoint) with the stored OAuth2 credentials |
| k8s | Runs kubectl cluster-info with the stored kubeconfig |

Examples:

bash
# Test all stored credentials
clanker credentials test

# Test only AWS credentials
clanker credentials test aws

# Test only GCP credentials
clanker credentials test gcp

# Test Cloudflare credentials
clanker credentials test cloudflare

# Test Kubernetes credentials
clanker credentials test k8s

Example output:

Testing 2 stored credential(s)...

Testing aws credentials...
  PASSED: Account 123456789012

Testing cloudflare credentials...
  PASSED: Token is active

credentials delete

Delete stored credentials for a specific provider from the clanker backend. This is a permanent action.

bash
clanker credentials delete <provider>

The <provider> argument accepts the same values as the store command: aws, gcp, cloudflare, and k8s.

Examples:

bash
# Delete stored AWS credentials
clanker credentials delete aws

# Delete stored GCP credentials
clanker credentials delete gcp

# Delete stored Cloudflare credentials
clanker credentials delete cloudflare

# Delete stored Kubernetes credentials
clanker credentials delete k8s

Typical Workflow

A common workflow for setting up credentials on a new machine or rotating them:

bash
# 1. Store your AWS credentials
clanker credentials store aws --profile production

# 2. Store Cloudflare credentials
clanker credentials store cloudflare

# 3. Verify everything works
clanker credentials test

# 4. List what is stored
clanker credentials list

When credentials expire or are rotated:

bash
# Re-login to AWS SSO
aws sso login --profile production

# Re-store the updated credentials
clanker credentials store aws --profile production

# Verify the new credentials work
clanker credentials test aws
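
The rotation steps above can be wrapped so they fail closed. This is an added example, not part of clanker: the function name rotate_aws and its return codes are assumptions, and it assumes clanker exits non-zero on failure and that credentials test aws prints "PASSED: Account <id>" as in the example output on this page.

```bash
# Added example (not clanker code): rotate the stored AWS credentials and
# confirm the backend copy resolves to the same account as the local profile.
rotate_aws() {
  profile="$1"

  # Keep the key out of argv and shell history: require the (exported)
  # environment variable instead of passing --api-key.
  if [ -z "${CLANKER_BACKEND_API_KEY:-}" ]; then
    echo "CLANKER_BACKEND_API_KEY is not set" >&2
    return 2
  fi

  # Pre-flight: stop before uploading if the local session is expired.
  local_acct=$(aws sts get-caller-identity --profile "$profile" \
    --query Account --output text 2>/dev/null) || local_acct=""
  if [ -z "$local_acct" ]; then
    echo "no valid session; run: aws sso login --profile $profile" >&2
    return 3
  fi

  # Assumption: a failed store exits non-zero.
  clanker credentials store aws --profile "$profile" >/dev/null || return 4

  # Post-check: the stored credentials must validate and belong to the
  # account we intended to upload, not merely to some working account.
  stored_acct=$(clanker credentials test aws |
    sed -n 's/.*PASSED: Account \([0-9][0-9]*\).*/\1/p')
  if [ "$stored_acct" != "$local_acct" ]; then
    echo "stored credentials resolve to '${stored_acct:-none}', expected $local_acct" >&2
    return 5
  fi

  echo "rotated $profile (account $local_acct)"
}
```

Call it as rotate_aws production after aws sso login; any non-zero return means the backend copy should not be trusted until the step named in the message is fixed.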
