Multi-Cloud
Audex supports AWS, GCP, Azure, and HashiCorp Vault. This guide covers setup and usage for each provider.
AWS
Prerequisites
- An IAM role that Audex can assume (with sts:AssumeRole permission)
- AWS credentials configured locally (via aws configure or environment variables)
# Set the role ARN that Audex should assume
export AUDEX_ROLE_ARN="arn:aws:iam::123456789012:role/AudexAgentRole"
# Verify connectivity
tryaudex health --check aws
Permission Syntax
AWS IAM actions use the format service:Action:
# Single action
tryaudex run --allow "s3:GetObject" -- aws s3 ls
# Multiple actions
tryaudex run --allow "s3:GetObject,s3:ListBucket,s3:HeadObject" -- aws s3 ls
# Wildcards
tryaudex run --allow "s3:*" -- aws s3 ls
tryaudex run --allow "lambda:Invoke*" -- aws lambda list-functions
Resource Restrictions (Optional)
Restrict credentials to specific ARNs:
# Read from a specific S3 bucket only
tryaudex run --allow "s3:GetObject" \
  --resource "arn:aws:s3:::my-bucket/*" \
  -- aws s3 ls s3://my-bucket/
Environment Variables
| Variable | Purpose |
|---|---|
| AUDEX_ROLE_ARN | IAM role to assume |
| AWS_REGION | AWS region for STS (default: us-east-1) |
| AWS_ACCESS_KEY_ID | AWS credentials (used to assume the role) |
| AWS_SECRET_ACCESS_KEY | AWS credentials (used to assume the role) |
GCP
Prerequisites
- A GCP service account with permission to impersonate another service account
- GCP credentials configured locally
# Authenticate with GCP
gcloud auth application-default login
# Set the service account to impersonate
export AUDEX_GCP_SERVICE_ACCOUNT="audex-agent@my-project.iam.gserviceaccount.com"
# Optional: set the project ID
export AUDEX_GCP_PROJECT="my-project"
# Verify connectivity
tryaudex health --check gcp
Permission Syntax
GCP uses dot-separated permissions like service.resource.verb:
# Single permission
tryaudex run --provider gcp --allow "storage.objects.get" -- gsutil ls
# Multiple permissions
tryaudex run --provider gcp \
  --allow "storage.objects.get,storage.objects.list" \
  -- gsutil ls gs://my-bucket/
# Wildcards
tryaudex run --provider gcp --allow "storage.objects.*" -- gsutil ls
Environment Variables
| Variable | Purpose |
|---|---|
| AUDEX_GCP_SERVICE_ACCOUNT | Service account email to impersonate |
| AUDEX_GCP_PROJECT | GCP project ID (for display/validation) |
Service Account Setup
The source credentials (from gcloud auth application-default login) must have the iam.serviceAccounts.getAccessToken permission on the target service account:
# Grant the impersonation permission
gcloud iam service-accounts add-iam-policy-binding \
  audex-agent@my-project.iam.gserviceaccount.com \
  --member=serviceAccount:YOUR_SOURCE_SA@my-project.iam.gserviceaccount.com \
  --role=roles/iam.serviceAccountTokenCreator
Azure
Prerequisites
- Azure CLI installed and authenticated (az login)
- Access to the subscription and resources
# Authenticate with Azure
az login
# Set the subscription and tenant
export AZURE_SUBSCRIPTION_ID="12345678-1234-1234-1234-123456789012"
export AZURE_TENANT_ID="87654321-4321-4321-4321-210987654321"
# Verify connectivity
tryaudex health --check azure
Permission Syntax
Azure uses the Microsoft.Service/resource/action format:
# Single permission
tryaudex run --provider azure \
  --allow "Microsoft.Storage/storageAccounts/read" \
  -- az storage account list
# Multiple permissions
tryaudex run --provider azure \
  --allow "Microsoft.Storage/storageAccounts/read,Microsoft.Storage/storageAccounts/listKeys/action" \
  -- az storage account keys list --account-name myaccount
# Wildcards
tryaudex run --provider azure \
  --allow "Microsoft.Storage/storageAccounts/*" \
  -- az storage account list
Environment Variables
| Variable | Purpose |
|---|---|
| AZURE_SUBSCRIPTION_ID | Azure subscription ID |
| AZURE_TENANT_ID | Azure tenant ID |
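The three permission syntaxes above (AWS service:Action, GCP service.resource.verb, Azure Provider/resource/action) are easy to get subtly wrong, and a typo in an --allow list is only discovered once credentials have already been minted. The following is an added example, not part of Audex or its documentation: a POSIX sh pre-flight lint that checks each --allow entry against the provider's syntax, rejects entries that grant a whole service through a bare wildcard (stricter than what tryaudex itself accepts, by design), validates a --resource ARN, and only then hands off to tryaudex. The regexes, the "no service-wide wildcard" rule and the scoped_run wrapper are this example's own choices.

```shell
#!/bin/sh
# Pre-flight lint for the --allow list handed to tryaudex. Added example, not
# part of Audex: it checks each entry against the provider's action syntax and
# rejects service-wide wildcards before any credentials are requested.

# check_action PROVIDER ACTION -> 0 if ACTION is well-formed for PROVIDER
check_action() {
    case "$1" in
        aws)   pat='^[a-z0-9-]+:[A-Za-z0-9*]+$' ;;                           # s3:GetObject, lambda:Invoke*
        gcp)   pat='^[a-z][a-z0-9]*(\.[A-Za-z0-9]+)+\.([A-Za-z0-9]+|\*)$' ;;  # storage.objects.get
        azure) pat='^[A-Za-z]+\.[A-Za-z]+(/[A-Za-z]+)*/([A-Za-z]+|\*)$' ;;    # Microsoft.Storage/storageAccounts/read
        *)     echo "unknown provider: $1" >&2; return 2 ;;
    esac
    printf '%s\n' "$2" | grep -Eq "$pat"
}

# service_rest PROVIDER ACTION -> prints ACTION with its service prefix removed
service_rest() {
    case "$1" in
        aws)   printf '%s\n' "${2#*:}" ;;
        gcp)   printf '%s\n' "${2#*.}" ;;
        azure) printf '%s\n' "${2#*/}" ;;
    esac
}

# lint_allow PROVIDER "a,b,c" -> 0 if every entry is well-formed and none grants
# a whole service via a bare wildcard; each problem is reported on stderr
lint_allow() {
    provider="$1"
    list="$2"
    status=0
    old_ifs="$IFS"; IFS=','
    set -f                              # no globbing while splitting "s3:*" etc.
    for entry in $list; do
        IFS="$old_ifs"
        if ! check_action "$provider" "$entry"; then
            echo "malformed $provider action: $entry" >&2; status=1
        else
            case "$(service_rest "$provider" "$entry")" in
                *[A-Za-z0-9]*) ;;       # names at least one resource or verb
                *) echo "service-wide wildcard not allowed: $entry" >&2; status=1 ;;
            esac
        fi
    done
    set +f
    IFS="$old_ifs"
    return $status
}

# check_resource ARN -> 0 if ARN is a concrete AWS ARN (a bare "*" is rejected)
check_resource() {
    printf '%s\n' "$1" | grep -Eq '^arn:aws(-[a-z]+)?:[a-z0-9-]+:[a-z0-9-]*:[0-9]*:.+$'
}

# scoped_run PROVIDER ALLOW CMD... -> lints ALLOW, then runs CMD under tryaudex
# usage: scoped_run aws "s3:GetObject,s3:ListBucket" aws s3 ls
scoped_run() {
    provider="$1"; allow="$2"; shift 2
    lint_allow "$provider" "$allow" || return 1
    tryaudex run --provider "$provider" --allow "$allow" -- "$@"
}
```

Source this file and call scoped_run in place of a bare tryaudex run; because lint_allow is separate, it can also sit in a CI step that reviews the --allow lists in scripts before they reach a production account.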
HashiCorp Vault (AWS Secrets Engine)
Audex can issue AWS credentials from Vault’s AWS secrets engine, supporting Token, AppRole, and Kubernetes authentication methods.
Prerequisites
- HashiCorp Vault server running and accessible
- AWS secrets engine configured on Vault
- Vault credentials (token, AppRole, or Kubernetes service account)
Setup - Token Auth
# Set Vault server address
export VAULT_ADDR="https://vault.example.com:8200"
# Set Vault token (from Vault admin)
export VAULT_TOKEN="hvs.CAESIFoo..."
# Verify connectivity
tryaudex health --check vault
Setup - AppRole Auth
AppRole is recommended for team/server deployments:
# Create a configuration file at ~/.config/audex/vault-config.toml
[vault]
address = "https://vault.example.com:8200"
auth = { method = "approle", role_id = "my-role-id", secret_id = "my-secret-id" }
mount = "aws"          # AWS secrets engine mount path
role = "my-vault-role" # Vault role for generating AWS credentials
Then run:
export VAULT_ADDR="https://vault.example.com:8200"
export VAULT_ROLE_ID="my-role-id"
export VAULT_SECRET_ID="my-secret-id"
tryaudex run --provider vault --allow "s3:GetObject" -- aws s3 ls
Setup - Kubernetes Auth
For Kubernetes clusters:
# Vault configuration
[vault]
address = "https://vault.example.com:8200"
auth = { method = "kubernetes", role = "my-k8s-role" }
mount = "aws"
role = "my-vault-role"
Audex automatically uses the pod’s service account token from /var/run/secrets/kubernetes.io/serviceaccount/token.
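The AppRole configuration file above stores the secret_id in plaintext, so its file permissions matter as much as the Vault policy behind the role. The following is an added example, not part of Audex: a POSIX sh pre-flight check that refuses to proceed when ~/.config/audex/vault-config.toml is readable by group or others, when the auth method is not approle, or when role_id/secret_id still hold the placeholder values from this page. The write_sample helper, the demo function and every credential-looking value in it are constructed for the example; the line-oriented toml_value extraction is this example's simplification, not a TOML parser.

```shell
#!/bin/sh
# Hygiene check for the AppRole config file before tryaudex uses it.
# Added example, not part of Audex.

# perms_ok FILE -> 0 when the group and other permission bits are all clear (e.g. 0600)
perms_ok() {
    mode=$(ls -ld "$1" | cut -c5-10)   # columns 5-10 of "-rw-------" are group+other
    [ "$mode" = "------" ]
}

# toml_value FILE KEY -> prints the double-quoted value assigned to KEY
# (enough for the flat [vault] table on this page; not a real TOML parser)
toml_value() {
    sed -n "s/.*$2 *= *\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_vault_config FILE -> 0 if usable; otherwise 1 with the reason on stderr
check_vault_config() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    perms_ok "$f" || { echo "$f is readable by group/other; run: chmod 600 $f" >&2; return 1; }
    method=$(toml_value "$f" method)
    [ "$method" = "approle" ] || { echo "auth method is '$method', expected approle" >&2; return 1; }
    for key in role_id secret_id; do
        value=$(toml_value "$f" "$key")
        case "$value" in
            ""|my-*) echo "$key is empty or still the docs placeholder ('$value')" >&2; return 1 ;;
        esac
    done
}

# write_sample FILE ROLE_ID SECRET_ID -> writes a constructed config in the
# layout from the docs, so the check can be exercised without a real Vault
write_sample() {
    cat > "$1" <<EOF
[vault]
address = "https://vault.example.com:8200"
auth = { method = "approle", role_id = "$2", secret_id = "$3" }
mount = "aws"
role = "my-vault-role"
EOF
}

# demo -> 0 when a properly protected, non-placeholder config passes the check
# (the two UUID-shaped values below are made up for this example)
demo() {
    dir=$(mktemp -d)
    cfg="$dir/vault-config.toml"
    write_sample "$cfg" "11111111-2222-3333-4444-555555555555" "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    chmod 600 "$cfg"
    if check_vault_config "$cfg"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

demo && echo "sample config passes; run the same check on ~/.config/audex/vault-config.toml"
```

In practice the check sits in front of the command: check_vault_config ~/.config/audex/vault-config.toml && tryaudex run --provider vault ... . The same placeholder test applies to the Kubernetes config's role value, but that file carries no secret, so the permission check is what matters for AppRole specifically.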
Permission Syntax
Vault issues AWS credentials, so use AWS permission syntax:
tryaudex run --provider vault \
  --allow "s3:GetObject,s3:ListBucket" \
  -- aws s3 ls
Environment Variables
| Variable | Purpose |
|---|---|
| VAULT_ADDR | Vault server address |
| VAULT_TOKEN | Vault authentication token |
| VAULT_ROLE_ID | AppRole role ID |
| VAULT_SECRET_ID | AppRole secret ID |
| VAULT_NAMESPACE | Vault Enterprise namespace (optional) |
Choosing a Provider
| Provider | When to Use | Pros | Cons |
|---|---|---|---|
| AWS | AWS workloads | Native, short setup | AWS-only |
| GCP | GCP workloads | Fine-grained scoping | Requires service account setup |
| Azure | Azure workloads | Role-based access | Limited to Azure CLI permissions |
| Vault | Multi-cloud, team mode | Centralized, flexible auth | Extra infrastructure |
Policy Profiles
Instead of specifying actions each time, use predefined profiles:
# Built-in profiles (e.g. s3-readonly, s3-readwrite, gcs-readonly, azure-storage-readonly)
tryaudex run --profile s3-readonly -- aws s3 ls
# See all available profiles
tryaudex policies list
See Policies for the full list of profiles and how to create custom ones.
Universal Policy Syntax
Audex supports a cloud-agnostic syntax that expands to the appropriate provider format:
# Universal syntax (expands based on --provider)
tryaudex run --provider aws --allow "storage:read" -- aws s3 ls
tryaudex run --provider gcp --allow "storage:read" -- gsutil ls
tryaudex run --provider azure --allow "storage:read" -- az storage account list
# Each expands to the provider-specific actions internally
See Policies for the full universal syntax reference.