Documentation Index
Fetch the complete documentation index at: https://guide.codepure.com/llms.txt
Use this file to discover all available pages before exploring further.
Common Misconfiguration
Organizations using multiple cloud providers often expose credentials for all platforms in a single configuration file or codebase.
Vulnerable Example
# VULNERABLE - config.yaml with all cloud credentials
clouds:
aws:
access_key_id: "AKIAIOSFODNN7EXAMPLE"
secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
region: "us-east-1"
azure:
tenant_id: "72f988bf-86f1-41af-91ab-2d7cd011eb47"
client_id: "ad7e1c3a-c8ae-4bc5-b461-f495c6c5b1a2"
client_secret: "8Q~.vR3fakeSecretHereXAMPLE"
subscription_id: "12345678-1234-1234-1234-123456789012"
gcp:
project_id: "my-project-123456"
service_account_key: |
{
"type": "service_account",
"private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE..."
}
digitalocean:
access_token: "dop_v1_1234567890abcdef1234567890abcdef1234567890abcdef1234567890ab"
alibaba:
access_key_id: "LTAI4GKgob8jZ3Fake"
access_key_secret: "4eRd5tYuO9PfakeSecret123"
region: "cn-hangzhou"
# VULNERABLE - Multi-cloud class with hardcoded credentials
class MultiCloudManager:
def __init__(self):
# Never hardcode credentials!
self.clouds = {
'aws': {
'access_key': 'AKIAIOSFODNN7EXAMPLE',
'secret_key': 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
},
'azure': {
'tenant': '72f988bf-86f1-41af-91ab-2d7cd011eb47',
'client_id': 'ad7e1c3a-c8ae-4bc5-b461-f495c6c5b1a2',
'client_secret': '8Q~.vR3fakeSecretHere'
},
'gcp': {
'api_key': 'AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe'
},
'oracle': {
'user_ocid': 'ocid1.user.oc1..aaaaaaaa',
'fingerprint': 'aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99',
'key_file': '/path/to/api_key.pem'
}
}
Secure Example
# SECURE - Multi-cloud credential management with vault
import os
import hvac
from azure.identity import DefaultAzureCredential
from google.auth import default as gcp_default
import boto3
class SecureMultiCloudManager:
def __init__(self, vault_url=None):
self.vault_client = None
self.credentials = {}
self.initialize_vault(vault_url)
def initialize_vault(self, vault_url):
"""Initialize HashiCorp Vault for credential management"""
vault_url = vault_url or os.environ.get('VAULT_ADDR')
vault_token = os.environ.get('VAULT_TOKEN')
if vault_url and vault_token:
self.vault_client = hvac.Client(
url=vault_url,
token=vault_token
)
if not self.vault_client.is_authenticated():
raise Exception("Vault authentication failed")
def get_aws_credentials(self):
"""Get AWS credentials using IAM roles or Vault"""
if self.vault_client:
# Get dynamic AWS credentials from Vault
response = self.vault_client.read('aws/creds/my-role')
return {
'access_key': response['data']['access_key'],
'secret_key': response['data']['secret_key'],
'session_token': response['data']['security_token']
}
else:
# Use IAM role
session = boto3.Session()
credentials = session.get_credentials()
return {
'access_key': credentials.access_key,
'secret_key': credentials.secret_key,
'session_token': credentials.token
}
def get_azure_client(self):
"""Get Azure credentials using managed identity"""
# DefaultAzureCredential tries in order:
# 1. Environment variables
# 2. Managed Identity
# 3. Azure CLI
# 4. Interactive browser
credential = DefaultAzureCredential(
exclude_interactive_browser_credential=True,
exclude_visual_studio_code_credential=True
)
return credential
def get_gcp_credentials(self):
"""Get GCP credentials using ADC"""
credentials, project = gcp_default()
return credentials, project
def get_cloud_credential(self, provider):
"""Unified interface for getting cloud credentials"""
providers = {
'aws': self.get_aws_credentials,
'azure': self.get_azure_client,
'gcp': self.get_gcp_credentials
}
if provider not in providers:
raise ValueError(f"Unsupported cloud provider: {provider}")
return providers[provider]()
# SECURE - Multi-cloud infrastructure as code (Terraform)
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
azurerm = {
source = "hashicorp/azurerm"
version = "~> 3.0"
}
google = {
source = "hashicorp/google"
version = "~> 5.0"
}
vault = {
source = "hashicorp/vault"
version = "~> 3.0"
}
}
}
# Configure providers using environment variables
provider "aws" {
# Uses AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or IAM role
}
provider "azurerm" {
features {}
# Uses Azure CLI, Managed Identity, or Service Principal from env
}
provider "google" {
# Uses GOOGLE_APPLICATION_CREDENTIALS or ADC
}
# Vault for secret management
resource "vault_auth_backend" "aws" {
type = "aws"
}
resource "vault_aws_secret_backend" "aws" {
access_key = var.aws_access_key # From secure variable
secret_key = var.aws_secret_key # From secure variable
default_lease_ttl_seconds = 3600
max_lease_ttl_seconds = 86400
}
resource "vault_aws_secret_backend_role" "role" {
backend = vault_aws_secret_backend.aws.path
name = "my-role"
credential_type = "assumed_role"
role_arns = ["arn:aws:iam::ACCOUNT:role/MyRole"]
}
# SECURE - Kubernetes multi-cloud setup (External Secrets)
apiVersion: v1
kind: ConfigMap
metadata:
name: cloud-config
data:
AWS_REGION: us-east-1
AZURE_TENANT_ID: ${AZURE_TENANT_ID}
GCP_PROJECT_ID: my-project
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: multi-cloud-store
spec:
provider:
vault:
server: "[https://vault.example.com:8200](https://vault.example.com:8200)"
path: "secret"
version: "v2"
auth:
kubernetes:
mountPath: "kubernetes"
role: "app-role"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: cloud-credentials
spec:
secretStoreRef:
name: multi-cloud-store
kind: SecretStore
target:
name: cloud-credentials
data:
- secretKey: aws-access-key
remoteRef:
key: aws/creds/my-role
property: access_key
- secretKey: azure-client-secret
remoteRef:
key: azure/creds
property: client_secret
Detection Patterns
- AWS Access Key ID:
`(AKIA|ASIA)[0-9A-Z]{16}`
- AWS Secret Access Key:
`[A-Za-z0-9/+=]{40}`
- Azure Client Secret:
`[A-Za-z0-9~._-]{30,}`
- GCP API Key:
`AIza[0-9A-Za-z\\-_]{35}`
- GCP Service Account:
`"private_key":\s*"-----BEGIN (RSA|EC) PRIVATE KEY-----"`
- DigitalOcean Token:
`dop_v1_[a-f0-9]{64}`
- Alibaba Access Key ID:
`LTAI[a-zA-Z0-9]{15,}`
- OCI API Key Fingerprint:
`([0-9a-f]{2}:){15}[0-9a-f]{2}`
Prevention Best Practices
- Use Native Identity: Use cloud-native identity services (AWS IAM, Azure Managed Identity, GCP ADC/Workload Identity) whenever possible.
- Centralize Secrets: Implement a centralized secret management system (like HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager).
- Federate Identity: Use identity federation (like OIDC) to grant external systems access without static keys.
- Least Privilege: Enforce least-privilege principles across all cloud environments.
- Per-Environment Credentials: Use completely separate credentials and roles for development, staging, and production.
- Enable MFA: Enforce Multi-Factor Authentication (MFA) for all human cloud accounts.
- Use CSPM: Implement a Cloud Security Posture Management (CSPM) tool to continuously monitor for misconfigurations.
- Regular Audits: Conduct regular multi-cloud security audits to find and remediate exposed credentials.
