Enterprise Auth

Identity-based access. Every cloud.

Crab Auth connects your corporate identity provider to your cloud storage. Developers authenticate once via SSO — the system handles credential vending, RBAC enforcement, and automatic rotation. No shared keys, no manual setup.

Read the Docs Contact Us

Two Modes of Authentication

From Solo Developer to Enterprise Team

Individual developers use their existing cloud credentials directly. Teams add centralized identity and access control through the credential vending service.

Developer Tier — FreeDirect cloud credential resolution

IAM Roles (AWS)

Assume AWS IAM roles for temporary, scoped credentials. Crab resolves roles automatically from instance metadata, environment variables, or CLI profiles.

Service Accounts (GCP)

Authenticate with GCP service accounts via workload identity or key files. Crab discovers credentials through the Application Default Credentials chain.

Managed Identities (Azure)

Use Azure managed identities for passwordless authentication. Crab connects to the instance metadata service to obtain tokens without configuration.

Credential Chains

A unified resolution strategy that walks environment variables, config files, instance metadata, and CLI profiles — stopping at the first valid credential.

Enterprise TierCentralized identity + credential vending

Short-Lived Scoped Credentials

Every credential is scoped to a specific S3/GCS/Azure prefix and expires in 1 hour by default. No long-lived keys to rotate or leak.

RBAC Policy Engine

YAML-based rules map identities and groups to repositories and operations. Deny rules are evaluated first, then first-match-wins for allow rules.

JWT Signature Verification

Every ID token is verified against your IdP's JWKS endpoint (RS256/ES256). Issuer, audience, and expiration claims are all validated.

Automatic Token Refresh

The crab CLI handles token refresh transparently. Developers authenticate once with crab login and credentials renew in the background.

Inline Session Policies

AWS credentials use inline session policies scoped to the exact bucket prefix. The vended credentials can never access more than the requested repo.

Self-Hosted & Stateless

Deploy in your VPC as a Docker container, AWS Lambda, SAM stack, or Cloud Run service. No database — the service is fully stateless.

Crab Auth Flow

From SSO sign-in to scoped cloud credentials — fully automatic.

How It Works

Four Steps to Secure Access

The credential vending protocol in action.

Developer Authenticates

crab login opens the browser for OIDC sign-in with your corporate IdP. Supports authorization code + PKCE and device code flows.

Token Exchanged

The CLI sends the signed JWT, repo URL, and operation to your crab-auth endpoint via POST /v1/credentials.

Policy Evaluated

crab-auth verifies the JWT signature, validates claims, and evaluates your RBAC policy to determine access.

Credentials Minted

Scoped cloud credentials are generated via STS AssumeRole (AWS), IAM Credentials API (GCP), or user-delegation SAS (Azure).

Inside crab-auth

Three-stage pipeline: verify the token, evaluate the policy, mint the credential.

Access Control

Declarative RBAC Policies

Define who can access which repositories and what operations they can perform. Policies are evaluated top-to-bottom with deny rules checked first. Supports identity matching by email, group membership, and glob patterns for repository paths.

Deny rules evaluated before allow rules
Match by email identity or IdP group membership
Glob patterns for repo paths (models/*, datasets/*)
Per-rule provider override (route repos to different clouds)

Works With Your Identity Provider

Any OIDC-compliant IdP with a standard discovery endpoint.

OktaOIDC + Device Code

Azure AD / Entra IDOIDC + Groups claim

Google WorkspaceOAuth2 Desktop flow

KeycloakOIDC + Device Code

Auth0OIDC compliant

Any OIDC ProviderStandard discovery endpoint

Deploy Anywhere

crab-auth is a stateless FastAPI service. Pick the deployment model that fits your infrastructure.

Docker / Kubernetes

Build the container image and deploy anywhere — ECS, EKS, GKE, or any container platform. Mount your policy.yaml as a volume.

AWS Lambda + Terraform

Serverless deployment with API Gateway. Auto-scaling, zero maintenance. Terraform module included with configurable variables.

AWS SAM

For teams already using SAM. sam build && sam deploy --guided gets you running in minutes.

Google Cloud Run

Deploy to Cloud Run with a single gcloud command. Scales to zero when idle, handles bursts automatically.

Auth Methods by Cloud Provider

Full compatibility matrix across AWS, GCP, and Azure.

Feature	AWS	GCP	Azure
IAM Roles / Instance Profiles
Service Accounts / Workload Identity
Managed Identities
Environment Variables
Config File Profiles
Instance Metadata
Credential Chain (auto-resolve)
Enterprise Credential Vending

Why Crab Auth

Compared to Shared Keys and LFS Servers

Identity-based credential vending eliminates the security gaps of shared IAM keys and the operational burden of LFS servers.

Feature	Crab Auth (Enterprise)	Shared IAM Keys	Git LFS + Server
No shared secrets
Per-repo access control			Server-dependent
Short-lived credentials
SSO / OIDC integration			Server-dependent
Audit trail (who accessed what)			Server-dependent
No server to manage	Stateless container or Lambda
Multi-cloud (AWS, GCP, Azure)		One provider at a time
Automatic credential rotation

Security Model

Defense in Depth

Every layer of the auth pipeline is designed to minimize blast radius and prevent credential leakage.

Cryptographic Verification

JWT signatures verified against IdP JWKS (RS256/ES256). Invalid, expired, or tampered tokens are rejected with 401.

Scoped Session Policies

AWS credentials use inline session policies intersected with the base role. Vended credentials can never exceed the requested repo prefix.

No Secrets in Logs

Token values are never logged. Only identity (email/sub) and operation metadata appear in structured log output.

Rate Limiting

Built-in token bucket rate limiter prevents credential enumeration and brute-force attacks against the endpoint.

Claims Validation

Issuer (iss), audience (aud), expiration (exp), and not-before (nbf) claims are all verified on every request.

Stateless Architecture

No database, no session store. The service can be restarted, scaled, or replaced without data loss or state corruption.

Frequently Asked Questions

Common questions about Crab Auth and credential vending.

Does crab-auth store my data?

No. crab-auth is a credential broker only. It verifies your identity, checks your RBAC policy, and returns short-lived cloud credentials. Your repository data flows directly between the crab CLI and your cloud bucket — crab-auth never sees or stores file content.

What happens if crab-auth goes down?

Developers with unexpired credentials continue working normally — the CLI talks directly to the object store. New credential requests will fail until the service recovers. Since crab-auth is stateless, recovery is as simple as restarting the container or letting Lambda spin up a new instance.

Can I use crab-auth with multiple cloud providers?

Yes. The RBAC policy supports a per-rule provider override. You can route some repos to AWS, others to GCP, and others to Azure — all through the same auth endpoint. The default_provider setting in policy.yaml controls the fallback.

How are credentials scoped?

For AWS, crab-auth uses STS AssumeRole with an inline session policy that restricts access to the specific S3 bucket prefix (repo path) requested. The vended credentials literally cannot access other repos, even if the base IAM role has broader permissions.

What IdPs are supported?

Any OIDC-compliant identity provider works. The service has been tested with Okta, Azure AD (Entra ID), Google Workspace, Keycloak, and Auth0. If your IdP publishes a .well-known/openid-configuration endpoint, it will work.

Do I need crab-auth for personal use?

No. Individual developers can use their existing cloud credentials directly (IAM roles, service accounts, managed identities, or environment variables). crab-auth is for teams that need centralized identity-based access control, SSO, and audit logging.

Secure your team's repositories.

Deploy crab-auth in your VPC and give every developer identity-based access to cloud storage — no shared keys, no manual rotation.

Deployment Guide Contact Us

Declarative RBAC Policies

Deny rules evaluated before allow rules

Match by email identity or IdP group membership

Glob patterns for repo paths (models/*, datasets/*)

Per-rule provider override (route repos to different clouds)

Feature

AWS

GCP

Azure

IAM Roles / Instance Profiles

Service Accounts / Workload Identity

Managed Identities

Environment Variables

Config File Profiles

Instance Metadata

Credential Chain (auto-resolve)

Enterprise Credential Vending

Feature

Crab Auth (Enterprise)

Shared IAM Keys

Git LFS + Server

No shared secrets

Per-repo access control

Server-dependent

Short-lived credentials

SSO / OIDC integration

Server-dependent

Audit trail (who accessed what)

Server-dependent

No server to manage

Stateless container or Lambda

Multi-cloud (AWS, GCP, Azure)

One provider at a time

Automatic credential rotation