Configuration reference

credctl stores device identity and cloud provider configuration in a single JSON file:

~/.credctl/config.json

This file is created by credctl init and updated by the setup commands (credctl setup aws, credctl setup gcp). It is written with mode 0600 (user read/write only). The private key itself never leaves the Secure Enclave and is referenced only by its Keychain tag, so config.json holds no secret material; the restrictive mode protects the cloud settings (role_arn, issuer_url) from tampering by other local users. Use credctl reset to remove all configuration and start fresh.

{
  "version": 1,
  "device_id": "SHA256:aBcDeFg...",
  "key_tag": "com.crzy.credctl.device-key",
  "biometric": "any",
  "created_at": "2026-03-02T10:00:00Z",
  "enclave_type": "secure_enclave",
  "public_key_path": "~/.credctl/device.pub",
  "aws": {
    "role_arn": "arn:aws:iam::123456789012:role/credctl-device-role",
    "issuer_url": "https://d1234567890.cloudfront.net",
    "region": "us-east-1",
    "s3_bucket": "credctl-oidc-123456789012"
  },
  "gcp": {
    "project_number": "123456789",
    "workload_pool_id": "credctl-pool",
    "provider_id": "credctl-provider",
    "service_account_email": "credctl@my-project.iam.gserviceaccount.com",
    "issuer_url": "https://d1234567890.cloudfront.net",
    "credential_file_path": "~/.credctl/gcp-credentials.json"
  }
}
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| version | integer | Yes (auto-generated) | 1 | Configuration schema version. |
| device_id | string | Yes (auto-generated) | | SHA-256 fingerprint of the device public key. Set by credctl init. |
| key_tag | string | Yes (auto-generated) | com.crzy.credctl.device-key | Keychain application tag for the Secure Enclave key. Override with credctl init --key-tag. |
| biometric | string | Yes (auto-generated) | any | Biometric policy for signing operations. Values: any (Touch ID with passcode fallback), fingerprint (Touch ID only; the key is invalidated if the enrolled fingerprints change), none (no user verification). Set by credctl init --biometric. The policy is bound to the key at creation and cannot be changed in place; changing it means regenerating the device key with credctl init --force. |
| enclave_type | string | Yes (auto-generated) | | Hardware type. Currently secure_enclave only; tpm support is planned for a future release. |
| created_at | string (RFC 3339) | Yes (auto-generated) | | Timestamp of device identity creation. |
| public_key_path | string | Yes (auto-generated) | ~/.credctl/device.pub | Path to the exported public key PEM file. |
| aws | object | No | | AWS configuration block. Set by credctl setup aws. See below. |
| gcp | object | No | | GCP configuration block. Set by credctl setup gcp. See below. |

The aws block contains the configuration for OIDC federation with AWS. These fields are set automatically by credctl setup aws.

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| role_arn | string | Yes | | IAM role ARN to assume via AssumeRoleWithWebIdentity. Must match arn:aws:iam::\d{12}:role/.+ |
| issuer_url | string | Yes | | OIDC issuer URL. Can be a CloudFront URL (setup aws), an S3 URL (setup aws-oidc), or a GCS URL (setup gcp-oidc). Must be HTTPS. |
| region | string | No | | AWS region for the STS endpoint. Must be a valid AWS region code (e.g., us-east-1). |
| s3_bucket | string | No | | S3 bucket name where the OIDC documents are published. |

  • Credential TTL is determined by the IAM role's maximum session duration, not by credctl configuration.
  • The issuer_url and the JWKS it serves are the trust anchor of the federation: anyone who can write to the hosting bucket can publish a key of their own and obtain the role. Keep write access to s3_bucket as tight as the role itself.

The gcp block contains the configuration for Workload Identity Federation with GCP. These fields are set automatically by credctl setup gcp.

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| project_number | string | Yes | | GCP project number (numeric). Retrieved automatically by credctl setup gcp. |
| workload_pool_id | string | Yes | | Workload Identity Pool ID. |
| provider_id | string | Yes | | Workload Identity Provider ID within the pool. |
| service_account_email | string | Yes | | Email of the GCP service account to impersonate. Must match *@*.iam.gserviceaccount.com. |
| issuer_url | string | Yes | | OIDC issuer URL. Can be the same as the AWS issuer URL, or a GCS URL from setup gcp-oidc. Must be HTTPS. |
| credential_file_path | string | No | | Path to the generated GCP credential config file. Set by credctl setup gcp-cred-file. |

The audience for JWT signing is derived automatically from project_number, workload_pool_id, and provider_id:

//iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/providers/{provider_id}
  • Azure configuration will be added in a future release.
| Path | Permissions | Notes |
|---|---|---|
| ~/.credctl/ | 0700 | Directory; user access only |
| ~/.credctl/config.json | 0600 | Configuration; user read/write only |
| ~/.credctl/device.pub | 0644 | Public key; safe to share |
| ~/.credctl/gcp-credentials.json | 0600 | GCP credential config; present only after setup gcp-cred-file |
| ~/.credctl/oidc/ | 0700 | OIDC documents directory |
~/.credctl/
├── config.json            # Device and cloud configuration (0600)
├── device.pub             # Public key PEM (0644)
├── gcp-credentials.json   # GCP credential config (0600, if configured)
└── oidc/                  # OIDC discovery documents (0700)
    ├── .well-known/
    │   └── openid-configuration   # OIDC discovery document
    └── keys.json                  # JWKS (JSON Web Key Set)
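The field constraints in the tables above and the modes in the permissions table are easy to check offline before a federation call fails with an opaque STS or IAM error. The following is an added example, not credctl's own code: it applies the documented constraints (required fields, the role_arn and service-account e-mail patterns, HTTPS issuer URLs, the listed biometric and enclave_type values), derives the GCP audience string in the format given above, and compares actual file modes with the permissions table. The function names, the rough region-code pattern and the sample config dictionary are assumptions made for this example.

```python
"""Offline sanity check for a credctl config.json and the ~/.credctl layout.

Added example, not part of credctl. Constraints come from the field tables
and the permissions table on this page; function names, REGION_RE and the
sample config are assumptions made for this example.
"""
import re
import stat
from pathlib import Path
from typing import Dict, List, Optional

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/.+$")               # pattern from the aws table
SA_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.iam\.gserviceaccount\.com$")  # *@*.iam.gserviceaccount.com
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d+$")                    # assumption: rough region-code shape
BIOMETRIC_VALUES = {"any", "fingerprint", "none"}
ENCLAVE_TYPES = {"secure_enclave"}  # tpm is documented as planned, so it is rejected here

REQUIRED_TOP = ("version", "device_id", "key_tag", "biometric",
                "created_at", "enclave_type", "public_key_path")
REQUIRED_AWS = ("role_arn", "issuer_url")
REQUIRED_GCP = ("project_number", "workload_pool_id", "provider_id",
                "service_account_email", "issuer_url")

# Constructed sample: the example config shown on this page.
SAMPLE_CONFIG = {
    "version": 1, "device_id": "SHA256:aBcDeFg...",
    "key_tag": "com.crzy.credctl.device-key", "biometric": "any",
    "created_at": "2026-03-02T10:00:00Z", "enclave_type": "secure_enclave",
    "public_key_path": "~/.credctl/device.pub",
    "aws": {"role_arn": "arn:aws:iam::123456789012:role/credctl-device-role",
            "issuer_url": "https://d1234567890.cloudfront.net",
            "region": "us-east-1", "s3_bucket": "credctl-oidc-123456789012"},
    "gcp": {"project_number": "123456789", "workload_pool_id": "credctl-pool",
            "provider_id": "credctl-provider",
            "service_account_email": "credctl@my-project.iam.gserviceaccount.com",
            "issuer_url": "https://d1234567890.cloudfront.net",
            "credential_file_path": "~/.credctl/gcp-credentials.json"},
}


def gcp_audience(gcp: Dict[str, str]) -> str:
    """Audience credctl derives from the gcp block (format given on this page)."""
    return ("//iam.googleapis.com/projects/{project_number}/locations/global/"
            "workloadIdentityPools/{workload_pool_id}/providers/{provider_id}").format(**gcp)


def validate_config(cfg: dict) -> List[str]:
    """Return a list of findings; an empty list means the config passes."""
    out: List[str] = [f"missing top-level field: {k}" for k in REQUIRED_TOP if k not in cfg]
    if cfg.get("version") != 1:
        out.append(f"unsupported schema version: {cfg.get('version')!r}")
    if not str(cfg.get("device_id", "")).startswith("SHA256:"):
        out.append("device_id is not a SHA-256 fingerprint")
    if cfg.get("biometric") not in BIOMETRIC_VALUES:
        out.append(f"biometric must be one of {sorted(BIOMETRIC_VALUES)}")
    elif cfg["biometric"] == "none":  # valid, but worth surfacing: signing needs no user presence
        out.append("warning: biometric=none, signing needs no user verification")
    if cfg.get("enclave_type") not in ENCLAVE_TYPES:
        out.append(f"unsupported enclave_type: {cfg.get('enclave_type')!r}")

    aws = cfg.get("aws")
    if aws is not None:
        out += [f"aws: missing {k}" for k in REQUIRED_AWS if k not in aws]
        if "role_arn" in aws and not ROLE_ARN_RE.match(aws["role_arn"]):
            out.append(f"aws.role_arn does not match the IAM role ARN pattern: {aws['role_arn']}")
        if "issuer_url" in aws and not aws["issuer_url"].startswith("https://"):
            out.append("aws.issuer_url must use https://")
        if "region" in aws and not REGION_RE.match(aws["region"]):
            out.append(f"aws.region is not a region code: {aws['region']}")

    gcp = cfg.get("gcp")
    if gcp is not None:
        out += [f"gcp: missing {k}" for k in REQUIRED_GCP if k not in gcp]
        if not str(gcp.get("project_number", "")).isdigit():
            out.append("gcp.project_number must be the numeric project number")
        if "service_account_email" in gcp and not SA_EMAIL_RE.match(gcp["service_account_email"]):
            out.append(f"gcp.service_account_email is not a service account: {gcp['service_account_email']}")
        if "issuer_url" in gcp and not gcp["issuer_url"].startswith("https://"):
            out.append("gcp.issuer_url must use https://")
    return out


# Expected modes from the permissions table, relative to ~/.credctl ("" is the directory itself).
EXPECTED_MODES = {"": 0o700, "config.json": 0o600, "device.pub": 0o644,
                  "oidc": 0o700, "gcp-credentials.json": 0o600}
OPTIONAL_ENTRIES = {"gcp-credentials.json"}  # only present after setup gcp-cred-file


def collect_modes(home: Path) -> Dict[str, Optional[int]]:
    """Read the permission bits of each entry under a credctl home directory (None if absent)."""
    modes: Dict[str, Optional[int]] = {}
    for rel in EXPECTED_MODES:
        p = home / rel if rel else home
        modes[rel] = stat.S_IMODE(p.stat().st_mode) if p.exists() else None
    return modes


def mode_problems(actual: Dict[str, Optional[int]]) -> List[str]:
    """Compare collected modes with the table; too permissive and too strict both count."""
    out: List[str] = []
    for rel, want in EXPECTED_MODES.items():
        have = actual.get(rel)
        if have is None:
            if rel not in OPTIONAL_ENTRIES:
                out.append(f"missing: ~/.credctl/{rel}")
        elif have != want:
            out.append(f"~/.credctl/{rel}: mode {have:04o}, expected {want:04o}")
    return out


if __name__ == "__main__":
    print("sample config:", validate_config(SAMPLE_CONFIG) or "OK")
    print("GCP audience:", gcp_audience(SAMPLE_CONFIG["gcp"]))
    home = Path("~/.credctl").expanduser()
    if home.exists():
        print("file modes:", mode_problems(collect_modes(home)) or "OK")
```

Mode collection is separated from mode evaluation so the comparison can be exercised without touching the real ~/.credctl; run the script as-is to check the sample config and, if present, your own directory. A biometric of none is reported as a warning rather than an error because the page lists it as a valid value; the point is that a reader of the config should notice that signing then needs no user verification.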
  • credctl setup aws — sets up all AWS infrastructure (OIDC hosting, IAM resources, AWS CLI profile) and writes the aws configuration block
  • credctl setup gcp — sets up all GCP infrastructure (OIDC hosting, WIF resources, credential config file) and writes the gcp configuration block
  • credctl reset — removes all configuration and tears down cloud resources
  • Manual editing is possible but not recommended: a malformed file or an incorrect value (for example a role_arn or issuer_url that does not match what was provisioned) makes federation fail. If you do edit the file, keep its mode at 0600.