Traditional agents require AWS access keys, GCP service account JSON files, or Azure client secrets — either hardcoded, injected via environment variables, or managed by a secrets manager you operate yourself. Hexr replaces all of that with identity-based access: your agent’s SPIFFE certificate is automatically exchanged for short-lived cloud tokens at runtime, scoped to exactly the permissions that agent needs. This guide shows you how to access AWS S3, GCP BigQuery, and Azure Blob Storage from a single agent with zero credentials in your code.

The problem with credentials

# Without Hexr — credentials everywhere
import boto3
session = boto3.Session(
    aws_access_key_id="AKIA...",        # Leaked in git
    aws_secret_access_key="wJalr...",   # Rotated manually
)

Steps

1

Write your multi-cloud agent

Use hexr_tool to request any supported cloud service. The platform handles authentication automatically:
multi_cloud_agent.py
from hexr import hexr_agent, hexr_tool

@hexr_agent(name="multi-cloud-agent", tenant="acme-corp")
def main():
    # AWS — automatic STS credential exchange
    s3 = hexr_tool("aws_s3")
    obj = s3.get_object(Bucket="reports", Key="sales.csv")
    s3_data = obj["Body"].read()

    # GCP — automatic Workload Identity Federation
    bq = hexr_tool("gcp_bigquery")
    bq_data = bq.query("SELECT * FROM dataset.table LIMIT 10")

    # Azure — automatic federated identity
    blob_client = hexr_tool("azure_storage")
    blob = blob_client.get_blob_client(container="data", blob="report.pdf")
    blob_data = blob.download_blob().readall()

Zero credentials in your code. The platform exchanges your agent’s SPIFFE identity for short-lived cloud tokens automatically.
2

Configure cloud providers

Each cloud provider needs a one-time federation setup pointing to oidc.hexr.cloud. The setup for each provider:

AWS

  1. Create an IAM OIDC Identity Provider pointing to oidc.hexr.cloud
  2. Create an IAM Role with a trust policy for your agent’s SPIFFE ID
  3. Configure the role ARN in your Helm values:
values.yaml
credentialInjector:
  aws:
    roleArn: arn:aws:iam::123456789:role/hexr-agent-role

GCP

  1. Create a Workload Identity Pool
  2. Add an OIDC Provider pointing to oidc.hexr.cloud
  3. Create a service account and grant the pool access
  4. Configure in your Helm values:
values.yaml
credentialInjector:
  gcp:
    workloadIdentityProvider: projects/123/locations/global/workloadIdentityPools/hexr/providers/spire

Azure

  1. Create an App Registration with Federated Identity Credentials
  2. Set the issuer to oidc.hexr.cloud
  3. Configure in your Helm values:
values.yaml
credentialInjector:
  azure:
    tenantId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    clientId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
3

Build with multi-cloud flag

Pass the --multi-cloud flag to declare which providers your agent needs:
hexr build agent.py --tenant acme-corp --multi-cloud aws,gcp,azure
4

Push and deploy

hexr push && hexr deploy

Once deployed, your agent’s SPIFFE identity is automatically exchanged for cloud-specific tokens on each hexr_tool() call — no restarts, no manual rotation.

How it works

1

Agent requests an AWS tool

Your agent calls hexr_tool("aws_s3"). The request is intercepted by the Envoy sidecar and routed to the Credential Injector.
2

SPIFFE → AWS credential exchange

The Credential Injector calls AWS AssumeRoleWithWebIdentity using the agent’s JWT-SVID. AWS returns temporary credentials with a 15-minute TTL.
3

Agent requests a GCP tool

Your agent calls hexr_tool("gcp_bigquery"). The same flow runs through Envoy to the Credential Injector.
4

SPIFFE → GCP credential exchange

The Credential Injector calls GCP STS for a token exchange. GCP returns an access_token with a 60-minute TTL.
Credential flow
Agent → Envoy → Credential Injector → AWS STS (15min creds) / GCP STS (60min token)

Per-role cloud access in multi-agent frameworks

In a CrewAI crew, each role can have different cloud permissions — all enforced by OPA policies, with no code changes:
crewai_scoped_access.py
from hexr import hexr_agent

@hexr_agent(name="data-crew", tenant="acme", framework="crewai")
def main():
    # researcher → spiffe://.../data-crew/researcher → BigQuery read-only
    # writer → spiffe://.../data-crew/writer → S3 write-only
    # No code changes needed — OPA policies enforce the scoping
    ...
OPA policies are configured in your Helm values. You can scope cloud access to individual agent roles without modifying application code.
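The cloud-side half of this scoping is the AWS role trust policy from the provider setup above, which binds the role to one agent’s SPIFFE ID (or, with StringLike, to every role in a crew). The following is an added example, not Hexr’s own code: it builds that trust policy and approximates IAM’s evaluation of it against a JWT-SVID claim set, so you can check which identities a policy admits before deploying it. The account id, trust domain, audience, and the https://oidc.hexr.cloud issuer form are placeholders and assumptions.

```python
import fnmatch

# Constructed placeholders: use your own account id, trust domain and the
# audience your JWT-SVIDs are minted with (assumption: sts.amazonaws.com).
ACCOUNT_ID = "123456789012"
OIDC_ISSUER = "oidc.hexr.cloud"
AUDIENCE = "sts.amazonaws.com"
AGENT_SPIFFE_ID = "spiffe://example.org/acme-corp/multi-cloud-agent"


def build_trust_policy(account_id, subject, audience, operator="StringEquals"):
    """Trust policy letting only `subject` assume the role via OIDC: one SPIFFE ID
    (StringEquals) or a crew-wide pattern like spiffe://.../data-crew/* (StringLike)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {operator: {
                f"{OIDC_ISSUER}:aud": audience,
                f"{OIDC_ISSUER}:sub": subject,
            }},
        }],
    }


def trust_policy_allows(policy, claims):
    """Approximate IAM evaluation for a JWT-SVID claim set: the token issuer must be
    the registered provider and every condition key (oidc.hexr.cloud:sub -> claim 'sub') must match."""
    for stmt in policy["Statement"]:
        provider_host = stmt["Principal"].get("Federated", "").rsplit("/", 1)[-1]
        if (stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity"
                or claims.get("iss") != f"https://{provider_host}"):
            continue
        ok = True
        for op, conds in stmt.get("Condition", {}).items():
            for key, expected in conds.items():
                actual = claims.get(key.split(":", 1)[1], "")
                if op == "StringEquals":
                    ok = ok and actual == expected
                elif op == "StringLike":
                    ok = ok and fnmatch.fnmatchcase(actual, expected)
                else:
                    ok = False  # unsupported operator: fail closed
        if ok:
            return True
    return False
```

A policy without the sub condition would let any identity issued by oidc.hexr.cloud assume the role, so keep both the aud and sub conditions in place.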

Next steps

Secure secrets

Store API keys and other secrets with SPIFFE-scoped access control.

Multi-framework agents

Use CrewAI or LangChain with per-role cloud permissions.

LLM observability

Track LLM costs alongside your cloud tool usage in a single dashboard.

SDK reference

Full reference for hexr_tool and supported cloud services.