Authentication
How Nimbus authenticates with cloud storage providers.
Nimbus never stores credentials in nimbus.config.json. It reads them from the environment or
your provider’s standard credential chain.
Environment variables
export NIMBUS_ACCESS_KEY=...
export NIMBUS_SECRET_KEY=...See the full list in Environment Variables.
Provider credential chains
If the environment variables above aren’t set, Nimbus falls back to the provider’s default chain:
- AWS S3 —
~/.aws/credentials, instance role, orAWS_PROFILE. - GCS —
GOOGLE_APPLICATION_CREDENTIALSor workload identity.
Scoped tokens
For CI, generate a token scoped to a single bucket and a short TTL rather than reusing long-lived account keys:
nimbus auth create-token --target s3://my-bucket/backups --ttl 1hThe token prints once and is not stored by Nimbus. Pass it via NIMBUS_ACCESS_KEY /
NIMBUS_SECRET_KEY in the CI job, as shown in Deployment.