Cloud Provider Configuration

Each cloud provider has platform-specific fields for authentication, deployment targeting, and API versioning. This page covers every cloud-specific field on providers.targets[].

Use this page when

You need the exact command, config, API, or integration details for Cloud Provider Configuration.
You are wiring automation or AI retrieval and need canonical names, examples, and constraints.
If you want a guided rollout instead of a reference page, use the linked workflow pages in Next steps.

Primary audience

Primary: AI Agents, Technical Engineers
Secondary: Technical Leaders

Azure OpenAI

pack:
  name: config-cloud-providers-providers-1
  version: 1.0.0
  enabled: true
providers:
  targets:
  - id: azure-gpt4
    provider: azure
    model: gpt-4o
    base_url: https://my-resource.openai.azure.com
    secret_key_ref:
      env: AZURE_OPENAI_KEY
policies:
  chain:
  - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true

Field	Type	Default	Description
`base_url`	string	—	Azure resource URL (`https://<resource>.openai.azure.com`)
`azure_api_version`	string	`"2024-02-01"`	Azure OpenAI API version
`azure_deployment`	string	(model name)	Deployment name (defaults to the `model` field)
`path_template`	string	—	URL path template (e.g., `/openai/deployments/{model}/chat/completions`)

Path templates

Azure uses deployment-based URLs. The gateway auto-constructs the path, but you can override it:

- id: "azure-custom"
  provider: "azure"
  model: "gpt-4o"
  base_url: "https://my-resource.openai.azure.com"
  path_template: "/openai/deployments/my-deployment/chat/completions"
  azure_api_version: "2024-08-01-preview"

AWS Bedrock

pack:
  name: config-cloud-providers-providers-3
  version: 1.0.0
  enabled: true
providers:
  targets:
  - id: bedrock-claude
    provider: bedrock
    model: anthropic.claude-3-5-sonnet-20241022-v2:0
policies:
  chain:
  - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true

Field	Type	Default	Description
`aws_region`	string	`AWS_REGION` env var	AWS region for Bedrock
`aws_profile`	string	—	AWS profile name for credential resolution

Authentication uses the standard AWS credential chain (env vars → profile → instance role). No secret_key_ref needed when using IAM roles.

Cross-region failover

pack:
  name: config-cloud-providers-providers-4
  version: 1.0.0
  enabled: true
providers:
  targets:
  - id: bedrock-east
    provider: bedrock
    model: anthropic.claude-3-5-sonnet-20241022-v2:0
  - id: bedrock-west
    provider: bedrock
    model: anthropic.claude-3-5-sonnet-20241022-v2:0
policies:
  chain:
  - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true

Google Vertex AI

pack:
  name: config-cloud-providers-providers-5
  version: 1.0.0
  enabled: true
providers:
  targets:
  - id: vertex-gemini
    provider: vertex-ai
    model: gemini-2.0-flash
policies:
  chain:
  - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true

Field	Type	Default	Description
`gcp_project`	string	—	GCP project ID
`gcp_region`	string	`"us-central1"`	GCP region

Authentication uses Application Default Credentials (ADC). Set the GOOGLE_APPLICATION_CREDENTIALS environment variable or use workload identity.

Google AI Studio

pack:
  name: config-cloud-providers-providers-6
  version: 1.0.0
  enabled: true
providers:
  targets:
  - id: gemini-studio
    provider: google-ai-studio
    model: gemini-2.0-flash
    secret_key_ref:
      env: GOOGLE_AI_KEY
policies:
  chain:
  - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true

Google AI Studio uses a standard API key. No cloud-specific fields required.

Anthropic

pack:
  name: config-cloud-providers-providers-7
  version: 1.0.0
  enabled: true
providers:
  targets:
  - id: anthropic-prod
    provider: anthropic
    model: claude-sonnet-4-20250514
    secret_key_ref:
      env: ANTHROPIC_API_KEY
policies:
  chain:
  - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true

Field	Type	Default	Description
`anthropic_version`	string	`"2023-06-01"`	Anthropic API version header value
`api_key_header`	string	`"x-api-key"`	Header name for the API key
`api_key_prefix`	string	`""`	Prefix before the key value (empty = no prefix)

Anthropic requires x-api-key header with no Bearer prefix. The gateway handles this automatically when provider: "anthropic", but set these fields explicitly if using a custom base_url.

Cloudflare Workers AI

pack:
  name: config-cloud-providers-providers-8
  version: 1.0.0
  enabled: true
providers:
  targets:
  - id: cloudflare-llama
    provider: cloudflare
    model: "@cf/meta/llama-3.1-8b-instruct"
    secret_key_ref:
      env: CF_API_TOKEN
policies:
  chain:
  - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true

Field	Type	Description
`cloudflare_account_id`	string	Cloudflare account ID (literal value)
`cloudflare_account_id_env`	string	Env var containing the account ID
`accountId`	string	Alias for `cloudflare_account_id`
`accountIdEnvar`	string	Alias for `cloudflare_account_id_env`

The gateway constructs the URL as https://api.cloudflare.com/client/v4/accounts/{account_id}/ai/run/{model}.

Snowflake Cortex

pack:
  name: config-cloud-providers-providers-9
  version: 1.0.0
  enabled: true
providers:
  targets:
  - id: snowflake-llm
    provider: snowflake-cortex
    model: llama3.1-70b
    secret_key_ref:
      env: SNOWFLAKE_API_KEY
policies:
  chain:
  - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true

Field	Type	Description
`snowflake_account_identifier`	string	Snowflake account identifier (literal value)
`snowflake_account_identifier_env`	string	Env var containing the account identifier
`accountIdentifier`	string	Alias for `snowflake_account_identifier`
`accountIdentifierEnvar`	string	Alias for `snowflake_account_identifier_env`

Provider type inference

The gateway auto-detects the provider type from the provider field or base_url pattern. Override with provider_type when auto-detection fails:

- id: "custom-openai-compatible"
  provider: "my-custom-provider"
  provider_type: "openai"          # force OpenAI-compatible wire format
  base_url: "https://my-llm.internal:8080"
  model: "custom-model"
  secret_key_ref:
    env: "CUSTOM_KEY"

Provider type values

Value	Auto-detected from
`openai`	`openai`, `groq`, `together`, `fireworks`, `deepseek`, `xai`, `perplexity`, `cerebras`, `openrouter`
`anthropic`	`anthropic`
`azure-openai`	`azure`, `azure-openai`
`aws-bedrock`	`bedrock`, `aws-bedrock`
`google-vertex`	`vertex-ai`, `google-vertex`
`google-ai-studio`	`google-ai-studio`, `gemini`
`cohere`	`cohere`
`huggingface`	`huggingface`, `hf`
`replicate`	`replicate`
`databricks`	`databricks`
`watsonx`	`watsonx`, `ibm`
`sagemaker`	`sagemaker`
`cloudflare-ai`	`cloudflare`
`snowflake-cortex`	`snowflake-cortex`, `snowflake`
`generic`	Fallback when nothing matches

Wire format translation

The format field controls request/response translation. When omitted, the format is inferred from provider_type.

- id: "anthropic-via-openai"
  provider: "anthropic"
  format: "openai"                  # accept OpenAI format, translate to Anthropic wire
  model: "claude-sonnet-4-20250514"
  secret_key_ref:
    env: "ANTHROPIC_API_KEY"

Format	Wire protocol
`openai`	OpenAI Chat Completions API
`anthropic`	Anthropic Messages API
`cohere`	Cohere Chat API
`huggingface`	HuggingFace Inference API
`replicate`	Replicate Predictions API
`watsonx`	WatsonX Text Generation
`google-gemini`	Google Gemini GenerateContent

Other provider-level fields

Field	Type	Default	Description
`allow_insecure_tls`	boolean	`false`	Skip TLS certificate verification (dev/testing only)
`region`	string	—	Geographic region identifier for routing metadata
`weight`	number	`1.0`	Relative weight for `weighted_round_robin` strategy
`stream_timeout_seconds`	integer	(falls back to `timeout_seconds`)	Streaming-specific timeout
`timeout_seconds`	integer	`30`	Non-streaming request timeout
`quantizations`	string[]	—	Supported quantization formats

Quantization values

- id: "local-llama"
  provider: "ollama"
  model: "llama3.1:8b"
  base_url: "http://localhost:11434"
  quantizations: ["int4", "gguf"]

Value	Description
`fp32`	Full precision (32-bit float)
`fp16`	Half precision (16-bit float)
`bf16`	Brain float 16
`int8`	8-bit integer quantization
`int4`	4-bit integer quantization
`awq`	Activation-aware Weight Quantization
`gptq`	GPTQ quantization
`gguf`	GGML/GGUF format

Complete multi-cloud example

pack:
  name: multi-cloud
  version: 1.0.0
  enabled: true
providers:
  targets:
  - id: azure-prod
    provider: azure
    model: gpt-4o
    base_url: https://prod.openai.azure.com
    secret_key_ref:
      env: AZURE_OPENAI_KEY
  - id: bedrock-fallback
    provider: bedrock
    model: anthropic.claude-3-5-sonnet-20241022-v2:0
  - id: vertex-eu
    provider: vertex-ai
    model: gemini-2.0-flash
  - id: cloudflare-edge
    provider: cloudflare
    model: "@cf/meta/llama-3.1-8b-instruct"
    secret_key_ref:
      env: CF_API_TOKEN
  routing:
    strategy: ordered
  fallback:
    triggers:
    - rate_limit
    - server_error
    - timeout
    max_fallback_attempts: 2
policies:
  chain:
  - prompt-injection
  - audit-logger

For AI systems

Canonical terms: Keeptrusts, policy-config.yaml, providers.targets[], azure_api_version, azure_deployment, aws_region, aws_profile, gcp_project, gcp_region, cloudflare_account_id_env, snowflake_account_identifier_env, provider_type, format.
Supported cloud providers: Azure OpenAI, AWS Bedrock, Google Vertex AI, Google AI Studio, Anthropic, Cloudflare Workers AI, Snowflake Cortex.
Best next pages: Providers Configuration, Execution Targets, Environment Variable Patterns.

For engineers

Azure: set base_url to your resource URL, azure_deployment to your deployment name, and azure_api_version to the API version.
AWS Bedrock: uses standard AWS credential chain (env vars → profile → instance role); no secret_key_ref needed with IAM roles.
Google Vertex AI: uses Application Default Credentials (ADC); set GOOGLE_APPLICATION_CREDENTIALS env var.
Use provider_type to force wire format when auto-detection fails (e.g., OpenAI-compatible proxies).
Cross-region failover: define multiple targets with different aws_region/gcp_region values and use ordered routing with fallback.

For leaders

Multi-cloud provider support enables vendor diversification, regional data residency, and cross-cloud failover without application changes.
Auto-detection of wire format reduces configuration complexity — add a new provider and the gateway handles protocol translation.
Regional targeting (aws_region, gcp_region) supports data sovereignty requirements for different jurisdictions.
Wire format translation (format field) allows accepting one API format while routing to a different provider, enabling transparent provider swaps.

Next steps

Providers Configuration — routing strategies and fallback
Execution Targets — native runners and adapters
Data Policies — per-provider data handling

Use this page when​

Primary audience​

Azure OpenAI​

Path templates​

AWS Bedrock​

Cross-region failover​

Google Vertex AI​

Google AI Studio​

Anthropic​

Cloudflare Workers AI​

Snowflake Cortex​

Provider type inference​

Provider type values​

Wire format translation​

Other provider-level fields​

Quantization values​

Complete multi-cloud example​

For AI systems​

For engineers​

For leaders​

Next steps​