Cloud Provider Configuration
Each cloud provider can add provider-specific fields on providers.targets[]. This page documents the fields provider config and authentication use today.
Replace every your-...-model and deployment placeholder below with an ID
enabled for that provider account and region.
Azure OpenAI
providers:
targets:
- id: azure-primary
provider: azure
provider_type: azure-openai
format: openai
model: your-azure-openai-model
base_url: https://replace-with-resource-name.openai.azure.com
secret_key_ref:
env: KEEPTRUSTS_AZURE_OPENAI_API_KEY
azure_api_version: your-supported-api-version
azure_deployment: your-azure-deployment
| Field | Type | Default | Notes |
|---|---|---|---|
base_url | string | — | Required unless derived by another provider-specific helper. |
azure_api_version | string | legacy runtime fallback: 2024-02-01 | Sent by the Azure auth builder. Set a version currently supported by your Azure deployment; do not rely on the fallback. |
azure_deployment | string | model | Falls back to the target model when omitted. |
path_template | string | runtime/profile default | Optional explicit request path template. |
AWS Bedrock
providers:
targets:
- id: bedrock-claude
provider: bedrock
provider_type: aws-bedrock
model: your-bedrock-model-id
aws_region: us-east-1
| Field | Type | Default | Notes |
|---|---|---|---|
aws_region | string | — | Required. AWS region used for Bedrock auth signing. Must be set explicitly in the provider target. |
aws_profile is parsed and stored but the Bedrock authentication path does not
read it. The current signer does not load AWS profiles, the AWS SDK default
credential chain, or instance-role credentials. Set AWS_ACCESS_KEY_ID and
AWS_SECRET_ACCESS_KEY in the gateway process environment, plus
AWS_SESSION_TOKEN for temporary credentials. The signer can also read direct
target credential material, but do not place literal secrets in YAML.
Bedrock targets can omit secret_key_ref because the provider type is treated
as self-credentialed during config parsing; the explicit AWS environment
variables above must still be available when the signer runs.
The current Bedrock adapter does not yet build a complete model request body. This snippet can be linted, but it is not a production-ready target. See Amazon Bedrock.
Google Vertex AI
providers:
targets:
- id: vertex-gemini
provider: vertex-ai
provider_type: google-vertex
format: google-gemini
model: your-gemini-model
gcp_project: my-gcp-project
gcp_region: us-central1
| Field | Type | Default | Notes |
|---|---|---|---|
gcp_project | string | — | Operationally required; it is embedded in the Vertex endpoint and lint warns when it is absent. |
gcp_region | string | us-central1 | GCP region passed to Vertex auth. Set it explicitly when your model runs elsewhere. |
Vertex targets can also omit secret_key_ref because they are treated as self-credentialed.
Google AI Studio
providers:
targets:
- id: gemini-studio
provider: google-ai-studio
provider_type: google-ai-studio
format: google-gemini
model: your-gemini-model
secret_key_ref:
env: KEEPTRUSTS_GEMINI_API_KEY
Google AI Studio uses the provider profile defaults (x-goog-api-key, google-gemini wire format) and does not require extra cloud-only fields.
Anthropic
:::warning Configuration-only target The schema accepts this provider metadata, but the current gateway does not have a runnable Anthropic request adapter. Use this block only to inspect or lint configuration, not as a production dispatch target. See Anthropic for the current boundary. :::
providers:
targets:
- id: anthropic-prod
provider: anthropic
provider_type: anthropic
format: anthropic
model: your-anthropic-model
secret_key_ref:
env: KEEPTRUSTS_ANTHROPIC_API_KEY
anthropic_version: 2023-06-01
| Field | Type | Default | Notes |
|---|---|---|---|
anthropic_version | string | 2023-06-01 | Added as the anthropic-version header when omitted from the request. |
api_key_header | string | provider-profile default | Anthropic defaults to x-api-key. |
api_key_prefix | string | provider-profile default | Anthropic defaults to an empty prefix. |
Cloudflare AI
providers:
targets:
- id: cloudflare-llm
provider: cloudflare-ai
provider_type: cloudflare-ai
format: openai
model: your-cloudflare-model
cloudflare_account_id: acct-123
secret_key_ref:
env: KEEPTRUSTS_CF_API_TOKEN
| Field | Type | Notes |
|---|---|---|
cloudflare_account_id | string | Used to derive https://api.cloudflare.com/client/v4/accounts/{account_id}/ai/v1 when base_url is omitted. |
cloudflare_account_id_env | string | Env-var name containing the account ID. |
Snowflake Cortex
providers:
targets:
- id: snowflake-llm
provider: snowflake-cortex
model: your-snowflake-model
snowflake_account_identifier: myorg-myaccount
secret_key_ref:
env: KEEPTRUSTS_SNOWFLAKE_API_KEY
| Field | Type | Notes |
|---|---|---|
snowflake_account_identifier | string | Used to derive https://{account_identifier}.snowflakecomputing.com when base_url is omitted. |
snowflake_account_identifier_env | string | Env-var name containing the account identifier. |
Explicit provider type
Use provider_type only when you need to override the type inferred from the provider profile.
providers:
targets:
- id: custom-openai-compatible
provider: my-custom-provider
provider_type: openai
base_url: https://llm.example.com
model: your-provider-model
secret_key_ref:
env: KEEPTRUSTS_CUSTOM_PROVIDER_KEY
Supported explicit values are:
openaianthropiccoherehuggingfacereplicatedatabrickswatsonxaws-bedrockgoogle-ai-studiogoogle-vertexsagemakerazure-openaicloudflare-aisnowflake-cortexgeneric
Wire format translation
providers:
targets:
- id: anthropic-explicit-format
provider: anthropic
provider_type: anthropic
format: anthropic
model: your-anthropic-model
secret_key_ref:
env: KEEPTRUSTS_ANTHROPIC_API_KEY
This wire-format example is also configuration-only; selecting
format: anthropic does not add the missing runtime adapter.
Supported format values are:
openaianthropiccoherehuggingfacereplicatewatsonxgoogle-gemini
Other provider-level fields
| Field | Type | Default | Notes |
|---|---|---|---|
allow_insecure_tls | boolean | false | Skip TLS verification for this target. |
region | string | — | Routing metadata. |
weight | number | — | Used by weighted routing. |
timeout_seconds | integer | 30 | Parsed into the target timeout. |
stream_timeout_seconds | integer | — | Optional streaming override. |
quantizations | string[] | — | Supported target values: fp32, fp16, bf16, int8, int4, awq, gptq, gguf. Routing filters use their own narrower accepted set. |
Complete example
pack:
name: multi-cloud
version: 1.0.0
enabled: true
providers:
targets:
- id: azure-prod
provider: azure
provider_type: azure-openai
format: openai
model: your-azure-openai-model
base_url: https://replace-with-resource-name.openai.azure.com
secret_key_ref:
env: KEEPTRUSTS_AZURE_OPENAI_API_KEY
azure_deployment: your-azure-deployment
azure_api_version: your-supported-api-version
- id: vertex-eu
provider: vertex-ai
provider_type: google-vertex
format: google-gemini
model: your-gemini-model
gcp_project: keeptrusts-prod
gcp_region: europe-west4
- id: cloudflare-edge
provider: cloudflare-ai
provider_type: cloudflare-ai
format: openai
model: your-cloudflare-model
cloudflare_account_id: acct-123
secret_key_ref:
env: KEEPTRUSTS_CF_API_TOKEN
routing:
strategy: ordered
policies:
chain:
- audit-logger
policy:
audit-logger: {}
Ordered routing already considers later eligible targets using the gateway's
default trigger list. This runnable example omits a fallback block because it
does not override that list. Use the canonical trigger_on key when you need a
different list. enabled and max_fallback_attempts do not currently control
dispatch. See
Multi-Provider Fallback. Replace every
placeholder with an account- and region-supported value before running it.
Best practices
- Use the canonical snake_case provider-specific fields.
- Set explicit
provider_typeonly when the provider profile inference is not what you want. - Keep
formataligned with the wire protocol you expect the gateway to translate. - Use only the currently accepted quantization values.
Next steps
- Providers Configuration — routing strategies and fallback behavior
- Execution Targets — execution families and adapters
- Data Policies — per-provider data handling controls