Credentials
Claude Code needs authentication to communicate with the Anthropic API. This page covers both authentication methods across all deployment modes.
API Key
The simplest method. Pass your API key as an environment variable.
Podman
podman run -it --rm --name mydev \
-e ANTHROPIC_API_KEY=sk-ant-... \
quay.io/cc-deck/cc-deck-demo:latest
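For security, read the key from a file instead of typing it on the command line. This keeps it out of your shell history, although the shell still expands the value into the podman arguments: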
podman run -it --rm --name mydev \
-e ANTHROPIC_API_KEY=$(cat ~/.anthropic-key) \
quay.io/cc-deck/cc-deck-demo:latest
For background mode, append sleep infinity and use podman exec to attach.
See Podman Quick Start for details.
Vertex AI
For Google Cloud Vertex AI, you need three environment variables and valid Google Cloud credentials.
Required Variables
| Variable | Description |
|---|---|
| CLAUDE_CODE_USE_VERTEX | Set to 1. |
| CLOUD_ML_REGION | The Google Cloud region (e.g., us-east5). |
| ANTHROPIC_VERTEX_PROJECT_ID | Your Google Cloud project ID. |
Podman with gcloud Credentials
Claude Code only needs the Application Default Credentials (ADC) file, not the full ~/.config/gcloud directory.
Use Podman secrets to inject this file into the container.
Secrets are stored on a tmpfs and mounted with correct ownership for the container user, which avoids the UID mapping problems that rootless Podman causes with volume-mounted credential files.
Create the Secret
First, generate ADC on your host if you have not already:
gcloud auth application-default login
Then store the credentials as a Podman secret:
podman secret create gcloud-adc \
~/.config/gcloud/application_default_credentials.json
Interactive Mode (Foreground)
Attach directly to a Zellij session:
podman run -it --rm --name mydev \
-e CLAUDE_CODE_USE_VERTEX=1 \
-e CLOUD_ML_REGION=us-east5 \
-e ANTHROPIC_VERTEX_PROJECT_ID=your-project-id \
-e GOOGLE_APPLICATION_CREDENTIALS=/run/secrets/gcloud-adc \
--secret gcloud-adc \
quay.io/cc-deck/cc-deck-demo:latest
This starts Zellij with the cc-deck layout in the foreground.
When you exit Zellij, the container is removed automatically (--rm).
Background Mode
Start the container in the background with sleep infinity, then attach when ready:
podman run -d --name mydev \
-e CLAUDE_CODE_USE_VERTEX=1 \
-e CLOUD_ML_REGION=us-east5 \
-e ANTHROPIC_VERTEX_PROJECT_ID=your-project-id \
-e GOOGLE_APPLICATION_CREDENTIALS=/run/secrets/gcloud-adc \
--secret gcloud-adc \
quay.io/cc-deck/cc-deck-demo:latest \
sleep infinity
podman exec -it mydev zellij --layout cc-deck
The container stays running when you detach from Zellij.
Reconnect anytime with podman exec -it mydev zellij attach.
Refreshing Expired Tokens
Application default credentials typically expire after one hour. Refresh on the host and recreate the secret:
gcloud auth application-default login
podman secret rm gcloud-adc
podman secret create gcloud-adc \
~/.config/gcloud/application_default_credentials.json
podman restart mydev
This works on both Linux and macOS without any UID mapping workarounds.
Kubernetes with Workload Identity (GKE)
On GKE, use Workload Identity Federation:
- Create a Google Cloud service account with Vertex AI access.
- Bind it to the Kubernetes ServiceAccount:
gcloud iam service-accounts add-iam-policy-binding \
cc-deck-sa@your-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:your-project.svc.id.goog[cc-deck/cc-deck]"
- Annotate the Kubernetes ServiceAccount:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cc-deck
  namespace: cc-deck
  annotations:
    iam.gke.io/gcp-service-account: cc-deck-sa@your-project.iam.gserviceaccount.com
- Set the Vertex environment variables in the Deployment.
Kubernetes with Mounted Key (non-GKE)
For clusters without Workload Identity, mount a service account key:
kubectl -n cc-deck create secret generic gcloud-key \
--from-file=key.json=/path/to/service-account-key.json
# In the container spec:
env:
  - name: GOOGLE_APPLICATION_CREDENTIALS
    value: /etc/gcloud/key.json
volumeMounts:
  - name: gcloud-key
    mountPath: /etc/gcloud
    readOnly: true
# In the pod spec:
volumes:
  - name: gcloud-key
    secret:
      secretName: gcloud-key
Environment File (Podman)
For many environment variables, use an env file to keep credentials out of your shell history:
cat > .env << 'EOF'
ANTHROPIC_API_KEY=sk-ant-...
GITHUB_TOKEN=ghp_...
EOF
podman run -d --name mydev \
--env-file .env \
quay.io/cc-deck/cc-deck-demo:latest
Never commit .env files to version control.
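A preflight check for the env file described above, as an added example that is not part of cc-deck or Podman: it refuses a file that other local accounts can read or that Git would pick up. The helper names file_mode and check_env_file are assumptions made for this example.

```shell
#!/bin/sh
# Added example: preflight check for a credentials file passed to
# `podman run --env-file`. file_mode and check_env_file are hypothetical
# helper names, not part of Podman or cc-deck.

# Print a file's permission bits in octal (GNU stat first, then BSD/macOS).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the env file is safe to use; otherwise explain on stderr
# and return 1.
check_env_file() {
    f=$1
    # Reject symlinks and missing paths: the keys could live somewhere else.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2
        return 1
    fi
    mode=$(file_mode "$f") || return 1
    # Any group or other bit lets another local account read the keys.
    case "$mode" in
        *00 | 0) ;;
        *) echo "$f: mode $mode, run: chmod 600 $f" >&2
           return 1 ;;
    esac
    # Inside a Git work tree the file must match an ignore rule.
    # check-ignore consults the index, so a file that is already
    # tracked fails here as well.
    dir=$(dirname "$f")
    base=$(basename "$f")
    if command -v git >/dev/null 2>&1 &&
       git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
       ! git -C "$dir" check-ignore -q "$base"; then
        echo "$f: not ignored by Git, add it to .gitignore" >&2
        return 1
    fi
    return 0
}

# Usage: check_env_file .env && podman run -d --name mydev \
#            --env-file .env quay.io/cc-deck/cc-deck-demo:latest
```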
Additional Credentials
For MCP servers and other tools, add environment variables alongside the API key:
# Podman
podman run -d --name mydev \
-e ANTHROPIC_API_KEY=sk-ant-... \
-e GITHUB_TOKEN=ghp_... \
quay.io/cc-deck/cc-deck-demo:latest
# Kubernetes
kubectl -n cc-deck create secret generic claude-credentials \
--from-literal=ANTHROPIC_API_KEY=sk-ant-... \
--from-literal=GITHUB_TOKEN=ghp_...