diff --git a/documentation/high-availability/setup.md b/documentation/high-availability/setup.md index 71c05a5d4..8dfebfe89 100644 --- a/documentation/high-availability/setup.md +++ b/documentation/high-availability/setup.md @@ -53,6 +53,17 @@ replication.object.store=s3::bucket=${BUCKET_NAME};root=${DB_INSTANCE_NAME};regi `DB_INSTANCE_NAME` can be any unique alphanumeric string (dashes allowed). Use the same value across all nodes in your replication cluster. +:::tip[Using IAM roles] +If your instance has an IAM role attached (EC2 instance profile, EKS pod identity, +or ECS task role), you can omit the credentials: + +```ini +replication.object.store=s3::bucket=${BUCKET_NAME};root=${DB_INSTANCE_NAME};region=${AWS_REGION}; +``` + +QuestDB will automatically use the instance's IAM role for authentication. +::: + ### Azure Blob Storage Create a Storage Account following @@ -72,6 +83,18 @@ then create a Blob Container. replication.object.store=azblob::endpoint=https://${STORE_ACCOUNT}.blob.core.windows.net;container=${BLOB_CONTAINER};root=${DB_INSTANCE_NAME};account_name=${STORE_ACCOUNT};account_key=${STORE_KEY}; ``` +:::tip[Using Managed Identity] +If your instance has a Managed Identity assigned (Azure VM, AKS pod identity, +or Container Apps), you can omit the `account_key`: + +```ini +replication.object.store=azblob::endpoint=https://${STORE_ACCOUNT}.blob.core.windows.net;container=${BLOB_CONTAINER};root=${DB_INSTANCE_NAME};account_name=${STORE_ACCOUNT}; +``` + +QuestDB will automatically use the Managed Identity for authentication. Ensure +the identity has the **Storage Blob Data Contributor** role on the container. +::: + ### Google Cloud Storage Create a GCS bucket, then create a service account with `Storage Admin` (or 
@@ -89,6 +112,17 @@ replication.object.store=gcs::bucket=${BUCKET_NAME};root=/;credential=${BASE64_E Alternatively, use `credential_path` to reference the key file directly. +:::tip[Using Workload Identity] +If your instance uses Workload Identity (GKE) or runs on a GCE VM with a service +account attached, you can omit the credentials entirely: + +```ini +replication.object.store=gcs::bucket=${BUCKET_NAME};root=/; +``` + +QuestDB will automatically use Application Default Credentials for authentication. +::: + ### NFS Mount the shared filesystem on all nodes. Ensure the QuestDB user has read/write
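Review bot: in the `:::tip[Using IAM roles]` block of the `@@ -53,6 +53,17 @@` hunk, the tip says the instance's IAM role is used for authentication but never states what that role must be allowed to do on `${BUCKET_NAME}`, whereas the Azure tip in this same patch names the required role (`Storage Blob Data Contributor`). Add one sentence listing the permissions the role needs on the bucket and the `${DB_INSTANCE_NAME}` prefix (object read, write, list and delete at minimum), or point to the section that already lists them, so a reader who swaps static keys for a role does not end up with an under-scoped policy. The parenthetical "(EC2 instance profile, EKS pod identity, or ECS task role)" also reads as an exhaustive list; if what is actually consulted is the AWS SDK default credential chain, say so, since then other sources on that chain (for example IRSA web-identity tokens on EKS) work too.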
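Review bot: in the `:::tip[Using Managed Identity]` block of the `@@ -72,6 +83,18 @@` hunk, the parenthetical says "AKS pod identity" while the GCP tip in the same patch says "Workload Identity (GKE)"; name the AKS mechanism precisely (pod-managed identity versus workload identity) so an AKS reader knows which one to configure, or phrase it as "a Managed Identity reachable from the pod". The sentence "Ensure the identity has the **Storage Blob Data Contributor** role on the container" is the right least-privilege scope and is the model the other two tips should follow; keep it. Since only `account_key` is dropped and `account_name=${STORE_ACCOUNT}` stays in the example, consider stating explicitly that `account_name` is still required, so nobody strips both when removing the secret.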
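Review bot: in the `:::tip[Using Workload Identity]` block of the `@@ -89,6 +112,17 @@` hunk, the tip says credentials can be omitted "entirely" but does not say what happens when `credential` or `credential_path` is still set alongside an attached service account; document the precedence (explicit key wins, or Application Default Credentials win) so a leftover key in the config does not silently change which identity replication runs as. The tip also names no required role; the surrounding text gives `Storage Admin` (or ...) for the key-file path, so state that the same role applies to the attached service account, as the Azure tip does with `Storage Blob Data Contributor`. Minor: the example keeps `root=/`, matching the existing `gcs::` line above it, while the S3 and Azure examples use `root=${DB_INSTANCE_NAME}`; if that difference is deliberate, say why in the GCS section, otherwise align it.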