atmos-auth
| Field | Value |
|---|---|
| name | atmos-auth |
| description | Use when authenticating with AWS via Atmos. Covers ATMOS_PROFILE setup, SSO login, and how Atmos automatically assumes the correct identity per stack. Use for authentication setup, SSO login issues, and permission errors. |
Atmos Auth handles AWS authentication automatically based on your profile and the target stack.
```bash
# Set your profile (required for all atmos commands)
# Use your assigned profile: devops, developers, or managers
export ATMOS_PROFILE=<your-profile>

# Authenticate via SSO provider (preferred - triggers browser SSO)
atmos auth login --provider acme-sso

# Alternative: authenticate by specifying any identity (also triggers browser SSO)
atmos auth login --identity core-auto/terraform

# Run commands - Atmos auto-selects the correct identity per stack
atmos terraform plan vpc -s plat-use2-dev
```
Set your profile once with `export ATMOS_PROFILE=<profile-name>` (or prefix each command with it). When you run `atmos terraform plan <component> -s <stack>`, Atmos:

- looks up the default identity defined for that stack (e.g. `plat-dev/terraform`) and selects it automatically

Each stack defines its default identity in its `_defaults.yaml` file:
```yaml
# stacks/orgs/acme/plat/dev/_defaults.yaml
auth:
  identities:
    plat-dev/terraform:
      default: true
```
The identity name (`plat-dev/terraform`) is resolved by your profile to determine the actual AWS credentials to use.

Profiles are defined in `profiles/<profile-name>/atmos.yaml`. Each maps identities to Permission Sets:
| Profile | Core Accounts | Platform Dev/Sandbox | Platform Staging/Prod |
|---|---|---|---|
| devops | TerraformApplyAccess | TerraformApplyAccess | TerraformApplyAccess |
| developers | TerraformStateAccess | TerraformApplyAccess | TerraformPlanAccess |
| managers | TerraformApplyAccess | TerraformApplyAccess | TerraformApplyAccess |
Managers also have a RootAccess Permission Set for centralized root access to member accounts.
Permission Set capabilities:

- `TerraformApplyAccess` - Full plan and apply
- `TerraformPlanAccess` - Plan only (no apply)
- `TerraformStateAccess` - Read state only (for cross-account references)

Identities follow the pattern: `<tenant>-<stage>/terraform`
Examples:

- `plat-dev/terraform` - Platform dev account
- `core-auto/terraform` - Core automation account
- `plat-prod/terraform` - Platform production account

`superadmin` profile: IAM user (`kind: aws/user`) with MFA in the root account. Used for coldstart/bootstrap before SSO is deployed, or as breakglass access. Assumes `OrganizationAccountAccessRole` into member accounts via identity chaining. Switch to your assigned SSO profile once the identity layer is deployed.

`github-plan` profile: OIDC-based authentication for CI/CD plan operations. Uses planner roles with read-only access.

`github-apply` profile: OIDC-based authentication for CI/CD apply operations. Uses terraform roles with full access. Only used from main branch after PR merge.
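A pre-flight check that mirrors the resolution described above (stack default identity, then the profile's Permission Set for that account group), written as an added example rather than code from Atmos or Cloud Posse. The stack-to-identity map, the extra stack names, and the rule that `core` is a Core account while `plat` dev/sandbox and staging/prod fall into the two Platform columns are assumptions constructed for the example.

```python
import re

# Constructed stand-in for the `auth.identities` blocks of several _defaults.yaml
# files: stack -> identity marked `default: true` (stack names are hypothetical).
STACK_DEFAULT_IDENTITY = {
    "plat-use2-dev": "plat-dev/terraform",
    "plat-use2-prod": "plat-prod/terraform",
    "core-use2-auto": "core-auto/terraform",
}

# Profile -> Permission Set per account group, transcribed from the table above.
PROFILE_PERMISSION_SETS = {
    "devops":     {"core": "TerraformApplyAccess", "plat-dev": "TerraformApplyAccess", "plat-prod": "TerraformApplyAccess"},
    "developers": {"core": "TerraformStateAccess", "plat-dev": "TerraformApplyAccess", "plat-prod": "TerraformPlanAccess"},
    "managers":   {"core": "TerraformApplyAccess", "plat-dev": "TerraformApplyAccess", "plat-prod": "TerraformApplyAccess"},
}

# Actions each Permission Set allows; "state" means a read-only state lookup.
PERMISSION_SET_ACTIONS = {
    "TerraformApplyAccess": {"plan", "apply", "state"},
    "TerraformPlanAccess": {"plan", "state"},
    "TerraformStateAccess": {"state"},
}

IDENTITY_RE = re.compile(r"^(?P<tenant>[a-z]+)-(?P<stage>[a-z]+)/terraform$")


def account_group(identity):
    """Map an identity to a column of the Permission Set table (assumed grouping)."""
    m = IDENTITY_RE.match(identity)
    if not m:
        raise ValueError(f"{identity!r} does not follow <tenant>-<stage>/terraform")
    tenant, stage = m.group("tenant"), m.group("stage")
    if tenant == "core":
        return "core"
    if tenant == "plat" and stage in ("dev", "sandbox"):
        return "plat-dev"
    if tenant == "plat" and stage in ("staging", "prod"):
        return "plat-prod"
    raise ValueError(f"no account group for tenant={tenant!r} stage={stage!r}")


def check(profile, stack, action):
    """Return (allowed, identity, permission_set) for an action under a profile."""
    identity = STACK_DEFAULT_IDENTITY[stack]           # what the stack's _defaults.yaml selects
    pset = PROFILE_PERMISSION_SETS[profile][account_group(identity)]
    return action in PERMISSION_SET_ACTIONS[pset], identity, pset


if __name__ == "__main__":
    for profile, stack, action in [("developers", "plat-use2-prod", "apply"), ("devops", "core-use2-auto", "apply")]:
        print(profile, stack, action, check(profile, stack, action))
```

Running it shows why a `developers` apply against a prod stack fails with a permission error: the profile only maps `plat-prod/terraform` to `TerraformPlanAccess`.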
If authentication fails:

- Check that `ATMOS_PROFILE` is set: `echo $ATMOS_PROFILE`
- Log in again: `atmos auth login --provider acme-sso` (or `--identity core-auto/terraform`)
- Confirm the profile configuration exists: `profiles/$ATMOS_PROFILE/atmos.yaml`

For authentication-specific debugging:

```bash
# Enable debug logging to see auth flow
ATMOS_LOGS_LEVEL=debug atmos terraform plan <component> -s <stack>
```

Look for:

- the identity resolved for the stack (`<tenant>-<stage>/terraform`)

For general Atmos debugging (configuration, variables, stack resolution), see the debugging-atmos skill.