Run any Skill in Manus with one click

$pwd:

atmos-auth

Name: Atmos Auth
Author: cloudposse

// Use when authenticating with AWS via Atmos. Covers ATMOS_PROFILE setup, SSO login, and how Atmos automatically assumes the correct identity per stack. Use for authentication setup, SSO login issues, and permission errors.

Run Skill in Manus

$ git log --oneline --stat

stars:97

forks:34

updated:March 18, 2026 at 19:14

SKILL.md

readonly

name	atmos-auth
description	Use when authenticating with AWS via Atmos. Covers ATMOS_PROFILE setup, SSO login, and how Atmos automatically assumes the correct identity per stack. Use for authentication setup, SSO login issues, and permission errors.

Atmos Auth

Atmos Auth handles AWS authentication automatically based on your profile and the target stack.

Quick Start

# Set your profile (required for all atmos commands)
# Use your assigned profile: devops, developers, or managers
export ATMOS_PROFILE=<your-profile>

# Authenticate via SSO provider (preferred - triggers browser SSO)
atmos auth login --provider acme-sso

# Alternative: authenticate by specifying any identity (also triggers browser SSO)
atmos auth login --identity core-auto/terraform

# Run commands - Atmos auto-selects the correct identity per stack
atmos terraform plan vpc -s plat-use2-dev

How It Works

Set your profile: export ATMOS_PROFILE=<profile-name> (or prefix each command)
Authenticate when needed: Atmos authenticates per-stack automatically. If credentials are expired, it will launch the IDP to sign in, or you can manually trigger SSO login.
Run commands: Atmos automatically assumes the correct identity for each stack based on the stack name.

When you run atmos terraform plan <component> -s <stack>, Atmos:

Renders all stack config, then determines the default identity for the stack
If there's a single default identity (e.g., plat-dev/terraform), it's selected automatically
Looks up that identity name in your profile to get the actual credentials
Assumes the configured Permission Set in the target account
Runs the Terraform command with those credentials

Identity Configuration

Each stack defines its default identity in its _defaults.yaml file:

# stacks/orgs/acme/plat/dev/_defaults.yaml
auth:
  identities:
    plat-dev/terraform:
      default: true

The identity name (plat-dev/terraform) is resolved by your profile to determine the actual AWS credentials to use.

Profiles

Profiles are defined in profiles/<profile-name>/atmos.yaml. Each maps identities to Permission Sets:

Profile	Core Accounts	Platform Dev/Sandbox	Platform Staging/Prod
`devops`	TerraformApplyAccess	TerraformApplyAccess	TerraformApplyAccess
`developers`	TerraformStateAccess	TerraformApplyAccess	TerraformPlanAccess
`managers`	TerraformApplyAccess	TerraformApplyAccess	TerraformApplyAccess

Managers also have a RootAccess Permission Set for centralized root access to member accounts.

Permission Set capabilities:

TerraformApplyAccess - Full plan and apply
TerraformPlanAccess - Plan only (no apply)
TerraformStateAccess - Read state only (for cross-account references)

Identity Naming Convention

Identities follow the pattern: <tenant>-<stage>/terraform

Examples:

plat-dev/terraform - Platform dev account
core-auto/terraform - Core automation account
plat-prod/terraform - Platform production account

Special Cases

superadmin profile: IAM user (kind: aws/user) with MFA in the root account. Used for coldstart/bootstrap before SSO is deployed, or as breakglass access. Assumes OrganizationAccountAccessRole into member accounts via identity chaining. Switch to your assigned SSO profile once the identity layer is deployed.

github-plan profile: OIDC-based authentication for CI/CD plan operations. Uses planner roles with read-only access.

github-apply profile: OIDC-based authentication for CI/CD apply operations. Uses terraform roles with full access. Only used from main branch after PR merge.

Troubleshooting

If authentication fails:

Verify ATMOS_PROFILE is set: echo $ATMOS_PROFILE
Re-authenticate: atmos auth login --provider acme-sso (or --identity core-auto/terraform)
Check you have the required Permission Set in AWS IAM Identity Center
Verify the identity exists in profiles/$ATMOS_PROFILE/atmos.yaml

Debugging Authentication Issues

For authentication-specific debugging:

# Enable debug logging to see auth flow
ATMOS_LOGS_LEVEL=debug atmos terraform plan <component> -s <stack>

Look for:

Identity resolution (<tenant>-<stage>/terraform)
SSO token retrieval
Role assumption errors

For general Atmos debugging (configuration, variables, stack resolution), see the debugging-atmos skill.

related-skills.json

same repository

developing-components.md

from "cloudposse/docs"

Use when creating new Terraform/OpenTofu components or modifying existing ones. Covers required files, catalog defaults, stack configuration, and naming conventions.

2026-04-1697

developing-stacks.md

from "cloudposse/docs"

Use when deploying components via Atmos stacks, configuring stack YAML, or understanding inheritance patterns. Covers catalog defaults, abstract components, stack imports, and how to wire components into target stacks.

2026-02-2497

docs-build.md

from "cloudposse/docs"

Building, rendering library docs, and deploying docs.cloudposse.com. Use when working with the Docusaurus build process or regenerating auto-generated content.

2025-12-2097

docs-conventions.md

from "cloudposse/docs"

Writing standards, React components, and MDX patterns for docs.cloudposse.com. Use when creating or editing documentation content.

2025-12-2097

docs-styles.md

from "cloudposse/docs"

CSS styles, color themes, and visual conventions for docs.cloudposse.com. Use when styling components, mermaid diagrams, or working with site theming.

2025-12-2097

account-map-migration.md

from "cloudposse/docs"

Use when fixing legacy account-map component references or creating new components. Covers migration from dynamic account-map lookups to static account_map variable. Use when you see account-map remote-state references or need to set up provider configuration for a new component.

2025-12-1297

package.json

"author": "cloudposse"

"repository": "cloudposse/docs"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Network and Computer Systems AdministratorsComputer and Mathematical Occupations15-1244L4

name	atmos-auth
description	Use when authenticating with AWS via Atmos. Covers ATMOS_PROFILE setup, SSO login, and how Atmos automatically assumes the correct identity per stack. Use for authentication setup, SSO login issues, and permission errors.

Atmos Auth

Atmos Auth handles AWS authentication automatically based on your profile and the target stack.

Quick Start

# Set your profile (required for all atmos commands)
# Use your assigned profile: devops, developers, or managers
export ATMOS_PROFILE=<your-profile>

# Authenticate via SSO provider (preferred - triggers browser SSO)
atmos auth login --provider acme-sso

# Alternative: authenticate by specifying any identity (also triggers browser SSO)
atmos auth login --identity core-auto/terraform

# Run commands - Atmos auto-selects the correct identity per stack
atmos terraform plan vpc -s plat-use2-dev

How It Works

Set your profile: export ATMOS_PROFILE=<profile-name> (or prefix each command)
Authenticate when needed: Atmos authenticates per-stack automatically. If credentials are expired, it will launch the IDP to sign in, or you can manually trigger SSO login.
Run commands: Atmos automatically assumes the correct identity for each stack based on the stack name.

When you run atmos terraform plan <component> -s <stack>, Atmos:

Renders all stack config, then determines the default identity for the stack
If there's a single default identity (e.g., plat-dev/terraform), it's selected automatically
Looks up that identity name in your profile to get the actual credentials
Assumes the configured Permission Set in the target account
Runs the Terraform command with those credentials

Identity Configuration

Each stack defines its default identity in its _defaults.yaml file:

# stacks/orgs/acme/plat/dev/_defaults.yaml
auth:
  identities:
    plat-dev/terraform:
      default: true

The identity name (plat-dev/terraform) is resolved by your profile to determine the actual AWS credentials to use.

Profiles

Profiles are defined in profiles/<profile-name>/atmos.yaml. Each maps identities to Permission Sets:

Profile	Core Accounts	Platform Dev/Sandbox	Platform Staging/Prod
`devops`	TerraformApplyAccess	TerraformApplyAccess	TerraformApplyAccess
`developers`	TerraformStateAccess	TerraformApplyAccess	TerraformPlanAccess
`managers`	TerraformApplyAccess	TerraformApplyAccess	TerraformApplyAccess

Managers also have a RootAccess Permission Set for centralized root access to member accounts.

Permission Set capabilities:

TerraformApplyAccess - Full plan and apply
TerraformPlanAccess - Plan only (no apply)
TerraformStateAccess - Read state only (for cross-account references)

Identity Naming Convention

Identities follow the pattern: <tenant>-<stage>/terraform

Examples:

plat-dev/terraform - Platform dev account
core-auto/terraform - Core automation account
plat-prod/terraform - Platform production account

Special Cases

github-plan profile: OIDC-based authentication for CI/CD plan operations. Uses planner roles with read-only access.

github-apply profile: OIDC-based authentication for CI/CD apply operations. Uses terraform roles with full access. Only used from main branch after PR merge.

Troubleshooting

If authentication fails:

Verify ATMOS_PROFILE is set: echo $ATMOS_PROFILE
Re-authenticate: atmos auth login --provider acme-sso (or --identity core-auto/terraform)
Check you have the required Permission Set in AWS IAM Identity Center
Verify the identity exists in profiles/$ATMOS_PROFILE/atmos.yaml

Debugging Authentication Issues

For authentication-specific debugging:

# Enable debug logging to see auth flow
ATMOS_LOGS_LEVEL=debug atmos terraform plan <component> -s <stack>

Look for:

Identity resolution (<tenant>-<stage>/terraform)
SSO token retrieval
Role assumption errors

For general Atmos debugging (configuration, variables, stack resolution), see the debugging-atmos skill.

atmos-auth

Atmos Auth

Quick Start

How It Works

Identity Configuration

Profiles

Identity Naming Convention

Special Cases

Troubleshooting

Debugging Authentication Issues

More from this repository

More from this repository

Atmos Auth

Quick Start

How It Works

Identity Configuration

Profiles

Identity Naming Convention

Special Cases

Troubleshooting

Debugging Authentication Issues