Atmos Auth Implementation

[Benbentwo]

Note

Opening a new PR to help Simplify Comments
closes #1424
closes #1452

what

This PR introduces a complete authentication system for Atmos, enabling secure multi-cloud authentication with support for AWS IAM Identity Center (SSO), SAML providers, assume role chains, and AWS user credentials. The system provides seamless integration with Terraform workflows while maintaining isolation from users' existing AWS configurations.

Features

Authentication Providers

• AWS IAM Identity Center (SSO) - Full SSO integration with session management
• AWS SAML - Browser-based SAML authentication with MFA support (Google Apps, Okta, ADFS)
• AWS Assume Role - Cross-account role assumption capabilities
• AWS User - Direct AWS access key authentication with MFA support

Identity Chaining

• Sequential authentication flows (e.g., SSO → Permission Set → Assume Role)
• Recursive provider resolution through identity chains
• Circular dependency detection and prevention

CLI Commands

• atmos auth login - Interactive authentication with identity selection
• atmos auth whoami - Display current authentication status
• atmos auth env - Export environment variables (export, json, dotenv formats)
• atmos auth exec - Execute commands with authentication context
• atmos auth validate - Comprehensive configuration validation
• atmos auth user configure - AWS user credential configuration

AWS Integration

• Isolated credential files: ~/.aws/atmos//credentials
• Separate config files: ~/.aws/atmos//config
• Automatic environment variable management (AWS_PROFILE, AWS_SHARED_CREDENTIALS_FILE, AWS_CONFIG_FILE)
• Terraform prehook integration for seamless workflow execution
• User's existing AWS files remain untouched

Architecture

Layout

internal/auth/
├── manager.go              # Core authentication manager
├── interfaces.go           # Core interfaces and types
├── factory.go             # Provider/identity factory functions
├── providers/aws/         # AWS authentication providers
│   ├── sso.go            # IAM Identity Center provider
│   ├── saml.go           # SAML provider with browser automation
│   └── assume_role.go    # Assume role provider
├── identities/aws/        # AWS identity implementations
│   ├── permission_set.go # Permission set identity
│   ├── assume_role.go    # Assume role identity
│   └── user.go           # AWS user identity
├── credentials/           # Secure credential storage
├── environment/           # AWS file management
├── config/               # Configuration merging
└── validation/           # Configuration validation

Key Components

AuthManager: Central authentication orchestrator
Provider/Identity Pattern: Extensible authentication architecture
Credential Store: Encrypted credential caching with expiration
AWS File Manager: Isolated AWS credential/config file management
Configuration Merger: Component-level auth overrides

why

Atmos Auth allows us to simplify our reference architecture and helps assist with consolidating the toolset that the typical DevOps user needs to manage Terraform.

Summary by CodeRabbit

• New Features

  • New top-level "auth" CLI (validate, whoami, env, exec, login, user configure), global --identity flag, per-component auth merging, Terraform pre-hook, OS keyring credential store, AWS file manager, and providers/identities for AWS SSO, SAML, GitHub OIDC, permission-set, assume-role, and aws user (MFA).

• Documentation

  • Auth User Guide, architecture PRD, CLI docs, and demo-auth example added.

• Tests

  • Extensive unit, integration, and snapshot tests for auth flows.

• Chores

  • Dependency updates and CI/workflow formatting tweaks.

[aknysh]

atmos auth user configure is not AWS specific?
If it's not, then we need to update the command description.
If it is, how we will handle other clouds?

[Benbentwo]

It's not specifically going to be AWS alone, but I think we should hold off on this until we decide on how we're going to structure the code and commands for other clouds as well.

[aknysh]

Suggested change

	type: real
	type: real

no need to use type: real (it's by default)

[aknysh]

we probably should not tie the command atmos auth user configure to just AWS (we will use other clouds).
In which case, we need to update the description and purpose of this command.

[Benbentwo]

I think that's fine. We eventually want to support multiple cloud users, and we can update the docs as we go. I think starting with just AWS and having a note is fine for now.

[aknysh]

looks good, please see comments

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

website/docs/cli/commands/auth/usage.mdx (1)

1-20: Action: Fix missing sections in auth docs

Script found missing required sections in these files:

• website/docs/cli/commands/auth/auth-user.mdx — Missing: ## Usage, ## Examples, ## Arguments, ## Flags, and

  .

• website/docs/cli/commands/auth/user-configure.mdx — Missing: ## Arguments.
• website/docs/cli/commands/auth/auth-env.mdx — Missing: ## Arguments.
• website/docs/cli/commands/auth/category.json — JSON category file (exclude from MDX section checks).

Add the missing sections (Usage → Examples → Arguments → Flags) and include a

for the Arguments/Flags sections where applicable.

🧹 Nitpick comments (4)

website/docs/cli/commands/auth/usage.mdx (4)

42-51: Add “Arguments” section and tighten flag descriptions (enforce docs ordering).

Per guidelines, insert “## Arguments” between “Examples” and “Flags”, and clarify --identity meaning; also document --verbose since you reference it below.

 ## Examples
 ...
-## Flags
+## Arguments
+
+<dl>
+  <dt>(none)</dt>
+  <dd>The auth root command takes no positional arguments. Use subcommands.</dd>
+</dl>
+
+## Flags
 ...
   <dt>`--identity` <em>(alias `-i`)</em></dt>
-  <dd>Specify the default identity for subcommands. Can be overridden per command.</dd>
+  <dd>Specify the identity to use for this invocation. Persistent on the auth root; can be overridden per subcommand.</dd>
 
   <dt>`--profile`</dt>
   <dd>Atmos profile used to resolve configuration when running auth subcommands.</dd>
+
+  <dt>`--verbose`</dt>
+  <dd>Global Atmos flag for verbose output and debug logs.</dd>
 </dl>

---

309-310: Remove duplicated dotenv example line.

The atmos auth env --format dotenv line appears twice.

-AtmOS auth env --format dotenv
-atmos auth env --format dotenv
+atmos auth env --format dotenv

---

88-90: Prefer account ID in examples for consistency and auditability.

Elsewhere you recommend using specific account IDs. Align this snippet.

-        account:
-          name: "account-name"
+        account:
+          name: "123456789012"

---

44-50: Minor copy tweak: avoid “default identity” phrasing.

“Default” can imply it changes config. Your flag selects the runtime identity. Wording change included in the earlier diff.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between db69aec and 77d0b08.

📒 Files selected for processing (1)

• website/docs/cli/commands/auth/usage.mdx (1 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

website/**

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

website/**: Update website documentation in the website/ directory when adding new features
Follow the website's documentation structure and style
Keep website code in the website/ directory
Follow the existing website architecture and style
Document new features on the website
Include examples and use cases in website documentation

Files:

• website/docs/cli/commands/auth/usage.mdx

website/docs/cli/commands/*/*.mdx

📄 CodeRabbit inference engine (CLAUDE.md)

website/docs/cli/commands/*/*.mdx: All new commands/flags/parameters must have Docusaurus docs at website/docs/cli/commands//.mdx.
Use definition lists

for arguments/flags in MDX docs (no tables).
Follow Docusaurus frontmatter and section ordering: Usage → Examples → Arguments → Flags; include purpose note and screengrab.

Files:

• website/docs/cli/commands/auth/usage.mdx

🧠 Learnings (6)

📚 Learning: 2025-09-07T15:13:17.831Z

Learnt from: CR
PR: cloudposse/atmos#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-07T15:13:17.831Z
Learning: Applies to website/docs/cli/commands/*/*.mdx : Follow Docusaurus frontmatter and section ordering: Usage → Examples → Arguments → Flags; include purpose note and screengrab.

Applied to files:

• website/docs/cli/commands/auth/usage.mdx

📚 Learning: 2025-09-13T16:39:20.007Z

Learnt from: samtholiya
PR: cloudposse/atmos#1466
File: cmd/markdown/atmos_toolchain_aliases.md:2-4
Timestamp: 2025-09-13T16:39:20.007Z
Learning: In the cloudposse/atmos repository, CLI documentation files in cmd/markdown/ follow a specific format that uses " $ atmos command" (with leading space and dollar sign prompt) in code blocks. This is the established project convention and should not be changed to comply with standard markdownlint rules MD040 and MD014.

Applied to files:

• website/docs/cli/commands/auth/usage.mdx

📚 Learning: 2025-09-07T15:13:17.831Z

Learnt from: CR
PR: cloudposse/atmos#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-07T15:13:17.831Z
Learning: Applies to website/docs/cli/commands/*/*.mdx : All new commands/flags/parameters must have Docusaurus docs at website/docs/cli/commands/<command>/<subcommand>.mdx.

Applied to files:

• website/docs/cli/commands/auth/usage.mdx

📚 Learning: 2025-09-10T17:34:52.568Z

Learnt from: Benbentwo
PR: cloudposse/atmos#1475
File: pkg/auth/providers/github/oidc.go:96-100
Timestamp: 2025-09-10T17:34:52.568Z
Learning: The ATMOS_ environment variable binding guideline applies to Atmos configuration variables, not external service-required environment variables like GitHub Actions OIDC variables (GITHUB_ACTIONS, ACTIONS_ID_TOKEN_*) which must use their standard names.

Applied to files:

• website/docs/cli/commands/auth/usage.mdx

📚 Learning: 2025-09-07T18:07:00.549Z

Learnt from: Benbentwo
PR: cloudposse/atmos#1452
File: cmd/auth_login.go:43-44
Timestamp: 2025-09-07T18:07:00.549Z
Learning: In the atmos project, the identity flag is defined as a persistent flag on the auth root command (cmd/auth.go), making it available to all auth subcommands without needing to be redefined in each individual subcommand.

Applied to files:

• website/docs/cli/commands/auth/usage.mdx

📚 Learning: 2025-04-25T20:54:19.701Z

Learnt from: mcalhoun
PR: cloudposse/atmos#963
File: website/docs/core-concepts/projects/configuration/stores.mdx:286-286
Timestamp: 2025-04-25T20:54:19.701Z
Learning: For the AWS SSM Parameter Store implementation in Atmos, support for `read_role_arn` and `write_role_arn` options is essential to enable cross-account access, allowing users to run operations like `terraform plan` in multiple accounts while accessing values across keystores. Azure Key Vault would need similar capabilities for cross-tenant/subscription authentication.

Applied to files:

• website/docs/cli/commands/auth/usage.mdx

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Build (windows-latest, windows)
• GitHub Check: Build (ubuntu-latest, linux)
• GitHub Check: Analyze (go)
• GitHub Check: Lint (golangci)
• GitHub Check: Summary

🔇 Additional comments (3)

website/docs/cli/commands/auth/usage.mdx (3)

52-55: Subcommands index looks good.

DocCardList is the right choice here.

---

291-317: CLI examples are solid; dedupe and keep prompts consistent.

After removing the dotenv duplicate, the section reads well. No further changes needed.

---

285-286: No change needed — link target exists.
Verified website/docs/cli/commands/auth/user-configure.mdx (id: user-configure); /cli/commands/auth/user-configure is valid.