Claude-skill-registry atmos-auth

Clone the whole registry:

```bash
git clone https://github.com/majiayu000/claude-skill-registry
```

Or install only this skill into your local Claude skills directory:

```bash
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/atmos-auth" ~/.claude/skills/majiayu000-claude-skill-registry-atmos-auth && rm -rf "$T"
```

skills/data/atmos-auth/SKILL.md

Atmos Auth
Atmos Auth handles AWS authentication automatically based on your profile and the target stack.
Quick Start
```bash
# Set your profile (required for all atmos commands)
# Use your assigned profile: devops, developers, or managers
export ATMOS_PROFILE=<your-profile>

# Authenticate via SSO provider (preferred - triggers browser SSO)
atmos auth login --provider acme-sso

# Alternative: authenticate by specifying any identity (also triggers browser SSO)
atmos auth login --identity core-auto/terraform

# Run commands - Atmos auto-selects the correct identity per stack
atmos terraform plan vpc -s plat-use2-dev
```
How It Works
- Set your profile: `export ATMOS_PROFILE=<profile-name>` (or prefix each command with it)
- Authenticate when needed: Atmos authenticates per stack automatically. If credentials are expired it launches the IdP sign-in, or you can trigger the SSO login manually with `atmos auth login`.
- Run commands: Atmos automatically assumes the correct identity for each stack, derived from the stack name.
When you run `atmos terraform plan <component> -s <stack>`, Atmos:
- Renders all stack config, then determines the default identity for the stack
- If there's a single default identity (e.g., `plat-dev/terraform`), it's selected automatically
- Looks up that identity name in your profile to get the actual credentials
- Assumes the configured Permission Set in the target account
- Runs the Terraform command with those credentials
Identity Configuration
Each stack defines its default identity in its `_defaults.yaml` file:

```yaml
# stacks/orgs/acme/plat/dev/_defaults.yaml
auth:
  identities:
    plat-dev/terraform:
      default: true
```

The identity name (`plat-dev/terraform`) is resolved by your profile to determine the actual AWS credentials to use.
Profiles
Profiles are defined in `profiles/<profile-name>/atmos.yaml`. Each maps identities to Permission Sets:

| Profile | Core Accounts | Platform Dev/Sandbox | Platform Staging/Prod |
|---|---|---|---|
| | TerraformApplyAccess | TerraformApplyAccess | TerraformApplyAccess |
| | TerraformStateAccess | TerraformApplyAccess | TerraformPlanAccess |
| | TerraformStateAccess | TerraformPlanAccess | TerraformPlanAccess |

Permission Set capabilities:
- TerraformApplyAccess: full plan and apply
- TerraformPlanAccess: plan only (no apply)
- TerraformStateAccess: read state only (for cross-account references)
Identity Naming Convention
Identities follow the pattern `<tenant>-<stage>/terraform`.

Examples:
- `plat-dev/terraform`: platform dev account
- `core-auto/terraform`: core automation account
- `plat-prod/terraform`: platform production account
Special Cases
- superadmin profile: IAM user with MFA for break-glass access. Avoid it unless SSO is unavailable.
- github-plan profile: OIDC-based authentication for CI/CD plan operations. Uses planner roles with read-only access.
- github-apply profile: OIDC-based authentication for CI/CD apply operations. Uses terraform roles with full access. Only used from the main branch after a PR is merged.
Troubleshooting
If authentication fails:
- Verify `ATMOS_PROFILE` is set: `echo $ATMOS_PROFILE`
- Re-authenticate: `atmos auth login --provider acme-sso` (or `atmos auth login --identity core-auto/terraform`)
- Check you have the required Permission Set in AWS IAM Identity Center
- Verify the identity exists in `profiles/$ATMOS_PROFILE/atmos.yaml`
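The naming convention and the troubleshooting list above, as an added shell example that is not part of this skill or of Atmos itself: `identity_for_stack` derives `<tenant>-<stage>/terraform` from a stack name, assuming (an assumption consistent with the page's `plat-use2-dev` / `plat-dev/terraform` pair) that stack names have the form `<tenant>-<environment>-<stage>`; `preflight` then runs the troubleshooting checks in order against a profiles directory, looking for the identity name in the profile file as a literal string rather than parsing the real atmos.yaml schema. The function names and the fixture profile are hypothetical.

```bash
#!/usr/bin/env sh
# Added example, not Atmos code. Assumptions: stack names are
# <tenant>-<environment>-<stage> (plat-use2-dev -> plat-dev/terraform), and the
# profile file is only searched for the identity name as text, not parsed as
# the real atmos.yaml schema.

# identity_for_stack plat-use2-dev  -> plat-dev/terraform
identity_for_stack() {
  stack="$1"
  tenant="${stack%%-*}"   # text before the first '-'
  stage="${stack##*-}"    # text after the last '-'
  # A stack needs at least a tenant and a stage; refuse anything malformed
  if [ -z "$tenant" ] || [ -z "$stage" ] || [ "$tenant" = "$stack" ]; then
    echo "invalid stack name: '$stack'" >&2
    return 1
  fi
  printf '%s-%s/terraform\n' "$tenant" "$stage"
}

# preflight <profiles-dir> <stack>
# Walks the troubleshooting list: ATMOS_PROFILE set, profile file present,
# identity referenced in that profile. Returns 1 on the first failing check.
preflight() {
  profiles_dir="$1"; stack="$2"
  if [ -z "${ATMOS_PROFILE:-}" ]; then
    echo "FAIL: ATMOS_PROFILE is not set (export ATMOS_PROFILE=<your-profile>)" >&2
    return 1
  fi
  profile_file="$profiles_dir/$ATMOS_PROFILE/atmos.yaml"
  if [ ! -f "$profile_file" ]; then
    echo "FAIL: no profile file at $profile_file" >&2
    return 1
  fi
  identity="$(identity_for_stack "$stack")" || return 1
  if ! grep -q -F "$identity" "$profile_file"; then
    echo "FAIL: identity $identity is not defined in $profile_file" >&2
    return 1
  fi
  echo "OK: profile $ATMOS_PROFILE resolves $identity for stack $stack"
}

# Constructed fixture (sample data, not a real Atmos profile): a throwaway
# profiles tree with one profile that only knows two platform identities.
make_fixture() {
  dir="$(mktemp -d)"
  mkdir -p "$dir/developers"
  cat > "$dir/developers/atmos.yaml" <<'EOF'
# constructed stand-in for profiles/developers/atmos.yaml
identities:
  plat-dev/terraform: TerraformApplyAccess
  plat-prod/terraform: TerraformPlanAccess
EOF
  echo "$dir"
}

# Usage: sh atmos-preflight.sh demo
if [ "${1:-}" = "demo" ]; then
  FIX="$(make_fixture)"
  export ATMOS_PROFILE=developers
  preflight "$FIX" plat-use2-dev            # OK: identity present in the fixture
  preflight "$FIX" core-use2-auto || true   # FAIL: core-auto/terraform not in this profile
  rm -rf "$FIX"
fi
```

Running it with `demo` prints one OK line for `plat-use2-dev` and one FAIL line for `core-use2-auto`, which is the same distinction the real troubleshooting step ("verify the identity exists in the profile") asks you to make by hand.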
Debugging Authentication Issues
For authentication-specific debugging:

```bash
# Enable debug logging to see the auth flow
ATMOS_LOGS_LEVEL=debug atmos terraform plan <component> -s <stack>
```

Look for:
- Identity resolution (`<tenant>-<stage>/terraform`)
- SSO token retrieval
- Role assumption errors

For general Atmos debugging (configuration, variables, stack resolution), see the debugging-atmos skill.