Required Identities for Multi-Account Components

· 2 min read
Erik Osterman
Founder @ Cloud Posse

Atmos identities now support required: true, enabling automatic authentication of multiple identities before Terraform runs — without prompting.

The Problem

When Terraform components use multiple AWS provider aliases for multi-account patterns (e.g., hub-spoke networking), each provider assumes a different IAM role. In CI environments with OIDC authentication, only the primary identity's profile was written to the shared credentials file. The additional provider aliases failed because their AWS profiles didn't exist.

The Solution

Identities can now be marked as required: true. Before Terraform runs, Atmos automatically authenticates every required identity and writes their profiles to the shared credentials file — no prompting, no selection.

The required field is orthogonal to default:

  • default: true — sets the PRIMARY identity (AWS_PROFILE, credential env vars). Only one allowed.
  • required: true — auto-authenticate without prompting. Multiple allowed.

Example

```yaml
auth:
  identities:
    core-network:
      kind: aws/assume-role
      default: true    # Primary identity
      required: true   # Auto-authenticate
      # ... via, principal, etc. (see full identity config below)
    plat-prod:
      kind: aws/assume-role
      required: true   # Auto-authenticate as secondary
      # ... via, principal, etc.
    plat-staging:
      kind: aws/assume-role
      required: true   # Auto-authenticate as secondary
      # ... via, principal, etc.
```

This snippet highlights the default and required fields only. Each identity also needs via and principal configuration — see the full identities documentation for complete aws/assume-role examples.

How It Works

  1. Atmos authenticates the default identity as the primary (sets AWS_PROFILE and default credentials).
  2. Atmos finds all identities with required: true and authenticates each one.
  3. All profiles are written to the shared credentials file, making them available for Terraform provider aliases.
  4. Failures for non-primary required identities are non-fatal — Atmos logs a warning and continues.
  5. Terraform runs with all profiles available, so multi-account provider aliases resolve correctly.

The --identity CLI flag takes precedence over default for primary selection, but required identities are still authenticated as secondary.
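As an added example (not code from Atmos itself), here is a preflight check in Python that mirrors the steps above and the --identity precedence rule: it resolves the primary identity, lists the required identities, and reports which of their profiles are present in the shared credentials file, treating a missing primary profile as fatal and missing secondary profiles as warnings. It assumes the profile name written to the credentials file equals the identity name; the identity map and credentials text are constructed inline.

```python
import configparser

# Constructed identity map mirroring the atmos.yaml snippet above.
# Assumption: the profile written to the credentials file is named after the identity.
IDENTITIES = {
    "core-network": {"kind": "aws/assume-role", "default": True, "required": True},
    "plat-prod": {"kind": "aws/assume-role", "required": True},
    "plat-staging": {"kind": "aws/assume-role", "required": True},
    "plat-dev": {"kind": "aws/assume-role"},  # neither default nor required
}

# Constructed shared credentials file after a run where plat-staging failed to authenticate.
CREDENTIALS_FILE = """
[core-network]
aws_access_key_id = PLACEHOLDER-PRIMARY-KEY
aws_secret_access_key = PLACEHOLDER-PRIMARY-SECRET
aws_session_token = PLACEHOLDER-PRIMARY-TOKEN

[plat-prod]
aws_access_key_id = PLACEHOLDER-PROD-KEY
aws_secret_access_key = PLACEHOLDER-PROD-SECRET
aws_session_token = PLACEHOLDER-PROD-TOKEN
"""


def primary_identity(identities, cli_identity=None):
    """Primary selection: the --identity flag wins, otherwise the single default: true."""
    if cli_identity:
        if cli_identity not in identities:
            raise ValueError(f"unknown identity {cli_identity!r}")
        return cli_identity
    defaults = [name for name, cfg in identities.items() if cfg.get("default")]
    if len(defaults) != 1:
        raise ValueError(f"expected exactly one default identity, found {defaults}")
    return defaults[0]


def required_identities(identities):
    """All identities that must be authenticated without prompting (order preserved)."""
    return [name for name, cfg in identities.items() if cfg.get("required")]


def preflight(identities, credentials_text, cli_identity=None):
    """Return (primary, present_secondary, missing_secondary).
    A missing primary profile is fatal; missing secondary profiles only warn."""
    creds = configparser.ConfigParser()
    creds.read_string(credentials_text)
    present = set(creds.sections())
    primary = primary_identity(identities, cli_identity)
    if primary not in present:
        raise RuntimeError(f"primary profile {primary!r} missing from credentials file")
    ok, missing = [], []
    for name in required_identities(identities):
        if name != primary:
            (ok if name in present else missing).append(name)
    for name in missing:
        print(f"WARNING: required identity {name!r} has no profile; its provider alias will fail")
    return primary, ok, missing
```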