Skip to main content

atmos auth exec

Run any tool (Terraform, AWS CLI, kubectl, etc.) with the right cloud identity injected automatically into the environment. Use exec when you want a one-off command to inherit secure, temporary credentials without polluting your shell session.

atmos auth exec --help

Exec vs Shell

Use exec for single commands or automation. Use shell for interactive sessions where you'll run multiple commands.

Usage

atmos auth exec [--identity <name>] -- <command> [args...]

Arguments

command
The program to execute with authentication environment variables set.
args...
Arguments to pass through to the command.

Examples

AWS Examples

# Run terraform with authenticated env (uses default identity)
atmos auth exec -- terraform plan -var-file=env.tfvars

# Interactively select identity
atmos auth exec --identity -- aws sts get-caller-identity

# Use a specific identity
atmos auth exec --identity prod-admin -- aws sts get-caller-identity

# Inspect AWS env vars
atmos auth exec -- env | grep AWS

Azure Examples

# Run Azure CLI with authenticated identity
atmos auth exec --identity azure-dev -- az group list

# Run Terraform with Azure credentials
atmos auth exec --identity azure-prod -- terraform plan -var-file=azure.tfvars

# Verify Azure credentials
atmos auth exec --identity azure-dev -- az account show

# Inspect Azure env vars
atmos auth exec -- env | grep -E '^(AZURE_|ARM_)'

CI/CD Examples (Azure OIDC)

In GitHub Actions or other CI/CD environments with OIDC support:

# Run Terraform with Azure OIDC credentials
atmos auth exec --identity azure-prod -- terraform apply -auto-approve

# Run Azure CLI commands with OIDC identity
atmos auth exec --identity azure-prod -- az resource list --resource-group my-rg

Flags

--identity (alias -i)

Specify the identity to use. This flag has three modes:

  • With value (--identity admin): Use the specified identity
  • Without value (--identity): Show interactive selector to choose identity
  • Omitted: Use the default identity configured in atmos.yaml

Notes

  • -- is required to stop Atmos flag parsing; everything after is passed to the subcommand.