# atmos auth exec

Run any tool (Terraform, AWS CLI, kubectl, etc.) with the right cloud identity injected automatically into the environment. Use `exec` when you want a one-off command to inherit secure, temporary credentials without polluting your shell session.

:::tip Exec vs Shell
Use `exec` for single commands or automation. Use [`shell`](/cli/commands/auth/shell) for interactive sessions where you'll run multiple commands.
:::

## Usage

```shell
atmos auth exec [--identity <name>] -- <command> [args...]
```

## Arguments

- **command**
  The program to execute with authentication environment variables set.
- **args...**
  Arguments to pass through to the command.

## Examples

### AWS Examples

```shell
# Run terraform with authenticated env (uses default identity)
atmos auth exec -- terraform plan -var-file=env.tfvars

# Interactively select identity
atmos auth exec --identity -- aws sts get-caller-identity

# Use a specific identity
atmos auth exec --identity prod-admin -- aws sts get-caller-identity

# Inspect AWS env vars
atmos auth exec -- env | grep AWS
```

### Azure Examples

```shell
# Run Azure CLI with authenticated identity
atmos auth exec --identity azure-dev -- az group list

# Run Terraform with Azure credentials
atmos auth exec --identity azure-prod -- terraform plan -var-file=azure.tfvars

# Verify Azure credentials
atmos auth exec --identity azure-dev -- az account show

# Inspect Azure env vars
atmos auth exec -- env | grep -E '^(AZURE_|ARM_)'
```
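
The `env | grep` inspections in the AWS and Azure examples print credential values along with the variable names, so the output can end up in CI logs or terminal scrollback. The filter below is an added example, not part of Atmos or its documentation. The function name `redact_auth_env` and the sample values are hypothetical, and it assumes the `AWS_`, `AZURE_` and `ARM_` prefixes grepped for above.

```shell
# Added example: show which auth-related variables are set without echoing
# their values. Reads KEY=VALUE lines (the output of `env`) on stdin.
redact_auth_env() {
  awk '
    # Keep only lines that begin with one of the prefixes this page greps for.
    # Everything else (other variables, continuation lines of multi-line
    # values) is dropped.
    /^(AWS_|AZURE_|ARM_)[A-Za-z0-9_]*=/ {
      eq = index($0, "=")            # split at the first "=" only,
      name = substr($0, 1, eq - 1)   # values may contain "=" themselves
      value = substr($0, eq + 1)
      if (value == "")
        printf "%s=<empty>\n", name
      else
        printf "%s=<redacted, %d chars>\n", name, length(value)
    }
  ' | LC_ALL=C sort
}

# Constructed sample standing in for the output of `atmos auth exec -- env`.
# The variable names Atmos actually sets may differ.
sample_env() {
  printf '%s\n' \
    'HOME=/home/dev' \
    'AWS_SESSION_TOKEN=constructed=token=value' \
    'AWS_ACCESS_KEY_ID=CONSTRUCTEDKEYID' \
    'AWS_REGION=' \
    'PATH=/usr/bin:/bin'
}

sample_env | redact_auth_env

# Real use (same pipeline shape as the inspection commands above):
#   atmos auth exec -- env | redact_auth_env
```

The value lengths still let you confirm that a credential is populated, and an `<empty>` entry flags a variable that was exported but not filled in.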

### CI/CD Examples (Azure OIDC)

In GitHub Actions or other CI/CD environments with OIDC support:

```shell
# Run Terraform with Azure OIDC credentials
atmos auth exec --identity azure-prod -- terraform apply -auto-approve

# Run Azure CLI commands with OIDC identity
atmos auth exec --identity azure-prod -- az resource list --resource-group my-rg
```

## Flags

- **`--identity` (alias `-i`)**

  Specify the identity to use. This flag has three modes:
  - **With value** (`--identity admin`): Use the specified identity
  - **Without value** (`--identity`): Show interactive selector to choose identity
  - **Omitted**: Use the default identity configured in `atmos.yaml`

## Notes

- `--` is required to stop Atmos flag parsing; everything after is passed to the subcommand.
