atmos auth login

Authenticate with a configured identity using SSO, SAML, OIDC, or static credentials. Atmos retrieves and caches short-lived credentials so they can be reused until expiration, avoiding repeated logins for each command.

atmos auth login --help

Usage

atmos auth login [--identity <name>]

Examples

# Use default identity (prompts if no default is configured)
atmos auth login

# Interactively select identity (even if default is configured)
atmos auth login --identity

# Use specific identity
atmos auth login --identity admin

# Use short form of identity flag
atmos auth login -i admin

# Interactive selection with short form
atmos auth login -i

Arguments

n/a

No positional arguments.

Flags

--identity (alias -i)

Specify the identity to authenticate. This flag has three modes:

• With value (--identity admin): Use the specified identity
• Without value (--identity): Force interactive selector, even if a default identity is configured
• Omitted: Automatic behavior based on configuration:
  • Exactly one default identity: Use it automatically
  • No default identities (interactive): Show selector with all available identities
  • Multiple default identities (interactive): Show selector with only the default identities
  • No/multiple defaults (CI/non-interactive): Return an error

Environment variables: ATMOS_IDENTITY or IDENTITY (checked in that order)

--provider (alias -p)

Authenticate directly with a provider (bypassing identity selection). This is useful for:

• First-time login with auto_provision_identities: true when no identities exist yet
• Provider-level authentication without specifying a particular identity

When no identities are configured and no --provider flag is specified, Atmos automatically falls back to provider authentication: a single provider is auto-selected, multiple providers prompt for selection (interactive) or require --provider flag (non-interactive).

Interactive Identity Selection

Atmos provides an interactive identity selector in two scenarios:

1. No default configured: When no --identity flag is provided and no default identity is configured
2. Explicit request: When using --identity without a value (e.g., atmos auth login --identity)

This allows you to:

• Quickly choose an identity without remembering exact names
• Override the default identity temporarily without changing configuration
• Browse all available identities and make an informed selection

The interactive selector displays all configured identities with arrow key navigation and Enter to confirm. In CI/CD pipelines or non-interactive environments, you must either:

• Configure a default identity in your atmos.yaml
• Explicitly specify the identity using --identity <name> or environment variable

Integrations (ECR, EKS)

When you authenticate with an identity, Atmos automatically triggers any integrations linked to that identity (when auto_provision is enabled, which is the default). Integrations provide client-only credential materializations for services like ECR and EKS.

auth:
  identities:
    dev-admin:
      kind: aws/permission-set
      # ... identity config ...

  integrations:
    dev/ecr:
      kind: aws/ecr
      via:
        identity: dev-admin    # Links to the identity above
      spec:
        registry:
          account_id: "123456789012"
          region: us-east-2

$ atmos auth login dev-admin
Successfully authenticated as dev-admin
✓ ECR login: 123456789012.dkr.ecr.us-east-2.amazonaws.com (expires in 11h59m)

Integration failures are non-blocking - your identity authentication succeeds even if an integration fails. You can retry integrations separately using atmos auth ecr-login.

See ECR Authentication Tutorial for detailed configuration examples.

Notes

• Prints provider, identity, account, region, and expiration when successful.
• Credentials are cached to avoid repeated logins until expiration.
• The interactive selector uses arrow keys for navigation and Enter to confirm selection.
• Using --identity without a value is useful when:
  • You have a default identity configured but want to temporarily use a different one
  • You want to browse available identities before selecting
  • You're working in a team environment with multiple configured identities
• For AWS SSO (IAM Identity Center), you will see a verification code displayed in the terminal. This is a device authorization user code (e.g., "WDDD-HRQV") that AWS generates for the device flow - this is NOT an MFA token. The code is displayed so you can visually verify it matches what AWS shows in the browser. Any MFA prompts will appear in the browser during authentication.
• For Azure device code authentication, you will see a similar verification code and URL to complete browser-based authentication. Atmos writes credentials to the Azure CLI MSAL cache, ensuring full compatibility with Terraform's Azure providers (azurerm, azuread, azapi).

Authentication Methods

Atmos supports multiple authentication methods for different cloud providers:

AWS

• IAM Identity Center (SSO)
• IAM Roles Anywhere (certificate-based)
• OIDC (GitHub Actions, GitLab CI)
• Static credentials

See Migrating from Leapp for AWS examples.

Azure

• Device Code Flow (browser-based)
• OIDC (workload identity for CI/CD)
• Service Principals (client credentials)

See Azure Authentication for detailed Azure configuration.

See Also

• Auth ECR Login Command — Login to AWS ECR registries
• ECR Authentication Tutorial — Step-by-step ECR setup guide
• Auth Providers Configuration — Configure AWS SSO, SAML, and OIDC providers (including IAM permissions for identity provisioning)