# atmos auth login

Authenticate with a configured identity using SSO, SAML, OIDC, or static credentials. Atmos retrieves and caches short-lived credentials so they can be reused until expiration, avoiding repeated logins for each command.

## Usage

```shell
atmos auth login [--identity <name>]
```

## Examples

```shell
# Use default identity (prompts if no default is configured)
atmos auth login

# Interactively select identity (even if default is configured)
atmos auth login --identity

# Use specific identity
atmos auth login --identity admin

# Use short form of identity flag
atmos auth login -i admin

# Interactive selection with short form
atmos auth login -i
```

## Arguments

- **n/a**
  No positional arguments.

## Flags

- **`--identity` (alias `-i`)**

  Specify the identity to authenticate. This flag has three modes:
  - **With value** (`--identity admin`): Use the specified identity
  - **Without value** (`--identity`): Force interactive selector, even if a default identity is configured
  - **Omitted**: Automatic behavior based on configuration:
    - **Exactly one default identity**: Use it automatically
    - **No default identities** (interactive): Show selector with all available identities
    - **Multiple default identities** (interactive): Show selector with only the default identities
    - **No/multiple defaults** (CI/non-interactive): Return an error

  **Environment variables:** `ATMOS_IDENTITY` or `IDENTITY` (checked in that order)

- **`--provider` (alias `-p`)**

  Authenticate directly with a provider (bypassing identity selection). This is useful for:
  - **First-time login** with `auto_provision_identities: true` when no identities exist yet
  - **Provider-level authentication** without specifying a particular identity

  When no identities are configured and no `--provider` flag is specified, Atmos automatically
  falls back to provider authentication: a single provider is auto-selected, while multiple providers
  prompt for selection (interactive) or require the `--provider` flag (non-interactive).

## Interactive Identity Selection

Atmos provides an interactive identity selector in two scenarios:

1. **No default configured**: When no `--identity` flag is provided and no default identity is configured
2. **Explicit request**: When using `--identity` without a value (e.g., `atmos auth login --identity`)

This allows you to:

- Quickly choose an identity without remembering exact names
- Override the default identity temporarily without changing configuration
- Browse all available identities and make an informed selection

The interactive selector displays all configured identities with arrow key navigation and Enter to confirm. In CI/CD pipelines or non-interactive environments, you must either:

- Configure a default identity in your `atmos.yaml`
- Explicitly specify the identity using `--identity <name>` or the `ATMOS_IDENTITY` / `IDENTITY` environment variable
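
The selection rules from the Flags section and the CI requirement above, modelled as a shell function you can use to reason about which identity a pipeline will end up with. This is an added example, not Atmos source code; the function name `resolve_identity`, its argument encoding, flag-over-environment precedence, and the error for a bare `--identity` without a terminal are assumptions.

```shell
#!/bin/sh
# Added example: a model of the documented selection rules, not Atmos source code.
# usage: resolve_identity <flag> <mode> <defaults>
#   flag:     "omitted" | "bare" (--identity with no value) | "value:<name>"
#   mode:     "tty" (interactive) | "ci" (non-interactive)
#   defaults: space-separated names of identities marked default (may be empty)
# Prints "use:<name>", "select:all", "select:defaults" or "error:<reason>".
resolve_identity() {
  ri_flag=$1 ri_mode=$2 ri_defaults=$3

  case $ri_flag in
    value:*)
      echo "use:${ri_flag#value:}"; return 0 ;;
    bare)
      # Assumption: a bare --identity cannot be satisfied without a terminal.
      if [ "$ri_mode" = tty ]; then echo "select:all"; return 0; fi
      echo "error:selector needs a terminal"; return 1 ;;
  esac

  # Flag omitted: ATMOS_IDENTITY, then IDENTITY (documented order).
  # Assumption: an explicit flag value wins over both variables.
  if [ -n "${ATMOS_IDENTITY:-}" ]; then echo "use:$ATMOS_IDENTITY"; return 0; fi
  if [ -n "${IDENTITY:-}" ]; then echo "use:$IDENTITY"; return 0; fi

  # Count the default identities by word-splitting the list.
  set -- $ri_defaults
  case $#:$ri_mode in
    1:*)   echo "use:$1" ;;
    0:tty) echo "select:all" ;;
    *:tty) echo "select:defaults" ;;
    *)     echo "error:no single default identity in non-interactive mode"
           return 1 ;;
  esac
}

# Constructed CI scenarios: flag omitted, no terminal, environment cleared.
(
  unset ATMOS_IDENTITY IDENTITY
  resolve_identity omitted ci "dev-admin"
  resolve_identity omitted ci "dev-admin prod-admin" || true
  IDENTITY=dev-admin
  resolve_identity omitted ci "dev-admin prod-admin"
)
```

In a pipeline, the second scenario is the one to guard against: pin the identity with `--identity <name>` or `ATMOS_IDENTITY` so the job never depends on how many defaults `atmos.yaml` happens to contain.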

## Integrations (ECR & EKS)

When you authenticate with an identity, Atmos automatically triggers any **integrations** linked to that identity (when `auto_provision` is enabled, which is the default). Integrations provide client-only credential materializations for services like ECR and EKS.

```yaml
auth:
  identities:
    dev-admin:
      kind: aws/permission-set
      # ... identity config ...

  integrations:
    dev/ecr:
      kind: aws/ecr
      via:
        identity: dev-admin
      spec:
        registry:
          account_id: "123456789012"
          region: us-east-2

    dev/eks:
      kind: aws/eks
      via:
        identity: dev-admin
      spec:
        cluster:
          name: dev-cluster
          region: us-east-2
          alias: dev-eks
```

```bash
$ atmos auth login --identity dev-admin
Successfully authenticated as dev-admin
✓ ECR login: 123456789012.dkr.ecr.us-east-2.amazonaws.com (expires in 11h59m)
✓ EKS kubeconfig: dev-eks → ~/.config/atmos/kube/config
```

Integration failures are non-blocking - your identity authentication succeeds even if an integration fails. You can retry integrations separately using [`atmos aws ecr login`](/cli/commands/aws/ecr-login) or [`atmos aws eks update-kubeconfig --integration`](/cli/commands/aws/eks/update-kubeconfig).

See [ECR Authentication Tutorial](/tutorials/ecr-authentication) and [EKS Kubeconfig Authentication Tutorial](/tutorials/eks-kubeconfig-authentication) for detailed configuration examples.

## Notes

- Prints provider, identity, account, region, and expiration when successful.
- Credentials are cached to avoid repeated logins until expiration.
- The interactive selector uses arrow keys for navigation and Enter to confirm selection.
- Using `--identity` without a value is useful when:
  - You have a default identity configured but want to temporarily use a different one
  - You want to browse available identities before selecting
  - You're working in a team environment with multiple configured identities
- For AWS SSO (IAM Identity Center), you will see a **verification code** displayed in the terminal. This is a device authorization user code (e.g., "WDDD-HRQV") that AWS generates for the device flow - **this is NOT an MFA token**. The code is displayed so you can visually verify it matches what AWS shows in the browser. Any MFA prompts will appear in the browser during authentication.
- For Azure device code authentication, you will see a similar **verification code** and URL to complete browser-based authentication. Atmos writes credentials to the Azure CLI MSAL cache, ensuring full compatibility with Terraform's Azure providers (azurerm, azuread, azapi).

## Authentication Methods

Atmos supports multiple authentication methods for different cloud providers:

### AWS

- IAM Identity Center (SSO)
- IAM Roles Anywhere (certificate-based)
- OIDC (GitHub Actions, GitLab CI)
- Static credentials
- Browser-based OAuth2 PKCE (automatic fallback for `aws/user` identities)

See [Migrating from Leapp](/tutorials/migrating-from-leapp) for AWS examples.

### Azure

- Device Code Flow (browser-based)
- OIDC (workload identity for CI/CD)
- Service Principals (client credentials)

See [Azure Authentication](/tutorials/azure-authentication) for detailed Azure configuration.

## See Also

- [AWS ECR Login Command](/cli/commands/aws/ecr-login) — Login to AWS ECR registries
- [AWS EKS Token Command](/cli/commands/aws/eks-token) — Generate EKS bearer tokens for kubectl
- [ECR Authentication Tutorial](/tutorials/ecr-authentication) — Step-by-step ECR setup guide
- [EKS Kubeconfig Authentication Tutorial](/tutorials/eks-kubeconfig-authentication) — Step-by-step EKS setup guide
- [Auth Providers Configuration](/cli/configuration/auth/providers) — Configure AWS SSO, SAML, and OIDC providers (including IAM permissions for identity provisioning)
