Providers
Providers are the upstream systems that Atmos uses to obtain initial credentials. Configure providers in the auth.providers section of your atmos.yaml.
- AWS
- Azure
- GCP
IAM Identity Center (SSO)
The most common provider for AWS organizations using SSO.
atmos.yaml
- `kind` - Required. Must be `aws/iam-identity-center`.
- `region` - Required. AWS region for the Identity Center instance.
- `start_url` - Required. Your AWS SSO start URL (e.g., `https://company.awsapps.com/start`).
- `auto_provision_identities` - Optional. When `true`, Atmos automatically discovers all AWS accounts and permission sets assigned to the user and creates identities for them. This eliminates the need to manually configure each identity. Default: `false`.
- `session.duration` - Optional. Session duration for CLI credentials (e.g., `1h`, `4h`). Default varies by provider.
- `console.session_duration` - Optional. Web console session duration. Maximum 12 hours for AWS.
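As an added example (not a code block from the Atmos documentation), the following atmos.yaml fragment configures an IAM Identity Center provider with the fields listed above. The provider name `acme-corp`, the start URL, and the two durations are assumed values:

```yaml
# Added example: IAM Identity Center provider. The provider name, start_url
# and durations are assumed values, not taken from the Atmos documentation.
auth:
  providers:
    acme-corp:
      kind: aws/iam-identity-center
      region: us-east-1
      start_url: https://acme.awsapps.com/start
      # Discover accounts and permission sets at login. This needs the
      # sso:ListAccounts and sso:ListAccountRoles permissions on the
      # permission set users sign in with; without them Atmos falls back
      # to manually configured identities.
      auto_provision_identities: true
      session:
        duration: 4h           # lifetime of CLI credentials
      console:
        session_duration: 12h  # AWS web console maximum
```

Keeping `session.duration` short and `console.session_duration` at or below the AWS maximum limits how long a leaked credential stays usable; `atmos auth validate` checks the resulting provider configuration.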
IAM Permissions for Identity Provisioning
When using automatic identity provisioning (auto_provision_identities: true), Atmos queries AWS Identity Center APIs during login to discover available permission sets across assigned accounts. This requires specific IAM permissions.
Required IAM Permissions
Basic Provisioning (Required)
These permissions are required for automatic identity provisioning to work:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:ListAccounts",
        "sso:ListAccountRoles"
      ],
      "Resource": "*"
    }
  ]
}
```
APIs Used:
- `sso:ListAccounts` - Enumerates all AWS accounts the user can access
- `sso:ListAccountRoles` - Lists available permission sets (roles) for each account
How to Apply Permissions
These permissions should be attached to the IAM Identity Center permission set that users authenticate with, or to the IAM user/role if using static credentials. Without these permissions, identity provisioning will fail gracefully and fall back to manually configured identities.
SAML
For organizations using SAML-based identity providers like Okta, Google Apps, or ADFS.
atmos.yaml
- `kind` - Required. Must be `aws/saml`.
- `region` - Required. AWS region.
- `url` - Required. SAML SSO URL from your identity provider.
- `driver` - Optional. Authentication method: `Browser` (default, requires Playwright), `GoogleApps`, `Okta`, or `ADFS`.
The aws/saml provider requires the next identity to be of kind aws/assume-role, as the SAML authentication flow requires selecting a role to assume.
GitHub Actions OIDC
For CI/CD pipelines running in GitHub Actions.
atmos.yaml
- `kind` - Required. Must be `github/oidc`.
- `region` - Required. AWS region for STS endpoint.
- `spec.audience` - Optional. OIDC audience. Defaults to STS endpoint for the region.
Device Code
For interactive browser-based authentication to Azure, similar to az login --use-device-code.
atmos.yaml
- `kind` - Required. Must be `azure/device-code`.
- `spec.tenant_id` - Required. Azure AD tenant ID.
- `spec.subscription_id` - Optional. Default Azure subscription ID.
- `spec.location` - Optional. Default Azure region (e.g., `eastus`, `westeurope`).
- `spec.client_id` - Optional. Azure AD application (client) ID. Defaults to Azure CLI's public client ID.
- `spec.cloud_environment` - Optional. Azure cloud environment for sovereign clouds. Supported values: `public` (default), `usgovernment` (Azure Government / GCC High), `china` (Azure China / Mooncake). When set, Atmos uses the correct login endpoints, API scopes, and blob storage URLs for the target cloud.
How it works:
- Atmos displays a device code and opens https://microsoft.com/devicelogin
- You enter the code and sign in (with MFA if configured)
- Atmos acquires tokens for Azure Resource Manager, Microsoft Graph, and Azure Key Vault
- Tokens are cached in `~/.azure/msal_token_cache.json` for Terraform compatibility
For a detailed walkthrough with examples, see the Azure Authentication Tutorial.
OIDC (Workload Identity Federation)
For CI/CD pipelines using federated identity tokens (GitHub Actions, Azure DevOps, etc.).
atmos.yaml
- `kind` - Required. Must be `azure/oidc`.
- `spec.tenant_id` - Required. Azure AD tenant ID.
- `spec.client_id` - Required. Azure AD application (client) ID with federated credentials configured.
- `spec.subscription_id` - Optional. Default Azure subscription ID.
- `spec.location` - Optional. Default Azure region.
- `spec.audience` - Optional. OIDC audience for token exchange.
- `spec.token_file_path` - Optional. Path to file containing the OIDC token. If not set, uses environment variables (`ACTIONS_ID_TOKEN_REQUEST_URL` in GitHub Actions).
- `spec.cloud_environment` - Optional. Azure cloud environment for sovereign clouds. Supported values: `public` (default), `usgovernment` (Azure Government / GCC High), `china` (Azure China / Mooncake). When set, Atmos uses the correct login endpoints, API scopes, and blob storage URLs for the target cloud.
GitHub Actions Setup
.github/workflows/deploy.yaml
CLI
For using existing Azure CLI credentials from az login.
atmos.yaml
- `kind` - Required. Must be `azure/cli`.
- `spec.tenant_id` - Required. Azure AD tenant ID.
- `spec.subscription_id` - Optional. Default Azure subscription ID.
- `spec.location` - Optional. Default Azure region.
- `spec.cloud_environment` - Optional. Azure cloud environment for sovereign clouds. Supported values: `public` (default), `usgovernment` (Azure Government / GCC High), `china` (Azure China / Mooncake). When set, Atmos uses the correct login endpoints, API scopes, and blob storage URLs for the target cloud.
The azure/cli provider requires existing Azure CLI credentials. Run az login first.
Sovereign Clouds (GCC High, China)
Azure sovereign clouds use different authentication endpoints and API scopes than Azure Commercial (public). Set cloud_environment in your provider spec to target the correct cloud:
atmos.yaml (Azure Government / GCC High)
atmos.yaml (Azure China / Mooncake)
When cloud_environment is set, Atmos automatically adjusts:
- Login endpoint (e.g., `login.microsoftonline.us` for GCC High, `login.chinacloudapi.cn` for China)
- API scopes (Azure Resource Manager, Microsoft Graph, KeyVault)
- Blob storage URLs used by `!terraform.state` YAML functions
- Portal URLs for `atmos auth console`
| Cloud | cloud_environment | Login Endpoint | Blob Storage Suffix |
|---|---|---|---|
| Commercial | public (default) | login.microsoftonline.com | blob.core.windows.net |
| US Government / GCC High | usgovernment | login.microsoftonline.us | blob.core.usgovcloudapi.net |
| China (Mooncake) | china | login.chinacloudapi.cn | blob.core.chinacloudapi.cn |
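The two sovereign-cloud atmos.yaml examples referred to above, reconstructed as an added example rather than copied from the Atmos documentation. The provider names, the tenant and subscription IDs (placeholders), and the regions `usgovvirginia` and `chinaeast2` are assumed; the `cloud_environment` values are the ones documented in the table:

```yaml
# Added example: device-code providers targeting Azure sovereign clouds.
# Provider names, IDs and regions are placeholders, not from the Atmos docs.
auth:
  providers:
    azure-gov:
      kind: azure/device-code
      spec:
        tenant_id: 00000000-0000-0000-0000-000000000000        # placeholder
        subscription_id: 11111111-1111-1111-1111-111111111111  # placeholder
        location: usgovvirginia
        # Routes login to login.microsoftonline.us and uses GCC High
        # API scopes and blob.core.usgovcloudapi.net storage URLs.
        cloud_environment: usgovernment
    azure-china:
      kind: azure/device-code
      spec:
        tenant_id: 22222222-2222-2222-2222-222222222222        # placeholder
        subscription_id: 33333333-3333-3333-3333-333333333333  # placeholder
        location: chinaeast2
        # Routes login to login.chinacloudapi.cn and uses
        # blob.core.chinacloudapi.cn storage URLs.
        cloud_environment: china
```

If `cloud_environment` is left at the default `public` for a GCC High or China tenant, the device-code flow is sent to `login.microsoftonline.com`, where the tenant does not exist, so the login fails rather than silently succeeding against the wrong cloud.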
Sovereign cloud support also affects the Terraform azurerm backend. Set environment in your backend configuration to match:
```yaml
backend:
  azurerm:
    storage_account_name: mystorageaccount
    container_name: tfstate
    key: terraform.tfstate
    environment: usgovernment # Matches Terraform azurerm backend "environment" field
```
This ensures !terraform.state YAML functions use the correct blob storage endpoint.
Application Default Credentials
For local development using existing gcloud authentication.
atmos.yaml
- `kind` - Required. Must be `gcp/adc`.
- `project_id` - Optional. GCP project ID. If not set, uses the project from `gcloud config`.
- `region` - Optional. Default GCP region for resources.
- `scopes` - Optional. OAuth scopes for the access token. Defaults to `https://www.googleapis.com/auth/cloud-platform`.
The gcp/adc provider requires existing Application Default Credentials. Run gcloud auth application-default login first.
Workload Identity Federation
For CI/CD pipelines using OIDC tokens (e.g., GitHub Actions).
In GitHub Actions, token_source is auto-detected — you only need the WIF pool configuration:
atmos.yaml
When running in GitHub Actions (detected via ACTIONS_ID_TOKEN_REQUEST_URL), Atmos automatically:
- Sets `token_source.type` to `url`
- Uses `ACTIONS_ID_TOKEN_REQUEST_URL` as the token endpoint
- Uses `ACTIONS_ID_TOKEN_REQUEST_TOKEN` as the bearer token
- Constructs the OIDC `audience` from `project_number`, `workload_identity_pool_id`, and `workload_identity_provider_id`
- Validates the token URL against known GitHub Actions OIDC hosts (`*.actions.githubusercontent.com`)
For non-GitHub environments, configure token_source explicitly:
atmos.yaml (non-GitHub)
- `kind` - Required. Must be `gcp/workload-identity-federation`.
- `project_id` - Optional. GCP project ID for the resulting credentials.
- `project_number` - Required. GCP project number (numeric) where WIF is configured.
- `workload_identity_pool_id` - Required. Workload Identity Pool ID.
- `workload_identity_provider_id` - Required. Workload Identity Provider ID within the pool.
- `service_account_email` - Optional. Service account to impersonate after federation. If not set, uses the federated token directly.
- `token_source` - Optional in GitHub Actions (auto-detected). Required for other OIDC providers.
- `token_source.type` - Token source type: `url`, `file`, or `environment`. Auto-detected as `url` in GitHub Actions.
- `token_source.environment_variable` - For `type: environment`. Environment variable containing the OIDC token.
- `token_source.file_path` - For `type: file`. Path to file containing the OIDC token.
- `token_source.url` - For `type: url`. URL to fetch OIDC token. In GitHub Actions, defaults to `ACTIONS_ID_TOKEN_REQUEST_URL`.
- `token_source.request_token` - For `type: url`. Bearer token for authenticating to the OIDC token endpoint. In GitHub Actions, defaults to `ACTIONS_ID_TOKEN_REQUEST_TOKEN`.
- `token_source.audience` - Optional. Audience for the OIDC token request. In GitHub Actions, auto-constructed from `project_number`, `workload_identity_pool_id`, and `workload_identity_provider_id`.
- `token_source.allowed_hosts` - For `type: url`. Allowed hostnames for the token endpoint. Not needed in GitHub Actions (validated against known GitHub hosts automatically).
- `scopes` - Optional. OAuth scopes for the access token.
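The non-GitHub atmos.yaml referred to above, written out as an added example (not a code block from the Atmos documentation) that shows two of the three explicit `token_source` types. The provider names, project ID, project number, pool and provider IDs, service account, token file path, token endpoint and its host are all assumed or placeholder values:

```yaml
# Added example: Workload Identity Federation outside GitHub Actions.
# Every ID, path and URL below is a placeholder, not from the Atmos docs.
auth:
  providers:
    # A runner that mounts its OIDC token as a file (e.g. a Kubernetes
    # projected service-account token).
    gcp-k8s:
      kind: gcp/workload-identity-federation
      project_id: acme-prod                 # assumed
      project_number: "123456789012"        # placeholder numeric project number
      workload_identity_pool_id: k8s-pool   # assumed
      workload_identity_provider_id: k8s    # assumed
      service_account_email: deployer@acme-prod.iam.gserviceaccount.com  # placeholder
      token_source:
        type: file
        file_path: /var/run/secrets/tokens/gcp-token  # assumed mount path
    # A runner that must fetch its token from an endpoint with a bearer token.
    gcp-ci:
      kind: gcp/workload-identity-federation
      project_id: acme-prod                 # assumed
      project_number: "123456789012"        # placeholder
      workload_identity_pool_id: ci-pool    # assumed
      workload_identity_provider_id: ci     # assumed
      token_source:
        type: url
        url: https://oidc.ci.example.internal/token       # placeholder endpoint
        request_token: ${CI_OIDC_REQUEST_TOKEN}           # assumed env var
        audience: //iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/ci-pool/providers/ci
        # Pin the endpoint so the bearer token is only ever sent to this host.
        allowed_hosts:
          - oidc.ci.example.internal
```

`allowed_hosts` is the check GitHub Actions gets for free (`*.actions.githubusercontent.com`); for any other `type: url` source, listing the expected hostname keeps a mis-set or overridden `url` from shipping the `request_token` to an unintended host. Omitting `service_account_email`, as in `gcp-ci`, means the federated token itself is used for the resulting credentials.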
GitHub Actions Setup
In GitHub Actions, the only requirement is id-token: write permission. No token_source configuration is needed:
.github/workflows/deploy.yaml
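The deploy workflow referred to in this section and in the Azure OIDC "GitHub Actions Setup" above, written out as an added example that is not from the Atmos documentation. The only requirement the page states is the `id-token: write` permission, which both the `gcp/workload-identity-federation` and `azure/oidc` providers rely on; the setup action `cloudposse/github-action-setup-atmos`, its version tag, the branch, the component name `myapp`, and the stack name `prod` are assumptions:

```yaml
# Added example workflow. The setup action, its version, and the
# component/stack names are assumed, not from the Atmos documentation.
name: deploy

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # lets the job request an OIDC token from GitHub

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Assumed installer action for the atmos CLI.
      - uses: cloudposse/github-action-setup-atmos@v2
      - name: Deploy
        env:
          # Optional: selects the CI profile so the shared provider name
          # resolves to the OIDC-based provider (see "Using Profiles").
          ATMOS_PROFILE: ci
        run: atmos terraform apply myapp -s prod
```

With `id-token: write` granted, GitHub exports `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` into the job, which is what Atmos auto-detects; no long-lived cloud secret is stored in the repository.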
Multiple Providers
You can configure multiple providers for different use cases and cloud platforms:
atmos.yaml
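The multi-provider atmos.yaml referred to above, as an added example that is not a code block from the Atmos documentation. It names one provider per use case so that identities can pick them by name through `via.provider`; the provider names, the SAML URL, the tenant ID and the GCP project ID are assumed or placeholder values:

```yaml
# Added example: several named providers in one atmos.yaml. Names, URLs
# and IDs are assumed/placeholder values, not from the Atmos documentation.
auth:
  providers:
    acme-sso:            # people: AWS IAM Identity Center in the browser
      kind: aws/iam-identity-center
      region: us-east-1
      start_url: https://acme.awsapps.com/start
    acme-okta:           # people on an Okta-fronted AWS account (SAML)
      kind: aws/saml
      region: us-east-1
      url: https://acme.okta.com/app/placeholder/sso/saml   # placeholder
      driver: Okta
      # Identities using this provider must be of kind aws/assume-role.
    github-ci:           # GitHub Actions runners: OIDC token to AWS STS
      kind: github/oidc
      region: us-east-1
    azure-dev:           # reuse an existing `az login` session
      kind: azure/cli
      spec:
        tenant_id: 00000000-0000-0000-0000-000000000000   # placeholder
    gcp-dev:             # reuse gcloud Application Default Credentials
      kind: gcp/adc
      project_id: acme-dev                                # assumed
```

Separating human and machine providers this way keeps browser-based flows out of CI and keeps CI-only OIDC providers from being picked up accidentally on a workstation.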
Each provider can be referenced by name in identity configurations using the via.provider field.
Using Profiles for Different Environments
Use Atmos profiles to swap provider implementations while keeping the same provider name. This allows your identities to reference a single provider (e.g., acme-corp) that behaves differently depending on the active profile:
- Developers authenticate via SSO in their browser
- CI/CD pipelines authenticate via GitHub OIDC tokens
- Platform engineers use SSO with extended session durations
Because the provider name stays consistent, your identity configurations work unchanged across all environments.
Create a directory for each profile:
```text
profiles/
├── dev/
│   └── auth.yaml
├── ci/
│   └── auth.yaml
└── platform/
    └── auth.yaml
```
profiles/dev/auth.yaml
```yaml
# Profile for local development (SSO)
auth:
  providers:
    acme-corp:
      kind: aws/iam-identity-center
      region: us-east-1
      start_url: https://acme.awsapps.com/start
```
profiles/ci/auth.yaml
```yaml
# Profile for CI/CD pipelines (OIDC)
auth:
  providers:
    acme-corp:
      kind: github/oidc
      region: us-east-1
```
profiles/platform/auth.yaml
```yaml
# Profile for platform engineers (SSO with extended sessions)
auth:
  providers:
    acme-corp:
      kind: aws/iam-identity-center
      region: us-east-1
      start_url: https://acme.awsapps.com/start
      session:
        duration: 8h
```
Activate a profile with --profile or the ATMOS_PROFILE environment variable:
```shell
# Use the CI profile in GitHub Actions
ATMOS_PROFILE=ci atmos terraform apply myapp -s prod
# Use the platform profile for extended sessions
atmos --profile platform auth login
```
Related Commands
- atmos auth login - Authenticate with a configured provider
- atmos auth validate - Validate provider configuration
- atmos auth console - Open cloud console in browser
- atmos auth list - List available identities and providers
Tutorials
- Azure Authentication — Complete guide for Azure device code, OIDC, and CLI authentication
See Also
- Identities — Configure identities that use these providers
- Profiles — Environment-specific configuration overrides