Demo: Using atmos env with GitHub Provider
This example demonstrates how to use atmos env to export environment variables
for Terraform providers that authenticate via environment variables.
Overview
The GitHub Terraform provider authenticates using the GITHUB_TOKEN environment
variable. This example shows how to:
- Configure
GITHUB_TOKENinatmos.yamlusing the!execYAML function - Export it using
atmos env - See the token masked while normal variables remain visible
Prerequisites
- GitHub CLI - Install and authenticate:
gh auth login
- Terraform >= 1.0
- Atmos CLI
Usage
1. Export environment variables
# View what will be exportedatmos env# Export to your shell. Piped output stays raw so eval can use the value.eval "$(atmos env)"
2. Run Terraform via Atmos
# Planatmos terraform plan github-repo -s demo# Applyatmos terraform apply github-repo -s demo
3. View outputs
atmos terraform output github-repo -s demo
Example output:
default_branch = "main"description = "Universal Tool for DevOps and Cloud Automation"html_url = "https://github.com/cloudposse/atmos"repository = "cloudposse/atmos"
How It Works
The atmos.yaml configures GITHUB_TOKEN in the global env section:
env:GITHUB_TOKEN: !exec gh auth tokenDEMO_ENVIRONMENT: local-development
When you run eval $(atmos env), it:
- Executes
gh auth tokento get your GitHub token - Exports it as
GITHUB_TOKEN - Exports normal variables like
DEMO_ENVIRONMENT - Makes them available to all subsequent commands
The GitHub provider in Terraform automatically uses this environment variable for authentication.
GitHub Actions
For CI/CD, use --format=github to write directly to $GITHUB_ENV:
- name: Export Atmos environmentrun: atmos env --format=github- name: Run Terraformrun: atmos terraform apply github-repo -s demo --auto-approve
Security Considerations
This example demonstrates dynamic credential retrieval using !exec. While convenient
for development, consider these security practices:
-
Local development: Using
gh auth tokenis appropriate since the token is already stored securely by the GitHub CLI and retrieved on-demand. -
CI/CD environments: In GitHub Actions, prefer using the built-in
GITHUB_TOKENsecret or repository secrets instead of!exec:env:GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -
Sensitive secrets: For highly sensitive credentials (API keys, database passwords), consider using dedicated secret managers (AWS Secrets Manager, HashiCorp Vault) via the
!storeYAML function instead of!exec. -
Output masking: Atmos automatically masks detected secrets in terminal output to prevent accidental exposure in logs.