
Atmos Auth Implementation #1475

Merged
aknysh merged 333 commits into main from atmos-auth/implementation/4
Oct 6, 2025

Conversation

Benbentwo (Member) commented Sep 9, 2025

Note: Opening a new PR to help simplify comments.
closes #1424
closes #1452

what

This PR introduces a complete authentication system for Atmos, enabling secure multi-cloud authentication with support for AWS IAM Identity Center (SSO), SAML providers, assume role chains, and AWS user credentials. The system provides seamless integration with Terraform workflows while maintaining isolation from users' existing AWS configurations.

Features

Authentication Providers

  • AWS IAM Identity Center (SSO) - Full SSO integration with session management
  • AWS SAML - Browser-based SAML authentication with MFA support (Google Apps, Okta, ADFS)
  • AWS Assume Role - Cross-account role assumption capabilities
  • AWS User - Direct AWS access key authentication with MFA support

Identity Chaining

  • Sequential authentication flows (e.g., SSO → Permission Set → Assume Role)
  • Recursive provider resolution through identity chains
  • Circular dependency detection and prevention

CLI Commands

  • atmos auth login - Interactive authentication with identity selection
  • atmos auth whoami - Display current authentication status
  • atmos auth env - Export environment variables (export, json, dotenv formats)
  • atmos auth exec - Execute commands with authentication context
  • atmos auth validate - Comprehensive configuration validation
  • atmos auth user configure - AWS user credential configuration

AWS Integration

  • Isolated credential files: ~/.aws/atmos//credentials
  • Separate config files: ~/.aws/atmos//config
  • Automatic environment variable management (AWS_PROFILE, AWS_SHARED_CREDENTIALS_FILE, AWS_CONFIG_FILE)
  • Terraform prehook integration for seamless workflow execution
  • User's existing AWS files remain untouched

Architecture

Layout

internal/auth/
├── manager.go              # Core authentication manager
├── interfaces.go           # Core interfaces and types
├── factory.go             # Provider/identity factory functions
├── providers/aws/         # AWS authentication providers
│   ├── sso.go            # IAM Identity Center provider
│   ├── saml.go           # SAML provider with browser automation
│   └── assume_role.go    # Assume role provider
├── identities/aws/        # AWS identity implementations
│   ├── permission_set.go # Permission set identity
│   ├── assume_role.go    # Assume role identity
│   └── user.go           # AWS user identity
├── credentials/           # Secure credential storage
├── environment/           # AWS file management
├── config/               # Configuration merging
└── validation/           # Configuration validation

Key Components

AuthManager: Central authentication orchestrator
Provider/Identity Pattern: Extensible authentication architecture
Credential Store: Encrypted credential caching with expiration
AWS File Manager: Isolated AWS credential/config file management
Configuration Merger: Component-level auth overrides

why

Atmos Auth allows us to simplify our reference architecture and helps assist with consolidating the toolset that the typical DevOps user needs to manage Terraform.

Summary by CodeRabbit

  • New Features
    • Introduces a full "auth" CLI (validate, login, whoami, env [bash/json/dotenv], exec, user configure), per-component auth merging, Terraform --identity (-i) option, Terraform auth pre-hooks, demo-auth example, credential/keyring store, and AWS file helpers.
  • Documentation
    • Full Auth docs: architecture, user guide, CLI reference, examples and demo.
  • Tests
    • Extensive unit, integration and snapshot coverage for auth flows, providers, identities, hooks and CLI.
  • Bug Fixes
    • Unified cross-platform URL opener; docs-open message now printed to stderr.
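The identity chaining described in the PR (an identity is reached through another identity until a provider is hit, with circular dependencies rejected) is illustrated below by an added example that is not code from the Atmos repository. The Identity struct, the ResolveChain function and the identity names (dev-admin, prod-deploy, loop-a, loop-b, sso) are assumptions constructed for the illustration, not Atmos's actual configuration schema.

```go
package main
import (
	"errors"
	"fmt"
)

// Identity is a hypothetical stand-in for one auth.identities entry: it is backed
// either directly by a provider or by another identity (Via), never both.
type Identity struct {
	Provider string // authenticates directly with this provider
	Via      string // or is reached through this other identity
}
var ErrCircular = errors.New("circular identity chain")

// ResolveChain walks from the requested identity back to its root provider and
// returns the steps in execution order: the provider first, the target last.
func ResolveChain(ids map[string]Identity, target string) ([]string, error) {
	seen := map[string]bool{}
	var chain []string
	for cur := target; ; {
		if seen[cur] {
			return nil, fmt.Errorf("%w: %q revisited after %v", ErrCircular, cur, chain)
		}
		id, ok := ids[cur]
		if !ok {
			return nil, fmt.Errorf("unknown identity %q", cur)
		}
		seen[cur] = true
		chain = append(chain, cur)
		if id.Via != "" {
			cur = id.Via
			continue
		}
		if id.Provider == "" {
			return nil, fmt.Errorf("identity %q has neither provider nor via", cur)
		}
		chain = append(chain, "provider:"+id.Provider)
		break
	}
	for i, j := 0, len(chain)-1; i < j; i, j = i+1, j-1 { // reverse: provider first
		chain[i], chain[j] = chain[j], chain[i]
	}
	return chain, nil
}
func main() { // constructed sample: SSO -> permission set -> assume role, plus a cycle
	ids := map[string]Identity{"dev-admin": {Provider: "sso"}, "prod-deploy": {Via: "dev-admin"},
		"loop-a": {Via: "loop-b"}, "loop-b": {Via: "loop-a"}}
	fmt.Println(ResolveChain(ids, "prod-deploy"))
	fmt.Println(ResolveChain(ids, "loop-a"))
}
```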


Labels

no-release Do not create a new release (wait for additional code changes) size/xl Extra large size PR
