cloudposse/atmos v1.200.0-rc.3

on GitHub

Implements automatic provisioning of AWS SSO identities from AWS Identity Center, eliminating the need for manual configuration of every role/account combination. Users enable auto_provision_identities: true on their provider, and Atmos discovers all available identities during login.

What Changed

Implementation

• SSO Provisioning: Auto-discovers identities via AWS Identity Center APIs (ListAccounts, ListAccountRoles)
• Dynamic Config Generation: Writes discovered identities to XDG cache (~/.cache/atmos/aws/{provider}/provisioned-identities.yaml)
• Seamless Integration: Provisioned identities work across all Atmos commands
• Lifecycle Management: Cache generated on login, cleaned on logout
• Manual Override: Hand-configured identities in atmos.yaml take precedence

Documentation

• PRD: Complete design document (docs/prd/sso-role-auto-discovery.md)
• Standards: Tags vs labels classification (docs/prd/tags-and-labels-standard.md)
• CLI Docs: Updated auth command documentation with provisioning examples
• Blog Post: Getting started guide with real-world examples

Testing

• Comprehensive unit tests for provisioning, schema, writer, and logout behavior
• Integration tests covering end-to-end flows
• Test coverage for all new components

Usage

Enable auto-provisioning in atmos.yaml:

auth:
  providers:
    sso-prod:
      kind: aws/iam-identity-center
      start_url: https://my-org.awsapps.com/start
      region: us-east-1
      spec:
        auto_provision_identities: true

Login once to discover identities:

$ atmos auth login --provider sso-prod
✓ Authenticated with AWS SSO
✓ Provisioned 46 identities

All identities now available:

$ atmos terraform plan prod-vpc --identity production/AdministratorAccess
$ atmos auth list  # Shows all 46 provisioned identities

Key Features

• Zero Configuration: No manual identity mapping required
• Opt-in Design: Backward compatible, disabled by default
• Filtered Discovery: Optional account/role filters to limit scope
• Cache Management: Uses XDG cache directories, cleaned on logout
• Non-blocking: Provisioning failures warn but don't prevent authentication

Related Issues

Addresses the manual configuration burden for organizations with many AWS accounts and permission sets.

Summary by CodeRabbit

• New Features

  • Opt-in AWS SSO identity auto‑provisioning with local cache, injected import of provisioned identities, and a new --provider flag for provider-based login.

• Bug Fixes

  • Provisioned identities cache is removed on provider logout to avoid stale entries.

• Documentation

  • New PRDs, blog post, CLI docs and examples for auto‑provisioning, tags/labels standards, keyring/XDG defaults, and IAM permission guidance.

• UX

  • More actionable, contextual error messages across SSO and identity flows.

• Tests

  • Expanded test coverage for provisioning, caching, import injection, pagination, logout, and merge behaviors.

• Chores

  • Patch dependency updates and example version bumps.

_{✏️ Tip: You can customize this high-level summary in your review settings.}