github cloudposse/atmos v1.215.0-rc.5

pre-release, 7 hours ago
docs: Fix component-level auth identity selection syntax @osterman (#2301)

what
  • Fixed incorrect auth.identity: <name> syntax in the auth documentation to use the actual supported auth.identities.<name>.default: true syntax
  • Updated both the "Component-Level Configuration" and "Component-Level Identity Selection" examples in website/docs/stacks/auth.mdx

why

  • A user reported that component-level identity selection was not working. The root cause was that the documentation showed a non-existent auth.identity shorthand syntax.
  • The ComponentAuthConfig struct in pkg/schema/schema_auth.go only supports identities (a map), and hasDefaultIdentity() in internal/exec/terraform_nested_auth_helper.go only checks for identities with default: true.
  • Users following the docs were writing config that was silently ignored, causing components to run under the default identity instead of the intended one.

references

Summary by CodeRabbit

  • Documentation
    • Updated authentication configuration documentation for component-level settings. The auth block structure has been revised to use an identities map instead of a single identity field. This enables multiple identity configurations per component, with the ability to designate one identity as the default using default: true.
feat: Add OAuth2 PKCE browser-based auth for AWS user/root identities @Benbentwo (#2148)

what
  • Implement OAuth2 PKCE browser-based authentication as a third-tier fallback for aws/user identity
  • Add interactive browser flow with local callback server and bubbletea spinner
  • Add non-interactive mode that displays authorization URL and prompts for manual code entry
  • Cache refresh tokens to XDG cache directory for 12-hour session reuse
  • Automatically refresh temporary credentials every 15 minutes via refresh token grant

why

AWS recently introduced browser-based OAuth2 authentication for IAM users and root accounts, eliminating the need for static access keys. This implementation provides the same convenient web-based flow that SSO users already enjoy, as a fallback when YAML credentials and keychain credentials are unavailable. Refresh token support enables long-lived 12-hour sessions without requiring browser reopening.

references

Summary by CodeRabbit

  • New Features

    • Browser-based AWS sign-in fallback (OAuth2 PKCE) enabled by default: automatic browser open with spinner, plain-URL/manual stdin fallback, refresh-token caching (12h), periodic credential refresh, and persisted AWS config/credentials.
  • Bug Fixes

    • Clearer user-facing error paths and improved debug logging during webflow and credential resolution failures.
  • Tests

    • Extensive test coverage for PKCE, callback/server behavior, token exchange/refresh, caching, UI flows, and error scenarios.
  • Documentation

    • Blog post, docs, and roadmap updated; new config option to disable the browser fallback.
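The client side of the PKCE exchange described above, as an added illustration that is not code from the atmos project: `NewVerifier`, `Challenge`, `VerifyChallenge` and `ParseCallback` are hypothetical helper names, and the callback URL and state value used with them are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
)

// NewVerifier makes a code_verifier: 32 random bytes, base64url unpadded, which is 43 chars (the RFC 7636 minimum).
func NewVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// Challenge derives the S256 code_challenge; only this hash leaves the client with the authorization request.
func Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyChallenge is the token-endpoint check that binds the presented verifier to the challenge stored with the code.
func VerifyChallenge(verifier, challenge string) error {
	if n := len(verifier); n < 43 || n > 128 {
		return fmt.Errorf("code_verifier length %d is outside RFC 7636 bounds", n)
	}
	if subtle.ConstantTimeCompare([]byte(Challenge(verifier)), []byte(challenge)) != 1 {
		return fmt.Errorf("code_verifier does not match code_challenge")
	}
	return nil
}

// ParseCallback checks what the local callback server receives: state must equal what was sent, or the code is dropped.
func ParseCallback(rawURL, expectedState string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", fmt.Errorf("state mismatch on callback")
	}
	return q.Get("code"), nil
}
```

The known-answer pair used in the test is the RFC 7636 Appendix B vector, so the S256 derivation can be checked without a live authorization server.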

🚀 Enhancements

fix: Ensure terraform plan-diff processes yaml and skips init properly @jhoward-rula (#2305)

what
  • Fixes a bug where atmos terraform plan-diff would not properly process templates, functions, or respect the --skip-init flag.
  • Issue #2258

why

references

Summary by CodeRabbit

  • New Features
    • The plan-diff command now accepts additional configuration options for controlling Terraform template processing, function execution, and initialization behavior during plan operations.
fix: Atmos Auth stack-level default identity resolution @aknysh (#2303)

what
  • Fixes three related bugs in Atmos Auth identity resolution without breaking any existing auth functionality.
  • Issue #2293: Teaches the stack auth scanner to follow import: chains recursively, so auth.identities.<name>.default: true declared in an imported _defaults.yaml is visible to every command — including multi-stack commands like describe stacks / describe affected / list affected.
  • Discussion https://github.com/orgs/cloudposse/discussions/122 (#122): Splits the pkg/auth entry points into a NO-SCAN variant (for commands with a stack-scoped merged auth config) and a SCAN variant (for multi-stack commands). The split makes the cross-stack default-identity leak structurally impossible for terraform/helmfile/describe-component flows.
  • Issue 3 (component-level default override): When a component declares its own auth.identities.<name>.default: true and the global atmos.yaml also has a different default, the component-level default now wins cleanly instead of producing "multiple default identities" prompts.
  • Keeps every previous auth fix intact, including the Approach 1 / Approach 2 design, the allAgree conflict-detection, the describe-affected AuthManager threading, and the MCP scoped-auth env-override flow.
  • Adds two scenario fixtures (using mock AWS identities for CI), three CLI regression test cases, and extensive unit tests covering every new code path.

why

  • Issue #2293 — imported defaults invisible: when auth.identities.<name>.default: true was declared in an imported _defaults.yaml (especially one listed under stacks.excluded_paths, which is the common reference-architecture layout), the pre-scanner never saw it. Users hit "No default identity configured" on commands that should have auto-authenticated. The exec-layer merge path already handled this correctly for terraform/helmfile/describe-component, but multi-stack commands (describe stacks, describe affected, list affected, workflows, aws security/compliance, MCP scoped auth) all failed.
  • Discussion https://github.com/orgs/cloudposse/discussions/122 (#122) — single stack default leaks globally: when a single stack manifest declared default: true, that identity silently propagated to every other stack across all tenants. Running atmos terraform plan eks -s plat-staging would pick up the data-staging default declared in an unrelated stack file. Reported to reproduce against Atmos 1.210, 1.211, and 1.213.
  • Issue 3 — component-level default doesn't override global: when a component in a stack config declares a different identity as default: true than the global atmos.yaml default, both defaults survived the exec-layer deep merge in MergeComponentAuthConfig. Users were prompted to choose between multiple defaults (interactive) or got errors (CI). This broke the expected Atmos inheritance semantics where more-specific config overrides more-general.
  • No regressions allowed: an earlier draft removed the pre-scanner entirely. That fixed Issues 1 and 2 for terraform * but regressed describe stacks, describe affected, list affected, list instances, aws security, aws compliance, and workflow execution — all of which were documented in docs/fixes/stack-level-default-auth-identity.md as intentionally using the pre-scanner (Approach 2). This PR preserves that Approach 2 code path while fixing all three bugs, so no existing user-visible functionality is removed.

references

  • closes #2293
  • design doc: docs/fixes/2026-04-08-atmos-auth-identity-resolution-fixes.md (full caller audit, rejected alternatives, coverage matrix)
  • related: docs/fixes/stack-level-default-auth-identity.md (Approach 1 / Approach 2 design this PR preserves and extends)
  • related: docs/fixes/2026-02-12-auth-realm-isolation-issues.md (Issue #2072 allAgree conflict-detection preserved unchanged)
  • related: docs/fixes/2026-03-25-describe-affected-auth-identity-not-used.md (AuthManager threading through describe/list-affected preserved unchanged)
  • related: docs/fixes/2026-04-06-mcp-server-env-not-applied-to-auth-setup.md (MCP scoped-auth flow now routes through the scan variant)

Summary by CodeRabbit

  • Bug Fixes
    • Identity resolution now discovers defaults from imported stack files, prevents defaults leaking across stacks/commands, and ensures component-level defaults override global defaults.
  • Refactor
    • Split auth manager flow into SCAN vs NO-SCAN paths and switched relevant commands to the SCAN variant for multi-stack/no-target contexts.
  • Documentation
    • Added a detailed guide describing the identity-resolution fixes and routing.
  • Tests
    • Added extensive unit, integration and CLI regression tests plus fixtures covering import-following, isolation, conflicts, and non-leakage.
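The identity-selection rules from #2301 (only `auth.identities.<name>.default: true` counts; an `auth.identity` shorthand is dropped without error) and from #2303 (a component-level default overrides the global one, and two defaults at the same level are a conflict), as an added illustration that is not atmos' own code: `Identity`, `AuthConfig`, `ResolveDefault` and `LintAuthBlock` are hypothetical names standing in for the schema and helpers the PRs mention, and the identity names used in the test are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Identity is a trimmed stand-in for one auth.identities.<name> entry (hypothetical, not the Atmos schema).
type Identity struct{ Default bool }

// AuthConfig models the auth block: only an identities map exists, so an `auth.identity: <name>` shorthand has nothing to bind to.
type AuthConfig struct{ Identities map[string]Identity }

// defaultNames lists the identities flagged default: true (sorted so error text is stable).
func defaultNames(ids map[string]Identity) []string {
	var names []string
	for name, id := range ids {
		if id.Default {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

// ResolveDefault applies the described precedence: the component-level default
// wins over the global one; two defaults at the same level are a conflict.
func ResolveDefault(global, component AuthConfig) (string, error) {
	for _, level := range []AuthConfig{component, global} {
		switch names := defaultNames(level.Identities); len(names) {
		case 0: // nothing declared at this level, try the next
		case 1:
			return names[0], nil
		default:
			return "", fmt.Errorf("multiple default identities at one level: %v", names)
		}
	}
	return "", fmt.Errorf("no default identity configured")
}

// LintAuthBlock flags, in a raw YAML-decoded auth block, the `identity:` shorthand
// the old docs taught, which the schema drops without any error.
func LintAuthBlock(raw map[string]any) []string {
	var warnings []string
	if _, ok := raw["identity"]; ok {
		warnings = append(warnings, "auth.identity is unsupported; use auth.identities.<name>.default: true")
	}
	return warnings
}
```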
