aws package v1.195.0

Published: Oct 20, 2025 License: Apache-2.0 Imports: 16 Imported by: 0

README

AWS Cloud Package

This package provides AWS-specific functionality for the Atmos authentication system.

Custom Endpoint Resolver

The AWS cloud package supports custom endpoint resolvers, which is useful for testing with LocalStack or other AWS-compatible services.

Configuration

You can configure a custom endpoint resolver at either the identity or provider level:

Identity-Level Configuration

For identities, add the aws configuration to the credentials map:

auth:
  identities:
    localstack-superuser:
      kind: aws/user
      credentials:
        access_key_id: test
        secret_access_key: test
        region: us-east-1
        aws:
          resolver:
            url: "http://localhost:4566"

Provider-Level Configuration

For providers, add the aws configuration to the spec map:

auth:
  providers:
    localstack-sso:
      kind: aws/iam-identity-center
      start_url: https://localstack.awsapps.com/start/
      region: us-east-1
      spec:
        aws:
          resolver:
            url: "http://localhost:4566"

Precedence

When both identity and provider have resolver configurations, the identity resolver takes precedence.

Usage

The custom endpoint resolver is automatically applied when:

  • AWS identities authenticate (user, assume-role, permission-set)
  • AWS providers authenticate (SSO, SAML)

All AWS SDK calls will be directed to the configured endpoint URL.

LocalStack Example

For a complete LocalStack example, see:

  • /examples/demo-localstack/atmos.yaml

Implementation Details

The resolver is implemented using AWS SDK v2's config.WithBaseEndpoint:

return config.WithBaseEndpoint(url)

This ensures all AWS services (STS, SSO, etc.) use the custom endpoint. The base endpoint approach is the recommended method in AWS SDK v2 for setting custom endpoints.

Documentation

Constants

const (
	PermissionRWX = 0o700
	PermissionRW  = 0o600
)

Variables

var (
	ErrGetHomeDir                    = errors.New("failed to get home directory")
	ErrCreateCredentialsFile         = errors.New("failed to create credentials file")
	ErrCreateConfigFile              = errors.New("failed to create config file")
	ErrLoadCredentialsFile           = errors.New("failed to load credentials file")
	ErrLoadConfigFile                = errors.New("failed to load config file")
	ErrWriteCredentialsFile          = errors.New("failed to write credentials file")
	ErrWriteConfigFile               = errors.New("failed to write config file")
	ErrSetCredentialsFilePermissions = errors.New("failed to set credentials file permissions")
	ErrSetConfigFilePermissions      = errors.New("failed to set config file permissions")
	ErrProfileSection                = errors.New("failed to get profile section")
	ErrCleanupAWSFiles               = errors.New("failed to cleanup AWS files")
)

Functions

func GetResolverConfigOption added in v1.195.0

func GetResolverConfigOption(identity *schema.Identity, provider *schema.Provider) config.LoadOptionsFunc

GetResolverConfigOption extracts the AWS resolver configuration from identity or provider and returns an AWS config option. Returns nil if no resolver is configured. Identity resolver takes precedence over provider resolver. AWS config is extracted from the Credentials map for identities and Spec map for providers.
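The precedence rule above (identity resolver over provider resolver, nothing applied when neither sets one) as an added stand-alone example; this is not the package's own GetResolverConfigOption and uses only the standard library. The Identity and Provider structs stand in for the Atmos schema types, the provider URL http://localhost:4567 is a constructed value, and the scheme/host validation is a check added here so a malformed endpoint fails before any SDK call is redirected.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Identity and Provider stand in for the Atmos schema types: the "aws" block
// lives in the identity's credentials map and the provider's spec map.
type Identity struct{ Credentials map[string]any }
type Provider struct{ Spec map[string]any }

var errBadResolverURL = errors.New("resolver url must be http(s) with a host")

// resolverURLFrom walks cfg["aws"]["resolver"]["url"]; a missing level (or nil map) yields "".
func resolverURLFrom(cfg map[string]any) string {
	awsCfg, _ := cfg["aws"].(map[string]any)
	resolver, _ := awsCfg["resolver"].(map[string]any)
	u, _ := resolver["url"].(string)
	return u
}

// ResolveEndpoint applies the documented precedence (identity over provider)
// and validates the winner: an unparseable or non-http(s) endpoint is
// rejected instead of being handed to the SDK as a base endpoint.
func ResolveEndpoint(identity *Identity, provider *Provider) (string, error) {
	raw := ""
	if identity != nil {
		raw = resolverURLFrom(identity.Credentials)
	}
	if raw == "" && provider != nil {
		raw = resolverURLFrom(provider.Spec)
	}
	if raw == "" {
		return "", nil // nothing configured: keep SDK default endpoints
	}
	parsed, err := url.Parse(raw)
	if err != nil || (parsed.Scheme != "http" && parsed.Scheme != "https") || parsed.Host == "" {
		return "", fmt.Errorf("%w: %q", errBadResolverURL, raw)
	}
	return parsed.String(), nil
}

func main() {
	id := &Identity{Credentials: map[string]any{"aws": map[string]any{"resolver": map[string]any{"url": "http://localhost:4566"}}}}
	pr := &Provider{Spec: map[string]any{"aws": map[string]any{"resolver": map[string]any{"url": "http://localhost:4567"}}}}
	fmt.Println(ResolveEndpoint(id, pr)) // identity wins
}
```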

func LoadIsolatedAWSConfig added in v1.195.0

func LoadIsolatedAWSConfig(ctx context.Context, optFns ...func(*config.LoadOptions) error) (aws.Config, error)

LoadIsolatedAWSConfig loads AWS configuration with problematic environment variables temporarily cleared to avoid conflicts with Atmos authentication.

This function wraps config.LoadDefaultConfig and ensures that external AWS environment variables don't interfere with the configuration loading process.

func SetEnvironmentVariables

func SetEnvironmentVariables(stackInfo *schema.ConfigAndStacksInfo, providerName, identityName string) error

SetEnvironmentVariables sets the AWS_SHARED_CREDENTIALS_FILE and AWS_CONFIG_FILE environment variables.

func SetupFiles

func SetupFiles(providerName, identityName string, creds types.ICredentials) error

SetupFiles sets up AWS credentials and config files for the given identity.

func WithIsolatedAWSEnv added in v1.195.0

func WithIsolatedAWSEnv(fn func() error) error

WithIsolatedAWSEnv temporarily clears problematic AWS environment variables, executes the provided function, then restores the original values.

This is used to prevent external AWS environment variables from interfering with Atmos's authentication flow. The AWS SDK reads these environment variables automatically, which can cause conflicts with Atmos-managed credentials.

Usage:

var cfg aws.Config
err := WithIsolatedAWSEnv(func() error {
    var loadErr error
    // Assign to the outer cfg so the loaded config is usable after the closure returns.
    cfg, loadErr = config.LoadDefaultConfig(ctx)
    return loadErr
})
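The save, clear, run, restore pattern that WithIsolatedAWSEnv describes, as an added stand-alone example rather than the package's own implementation. The page does not list which variables Atmos clears, so isolatedVars is an assumption; the example keeps a set-but-empty variable distinct from an unset one and restores through defer, so the caller's environment is put back even if fn panics.

```go
package main

import (
	"fmt"
	"os"
)

// isolatedVars is the set cleared in this example; the page does not list the
// variables Atmos itself clears, so these names are an assumption.
var isolatedVars = []string{
	"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
	"AWS_PROFILE", "AWS_SHARED_CREDENTIALS_FILE", "AWS_CONFIG_FILE",
}

// WithIsolatedEnv snapshots each variable (a nil entry records "was unset", so
// an empty-but-set variable is restored as empty rather than removed), clears
// them, runs fn, and restores the snapshot. The restore is deferred so it also
// runs when fn panics or returns early with an error.
func WithIsolatedEnv(vars []string, fn func() error) error {
	snapshot := make(map[string]*string, len(vars))
	for _, name := range vars {
		if v, ok := os.LookupEnv(name); ok {
			snapshot[name] = &v
		}
	}
	defer func() {
		for _, name := range vars {
			if v := snapshot[name]; v != nil {
				os.Setenv(name, *v)
			} else {
				os.Unsetenv(name)
			}
		}
	}()
	for _, name := range vars {
		if err := os.Unsetenv(name); err != nil {
			return fmt.Errorf("unset %s: %w", name, err)
		}
	}
	return fn()
}

func main() {
	os.Setenv("AWS_PROFILE", "work") // constructed: a stray profile from the shell
	_ = WithIsolatedEnv(isolatedVars, func() error {
		fmt.Printf("inside: %q\n", os.Getenv("AWS_PROFILE"))
		return nil
	})
	fmt.Printf("after: %q\n", os.Getenv("AWS_PROFILE"))
}
```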

Types

type AWSConfig added in v1.195.0

type AWSConfig struct {
	Resolver *ResolverConfig `yaml:"resolver,omitempty" json:"resolver,omitempty" mapstructure:"resolver"`
}

AWSConfig defines AWS-specific configuration for providers and identities.

type AWSFileManager

type AWSFileManager struct {
	// contains filtered or unexported fields
}

AWSFileManager provides helpers to manage AWS credentials/config files.

func NewAWSFileManager

func NewAWSFileManager() (*AWSFileManager, error)

NewAWSFileManager creates a new AWS file manager instance.

func (*AWSFileManager) Cleanup

func (m *AWSFileManager) Cleanup(providerName string) error

Cleanup removes AWS files for the provider.

func (*AWSFileManager) GetConfigPath

func (m *AWSFileManager) GetConfigPath(providerName string) string

GetConfigPath returns the path to the config file for the provider.

func (*AWSFileManager) GetCredentialsPath

func (m *AWSFileManager) GetCredentialsPath(providerName string) string

GetCredentialsPath returns the path to the credentials file for the provider.

func (*AWSFileManager) GetEnvironmentVariables

func (m *AWSFileManager) GetEnvironmentVariables(providerName, identityName string) []schema.EnvironmentVariable

GetEnvironmentVariables returns the AWS file environment variables as EnvironmentVariable slice.

func (*AWSFileManager) WriteConfig

func (m *AWSFileManager) WriteConfig(providerName, identityName, region, outputFormat string) error

WriteConfig writes AWS config to the provider-specific file with identity profile.

func (*AWSFileManager) WriteCredentials

func (m *AWSFileManager) WriteCredentials(providerName, identityName string, creds *types.AWSCredentials) error

WriteCredentials writes AWS credentials to the provider-specific file with identity profile.

type ResolverConfig added in v1.195.0

type ResolverConfig struct {
	URL string `yaml:"url" json:"url" mapstructure:"url"`
}

ResolverConfig defines custom endpoint resolver configuration for AWS services.
