Documentation ¶
Index ¶
- func AuthConfigToMap(authConfig *schema.AuthConfig) (map[string]any, error)
- func CopyGlobalAuthConfig(globalAuth *schema.AuthConfig) *schema.AuthConfig
- func CreateTestAuthConfig() *schema.AuthConfig
- func CreateTestCredentials(accessKeyID, secretKey, region string) *types.AWSCredentials
- func CreateTestIdentity(kind string) *schema.Identity
- func CreateTestOIDCCredentials(token, provider string) *types.OIDCCredentials
- func CreateTestProvider(kind, region string) *schema.Provider
- func CreateTestWhoamiInfo(provider, identity, principal string) *types.WhoamiInfo
- func MergeComponentAuthConfig(atmosConfig *schema.AtmosConfiguration, globalAuthConfig *schema.AuthConfig, ...) (*schema.AuthConfig, error)
- func MergeComponentAuthFromConfig(globalAuth *schema.AuthConfig, componentConfig map[string]any, ...) (*schema.AuthConfig, error)
- func NewAuthManager(config *schema.AuthConfig, credentialStore types.CredentialStore, ...) (types.AuthManager, error)
- func TerraformPreHook(atmosConfig *schema.AtmosConfiguration, stackInfo *schema.ConfigAndStacksInfo) error
- type AuthManager
- type CredentialStore
- type Identity
- type Provider
- type Validator
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AuthConfigToMap ¶ added in v1.198.0
func AuthConfigToMap(authConfig *schema.AuthConfig) (map[string]any, error)
AuthConfigToMap converts AuthConfig struct to map[string]any for deep merging. Uses mapstructure to convert struct fields according to mapstructure tags.
func CopyGlobalAuthConfig ¶ added in v1.198.0
func CopyGlobalAuthConfig(globalAuth *schema.AuthConfig) *schema.AuthConfig
CopyGlobalAuthConfig creates a deep copy of global auth config. Copies all fields: providers, identities, logs, keyring, and identity case map.
func CreateTestAuthConfig ¶
func CreateTestAuthConfig() *schema.AuthConfig
CreateTestAuthConfig creates a test auth configuration.
func CreateTestCredentials ¶
func CreateTestCredentials(accessKeyID, secretKey, region string) *types.AWSCredentials
CreateTestCredentials creates test AWS credentials.
func CreateTestIdentity ¶
CreateTestIdentity creates a test identity configuration.
func CreateTestOIDCCredentials ¶
func CreateTestOIDCCredentials(token, provider string) *types.OIDCCredentials
CreateTestOIDCCredentials creates test OIDC credentials.
func CreateTestProvider ¶
CreateTestProvider creates a test provider configuration.
func CreateTestWhoamiInfo ¶
func CreateTestWhoamiInfo(provider, identity, principal string) *types.WhoamiInfo
CreateTestWhoamiInfo creates test whoami information.
func MergeComponentAuthConfig ¶ added in v1.198.0
func MergeComponentAuthConfig(
	atmosConfig *schema.AtmosConfiguration,
	globalAuthConfig *schema.AuthConfig,
	componentAuthSection map[string]any,
) (*schema.AuthConfig, error)
MergeComponentAuthConfig merges component-level auth config with global auth config. Returns the merged AuthConfig with component overrides applied.
func MergeComponentAuthFromConfig ¶ added in v1.198.0
func MergeComponentAuthFromConfig(
	globalAuth *schema.AuthConfig,
	componentConfig map[string]any,
	atmosConfig *schema.AtmosConfiguration,
	authSectionName string,
) (*schema.AuthConfig, error)
MergeComponentAuthFromConfig merges component-specific auth config from component configuration with global auth config. This allows components to define their own auth identities and defaults in stack configurations.
Parameters:
- globalAuth: Global auth configuration from atmos.yaml
- componentConfig: The full component configuration map (from ExecuteDescribeComponent or similar)
- atmosConfig: AtmosConfiguration for merge settings
- authSectionName: The name of the auth section in component config (typically "auth")
Returns:
- Merged AuthConfig with component overrides applied
- Global auth config if no component auth section found
func NewAuthManager ¶
func NewAuthManager(
	config *schema.AuthConfig,
	credentialStore types.CredentialStore,
	validator types.Validator,
	stackInfo *schema.ConfigAndStacksInfo,
) (types.AuthManager, error)
NewAuthManager creates a new AuthManager instance.
func TerraformPreHook ¶
func TerraformPreHook(atmosConfig *schema.AtmosConfiguration, stackInfo *schema.ConfigAndStacksInfo) error
TerraformPreHook runs before Terraform commands to set up authentication.
Types ¶
type AuthManager ¶
type AuthManager = types.AuthManager
func CreateAndAuthenticateManager ¶ added in v1.198.0
func CreateAndAuthenticateManager(
	identityName string,
	authConfig *schema.AuthConfig,
	selectValue string,
) (AuthManager, error)
CreateAndAuthenticateManager creates and authenticates an AuthManager from an identity name. If identityName is empty, attempts to auto-detect a default identity from configuration. Returns nil AuthManager only if no identity is specified AND no default identity is configured, or if authentication is explicitly disabled. Returns error if authentication fails or if identity is specified but auth is not configured.
This helper is used by both CLI commands and internal execution logic to ensure consistent authentication behavior across the codebase.
Identity resolution behavior:
- If identityName is cfg.IdentityFlagDisabledValue ("__DISABLED__"), returns nil (authentication explicitly disabled)
- If identityName is empty and no auth configured, returns nil (no authentication)
- If identityName is empty and auth configured, attempts auto-detection of default identity
- If identityName is selectValue ("__SELECT__"), prompts for identity selection
- Otherwise, uses the provided identityName
Auto-detection behavior when identityName is empty:
- If auth is not configured (no identities), returns nil (no authentication)
- If auth is configured, checks for default identity in both global atmos.yaml and stack configs
- If exactly ONE default identity exists, authenticates with it automatically
- If MULTIPLE defaults exist:
  - Interactive mode (TTY): prompts user to select one from ONLY the defaults
  - Non-interactive mode (CI): returns nil (no authentication)
- If NO defaults exist:
  - Interactive mode: prompts user to select from all available identities
  - Non-interactive mode (CI): returns nil (no authentication)
Interactive selection behavior:
- When triggered (via selectValue OR no defaults in interactive mode), prompts user ONCE
- Selected identity is cached in AuthManager for the entire command execution
- All YAML functions use the same selected identity (no repeated prompts)
Parameters:
- identityName: The identity to authenticate (can be "__SELECT__" for interactive selection, "__DISABLED__" to disable auth, or empty for auto-detection)
- authConfig: The auth configuration from atmos.yaml and stack configs
- selectValue: The special value that triggers interactive identity selection (typically "__SELECT__")
Returns:
- AuthManager with populated AuthContext after successful authentication
- nil if authentication disabled, no identity specified, or no default identity configured (in CI mode)
- error if authentication fails or auth is not configured when identity is specified
Note: This function does not load stack configs for default identities. Use CreateAndAuthenticateManagerWithAtmosConfig if you need stack-level default identity resolution.
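The resolution rules listed above for CreateAndAuthenticateManager, restated as a decision function. This is an added example, not Atmos code: `Outcome`, `resolve` and the sample identities are hypothetical, and applying the "auth not configured" error to `__SELECT__` is an assumption. It makes the non-interactive case visible: with zero or several defaults the result is a nil manager and no error, so a CI caller has to check for nil rather than assume credentials were set up.

```go
package main

import (
	"fmt"
	"sort"
)

// Added illustration, not Atmos source: a pure-function model of the documented
// identity-resolution rules. Outcome and resolve are hypothetical names.
type Outcome struct {
	Action     string   // "none" (nil manager), "use", "prompt" or "error"
	Identity   string   // set when Action == "use"
	Candidates []string // set when Action == "prompt"
}

// resolve takes identities as a map from identity name to its default flag.
func resolve(name string, identities map[string]bool, interactive bool) Outcome {
	var all, defaults []string
	for id, isDefault := range identities {
		all = append(all, id)
		if isDefault {
			defaults = append(defaults, id)
		}
	}
	sort.Strings(all)
	sort.Strings(defaults)
	switch {
	case name == "__DISABLED__", name == "" && len(all) == 0:
		return Outcome{Action: "none"} // disabled, or nothing asked and nothing configured
	case len(all) == 0: // identity given but auth not configured (assumed to include __SELECT__)
		return Outcome{Action: "error"}
	case name == "__SELECT__":
		return Outcome{Action: "prompt", Candidates: all}
	case name != "":
		return Outcome{Action: "use", Identity: name}
	case len(defaults) == 1:
		return Outcome{Action: "use", Identity: defaults[0]}
	case !interactive: // CI with zero or several defaults: nil manager, no error
		return Outcome{Action: "none"}
	case len(defaults) > 1:
		return Outcome{Action: "prompt", Candidates: defaults}
	default: // interactive, no defaults
		return Outcome{Action: "prompt", Candidates: all}
	}
}

func main() {
	ids := map[string]bool{"dev": true, "prod": true, "audit": false} // constructed sample
	fmt.Printf("CI: %+v\nTTY: %+v\n", resolve("", ids, false), resolve("", ids, true))
}
```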
func CreateAndAuthenticateManagerWithAtmosConfig ¶ added in v1.201.0
func CreateAndAuthenticateManagerWithAtmosConfig(
	identityName string,
	authConfig *schema.AuthConfig,
	selectValue string,
	atmosConfig *schema.AtmosConfiguration,
) (AuthManager, error)
CreateAndAuthenticateManagerWithAtmosConfig creates and authenticates an AuthManager from an identity name. This is the full implementation that supports loading stack configs for default identities.
When atmosConfig is provided and identityName is empty:
- Loads stack configuration files for auth identity defaults
- Merges stack-level defaults with atmos.yaml defaults
- Stack defaults take precedence over atmos.yaml defaults
This solves the chicken-and-egg problem where:
- We need to know the default identity to authenticate
- But stack configs are only loaded after authentication is configured
- Stack-level defaults (auth.identities.*.default: true) would otherwise be ignored
Parameters:
- identityName: The identity to authenticate (can be "__SELECT__" for interactive selection, "__DISABLED__" to disable auth, or empty for auto-detection)
- authConfig: The auth configuration from atmos.yaml and stack configs
- selectValue: The special value that triggers interactive identity selection (typically "__SELECT__")
- atmosConfig: The full atmos configuration (optional, enables stack auth loading)
Returns:
- AuthManager with populated AuthContext after successful authentication
- nil if authentication disabled, no identity specified, or no default identity configured (in CI mode)
- error if authentication fails or auth is not configured when identity is specified
type CredentialStore ¶
type CredentialStore = types.CredentialStore