auth

package v1.215.0-rc.6

This package is not in the latest version of its module.

Published: Apr 10, 2026 License: Apache-2.0 Imports: 33 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AuthConfigToMap added in v1.198.0

func AuthConfigToMap(authConfig *schema.AuthConfig) (map[string]any, error)

AuthConfigToMap converts AuthConfig struct to map[string]any for deep merging. Uses mapstructure to convert struct fields according to mapstructure tags.

func ContextWithSkipIntegrations added in v1.211.0

func ContextWithSkipIntegrations(ctx context.Context) context.Context

ContextWithSkipIntegrations returns a context that skips auto-triggered integrations during authentication. Use this when calling Authenticate() for token generation or other operations that should not re-provision integrations (e.g., rewriting kubeconfig).

func CopyGlobalAuthConfig added in v1.198.0

func CopyGlobalAuthConfig(globalAuth *schema.AuthConfig) *schema.AuthConfig

CopyGlobalAuthConfig creates a deep copy of global auth config. Copies all fields: providers, identities, logs, keyring, and identity case map.

func CreateTestAuthConfig

func CreateTestAuthConfig() *schema.AuthConfig

CreateTestAuthConfig creates a test auth configuration.

func CreateTestCredentials

func CreateTestCredentials(accessKeyID, secretKey, region string) *types.AWSCredentials

CreateTestCredentials creates test AWS credentials.

func CreateTestIdentity

func CreateTestIdentity(kind string) *schema.Identity

CreateTestIdentity creates a test identity configuration.

func CreateTestOIDCCredentials

func CreateTestOIDCCredentials(token, provider string) *types.OIDCCredentials

CreateTestOIDCCredentials creates test OIDC credentials.

func CreateTestProvider

func CreateTestProvider(kind, region string) *schema.Provider

CreateTestProvider creates a test provider configuration.

func CreateTestWhoamiInfo

func CreateTestWhoamiInfo(provider, identity, principal string) *types.WhoamiInfo

CreateTestWhoamiInfo creates test whoami information.

func MergeComponentAuthConfig added in v1.198.0

func MergeComponentAuthConfig(
	atmosConfig *schema.AtmosConfiguration,
	globalAuthConfig *schema.AuthConfig,
	componentAuthSection map[string]any,
) (*schema.AuthConfig, error)

MergeComponentAuthConfig merges component-level auth config with global auth config. Returns the merged AuthConfig with component overrides applied.

When the component auth section declares any identity with `default: true`, all existing `default: true` flags in the global auth config are cleared before merging. This ensures the component-level default wins over the global default (matching Atmos inheritance semantics: more specific config overrides more general). Without this step, a global default and a component-level default would both survive the deep merge, causing "multiple default identities" prompts or errors.
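The default-clearing rule above is easy to get wrong, so here is a small stand-alone model of it. This is an added example, not code from the Atmos repository: the `Identity`/`AuthConfig` types are minimal stand-ins for `schema.Identity`/`schema.AuthConfig`, the component section is a constructed map as it would look after YAML decoding, and the field-by-field overlay replaces the real mapstructure deep merge. It shows that a component `default: true` wins, that the global config is copied rather than mutated, and that a component section without a default leaves the global default intact.

```go
package main

import (
	"fmt"
	"sort"
)

// Identity is a minimal stand-in for schema.Identity (assumed shape, not the project's type).
type Identity struct {
	Kind    string
	Via     string
	Default bool
}

// AuthConfig is a minimal stand-in for schema.AuthConfig holding only the identities map.
type AuthConfig struct {
	Identities map[string]Identity
}

// copyAuthConfig deep-copies the identities map so merging never touches the caller's global config.
func copyAuthConfig(global *AuthConfig) *AuthConfig {
	out := &AuthConfig{Identities: make(map[string]Identity, len(global.Identities))}
	for name, id := range global.Identities {
		out.Identities[name] = id
	}
	return out
}

// componentDeclaresDefault reports whether any identity in the component auth section sets default: true.
func componentDeclaresDefault(section map[string]any) bool {
	ids, _ := section["identities"].(map[string]any)
	for _, raw := range ids {
		if m, ok := raw.(map[string]any); ok {
			if d, ok := m["default"].(bool); ok && d {
				return true
			}
		}
	}
	return false
}

// mergeComponentAuth models the documented rule: if the component declares a default identity,
// clear every global default first, then overlay the component identities field by field.
func mergeComponentAuth(global *AuthConfig, section map[string]any) *AuthConfig {
	merged := copyAuthConfig(global)
	if componentDeclaresDefault(section) {
		for name, id := range merged.Identities {
			id.Default = false
			merged.Identities[name] = id
		}
	}
	ids, _ := section["identities"].(map[string]any)
	for name, raw := range ids {
		m, ok := raw.(map[string]any)
		if !ok {
			continue
		}
		id := merged.Identities[name] // zero value when the component introduces a new identity
		if kind, ok := m["kind"].(string); ok {
			id.Kind = kind
		}
		if via, ok := m["via"].(string); ok {
			id.Via = via
		}
		if d, ok := m["default"].(bool); ok {
			id.Default = d
		}
		merged.Identities[name] = id
	}
	return merged
}

// defaultIdentities returns the sorted names of identities flagged default: true.
func defaultIdentities(cfg *AuthConfig) []string {
	var names []string
	for name, id := range cfg.Identities {
		if id.Default {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

func main() {
	// Constructed global config: dev-admin is the global default.
	global := &AuthConfig{Identities: map[string]Identity{
		"dev-admin":  {Kind: "aws/permission-set", Default: true},
		"prod-admin": {Kind: "aws/permission-set"},
	}}
	// Constructed component auth section promoting prod-admin to default.
	section := map[string]any{
		"identities": map[string]any{
			"prod-admin": map[string]any{"default": true},
		},
	}
	merged := mergeComponentAuth(global, section)
	fmt.Println("defaults after merge:", defaultIdentities(merged)) // [prod-admin]
	fmt.Println("global untouched:", defaultIdentities(global))     // [dev-admin]
}
```

The point to check in a real merge is the second line of output: if the global config still lists `dev-admin` as default after the component merge, the copy was not deep and later callers would see a leaked default.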

func MergeComponentAuthFromConfig added in v1.198.0

func MergeComponentAuthFromConfig(
	globalAuth *schema.AuthConfig,
	componentConfig map[string]any,
	atmosConfig *schema.AtmosConfiguration,
	authSectionName string,
) (*schema.AuthConfig, error)

MergeComponentAuthFromConfig merges component-specific auth config from component configuration with global auth config. This allows components to define their own auth identities and defaults in stack configurations.

Parameters:

  • globalAuth: Global auth configuration from atmos.yaml
  • componentConfig: The full component configuration map (from ExecuteDescribeComponent or similar)
  • atmosConfig: AtmosConfiguration for merge settings
  • authSectionName: The name of the auth section in component config (typically "auth")

Returns:

  • Merged AuthConfig with component overrides applied
  • Global auth config if no component auth section found

func NewAuthManager

func NewAuthManager(
	config *schema.AuthConfig,
	credentialStore types.CredentialStore,
	validator types.Validator,
	stackInfo *schema.ConfigAndStacksInfo,
	cliConfigPath string,
) (types.AuthManager, error)

NewAuthManager creates a new AuthManager instance. The cliConfigPath parameter is used to compute the credential realm for isolation.

func TerraformPreHook

func TerraformPreHook(atmosConfig *schema.AtmosConfiguration, stackInfo *schema.ConfigAndStacksInfo) error

TerraformPreHook runs before Terraform commands to set up authentication.

Types

type AuthManager

type AuthManager = types.AuthManager

func CreateAndAuthenticateManager added in v1.198.0

func CreateAndAuthenticateManager(
	identityName string,
	authConfig *schema.AuthConfig,
	selectValue string,
) (AuthManager, error)

CreateAndAuthenticateManager creates and authenticates an AuthManager from an identity name. If identityName is empty, attempts to auto-detect a default identity from configuration. Returns nil AuthManager only if no identity is specified AND no default identity is configured, or if authentication is explicitly disabled. Returns error if authentication fails or if identity is specified but auth is not configured.

This helper is used by both CLI commands and internal execution logic to ensure consistent authentication behavior across the codebase.

Identity resolution behavior:

  • If identityName is cfg.IdentityFlagDisabledValue ("__DISABLED__"), returns nil (authentication explicitly disabled)
  • If identityName is empty and no auth configured, returns nil (no authentication)
  • If identityName is empty and auth configured, attempts auto-detection of default identity
  • If identityName is selectValue ("__SELECT__"), prompts for identity selection
  • Otherwise, uses the provided identityName

Auto-detection behavior when identityName is empty:

  • If auth is not configured (no identities), returns nil (no authentication)
  • If auth is configured, checks for default identity in both global atmos.yaml and stack configs
  • If exactly ONE default identity exists, authenticates with it automatically
  • If MULTIPLE defaults exist:
      • Interactive mode (TTY): prompts user to select one from ONLY the defaults
      • Non-interactive mode (CI): returns nil (no authentication)
  • If NO defaults exist:
      • Interactive mode: prompts user to select from all available identities
      • Non-interactive mode (CI): returns nil (no authentication)

Interactive selection behavior:

  • When triggered (via selectValue OR no defaults in interactive mode), prompts user ONCE
  • Selected identity is cached in AuthManager for the entire command execution
  • All YAML functions use the same selected identity (no repeated prompts)

Parameters:

  • identityName: The identity to authenticate (can be "__SELECT__" for interactive selection, "__DISABLED__" to disable auth, or empty for auto-detection)
  • authConfig: The auth configuration from atmos.yaml and stack configs
  • selectValue: The special value that triggers interactive identity selection (typically "__SELECT__")

Returns:

  • AuthManager with populated AuthContext after successful authentication
  • nil if authentication disabled, no identity specified, or no default identity configured (in CI mode)
  • error if authentication fails or auth is not configured when identity is specified

Note: This function does not load stack configs for default identities. Use CreateAndAuthenticateManagerWithAtmosConfig if you need stack-level default identity resolution.
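The identity-resolution and auto-detection rules above form a decision table; the following added example encodes it as a pure function so the branches can be exercised without a provider. It is not the package's own implementation: `Decision`, `resolveIdentity`, `autoDetect` and the `identities` map (name to default flag) are this example's stand-ins, and the up-front rejection of unknown identity names is the example's choice, since the docs do not say where that check happens. The security-relevant branch is the non-interactive one: with several defaults, or none, CI gets no authentication rather than a guess.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Sentinel values documented for identityName (cfg.IdentityFlagDisabledValue and the usual selectValue).
const (
	identityDisabled = "__DISABLED__"
	identitySelect   = "__SELECT__"
)

// Decision is the outcome of identity resolution before any provider is contacted.
type Decision struct {
	Action   string   // "none" (nil manager), "authenticate", or "prompt"
	Identity string   // identity to authenticate when Action == "authenticate"
	Choices  []string // sorted candidates offered when Action == "prompt"
}

var (
	errAuthNotConfigured = errors.New("identity specified but auth is not configured")
	errUnknownIdentity   = errors.New("identity not found in auth config")
)

// resolveIdentity models the documented decision table. identities maps identity name to
// whether it carries default: true; interactive reports whether a TTY is attached.
func resolveIdentity(identityName string, identities map[string]bool, interactive bool) (Decision, error) {
	switch {
	case identityName == identityDisabled:
		return Decision{Action: "none"}, nil // authentication explicitly disabled
	case identityName == "" && len(identities) == 0:
		return Decision{Action: "none"}, nil // nothing configured, nothing to do
	case identityName == "":
		return autoDetect(identities, interactive), nil
	case len(identities) == 0:
		return Decision{}, errAuthNotConfigured // explicit identity but no auth config
	case identityName == identitySelect:
		return Decision{Action: "prompt", Choices: sortedNames(identities, false)}, nil
	}
	if _, ok := identities[identityName]; !ok {
		// Example's own choice: reject unknown names here (the docs do not specify where).
		return Decision{}, errUnknownIdentity
	}
	return Decision{Action: "authenticate", Identity: identityName}, nil
}

// autoDetect applies the empty-identityName rules: exactly one default authenticates silently,
// several defaults or none prompt only when interactive, and non-interactive runs get no
// authentication rather than a guess.
func autoDetect(identities map[string]bool, interactive bool) Decision {
	defaults := sortedNames(identities, true)
	switch {
	case len(defaults) == 1:
		return Decision{Action: "authenticate", Identity: defaults[0]}
	case len(defaults) > 1 && interactive:
		return Decision{Action: "prompt", Choices: defaults} // only the defaults are offered
	case len(defaults) == 0 && interactive:
		return Decision{Action: "prompt", Choices: sortedNames(identities, false)}
	default:
		return Decision{Action: "none"} // CI: fail closed, no authentication
	}
}

// sortedNames returns identity names in stable order, optionally only those flagged default.
func sortedNames(identities map[string]bool, onlyDefaults bool) []string {
	names := make([]string, 0, len(identities))
	for name, isDefault := range identities {
		if !onlyDefaults || isDefault {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

func main() {
	// Constructed config: two identities flagged default plus one plain identity.
	ids := map[string]bool{"dev-admin": true, "prod-admin": true, "readonly": false}
	for _, tty := range []bool{true, false} {
		d, err := resolveIdentity("", ids, tty)
		fmt.Printf("interactive=%v -> %+v err=%v\n", tty, d, err)
	}
}
```
<test>
func TestResolveIdentity(t *testing.T) {
	ids := map[string]bool{"dev-admin": true, "prod-admin": true, "readonly": false}
	d, err := resolveIdentity("", ids, false)
	if err != nil || d.Action != "none" {
		t.Fatalf("ci with multiple defaults: %+v %v", d, err)
	}
	d, _ = resolveIdentity("", ids, true)
	if d.Action != "prompt" || len(d.Choices) != 2 || d.Choices[0] != "dev-admin" || d.Choices[1] != "prod-admin" {
		t.Fatalf("%+v", d)
	}
	single := map[string]bool{"dev-admin": true, "readonly": false}
	d, _ = resolveIdentity("", single, false)
	if d.Action != "authenticate" || d.Identity != "dev-admin" {
		t.Fatalf("%+v", d)
	}
	none := map[string]bool{"a": false, "b": false}
	d, _ = resolveIdentity("", none, true)
	if d.Action != "prompt" || len(d.Choices) != 2 {
		t.Fatalf("%+v", d)
	}
	d, _ = resolveIdentity("", none, false)
	if d.Action != "none" {
		t.Fatalf("%+v", d)
	}
	d, _ = resolveIdentity("__DISABLED__", ids, true)
	if d.Action != "none" {
		t.Fatalf("%+v", d)
	}
	if _, err := resolveIdentity("prod-admin", map[string]bool{}, true); err == nil {
		t.Fatal("expected error when auth not configured")
	}
	d, err = resolveIdentity("readonly", ids, false)
	if err != nil || d.Action != "authenticate" || d.Identity != "readonly" {
		t.Fatalf("%+v %v", d, err)
	}
	d, _ = resolveIdentity("__SELECT__", ids, true)
	if d.Action != "prompt" || len(d.Choices) != 3 {
		t.Fatalf("%+v", d)
	}
	if _, err := resolveIdentity("ghost", ids, true); err == nil {
		t.Fatal("expected error for unknown identity")
	}
}
```
</test>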

func CreateAndAuthenticateManagerWithAtmosConfig added in v1.201.0

func CreateAndAuthenticateManagerWithAtmosConfig(
	identityName string,
	authConfig *schema.AuthConfig,
	selectValue string,
	atmosConfig *schema.AtmosConfiguration,
) (AuthManager, error)

CreateAndAuthenticateManagerWithAtmosConfig creates and authenticates an AuthManager from an identity name using a pre-merged auth config.

**This is the NO-SCAN variant.** It trusts the incoming `authConfig` to already be correct for the target scope and never runs the global stack-file pre-scanner. Use this for Category A callers that have a specific (component, stack) pair and have already merged the target stack's auth section via `ExecuteDescribeComponent` / `getMergedAuthConfigWithFetcher` (e.g. all `atmos terraform *` flows, `atmos helmfile *`, `atmos describe component`, nested component auth).

Running the global pre-scanner on top of a stack-scoped merged config would reintroduce the Discussion #122 leak (a default identity declared in one stack manifest silently propagating to terraform commands targeting completely unrelated stacks). Category A callers must stay on this no-scan path.

For Category B callers (`describe stacks`, `describe affected`, `list affected`, `list instances`, `aws security`, `aws compliance`, workflows, etc.) that legitimately have no target stack and need the Approach 2 stack-file pre-scan, use `CreateAndAuthenticateManagerWithStackScan` instead.

See docs/fixes/2026-04-08-atmos-auth-identity-resolution-fixes.md for the full design rationale (option d+).

Parameters:

  • identityName: The identity to authenticate (can be "__SELECT__" for interactive selection, "__DISABLED__" to disable auth, or empty for auto-detection)
  • authConfig: The auth configuration, already merged against the target stack by the caller
  • selectValue: The special value that triggers interactive identity selection (typically "__SELECT__")
  • atmosConfig: The full atmos configuration (optional; used only for cliConfigPath and perf tracking)

Returns:

  • AuthManager with populated AuthContext after successful authentication
  • nil if authentication disabled, no identity specified, or no default identity configured (in CI mode)
  • error if authentication fails or auth is not configured when identity is specified

func CreateAndAuthenticateManagerWithEnvOverrides

func CreateAndAuthenticateManagerWithEnvOverrides(envOverrides map[string]string) (AuthManager, error)

CreateAndAuthenticateManagerWithEnvOverrides builds and authenticates an AuthManager "as if" the given ATMOS_* environment variables were set on the parent process.

It is the composition of three concerns a caller would otherwise orchestrate manually:

  1. env.SetWithRestore — temporarily applies ATMOS_* variables from the map to os.Environ() and returns a restore closure. The generic save/set/restore primitive lives in pkg/env.
  2. cfg.InitCliConfig — re-loads the atmos configuration so that ATMOS_PROFILE / ATMOS_CLI_CONFIG_PATH / ATMOS_BASE_PATH from step 1 influence which profile and identities are discovered.
  3. CreateAndAuthenticateManagerWithAtmosConfig — constructs and authenticates the manager against the freshly-loaded config.

Only keys with the ATMOS_* prefix in envOverrides are applied — other keys are silently ignored. This primitive is intentionally scoped to atmos config/identity resolution; callers that need to mutate arbitrary env variables should use env.SetWithRestore directly.

The env overrides are reverted before this function returns. The returned manager's identity map and credentials are already populated during construction, so the restoration does not affect subsequent use.

Returns (nil, nil) under the same conditions as CreateAndAuthenticateManagerWithAtmosConfig: authentication disabled, no identity specified, or no default identity configured. Callers that require a non-nil manager must check explicitly.

Goroutine-safe: a package-level mutex (managerEnvOverridesMu) serializes concurrent calls to prevent races between the os.Environ() write and the subsequent cfg.InitCliConfig read. Concurrent callers will block rather than observe each other's overrides.
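The three properties that matter for this helper are the ATMOS_* prefix filter, the exact restore of every touched variable (including unsetting ones that were absent), and the mutex around the set/read/restore window. The following added example models those three with the standard library only; it is not `pkg/env` or the package's own code, `setWithRestore`/`withAtmosEnv` are this example's names, and the `load` callback stands in for the `cfg.InitCliConfig` plus manager construction step.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
	"sync"
)

// envOverridesMu plays the role of the documented package-level mutex: the os.Environ()
// write and the following config read must not interleave with another caller's overrides.
var envOverridesMu sync.Mutex

// setWithRestore applies only ATMOS_* keys from overrides to the process environment and
// returns the keys it applied plus a closure that puts every touched variable back exactly
// as it was (old value restored, or unset if it was absent). Other keys are ignored.
func setWithRestore(overrides map[string]string) (applied []string, restore func()) {
	type saved struct {
		value   string
		present bool
	}
	prev := make(map[string]saved)
	for key, value := range overrides {
		if !strings.HasPrefix(key, "ATMOS_") {
			continue // out of scope for this primitive
		}
		old, present := os.LookupEnv(key)
		prev[key] = saved{value: old, present: present}
		os.Setenv(key, value)
		applied = append(applied, key)
	}
	sort.Strings(applied)
	restore = func() {
		for key, s := range prev {
			if s.present {
				os.Setenv(key, s.value)
			} else {
				os.Unsetenv(key)
			}
		}
	}
	return applied, restore
}

// withAtmosEnv runs load under the overrides, serialized by the mutex, and reverts the
// environment before returning. Whatever load captured from the environment stays valid
// after restoration, just as the returned manager's identities and credentials do.
func withAtmosEnv(overrides map[string]string, load func() string) string {
	envOverridesMu.Lock()
	defer envOverridesMu.Unlock()
	_, restore := setWithRestore(overrides)
	defer restore()
	return load()
}

func main() {
	os.Setenv("ATMOS_PROFILE", "base") // constructed starting state
	got := withAtmosEnv(map[string]string{"ATMOS_PROFILE": "ci", "HOME": "/nowhere"}, func() string {
		return os.Getenv("ATMOS_PROFILE") + "|" + os.Getenv("HOME")
	})
	fmt.Println("inside:", got)                       // ci|<HOME unchanged>
	fmt.Println("after:", os.Getenv("ATMOS_PROFILE")) // base
}
```

Because `restore` is deferred, the environment is reverted even if `load` panics; a version that restores only on the success path would leak a CI profile into every later command in the same process.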

func CreateAndAuthenticateManagerWithStackScan

func CreateAndAuthenticateManagerWithStackScan(
	identityName string,
	authConfig *schema.AuthConfig,
	selectValue string,
	atmosConfig *schema.AtmosConfiguration,
) (AuthManager, error)

CreateAndAuthenticateManagerWithStackScan creates and authenticates an AuthManager, first running the global stack-file pre-scanner (Approach 2) to discover stack-level default identities.

**This is the SCAN variant.** It is the correct choice for Category B commands that legitimately have no target (component, stack) pair and therefore cannot rely on the exec-layer merge path. These commands include `atmos describe stacks`, `atmos describe affected`, `atmos describe dependents`, `atmos list affected`, `atmos list instances`, `atmos aws security`, `atmos aws compliance`, and workflow execution.

Behavior:

  • When `identityName` is empty and `atmosConfig` is provided, loads stack configuration files via `config.LoadStackAuthDefaults` (which now follows `import:` chains and correctly sees defaults declared in imported `_defaults.yaml` files, even when those files are in `excluded_paths` — fixing Issue #2293 for multi-stack commands).
  • Merges the discovered defaults into a **copy** of `authConfig` (never mutates the caller's original config) before delegating to `CreateAndAuthenticateManagerWithAtmosConfig`.
  • When the caller passes an explicit `identityName`, the scan is skipped — the explicit flag always wins.

Category A callers (terraform/helmfile/describe component/nested auth) must NOT use this variant. Running the scanner on top of a stack-scoped merged config reintroduces the Discussion #122 leak across stacks. Those callers must use `CreateAndAuthenticateManagerWithAtmosConfig` directly.

See docs/fixes/2026-04-08-atmos-auth-identity-resolution-fixes.md for the full design rationale (option d+).

Parameters:

  • identityName: The identity to authenticate (can be "__SELECT__" for interactive selection, "__DISABLED__" to disable auth, or empty for auto-detection via stack scan)
  • authConfig: The base auth configuration from atmos.yaml + profile (NOT stack-scoped)
  • selectValue: The special value that triggers interactive identity selection
  • atmosConfig: The full atmos configuration (required for stack loading; nil skips the scan)

Returns: same contract as `CreateAndAuthenticateManagerWithAtmosConfig`.

type CredentialStore

type CredentialStore = types.CredentialStore

type Identity

type Identity = types.Identity

type Provider

type Provider = types.Provider

type Validator

type Validator = types.Validator

Directories

Path: Synopsis

cloud/aws
cloud/gcp: Package gcp provides GCP-specific credential file management and environment setup for the Atmos authentication system.
identities/aws
identities/gcp_project: Package gcp_project implements the gcp/project identity.
identities/gcp_service_account: Package gcp_service_account implements the gcp/service-account identity.
aws
providers/aws
providers/gcp_adc: Package gcp_adc implements the gcp/adc authentication provider.
providers/gcp_wif: Package gcp_wif implements the gcp/workload-identity-federation provider.
realm: Package realm provides credential realm computation and validation for authentication isolation.
types: Package types is a generated GoMock package.
