
Authentication

There are two separate OIDC flows in Atmos Pro—one for authenticating GitHub Actions with the Atmos Pro API, and one for authenticating your workflows with your cloud provider. Atmos Pro never has access to your cloud.


OpenID Connect (OIDC) is an industry-standard protocol that lets one service prove its identity to another without sharing passwords or static credentials. Instead of storing long-lived API keys or secrets, OIDC issues short-lived tokens that are cryptographically signed and automatically verified. This is the same mechanism used by AWS, Azure, and GCP for federated authentication, and it's what GitHub Actions uses natively.

OIDC is a big deal because it eliminates the most common source of credential leaks in CI/CD pipelines: static secrets stored in environment variables or config files. With OIDC, there are no secrets to rotate, no tokens to revoke, and no credentials to accidentally commit.

There are two distinct authentication flows when using Atmos Pro. It's important to understand the difference, because Atmos Pro never has access to your cloud provider accounts.

Two OIDC Flows:

  • GitHub Actions → Atmos Pro: Authenticates your CI workflows with the Atmos Pro API so it can orchestrate deployments.
  • GitHub Actions → Your Cloud: Authenticates your CI workflows with AWS, Azure, or GCP so Terraform can manage resources. This is handled entirely by Atmos Auth and never leaves your GitHub Actions workflows. The credentials are scoped to the job running your GitHub Actions workflow and are never transferred to Atmos Pro.

Both flows use OIDC, but they are completely independent. Atmos Pro orchestrates when and in what order your workflows run. The actual Terraform plan and apply operations execute inside your own GitHub Actions runners, using credentials that your workflows obtain directly from your cloud provider via OIDC. Atmos Pro never sees or handles your cloud credentials.

When you run the Atmos CLI inside a GitHub Actions workflow, the workflow requests a short-lived OIDC token from GitHub. The Atmos CLI uses this token to authenticate with the Atmos Pro API—no API keys, static tokens, or long-lived secrets are needed.

This flow is used for orchestration tasks: uploading affected stacks, dispatching workflows, and reporting status. It does not grant Atmos Pro any access to your cloud accounts.

  • GitHub Actions gets an OIDC token from GitHub's built-in OIDC provider
  • Atmos CLI exchanges that token with the Atmos Pro API to prove the workflow's identity
  • Atmos Pro validates the token against GitHub's public keys and issues a short-lived access token scoped to the workflow
  • No static secrets are required for this flow

The second OIDC flow authenticates your GitHub Actions workflows directly with your cloud provider (AWS, Azure, or GCP). This is how Terraform gets the credentials it needs to manage your infrastructure.

This flow is handled entirely by Atmos—not Atmos Pro. Atmos is the open-source CLI tool that manages your Terraform configurations, and it has native support for cloud authentication via OIDC using Auth Profiles. Atmos Pro never sees or handles your cloud credentials.

Configure Cloud Authentication

Set up Atmos Auth Profiles to authenticate your GitHub Actions workflows with AWS, Azure, or GCP.

© 2026 Cloud Posse, LLC. All rights reserved.