Skip to content

docs: Add setup guidance for SuperAdmin auth, account IDs, and placeholders #852

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
milldr merged 9 commits into from
Jan 26, 2026
Merged

docs: Add setup guidance for SuperAdmin auth, account IDs, and placeholders #852

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
609edf3
docs: Add setup guidance for SuperAdmin auth, account IDs, and placeh…
milldr Jan 22, 2026
0296ed8
docs: Use Steps component for nested list in account ID placeholder s…
milldr Jan 22, 2026
59dfe4b
docs: Use TaskList component for non-sequential checklist items
milldr Jan 23, 2026
6e4febf
Merge branch 'master' into milldr/refarch-setup-steps
milldr Jan 23, 2026
e5882d6
docs: Simplify account ID placeholder guidance
milldr Jan 26, 2026
06037de
docs: Update SuperAdmin Atmos Auth setup with correct commands
milldr Jan 26, 2026
7cd5c99
Update docs/layers/accounts/prepare-aws-organization.mdx
milldr Jan 26, 2026
28e9c17
Update docs/layers/accounts/deploy-accounts.mdx
milldr Jan 26, 2026
69a458a
Merge branch 'master' into milldr/refarch-setup-steps
milldr Jan 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions docs/layers/accounts/deploy-accounts.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,22 @@ This step-by-step process outlines how to deploy AWS accounts using `atmos` work

</Step>

<Step>
## <StepNumber/> Update Account ID Placeholders

Now that accounts are created, you have real account IDs to work with. The reference architecture may contain placeholder account IDs (like `111111111111` or `000000000000`) that need to be replaced with your actual values.

To get your account IDs, run:

```bash
atmos terraform output account -s core-gbl-root
## or if on the latest version with instanced components:
atmos terraform output aws-account/core-artifacts -s core-gbl-root
```

As you continue through the setup process, keep an eye out for placeholder values in your stack configurations and replace them with the actual account IDs as needed.
</Step>

<Step>
## <StepNumber/> Deploy Accounts Settings

Expand Down
44 changes: 44 additions & 0 deletions docs/layers/accounts/prepare-aws-organization.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ sidebar_position: 2
import Intro from '@site/src/components/Intro';
import KeyPoints from '@site/src/components/KeyPoints';
import Steps from '@site/src/components/Steps';
import TaskList from '@site/src/components/TaskList';
import ActionCard from '@site/src/components/ActionCard';
import PrimaryCTA from '@site/src/components/PrimaryCTA';

Expand All @@ -17,6 +18,21 @@ The set up process for the "baseline" or "account" layer is commonly referred to

:::

:::info About Placeholder Values

The reference architecture includes placeholder values that you'll need to replace with your actual configuration. Common placeholders include:

<TaskList>
- **Account IDs** like `111111111111`, `123456789012`, or `000000000000` — Replace with your actual AWS account IDs after creating accounts
- **Underscored values** like `_example_` or `__REPLACE_ME__` — These indicate values that require your input. Search for `_ACCOUNT_NUMBER__` to find items to replace like `__DEV_ACCOUNT_NUMBER__`
- **Example domains** like `example.com` or `acme.com` — Replace with your actual domain names
- **Sample ARNs** — Update with ARNs from your environment
</TaskList>

You'll update these values at different points during setup. Each guide will call out when specific replacements are needed.

:::

## Before Running Terraform (ClickOps)

First, you'll need to perform some ClickOps to ensure things are set up before we use Terraform to manage AWS accounts.
Expand All @@ -42,6 +58,34 @@ From the root account:
1. Create a single Access Key
1. Store credentials in 1Password: Access Key ID, Secret Access Key, Assigned MFA device ARN, and TOTP key
</Steps>
1. ### Configure Atmos Auth for SuperAdmin
Configure the `superadmin` profile to authenticate via Atmos during cold start. This allows you to run Atmos commands to deploy the foundation.
<Steps>
1. Set the `ATMOS_PROFILE` environment variable to select the superadmin profile:
```bash
export ATMOS_PROFILE=superadmin
```
1. Configure your user credentials by running the following command. You'll be prompted to enter your Access Key ID, Secret Access Key, and MFA ARN from 1Password:
```bash
atmos auth user configure
```
1. Start an authenticated session. You'll be prompted to enter a one-time MFA token:
```bash
atmos auth login
```
1. Verify you can access the root account:
```bash
atmos auth exec -- aws sts get-caller-identity
```
</Steps>
:::note Daily Usage
Once the profile is set and user credentials are configured, you only need to run `atmos auth login` each day to start a new authenticated session.
:::
:::tip Atmos Profile Persistence
Add `export ATMOS_PROFILE=superadmin` to your shell configuration (`~/.zshrc` or `~/.bashrc`) to persist the setting across terminal sessions during cold start.

After cold start is complete and Identity Center is configured, you'll switch to a different profile (e.g., `devops` or `managers`) as described in [Configure Atmos Auth](/layers/identity/atmos-auth/).
:::
1. ### Enable IAM Access for Billing
For billing users, you need to enable IAM access to billing information.
<Steps>
Expand Down
Loading
Loading