31 changes: 31 additions & 0 deletions docs/layers/accounts/deploy-accounts.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,37 @@ This step-by-step process outlines how to deploy AWS accounts using `atmos` work

</Step>

<Step>
## <StepNumber/> Update Account ID Placeholders

After creating accounts, you need to update any placeholder account IDs in your configuration with the actual account IDs.

<Steps>
1. Get the list of account IDs from Terraform output:
```bash
atmos terraform output account -s core-gbl-root
```
1. Update account IDs in your stack configuration files. Common locations include:
<TaskList>
- `stacks/orgs/<namespace>/_defaults.yaml` — The `account_map` variable
- `stacks/catalog/tfstate-backend.yaml` — The `allowed_principal_arns` if referencing specific accounts
- Any component configurations referencing account IDs directly
</TaskList>
1. Verify your changes by running a plan:
```bash
atmos terraform plan tfstate-backend -s core-gbl-root
```
</Steps>

:::tip Finding Placeholders
Search your configuration for placeholder patterns like `111111111111`, `123456789012`, or `000000000000`. These are common placeholder values that should be replaced with real account IDs.

```bash
grep -r "111111111111\|123456789012\|000000000000" stacks/
```
:::
</Step>

<Step>
## <StepNumber/> Deploy Accounts Settings
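Review bot: In the "Finding Placeholders" tip, the grep pattern relies on `\|` alternation, which is a GNU extension to basic regular expressions; `grep -rnE "111111111111|123456789012|000000000000" stacks/` is portable and also prints line numbers. The verification step only plans `tfstate-backend` in `core-gbl-root`, so a placeholder left in any other component would not surface there. These placeholders are syntactically valid 12-digit account IDs, so a leftover one in `allowed_principal_arns` is not guaranteed to fail the plan and would reference an account outside your organization. Consider stating that the grep must return no matches before anything is applied.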

44 changes: 44 additions & 0 deletions docs/layers/accounts/prepare-aws-organization.mdx
Expand Up @@ -6,6 +6,7 @@ sidebar_position: 2
import Intro from '@site/src/components/Intro';
import KeyPoints from '@site/src/components/KeyPoints';
import Steps from '@site/src/components/Steps';
import TaskList from '@site/src/components/TaskList';
import ActionCard from '@site/src/components/ActionCard';
import PrimaryCTA from '@site/src/components/PrimaryCTA';
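Review bot: The `TaskList` import added here covers this file only. `deploy-accounts.mdx` also gains a `<TaskList>` block in this PR and its diff shows no matching import, so confirm that file already imports the component or add the same line there.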

Expand All @@ -17,6 +18,21 @@ The set up process for the "baseline" or "account" layer is commonly referred to

:::

:::info About Placeholder Values

The reference architecture includes placeholder values that you'll need to replace with your actual configuration. Common placeholders include:

<TaskList>
- **Account IDs** like `111111111111`, `123456789012`, or `000000000000` — Replace with your actual AWS account IDs after creating accounts
- **Underscored values** like `_example_` or `__REPLACE_ME__` — These indicate values that require your input
- **Example domains** like `example.com` or `acme.com` — Replace with your actual domain names
- **Sample ARNs** — Update with ARNs from your environment
</TaskList>

You'll update these values at different points during setup. Each guide will call out when specific replacements are needed.

:::

## Before Running Terraform (ClickOps)

First, you'll need to perform some ClickOps to ensure things are set up before we use Terraform to manage AWS accounts.
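Review bot: The "Underscored values" and "Sample ARNs" bullets name kinds of placeholder without giving a way to find them, and the only search command in this PR (the grep tip in `deploy-accounts.mdx`) covers account IDs alone. Consider adding a search for `__REPLACE_ME__`, `_example_`, `example.com` and `acme.com` here, or linking to one, so unreplaced values in ARNs and domains are caught before deploy.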
Expand All @@ -42,6 +58,34 @@ From the root account:
1. Create a single Access Key
1. Store credentials in 1Password: Access Key ID, Secret Access Key, Assigned MFA device ARN, and TOTP key
</Steps>
1. ### Configure Atmos Auth for SuperAdmin
Configure the `superadmin` profile to authenticate via Atmos during cold start. This allows you to run Atmos commands to deploy the foundation.
<Steps>
1. Set the `ATMOS_PROFILE` environment variable:
```bash
export ATMOS_PROFILE=superadmin
```
1. Create a `.env` file in your project root with the SuperAdmin credentials from 1Password:
```bash
# .env (do NOT commit this file)
AWS_ACCESS_KEY_ID=<your-access-key-id>
AWS_SECRET_ACCESS_KEY=<your-secret-access-key>
AWS_MFA_SERIAL=arn:aws:iam::<root-account-id>:mfa/SuperAdmin
```
1. Test the connection by running:
```bash
atmos auth login
```
1. Verify you can access the root account:
```bash
aws sts get-caller-identity
```
</Steps>
:::tip Atmos Profile Persistence
Add `export ATMOS_PROFILE=superadmin` to your shell configuration (`~/.zshrc` or `~/.bashrc`) to persist the setting across terminal sessions during cold start.

After cold start is complete and Identity Center is configured, you'll switch to a different profile (e.g., `devops` or `managers`) as described in [Configure Atmos Auth](/layers/identity/atmos-auth/).
:::
1. ### Enable IAM Access for Billing
For billing users, you need to enable IAM access to billing information.
<Steps>
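Review bot: The `.env` step writes the long-lived SuperAdmin access key for the root account to a plaintext file in the project root, and the only safeguard is the `do NOT commit` comment. Add a step that confirms `.env` is listed in `.gitignore` and restricts the file to the current user (`chmod 600 .env`), and say when the file should be deleted once cold start is done. The block is fenced as `bash` but holds dotenv-style assignments, and the steps do not say how Atmos picks the file up; one sentence on that would help. The persistence tip should also tell readers to remove `export ATMOS_PROFILE=superadmin` from their shell configuration when they switch profiles, so later sessions do not default to SuperAdmin.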