cloudposse · aknysh · Mar 4, 2026 · Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026
@@ -0,0 +1,46 @@
+---
+slug: multi-cloud-docs
+title: "Multi-Cloud Documentation and Design Patterns"
+authors: [osterman]
+tags: [documentation]
+---
+
+Atmos has always been cloud agnostic, but our documentation hasn't always reflected that. This release adds comprehensive multi-cloud documentation including a new design pattern for organizing stacks across different cloud providers.
+
+<!--truncate-->
+
+## What Changed
+
+### Multi-Cloud Overview Page
+
+A new [Multi-Cloud](/multi-cloud) page explains how Atmos works with any cloud provider that Terraform supports. It includes a cloud concept mapping table that translates equivalent concepts across AWS, Azure, and GCP — from organizational hierarchy (Organizations vs Management Groups vs Folders) to networking (VPC vs VNet vs VPC Network) to identity (IAM Roles vs Managed Identities vs Service Accounts).
+
+The page also includes tabbed configuration examples showing how to set up [authentication](/cli/configuration/auth) and [stores](/cli/configuration/stores) for each provider.
+
+### Multi-Cloud Configuration Design Pattern
+
+A new [Multi-Cloud Configuration](/design-patterns/stack-organization/multi-cloud-configuration) design pattern shows how to organize your stacks so the directory layout mirrors how your cloud provider organizes its resources. The guiding principle: what you see on disk should match how resources are deployed.
+
+Each cloud gets its own example with native terminology in folder names:
+
+- **AWS**: `accounts/dev/us-east-1.yaml`
+- **Azure**: `subscriptions/dev/eastus.yaml`
+- **GCP**: `projects/dev/us-central1.yaml`
+
+### Application SDLC Environments Design Pattern
+
+Not every repository needs deep organizational hierarchy. A new [Application SDLC Environments](/design-patterns/stack-organization/application-sdlc) design pattern shows how application repositories can co-locate infrastructure alongside application code with a minimal flat structure: `dev.yaml`, `staging.yaml`, `prod.yaml`, and optionally `preview.yaml` for ephemeral PR environments.
+
+This pattern makes it easy for developers to get up and running with Atmos in their application repositories without being overwhelmed by organizational taxonomy. The directory structure exposes only what the team needs to care about — the SDLC environment — while keeping everything else as inherited defaults. The result is a clean architecture where infrastructure ships with the application in the same repo and the same pull request.
+
+For a working example of this pattern, see the [app-on-ecs](https://github.com/cloudposse-examples/app-on-ecs) reference architecture on GitHub.
+
+### Azure and GCP Auth Documentation
+
+The [auth usage page](/cli/commands/auth/usage), [providers reference](/cli/configuration/auth/providers), and [identities reference](/cli/configuration/auth/identities) now include Azure and GCP alongside AWS, with tabbed examples for each cloud.
+
+## Why This Matters
+
+Teams deploying to Azure or GCP can now find documentation that speaks their cloud's language instead of translating from AWS-centric examples. The concept mapping table helps engineers working across multiple clouds quickly find equivalent services.
+
+For application developers, the SDLC pattern provides a low-friction on-ramp to Atmos — co-locate your Terraform next to your app code, define one file per environment, and let Atmos handle the rest.
@@ -47,7 +47,7 @@ atmos auth exec -- terraform plan
 # Show current authentication status
 atmos auth whoami
 
-# Open AWS console in browser
+# Open cloud console in browser
 atmos auth console
 
 # Start a shell with authentication
@@ -65,7 +65,7 @@ atmos auth shell
       <li>Empty for interactive selection (e.g., <code>--identity</code>)</li>
       <li><code>false</code> to disable authentication (e.g., <code>--identity=false</code>)</li>
     </ul>
-    When set to <code>false</code>, Atmos skips identity authentication and uses standard AWS credential resolution.
+    When set to <code>false</code>, Atmos skips identity authentication and uses standard cloud provider credential resolution.
   </dd>
 </dl>
 
@@ -79,17 +79,36 @@ atmos auth shell
 
 **Providers** are the upstream systems that Atmos Auth uses to obtain initial credentials:
 
+**AWS**
 - **AWS SSO**: `aws/iam-identity-center`
 - **AWS SAML**: `aws/saml`
 - **GitHub OIDC**: `github/oidc`
 
+**Azure**
+- **Device Code**: `azure/device-code`
+- **OIDC (Workload Identity)**: `azure/oidc`
+- **CLI**: `azure/cli`
+
+**GCP**
+- **Application Default Credentials**: `gcp/adc`
+- **Workload Identity Federation**: `gcp/workload-identity-federation`
+
 ### Identities
 
 **Identities** represent the user accounts or roles available from provider credentials:
 
-- **AWS Permission Set**: `aws/permission-set`
-- **AWS Assume Role**: `aws/assume-role`
-- **AWS User**: `aws/user`
+**AWS**
+- **Permission Set**: `aws/permission-set`
+- **Assume Role**: `aws/assume-role`
+- **Assume Root**: `aws/assume-root`
+- **User (Break-glass)**: `aws/user`
+
+**Azure**
+- **Subscription**: `azure/subscription`
+
+**GCP**
+- **Service Account**: `gcp/service-account`
+- **Project**: `gcp/project`
 
 ### Identity Chaining
 
@@ -140,7 +159,7 @@ atmos terraform plan mycomponent --stack=dev
 
 **Recognized disable values:** `false`, `0`, `no`, `off` (case-insensitive)
 
-When disabled, Atmos skips all identity authentication and falls back to standard cloud provider SDK credential resolution.
+When disabled, Atmos skips all identity authentication and falls back to standard cloud provider SDK credential resolution (AWS, Azure, or GCP).
 
 ## Environment Variable Formats
 

@@ -148,5 +148,5 @@ auth:
 
 ## Notes
 
-- Learn how to [configure an `aws/user` identity](/cli/configuration/auth/identities#aws-user-break-glass) in `atmos.yaml` before running this command
-- See the [AWS User configuration](/cli/configuration/auth/identities#aws-user-break-glass) for MFA configuration and usage details
+- Learn how to [configure an `aws/user` identity](/cli/configuration/auth/identities#user-break-glass) in `atmos.yaml` before running this command
+- See the [AWS User configuration](/cli/configuration/auth/identities#user-break-glass) for MFA configuration and usage details
@@ -4,17 +4,22 @@ sidebar_position: 3
 sidebar_label: identities
 sidebar_class_name: command
 id: identities
-description: Configure authentication identities including AWS permission sets, assume roles, Azure subscriptions, and GCP service accounts in your `atmos.yaml`.
+description: Configure authentication identities for AWS, Azure, and GCP in your `atmos.yaml`.
 ---
 import DocCardList from '@theme/DocCardList'
 import File from '@site/src/components/File'
 import Intro from '@site/src/components/Intro'
+import Tabs from '@theme/Tabs'
+import TabItem from '@theme/TabItem'
 
 <Intro>
 Identities represent the user accounts or roles available from provider credentials. Configure identities in the `auth.identities` section of your `atmos.yaml`.
 </Intro>
 
-## AWS Permission Set
+<Tabs>
+<TabItem value="aws" label="AWS" default>
+
+## Permission Set
 
 For AWS SSO permission sets.
 
@@ -56,7 +61,7 @@ auth:
   <dd>Numeric account ID (used directly, no lookup required).</dd>
 </dl>
 
-## AWS Assume Role
+## Assume Role
 
 For assuming IAM roles, either directly from a provider or chained from another identity.
 
@@ -93,7 +98,7 @@ auth:
   <dd>Optional. Session name for CloudTrail auditing.</dd>
 </dl>
 
-## AWS Assume Root (Organizations)
+## Assume Root (Organizations)
 
 For centralized root access in AWS Organizations using sts:AssumeRoot. This allows privileged operations on member accounts without enabling root user credentials.
 
@@ -140,7 +145,7 @@ auth:
 AssumeRoot requires AWS Organizations with centralized root access enabled and appropriate permissions on the base identity.
 :::
 
-## AWS User (Break-glass)
+## User (Break-glass)
 
 For static IAM user credentials, typically used for emergency access.
 
@@ -179,7 +184,10 @@ auth:
 Instead of storing credentials in configuration, use `atmos auth user configure` to store them securely in the system keyring.
 :::
 
-## Azure Subscription
+</TabItem>
+<TabItem value="azure" label="Azure">
+
+## Subscription
 
 For targeting a specific Azure subscription using credentials from an Azure provider.
 
@@ -217,7 +225,14 @@ auth:
 
 The Azure subscription identity inherits credentials from the provider and sets subscription-specific environment variables (`AZURE_SUBSCRIPTION_ID`, `ARM_SUBSCRIPTION_ID`, etc.) for Terraform and other Azure tools.
 
-## GCP Service Account
+:::tip
+For a detailed walkthrough with examples, see the [Azure Authentication Tutorial](/tutorials/azure-authentication).
+:::
+
+</TabItem>
+<TabItem value="gcp" label="GCP">
+
+## Service Account
 
 For impersonating a GCP service account using credentials from a GCP provider.
 
@@ -264,7 +279,7 @@ auth:
 
 The service account identity uses the IAM Credentials API to generate access tokens. Requires the base identity to have `roles/iam.serviceAccountTokenCreator` on the target service account.
 
-## GCP Project
+## Project
 
 For setting GCP project context without authentication. Useful for targeting a specific project when credentials come from a provider or parent identity.
 
@@ -302,6 +317,9 @@ auth:
 
 The project identity sets environment variables (`GOOGLE_CLOUD_PROJECT`, `CLOUDSDK_CORE_PROJECT`, `GOOGLE_CLOUD_REGION`, etc.) for Terraform and gcloud tools.
 
+</TabItem>
+</Tabs>
+
 ## Identity Chaining
 
 Identity chaining allows you to create complex authentication flows where one identity is used to obtain another.

@@ -71,7 +71,7 @@ auth:
 
 ## Subpages
 
-- **[Providers](/cli/configuration/auth/providers)** - Configure authentication providers (AWS SSO, SAML, GitHub OIDC)
+- **[Providers](/cli/configuration/auth/providers)** - Configure authentication providers (AWS SSO, SAML, GitHub OIDC, GCP, Azure)
 - **[Identities](/cli/configuration/auth/identities)** - Configure identities and identity chaining
 - **[Keyring](/cli/configuration/auth/keyring)** - Configure credential storage backends
 - **[Logs](/cli/configuration/auth/logs)** - Configure auth-specific logging
@@ -254,11 +254,15 @@ ATMOS_PROFILE=ci atmos terraform apply myapp -s prod
   {type: 'link', href: '/cli/commands/auth/shell', label: 'atmos auth shell', description: 'Start a shell with identity credentials'},
   {type: 'link', href: '/cli/commands/auth/exec', label: 'atmos auth exec', description: 'Execute a command with identity credentials'},
   {type: 'link', href: '/cli/commands/auth/env', label: 'atmos auth env', description: 'Export credentials as environment variables'},
-  {type: 'link', href: '/cli/commands/auth/console', label: 'atmos auth console', description: 'Open AWS console in browser'},
+  {type: 'link', href: '/cli/commands/auth/console', label: 'atmos auth console', description: 'Open cloud console in browser'},
   {type: 'link', href: '/cli/commands/auth/list', label: 'atmos auth list', description: 'List available identities and providers'},
   {type: 'link', href: '/cli/commands/auth/logout', label: 'atmos auth logout', description: 'Clear cached credentials'},
 ]} />
 
+## Tutorials
+
+- [Azure Authentication](/tutorials/azure-authentication) — Complete guide for Azure device code, OIDC, and CLI authentication
+
 ## See Also
 
 - [Profiles](/cli/configuration/profiles) — Environment-specific configuration overrides