Skip to main content
Interactive command. Opens your browser to deploy an OIDC CloudFormation stack for secure, short-lived credentials.

Usage

fjall connect [options]
fjall connect establishes a secure OIDC connection between Fjall and an AWS account. Use it to:
  • Add another AWS account to your organisation.
  • Connect an existing standalone account.
  • Recover from AWS-side trust drift with --force (the IAM role was deleted but Fjall still tracks the connection as active).
The first account is connected automatically by fjall create org. Run fjall connect for every account you add after that.

Prerequisites

  • Authenticated with fjall login.
  • Permission in the target AWS account to create IAM roles and CloudFormation stacks.

What It Does

  1. Opens your browser to deploy a CloudFormation stack in the target AWS account.
  2. The stack creates an IAM OIDC provider and a role that Fjall assumes on demand.
  3. Polls for stack completion.
  4. Caches the connection locally and syncs it to the Fjall webapp.

Options

OptionDescriptionDefault
--region <region>AWS region for the CloudFormation stackus-east-2
--environment <env>Environment label for this account: production, staging, development, platform, or compliance (root is reserved for scripted AWS Organizations management-account setup)
--name <name>Human-readable name for the AWS account (for example, Production)
--forceOverwrite an existing matching (region, environment) connection with a fresh CloudFormation stack. Use to recover from trust drift
--verboseEnable verbose logging
--non-interactiveForce plain CLI output (no UI)

Examples

fjall connect
The interactive flow:
  1. Opens your default browser to deploy the OIDC CloudFormation stack.
  2. Shows a progress indicator while waiting for stack completion.
  3. Confirms the connection and displays account details.

Connect a named staging account

fjall connect --name Staging --environment staging --region ap-southeast-2

Non-interactive

fjall connect --region ap-southeast-2 --non-interactive

Recover from trust drift

fjall connect --force --region us-east-2 --environment production

Typical workflow

# 1. Log in to Fjall
fjall login

# 2. Connect your AWS account
fjall connect

# 3. Create account infrastructure
fjall create account

# 4. Create an application
fjall create app

# 5. Deploy your application
fjall deploy web

Troubleshooting

Browser does not open

If the browser fails to open automatically:
  • Copy the URL from the terminal output and open it manually.
  • Sign in to the correct AWS account in your browser.

Stack deployment fails

If the OIDC CloudFormation stack fails:
  • Check that your AWS account has permission to create IAM roles and CloudFormation stacks.
  • Retry with fjall connect to re-open the browser flow.

Connection already exists

If a matching connection already exists, fjall connect short-circuits the flow. To connect a different AWS account, run fjall connect with credentials for the new account. To overwrite an existing connection or recover from trust drift, add --force.
The OIDC connection provides short-lived credentials, so no long-term secrets are stored. Fjall assumes the IAM role on demand using OpenID Connect federation.

Next Steps

fjall create

Provision account infrastructure or scaffold an application after connecting.

fjall deploy

Deploy an application, organisation, platform, or account.

Understanding Profiles

See how AWS profiles are derived automatically from org config.

Create Application

Scaffold a new application from a pattern.