Interactive command. Opens your browser to deploy an OIDC CloudFormation stack for secure, short-lived credentials.
Usage
fjall connect establishes a secure OIDC connection between Fjall and an AWS account. Use it to:
- Add another AWS account to your organisation.
- Connect an existing standalone account.
- Recover from AWS-side trust drift with --force (the IAM role was deleted but Fjall still tracks the connection as active).
fjall create org. Run fjall connect for every account you add after that.
Prerequisites
- Authenticated with fjall login.
- Permission in the target AWS account to create IAM roles and CloudFormation stacks.
What It Does
- Opens your browser to deploy a CloudFormation stack in the target AWS account.
- The stack creates an IAM OIDC provider and a role that Fjall assumes on demand.
- Polls for stack completion.
- Caches the connection locally and syncs it to the Fjall webapp.
Options
| Option | Description | Default |
|---|---|---|
| --region <region> | AWS region for the CloudFormation stack | us-east-2 |
| --environment <env> | Environment label for this account: production, staging, development, platform, or compliance (root is reserved for scripted AWS Organizations management-account setup) | |
| --name <name> | Human-readable name for the AWS account (for example, Production) | |
| --force | Overwrite an existing matching (region, environment) connection with a fresh CloudFormation stack. Use to recover from trust drift | |
| --verbose | Enable verbose logging | |
| --non-interactive | Force plain CLI output (no UI) | |
Examples
Interactive (recommended)
- Opens your default browser to deploy the OIDC CloudFormation stack.
- Shows a progress indicator while waiting for stack completion.
- Confirms the connection and displays account details.
Connect a named staging account
Non-interactive
Recover from trust drift
Typical workflow
Troubleshooting
Browser does not open
If the browser fails to open automatically:
- Copy the URL from the terminal output and open it manually.
- Sign in to the correct AWS account in your browser.
Stack deployment fails
If the OIDC CloudFormation stack fails:
- Check that your AWS account has permission to create IAM roles and CloudFormation stacks.
- Retry with fjall connect to re-open the browser flow.
Connection already exists
If a matching connection already exists, fjall connect short-circuits the flow. To connect a different AWS account, run fjall connect with credentials for the new account. To overwrite an existing connection or recover from trust drift, add --force.
The OIDC connection provides short-lived credentials, so no long-term secrets are stored. Fjall assumes the IAM role on demand using OpenID Connect federation.
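An added example, not Fjall's own code or template: a strict audit of the trust policy on an OIDC-federated IAM role, checking that it names the expected provider and pins the aud and sub claims with exact matches. The issuer host, account ID and claim values are constructed placeholders, and the requirement for StringEquals on both claims is an assumption of this check rather than something the page states.

```python
ISSUER = "oidc.example.invalid"  # placeholder issuer host (assumption)
PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"  # constructed


def audit_trust_policy(policy, issuer=ISSUER):
    """Return findings for a role trust policy; an empty list means it is scoped."""
    findings, seen = [], False
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    for i, st in enumerate(statements):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        seen = True
        principal = st.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if not isinstance(federated, str) or not federated.endswith(f":oidc-provider/{issuer}"):
            findings.append(f"statement {i}: principal is not the expected OIDC provider")
        # Only exact-match conditions count; StringLike wildcards are treated as unscoped.
        exact = st.get("Condition", {}).get("StringEquals", {})
        for claim in ("aud", "sub"):
            if not exact.get(f"{issuer}:{claim}"):
                findings.append(f"statement {i}: no StringEquals condition on {claim}")
    if not seen:
        findings.append("no sts:AssumeRoleWithWebIdentity statement found")
    return findings


def sample_policy(condition):
    """Build a constructed sample trust policy with the given Condition block."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]}


# Constructed samples: one scoped policy and one that leaves sub open to any token.
GOOD = sample_policy({"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com",
                                       f"{ISSUER}:sub": "org:example-org"}})
LOOSE = sample_policy({"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
                       "StringLike": {f"{ISSUER}:sub": "*"}})

if __name__ == "__main__":
    for name, pol in (("GOOD", GOOD), ("LOOSE", LOOSE)):
        print(name, audit_trust_policy(pol) or "ok")
```

To run it against a deployed role, pass in the AssumeRolePolicyDocument returned by aws iam get-role for that role, with the issuer set to the provider the stack actually created.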
Next Steps
fjall create
Provision account infrastructure or scaffold an application after connecting.
fjall deploy
Deploy an application, organisation, platform, or account.
Understanding Profiles
See how AWS profiles are derived automatically from org config.
Create Application
Scaffold a new application from a pattern.