A user logs into the Atlas Console with three fields — username, password, and a Domain path (e.g. /your-org). To create one you need a domain (most setups: just the default one named after your org) and an account (one per billing unit). This page covers all three.
1. (One-time) Create a domain
If you already have a domain to put the user under, skip to step 2.
Console
Domains in the left nav. Click Add Domain +, give it a name, click OK.
CLI
cmk create domain name=your-org2. Create an account
An account owns resources (instances, networks, buckets) and is the billable unit. Each user belongs to one account.
Console
Accounts → Add Account +. Set:
- Username — the login name
- Password — temporary; have the user change it on first login
- Email, First name, Last name
- Role — see the table below
- Domain — the domain you created in step 1 (or the root domain)
CLI
cmk create account \
username=alice password='temp-password' \
email=alice@example.com firstname=Alice lastname=Example \
accounttype=0 \
domainid=$(cmk list domains name=your-org | jq -r '.domain[0].id') \
roleid=$(cmk list roles name=User | jq -r '.role[0].id')accounttype=0 is a regular user; accounttype=2 is a domain admin.
3. (Optional) Add additional users to an account
A single account can have multiple users (handy when several people share a billing unit but each needs their own credentials).
cmk create user \
username=bob password='temp-password' \
email=bob@example.com firstname=Bob lastname=Example \
account=alice \
domainid=$(cmk list domains name=your-org | jq -r '.domain[0].id')What to send your new user
When you onboard someone, they need exactly three things:
- Console URL: https://sky.runatlas.is
- Username + temporary password (they should change it on first login)
- Domain path:
/your-org— without this they can’t log in. This is the single most common onboarding failure.
For automation users — who’ll use cmk, Terraform, or the API directly — point them at Get API credentials to generate an API key pair.
Roles
| Role | Can do |
|---|---|
| User | Read/write resources within their account. The default for end users. |
| Domain Admin | Manage users, accounts, and sub-domains within their domain. For tenant administrators. |
| Resource Admin | Cross-account inside a domain. Rare. |
| Admin | Cross-domain (Atlas staff only). |
| Read-Only Admin | Read-only across the domain. Useful for auditors. |
You can list available roles with:
cmk list roles filter=name,id,typeDisable or delete a user
Disabling is the safer first step — the user can be re-enabled with their existing credentials. Deletion is permanent and removes all resources owned by the user’s account.
Console
Accounts → click the account → Users → click the user → Disable (or Delete for permanent removal).
CLI
cmk disable user id=<user-id>
cmk delete user id=<user-id>