
Terraform introduces organizational control for user token generation

Teams in Terraform gain further control over user API tokens in HCP Terraform and Terraform Enterprise.

We’re excited to share the latest enhancement to HashiCorp Terraform’s permissions capabilities: user token control at the organization level. Now generally available in HCP Terraform and coming soon in Terraform Enterprise, this addition helps teams enable or disable user API tokens within Terraform organizations, facilitating better access control and collaboration within their environments.

Like the recent release of Terraform’s multiple team tokens capability, this new API token management setting is another step in our effort to help users simplify permissions management and apply the principle of least privilege in their infrastructure workflows.

»API token management in Terraform

Within HCP Terraform, three types of API tokens exist to facilitate programmatic access:

  • User API tokens that belong to a specific user
  • Team API tokens that belong to a specific team without being tied to any one user
  • The organization API token that provides administrative access to settings and resources at the organizational level

As user API tokens are tied to a specific individual, these tokens inherit the user’s permissions, which may include access to sensitive infrastructure data such as state files, variables, and workspace configurations. Previously, users in a Terraform organization could create these tokens at will, with no way for organization owners to restrict this behavior, revoke these tokens, or view which tokens have access to their organization.

User tokens can also be created without a specified expiration, allowing them to persist indefinitely until manual deletion. This can introduce security risks in enterprise environments where long-lived credentials are discouraged or disallowed. These challenges prompted the need for centralized controls to disable or manage user token usage in Terraform organizations.

»Introducing user token settings at the organization level

Terraform organizations now have a new setting that enables or disables the use of user API tokens. Only organization owners can change this setting, and it remains enabled by default to avoid disrupting existing customer workflows. When user API tokens are explicitly disabled in an organization, no user API token can be used to access resources belonging to that organization. Note that this is a per-organization decision: if a user belongs to several organizations, their token remains valid for every other organization that has not disabled user API token use.
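To make the per-organization behaviour above concrete, here is an added Python model of the authorization decision. It is a constructed illustration, not HCP Terraform’s own code: the `user_api_tokens_enabled` field, the data classes and the sample tokens are assumptions, chosen to show that disabling user tokens in one organization does not affect team or organization tokens, nor the same user token in another organization.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Token:
    kind: str                      # "user", "team" or "organization"
    owner: str                     # user id, team id or org name (constructed)
    orgs: set                      # organizations the owner belongs to
    expires_at: Optional[datetime] = None   # None = no expiration set

@dataclass
class Organization:
    name: str
    # Assumed setting name; the page only says the setting is enabled by default.
    user_api_tokens_enabled: bool = True

def authorize(token: Token, org: Organization, now: datetime):
    """Decide whether `token` may access `org`; returns (allowed, reason)."""
    if token.expires_at is not None and now >= token.expires_at:
        return False, "token expired"
    if org.name not in token.orgs:
        return False, "token owner is not a member of this organization"
    # Only user tokens are subject to the organization-level switch.
    if token.kind == "user" and not org.user_api_tokens_enabled:
        return False, "user API tokens are disabled in this organization"
    return True, "ok"

def long_lived_user_tokens(tokens):
    """Audit helper: user tokens created without an expiration."""
    return [t for t in tokens if t.kind == "user" and t.expires_at is None]

# Constructed sample data: "acme" has disabled user tokens, "beta" has not.
ACME = Organization("acme", user_api_tokens_enabled=False)
BETA = Organization("beta")
ALICE_USER_TOKEN = Token("user", "alice", {"acme", "beta"})
ACME_TEAM_TOKEN = Token("team", "acme-platform-team", {"acme"},
                        expires_at=datetime(2030, 1, 1, tzinfo=timezone.utc))
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for tok, org in [(ALICE_USER_TOKEN, ACME), (ALICE_USER_TOKEN, BETA),
                     (ACME_TEAM_TOKEN, ACME)]:
        print(tok.kind, tok.owner, "->", org.name, authorize(tok, org, NOW))
    print("no expiration:", [t.owner for t in long_lived_user_tokens(
        [ALICE_USER_TOKEN, ACME_TEAM_TOKEN])])
```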

API tokens dashboard: configure user tokens on the API tokens page under the User Tokens tab.

»Summary and resources

The ability to configure user token settings at the organization level is now available for all tiers in HCP Terraform and coming soon to Terraform Enterprise. Please refer to Terraform’s API Tokens page for details on getting started.

If you are new to Terraform, you can get started with HashiCorp-managed HCP Terraform for free to begin provisioning and managing your infrastructure in any environment. And don’t forget to link your HCP Terraform and HashiCorp Cloud Platform (HCP) accounts for a seamless sign-in experience.
