• Overview
    • Enforce Policy as Code
    • Infrastructure as Code
    • Inject Secrets into Terraform
    • Integrate with Existing Workflows
    • Manage Kubernetes
    • Manage Virtual Machine Images
    • Multi-Cloud Deployment
    • Network Infrastructure Automation
    • Terraform CLI
    • Terraform Cloud
    • Terraform Enterprise
  • Registry
  • Tutorials
    • About the Docs
    • Intro to Terraform
    • Configuration Language
    • Terraform CLI
    • Terraform Cloud
    • Terraform Enterprise
    • Provider Use
    • Plugin Development
    • Registry Publishing
    • Integration Program
    • Terraform Tools
    • CDK for Terraform
    • Glossary
  • Community
GitHubTerraform Cloud
Download

    Terraform Cloud and Enterprise

  • Overview
  • Plans and Features
  • Getting Started
    • API Docs template
    • Overview
    • Account
    • Agent Pools
    • Agent Tokens
    • Applies
    • Audit Trails
    • Comments
    • Configuration Versions
    • Cost Estimates
    • Feature Sets
    • Invoices
    • IP Ranges
    • Notification Configurations
    • OAuth Clients
    • OAuth Tokens
    • Organizations
    • Organization Memberships
    • Organization Tags
    • Organization Tokens
    • Plan Exports
    • Plans
    • Policies
    • Policy Checks
    • Policy Sets
    • Policy Set Parameters
      • Modules
      • Providers
      • Private Provider Versions and Platforms
      • GPG Keys
    • Runs
      • Run Tasks
      • Stages and Results
      • Custom Integration
    • Run Triggers
    • SSH Keys
    • State Versions
    • State Version Outputs
    • Subscriptions
    • Team Access
    • Team Membership
    • Team Tokens
    • Teams
    • User Tokens
    • Users
    • Variables
    • VCS Events
    • Workspaces
    • Workspace-Specific Variables
    • Workspace Resources
    • Variable Sets
      • Overview
      • Module Sharing
      • Organizations
      • Runs
      • Settings
      • Terraform Versions
      • Users
      • Workspaces
    • Changelog
    • Stability Policy
    • Overview
    • Creating Workspaces
    • Naming
    • Terraform Configurations
      • Overview
      • Managing Variables
      • Overview
      • VCS Connections
      • Access
      • Drift Detection
      • Notifications
      • SSH Keys for Modules
      • Run Triggers
      • Run Tasks
    • Terraform State
    • JSON Filtering
    • Remote Operations
    • Viewing and Managing Runs
    • Run States and Stages
    • Run Modes and Options
    • UI/VCS-driven Runs
    • API-driven Runs
    • CLI-driven Runs
    • The Run Environment
    • Installing Software
    • Users
    • Teams
    • Organizations
    • Permissions
    • Two-factor Authentication
    • API Tokens
      • Overview
      • Microsoft Azure AD
      • Okta
      • SAML
      • Linking a User Account
      • Testing
    • Overview
    • GitHub.com
    • GitHub.com (OAuth)
    • GitHub Enterprise
    • GitLab.com
    • GitLab EE and CE
    • Bitbucket Cloud
    • Bitbucket Server and Data Center
    • Azure DevOps Services
    • Azure DevOps Server
    • Troubleshooting
    • Overview
    • Adding Public Providers and Modules
    • Publishing Private Providers
    • Publishing Private Modules
    • Using Providers and Modules
    • Configuration Designer
  • Migrating to Terraform Cloud
    • Overview
    • Using Sentinel with Terraform 0.12
    • Manage Policies
    • Enforce and Override Policies
    • Mocking Terraform Sentinel Data
    • Working With JSON Result Data
      • Overview
      • tfconfig
      • tfconfig/v2
      • tfplan
      • tfplan/v2
      • tfstate
      • tfstate/v2
      • tfrun
    • Example Policies
    • Overview
    • AWS
    • GCP
    • Azure
      • Overview
      • Service Catalog
      • Admin Guide
      • Developer Reference
      • Example Customizations
      • V1 Setup Instructions
    • Splunk Integration
    • Kubernetes Integration
    • Run Tasks Integration
    • Overview
    • IP Ranges
    • Data Security
    • Security Model
    • Overview
    • Part 1: Overview of Our Recommended Workflow
    • Part 2: Evaluating Your Current Provisioning Practices
    • Part 3: How to Evolve Your Provisioning Practices
    • Part 3.1: From Manual Changes to Semi-Automation
    • Part 3.2: From Semi-Automation to Infrastructure as Code
    • Part 3.3: From Infrastructure as Code to Collaborative Infrastructure as Code
    • Part 3.4: Advanced Workflow Improvements

  • Terraform Cloud Agents

  • Terraform Enterprise Admin

  • Other Docs

  • Intro to Terraform
  • Configuration Language
  • Terraform CLI
  • Terraform Cloud
  • Terraform Enterprise
  • Provider Use
  • Plugin Development
  • Registry Publishing
  • Integration Program
  • Terraform Tools
  • CDK for Terraform
  • Glossary
Type '/' to Search

»Users

User accounts belong to individual people. Each user can be part of one or more teams, which are granted permissions on workspaces within an organization. A user can be a member of multiple organizations.

»API

Use the Account API to get account details, update account information, and change your password.

»Creating an Account

Creating an account requires a username, an email address, and a password. To use Terraform Cloud, you must create an account through one of the following methods:

  • Invitation Email: When a user sends you an invitation to join an existing Terraform Cloud organization, the email includes a sign-up link. After you create an account, you will automatically join that organization and can begin using Terraform Cloud.
  • Sign-Up Page: For Terraform Cloud, go to https://app.terraform.io/signup/account. For Terraform Enterprise, go to https://<TFE HOSTNAME>/signup/account. After you create an account, you will not belong to any organizations. To begin using Terraform Cloud, you can either create an organization or ask an organization owner to send you an invitation email to join their organization.

»Joining Organizations and Teams

An organization owner must invite you to join their organization. After you join, the organization owner must also add you to one or more teams.

Terraform Cloud sends user invitations by email. If the invited email address matches an existing Terraform Cloud account, the invitee can join the organization with that account. Otherwise, they must create a new account and then join the organization.

»Site Admin Permissions

On Terraform Enterprise instances, some user accounts have a special site admin permission that allows them to administer the entire instance.

Admin permissions are distinct from normal organization-level permissions, and they apply to a different set of UI controls and API endpoints. Admin users can administer any resource across the instance when using the site admin pages or the admin API, but they have normal user permissions when using an organization's standard UI controls and API endpoints. These normal user permissions are determined by team membership.

Refer to Administering Terraform Enterprise for more details.

»User Settings

To view your settings page, click your user icon and select User settings. Your Profile page appears, showing your username, email address, and avatar.

»Profile

Click Profile in the sidebar to view and edit the username and email address associated with your Terraform Cloud account.

Important: Terraform Cloud includes your username in URL paths to resources. If external systems make requests to these resources, you must update them before you change your username.

Terraform Cloud uses Gravatar to display a user icon if you have associated one with your email address. Refer to the Gravatar documentation for details about changing your user icon.

»Sessions

Click Sessions in the sidebar to view a list of sessions associated with your Terraform Cloud account. You can revoke any sessions you do not recognize.

»Organizations

Click Organizations in the sidebar to view a list of the organizations where you are a member. If you are on the owners team, the organization is marked with an OWNER badge.

To leave an organization, click the ellipses (...) next to the organization and select Leave organization. You do not need permission from the owners to leave an organization, but you cannot leave if you are the last member of the owners team. Either add a new owner and then leave, or delete the organization.

»Password

Click Password in the sidebar to change your password.

Note: Password management is not available if your Terraform Enterprise instance uses SAML single sign on.

»Two-Factor Authentication

Click Two Factor Authentication in the sidebar to enable two-factor authentication. Two-factor authentication requires a TOTP-compliant application or an SMS-capable phone number. An organization can set policies that require two-factor authentication.

Refer to Two-Factor Authentication for details.

»SSO

Click SSO in the sidebar to review and remove SSO identity links associated with your account.

You have an SSO identity for every SSO-enabled Terraform Cloud organization. Terraform Cloud links each SSO identity to a single Terraform Cloud user account. This link determines which account you can use to access each organization.

»Tokens

Click Tokens in the sidebar to create, manage, and revoke API tokens. Terraform Cloud has three kinds of API tokens: user, team, and organization. Users can be members of multiple organizations, so user tokens work with any organization where the associated user is a member. Refer to API Tokens for details.

API tokens are required for the following tasks:

  • Authenticating with the Terraform Cloud API. API calls require an Authorization: Bearer <TOKEN> HTTP header.
  • Authenticating with the Terraform Cloud CLI integration or the remote backend. These require a token in the CLI configuration file or in the backend configuration.
  • Using private modules in command-line runs on local machines. This requires a token in the CLI configuration file.

Protect your tokens carefully because they contain the same permissions as your user account. For example, if you belong to a team with permission to read and write variables for a workspace, another user could use your API token to authenticate as your user account and also edit variables in that workspace. Refer to permissions for more details.

»Creating a Token

To create a new token:

  1. Click Create an API token. The Create API token box appears.
  2. Enter a Description that explains what the token is for and click Create API token.
  3. Copy your token from the box and save it in a secure location. Terraform Cloud only displays the token once, right after you create it. If you lose it, you must revoke the old token and create a new one.

»Revoking a Token

To revoke a token, click the trash can next to it. That token will no longer be able to authenticate as your user account.

Note: When SAML SSO is enabled there is a session timeout for user API tokens, forcing users to periodically reauthenticate through the web UI in order to keep their tokens active. Refer to API Token Expiration for details.

github logoEdit this page
  • Overview
  • Docs
  • Extend
  • Privacy
  • Security
  • Press Kit
  • Consent Manager