Users - Terraform Enterprise | Terraform

User accounts belong to individual people. Each user can be part of one or more teams, which are granted permissions on workspaces within an organization. A user can be a member of multiple organizations.

API

Use the Account API to get account details, update account information, and change your password.

Creating an Account

To use Terraform Cloud or Enterprise, you must create an account through one of the following methods:

Invitation Email: When a user sends you an invitation to join an existing Terraform Cloud organization, the email includes a sign-up link. After you create an account, you can automatically join that organization and can begin using Terraform Cloud.
Sign-Up Page: Creating an account requires a username, an email address, and a password. For Terraform Cloud, go to https://app.terraform.io/public/signup/account. For Terraform Enterprise, go to https://<TFE HOSTNAME>/public/signup/account. After you create an account, you do not belong to any organizations. To begin using Terraform Cloud, you can either create an organization or ask an organization owner to send you an invitation email to join their organization.

Joining Organizations and Teams

An organization owner must invite you to join their organization. After you join, the organization owner must also add you to one or more teams.

Terraform Cloud sends user invitations by email. If the invited email address matches an existing Terraform Cloud account, the invitee can join the organization with that account. Otherwise, they must create a new account and then join the organization.

Site Admin Permissions

On Terraform Enterprise instances, some user accounts have a special site admin permission that allows them to administer the entire instance.

Admin permissions are distinct from normal organization-level permissions, and they apply to a different set of UI controls and API endpoints. Admin users can administer any resource across the instance when using the site admin pages or the admin API, but they have normal user permissions when using an organization's standard UI controls and API endpoints. These normal user permissions are determined by team membership.

Refer to Administering Terraform Enterprise for more details.

User Settings

To view your settings page, click your user icon and select User settings. Your Profile page appears, showing your username, email address, and avatar.

Profile

Click Profile in the sidebar to view and edit the username and email address associated with your Terraform Cloud account.

Important: Terraform Cloud includes your username in URL paths to resources. If external systems make requests to these resources, you must update them before you change your username.

Terraform Cloud uses Gravatar to display a user icon if you have associated one with your email address. Refer to the Gravatar documentation for details about changing your user icon.

Sessions

Click Sessions in the sidebar to view a list of sessions associated with your Terraform Cloud account. You can revoke any sessions you do not recognize.

Organizations

Click Organizations in the sidebar to view a list of the organizations where you are a member. If you are on the owners team, the organization is marked with an OWNER badge.

To leave an organization, click the ellipses (...) next to the organization and select Leave organization. You do not need permission from the owners to leave an organization, but you cannot leave if you are the last member of the owners team. Either add a new owner and then leave, or delete the organization.

Password

Click Password in the sidebar to change your password.

Note: Password management is not available if your Terraform Enterprise instance uses SAML single sign on.

Two-Factor Authentication

Click Two Factor Authentication in the sidebar to enable two-factor authentication. Two-factor authentication requires a TOTP-compliant application or an SMS-capable phone number. An organization can set policies that require two-factor authentication.

Refer to Two-Factor Authentication for details.

Tokens

Click Tokens in the sidebar to create, manage, and revoke API tokens. Terraform Cloud has three kinds of API tokens: user, team, and organization. Users can be members of multiple organizations, so user tokens work with any organization where the associated user is a member. Refer to API Tokens for details.

API tokens are required for the following tasks:

Authenticating with the Terraform Cloud API. API calls require an Authorization: Bearer <TOKEN> HTTP header.
Authenticating with the Terraform Cloud CLI integration or the remote backend. These require a token in the CLI configuration file or in the backend configuration.
Using private modules in command-line runs on local machines. This requires a token in the CLI configuration file.

Protect your tokens carefully because they contain the same permissions as your user account. For example, if you belong to a team with permission to read and write variables for a workspace, another user could use your API token to authenticate as your user account and also edit variables in that workspace. Refer to permissions for more details.

Creating a Token

To create a new token:

Click Create an API token. The Create API token box appears.
Enter a Description that explains what the token is for and click Create API token.
Copy your token from the box and save it in a secure location. Terraform Cloud only displays the token once, right after you create it. If you lose it, you must revoke the old token and create a new one.

Revoking a Token

To revoke a token, click the trash can next to it. That token will no longer be able to authenticate as your user account.

Note: When SAML SSO is enabled there is a session timeout for user API tokens, forcing users to periodically reauthenticate through the web UI in order to keep their tokens active. Refer to API Token Expiration for details.