Terraform adds a new setting to manage team tokens

We’re excited to share the latest enhancement to HashiCorp Terraform’s permissions capabilities: Admins can now control whether team members can manage their team’s API token. Now generally available in HCP Terraform and coming soon to Terraform Enterprise, this addition helps organizations improve their security posture for API token management by limiting the exposure of team tokens.

»API token management

Within HCP Terraform, three types of API tokens exist to facilitate programmatic access:

• User API tokens that belong to a specific user
• Team API tokens that belong to a specific team without being tied to any one user
• The organization API token that provides administrative access to settings and resources at the organizational level

Team tokens are the most commonly used token type for automation workflows because they can be scoped with granular access to projects and workspaces. And since they’re not tied to an individual user, there’s less operational risk when users leave the organization.

Previously in HCP Terraform, generating and managing team API tokens could cause difficulties for security teams, since any user added to a team, even temporarily, could create, view, regenerate, or delete the team API token. Since each team can have only one active API token at a time, an errant regeneration or deletion could interrupt critical workflows. Moreover, until the token was regenerated, former members could continue to use the team token they previously obtained even after they were removed from the team. This behavior concerned security teams and called for a more comprehensive approach to team-token permissions management.

»Improved control for API token management

A new setting for team API tokens addresses this challenge. This addition boosts privilege-management efforts by letting admins control whether the members of a team can view or manage their team’s API token.

This new setting, labeled “Team members can manage this API token”, is found on the settings page for each team, under the Teams menu in the Organization Settings. Admins can enable or disable this option for each team to meet their organizational requirements. When disabled, only members of the organization “owners” team or users with the org-wide “Manage teams” permission can create, delete, regenerate, or view the team API token.

For existing teams, the previous behavior is unchanged — team members can manage the team token unless this setting is disabled by an administrator. For new teams, this option defaults to disabled, following a secure-by-default approach.

»Summary and resources

Similar to the release of Terraform’s manage teams and manage agent pools capabilities, this new team-API token management setting marks another step in our effort to help users simplify permissions management and enable the least privilege principle in their infrastructure workflows.

This feature is now available for all tiers in HCP Terraform and is coming soon to Terraform Enterprise. Please refer to Terraform’s Teams documentation for details on getting started.

If you are new to Terraform, you can get started with HashiCorp-managed HCP Terraform for free to begin provisioning and managing your infrastructure in any environment. And don’t forget to link your HCP Terraform and HashiCorp Cloud Platform (HCP) accounts for a seamless sign-in experience.