Terraform now supports multiple team tokens
Teams in HCP Terraform can now generate multiple API tokens per team, making multi-pipeline management easier and more secure.
We’re excited to share the latest enhancement to HashiCorp Terraform’s permissions capabilities: multiple team tokens. Now generally available in HCP Terraform and coming soon to Terraform Enterprise, this addition helps organizations create distinct tokens for different teams, facilitating better access control and collaboration within Terraform environments.
Similar to the recent releases of Terraform’s manage teams and manage agent pools capabilities, this new team-API token management setting marks another step in our effort to help users simplify permissions management and enable the least privilege principle in their infrastructure workflows.
» API token management in Terraform
Within HCP Terraform, three types of API tokens exist to facilitate programmatic access:
- User API tokens that belong to a specific user
- Team API tokens that belong to a specific team without being tied to any one user
- The organization API token that provides administrative access to settings and resources at the organizational level
Team tokens are the most commonly used token type for automation workflows because they can be scoped with granular access to projects and workspaces. And since they’re not tied to an individual user, there’s less operational risk when users leave the organization.
Previously, HCP Terraform only allowed a single team API token per team. This token was shared among all team members, meaning that any automation, scripts, or integrations that required API access had to use the same credentials. While this simplified token management, it presented challenges in terms of security, access control, and auditing.
With only one token per team, organizations faced difficulties in tracking who was using the token. Also, if a token was compromised, it had to be regenerated, potentially disrupting existing workflows that relied on it. Organizations with multiple automation pipelines or integrations often need separate credentials for better security segmentation, which was not possible with the previous single-token approach.
» Improved control with multiple team API tokens
To address these limitations, Terraform is introducing a new capability that allows customers to generate multiple team tokens, providing greater flexibility and security in managing API access.
Selecting a group that already has an existing token no longer warns that a token already exists for the group, and a description can be added:

Admins can now create new tokens in a group where a token already exists

Group tokens can then be viewed in the Security section
» Summary and resources
The ability to create multiple team API tokens is now available for all tiers in HCP Terraform and coming soon to Terraform Enterprise. Please refer to Terraform’s Teams documentation for details on getting started.
If you are new to Terraform, you can get started with HashiCorp-managed HCP Terraform for free to begin provisioning and managing your infrastructure in any environment. And don’t forget to link your HCP Terraform and HashiCorp Cloud Platform (HCP) accounts for a seamless sign-in experience.