User accounts belong to individual people. Each user can be part of one or more teams, which are granted permissions on workspaces within an organization. A user can be a member of multiple organizations.
Use the Account API to get account details, update account information, and change your password.
Log In With Your HashiCorp Cloud Platform Account
We recommend using a HashiCorp Cloud Platform (HCP) account to log in to Terraform Cloud. Your HCP Account grants access to every HashiCorp product and the Terraform Registry. If you use your HCP Account, you manage user settings like multi-factor authentication and password resets from within HCP instead of the Terraform Cloud UI.
To log in with your HCP account, go to the Sign In to Terraform Cloud page and click Continue with HCP account. Terraform Cloud may ask if you want to link your account.
Linked HCP and Terraform Cloud Accounts
The first time you log in with your HCP credentials, Terraform Cloud searches for existing Terraform Cloud accounts with the same email address. If there is an unlinked account, Terraform Cloud asks if you want to link it to your HCP account. If there is no existing Terraform Cloud account with that email address, Terraform Cloud creates one and automatically links it to your HCP account.
After you link your HCP and Terraform Cloud accounts, you can only log in with your HCP credentials. You must unlink the accounts to resume logging in with your Terraform Cloud username and password.
You cannot unlink an autogenerated Terraform Cloud account from your HCP account. You can unlink a pre-existing Terraform Cloud account on the HCP Account Linking page in your User settings.
Creating an Account
To use Terraform Cloud or Enterprise, you must create an account through one of the following methods:
- Invitation Email: When a user sends you an invitation to join an existing Terraform Cloud organization, the email includes a sign-up link. After you create an account, you can automatically join that organization and can begin using Terraform Cloud.
- Sign-Up Page: Creating an account requires a username, an email address, and a password. For Terraform Cloud, go to
https://app.terraform.io/public/signup/account. For Terraform Enterprise, go to
https://<TFE HOSTNAME>/public/signup/account. After you create an account, you do not belong to any organizations. To begin using Terraform Cloud, you can either create an organization or ask an organization owner to send you an invitation email to join their organization.
Note: For Terraform Cloud, we recommend logging in with your HCP account instead of creating a separate Terraform Cloud account.
Joining Organizations and Teams
An organization owner or a user with Manage Membership permissions must invite you to join their organization and add you to one or more teams.
Terraform Cloud sends user invitations by email. If the invited email address matches an existing Terraform Cloud account, the invitee can join the organization with that account. Otherwise, they must create a new account and then join the organization.
Site Admin Permissions
On Terraform Enterprise instances, some user accounts have a special site admin permission that allows them to administer the entire instance.
Admin permissions are distinct from normal organization-level permissions, and they apply to a different set of UI controls and API endpoints. Admin users can administer any resource across the instance when using the site admin pages or the admin API, but they have normal user permissions when using an organization's standard UI controls and API endpoints. These normal user permissions are determined by team membership.
Refer to Administering Terraform Enterprise for more details.
To view your settings page, click your user icon and select User settings. Your Profile page appears, showing your username, email address, and avatar.
Click Profile in the sidebar to view and edit the username and email address associated with your Terraform Cloud account.
Important: Terraform Cloud includes your username in URL paths to resources. If external systems make requests to these resources, you must update them before you change your username.
Terraform Cloud uses Gravatar to display a user icon if you have associated one with your email address. Refer to the Gravatar documentation for details about changing your user icon.
Click Sessions in the sidebar to view a list of sessions associated with your Terraform Cloud account. You can revoke any sessions you do not recognize.
Click Organizations in the sidebar to view a list of the organizations where you are a member. If you are on the owners team, the organization is marked with an OWNER badge.
To leave an organization, click the ellipses (...) next to the organization and select Leave organization. You do not need permission from the owners to leave an organization, but you cannot leave if you are the last member of the owners team. Either add a new owner and then leave, or delete the organization.
Click Password in the sidebar to change your password.
Note: Password management is not available if your Terraform Enterprise instance uses SAML single sign on.
Click Two Factor Authentication in the sidebar to enable two-factor authentication. Two-factor authentication requires a TOTP-compliant application or an SMS-capable phone number. An organization can set policies that require two-factor authentication.
Refer to Two-Factor Authentication for details.
HCP Account Linking
Click HCP Account Linking in the sidebar to unlink your Terraform Cloud from your HCP Account. You cannot unlink an account that Terraform Cloud autogenerated during the linking process. Refer to Linked HCP and Terraform Cloud Accounts for more details.
After you unlink, you can begin using your Terraform Cloud credentials to log in. You cannot log in with your HCP account again unless you re-link it to your Terraform Cloud account.
Click SSO in the sidebar to review and remove SSO identity links associated with your account.
You have an SSO identity for every SSO-enabled Terraform Cloud organization. Terraform Cloud links each SSO identity to a single Terraform Cloud user account. This link determines which account you can use to access each organization.
Click Tokens in the sidebar to create, manage, and revoke API tokens. Terraform Cloud has three kinds of API tokens: user, team, and organization. Users can be members of multiple organizations, so user tokens work with any organization where the associated user is a member. Refer to API Tokens for details.
API tokens are required for the following tasks:
- Authenticating with the Terraform Cloud API. API calls require an
Authorization: Bearer <TOKEN>HTTP header.
- Authenticating with the Terraform Cloud CLI integration or the
remotebackend. These require a token in the CLI configuration file or in the backend configuration.
- Using private modules in command-line runs on local machines. This requires a token in the CLI configuration file.
Protect your tokens carefully because they contain the same permissions as your user account. For example, if you belong to a team with permission to read and write variables for a workspace, another user could use your API token to authenticate as your user account and also edit variables in that workspace. Refer to permissions for more details.
We recommend protecting your tokens by creating them with an expiration date and time.Refer to API Token Expiration for details.
Creating a Token
To create a new token:
- Click Create an API token. The Create API token box appears.
- Enter a Description that explains what the token is for and click Create API token.
- You can optionally enter the token's expiration date or time, or create a token that never expires. The UI displays a token's expiration date and time in your current time zone.
- Copy your token from the box and save it in a secure location. Terraform Cloud only displays the token once, right after you create it. If you lose it, you must revoke the old token and create a new one.
Revoking a Token
To revoke a token, click the trash can next to it. That token will no longer be able to authenticate as your user account.
Note: When SAML SSO is enabled there is a session timeout for user API tokens, forcing users to periodically reauthenticate through the web UI in order to keep their tokens active. Refer to API Token Expiration for details.
GitHub App OAuth Token
Click Tokens in the sidebar to manage your GitHub App token. This token lets you connect a workspaces to an available GitHub App installation.
Note: Only a Terraform Cloud User can own a GitHub App token. Team and Organization API tokens are not able to own a GitHub App token.
A GitHub App token lets you:
- Connect workspaces, policy sets, and registry modules to a GitHub App installation with the Terraform Cloud API and UI.
- View available GitHub App installations with the Terraform Cloud API and UI.
After generating this token, you can use it to view information about your available installations for the Terraform Cloud GitHub App.
Creating a GitHub App token
To create a GitHub App token, click Create a GitHub App token. The GitHub App authorization pop-up window appears requesting authorization of the Terraform Cloud GitHub App.
Note: This does not grant Terraform Cloud access to repositories.
Revoking the GitHub App token
To revoke the GitHub App token, click the ellipses button (...). The dropdown menu appears. Click the Delete Token option. This triggers a confirmation window to appear, which asks you to confirm that you want to revoke the token. Once confirmed, the token is revoked and you can no longer view GitHub App installations.