Skip to main content
In this lesson, you’ll learn how to sign in and interact with Terraform Cloud through the web UI, CLI, and API. We’ll cover user and organization-level security settings, SSH key management, and token types.

1. Logging into Terraform Cloud Web UI

  1. Navigate to the Terraform Cloud login page and enter your HCP account or username/email credentials.
The image shows a login page for HashiCorp Terraform Cloud, with options to sign in using an HCP account or by entering a username or email. A dropdown menu suggests different email options for login.
  1. If you belong to multiple organizations, select the one you want to access.
The image shows a webpage from Terraform Cloud where a user can choose from a list of organizations to access, including "Enterprise-Cloud," "Enterprise-DataCenter," and "Mastering-Terraform-Cloud."

2. Configuring User-Level Authentication

  1. Click your user avatar and select User SettingsAccount Settings.
The image shows a Terraform Cloud interface with no workspaces created yet, and a user menu open displaying options like "User settings" and "Sign out."
  1. Under Authentication, enable Two-Factor Authentication (2FA). You can choose an authentication app or SMS.
The image shows a webpage for setting up two-factor authentication, offering options for using an application or SMS for verification. It includes a field for entering a phone number and a button to enable 2FA.
  1. For app-based 2FA, scan the QR code and enter the generated one-time password.
The image shows a webpage for verifying two-factor authentication, featuring a QR code and a field to enter an authentication code.
Always save your backup codes in a secure location. Losing access to your 2FA device can lock you out of Terraform Cloud.
Once verified, 2FA is active on your account.

3. Organization-Level Security Policies

Switch to your organization (e.g., Mastering Terraform Cloud), then go to SettingsAuthentication. Here you can:
  • Require that all members enable 2FA
  • Configure session inactivity timeouts
  • Set reauthentication intervals
The image shows a web interface for managing two-factor authentication settings, with options to disable 2FA and reveal backup codes. It includes a dropdown menu for selecting an organization.
The image shows a settings page for authentication in Terraform Cloud, detailing user session timeout and two-factor authentication options. It includes fields for setting session timeout and reauthentication intervals, with options to update user sessions and require two-factor authentication.
Customizing session timeouts helps balance security and usability across your organization.

4. Managing SSH Keys for Git Operations

At the organization level, upload SSH private keys to enable Git-based operations. To generate an RSA key in PEM format: 
ssh-keygen -t rsa -m PEM

5. Authenticating with Terraform CLI

On your local machine with Terraform installed, run: 
terraform login
This command will open your browser to generate an API token, then return you to the CLI.
The image shows a command-line interface prompting the user to generate and enter a token for Terraform, with instructions to open a web browser to obtain the token.
When prompted, paste your token (input is hidden): 
# (Paste your token here)
Terraform will store the credentials for subsequent CLI operations.

6. Interacting with Terraform Cloud via API

First, export your token as an environment variable: 
export TERRAFORM_TOKEN="YOUR_TOKEN"
Then request your organization’s details: 
curl \
  --header "Authorization: Bearer $TERRAFORM_TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  https://app.terraform.io/api/v2/organizations/Mastering-Terraform-Cloud
A successful response returns your organization’s metadata in JSON: 
{
  "data": {
    "id": "Mastering-Terraform-Cloud",
    "type": "organizations",
    "attributes": {
      "external-id": "org-tsVGG3U6yVQPMxxJ",
      "created-at": "2022-08-18T16:34:58.952Z",
      "email": "[email protected]",
      "session-timeout": null,
      "session-remember": null,
      "collaborator-auth-policy": "password",
      "plan-identifier": "free",
      "allow-force-delete-workspaces": true,
      "name": "Mastering-Terraform-Cloud",
      "permissions": {
        "can-update": true,
        "can-destroy": true,
        "can-access-via-teams": true
      }
    }
  }
}
For full API details, see the Terraform Cloud API Reference.

7. Terraform Cloud API Token Types

Terraform Cloud supports these token types:
Token TypeScopeUse Case
User TokenIndividual user permissionsPersonal CLI & API access
Team TokenSpecific team privilegesAutomation with team-level access
Organization TokenOrganization-wide management (teams, workspaces)Scripts managing org resources
The image shows a web interface for managing API tokens in Terraform Cloud, with options to create a new token and a list of existing tokens.
The image shows a webpage from Terraform Cloud's settings, specifically the API Tokens section, detailing user, team, and organization tokens. It includes navigation options on the left and a button to create an organization token.
This concludes our demonstration of web UI, CLI, and API authentication with Terraform Cloud.
The image shows a settings page for authentication in a web application, detailing user session timeout and two-factor authentication options. It includes fields for setting session timeout and reauthentication intervals, with an option to require two-factor authentication for organization members.

Watch Video

Practice Lab