Introduction
Problem
When listing all the users in Terraform Enterprise using the API endpoint (/api/v2/admin/users), there might be more users visible than expected.
You might see additional users that have the is-service-account attribute set to true.
Explanation
For better-formatted output, the example uses the open-source tool jq.
The following is an example API command to get the users from the TFE environment.
export TFE_HOSTNAME=<TFE_FQDN>
export TOKEN=<API_TOKEN_ADMIN_PERMISSIONS>
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request GET \
https://$TFE_HOSTNAME/api/v2/admin/users | jq '.data[].attributes'
The output could show you users like the following:
{
  "username": "gh-webhooks-test-yoKVgKZvO7",
  "email": "gh-webhooks-test-yokvgkzvo7@hashicorp.com",
  "avatar-url": "https://www.gravatar.com/avatar/fa3c2f0",
  "is-admin": false,
  "is-confirmed": true,
  "is-suspended": false,
  "is-service-account": true,
  "two-factor": {
    "enabled": false,
    "verified": false
  }
}
{
  "username": "api-team_5",
  "email": "api-team_5@hashicorp.com",
  "avatar-url": "https://www.gravatar.com/avatar/a2cf5b99d",
  "is-admin": false,
  "is-confirmed": true,
  "is-suspended": false,
  "is-service-account": true,
  "two-factor": {
    "enabled": false,
    "verified": false
  }
}
These users are not created directly by an admin. They are the API users that represent, and are associated with, a token generated by a team, identified by its internal ID.
- Service Account
The "is-service-account": true attribute shows that the user was created by Terraform Enterprise and is for internal use only.
- Username/Email
The username and email show which part of Terraform Enterprise the user was created for.
gh-webhooks-test-yokvgkzvo7@hashicorp.com
- This relates to a VCS provider named test that points to GitHub.
api-team_5@hashicorp.com
- This relates to a team in Terraform Enterprise for which an API token was created and used. To find out which team this relates to, perform the following steps.
- SSH to the Terraform Enterprise instance
- Execute the following command to log in to the Rails console
docker exec -it tfe-atlas /bin/bash -c "/usr/bin/init.sh /app/scripts/wait-for-token -- bash -i -c 'cd /app && ./bin/rails c'"
- Verify which team the user belongs to
User.find_by(:username => 'api-team_5').memberships[0].team
- The result will be the following. In this case it relates to the team test-group.
#<Team id: 5, organization_id: 1, name: "test-group", created_at: "2023-02-17 10:39:57.362492000 +0000"
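When auditing the user list, it helps to separate service accounts from regular users and note what each service account was created for. The following is an added example, not part of the original article or of HashiCorp's tooling: the username patterns are inferred from the two accounts shown above (an assumption, not a documented format), and the jdoe-example user is constructed sample data.

```python
import json
import re

# Constructed sample in the shape returned by /api/v2/admin/users,
# reusing the two service accounts shown above plus one made-up regular user.
SAMPLE_RESPONSE = json.loads("""
{"data": [
  {"attributes": {"username": "gh-webhooks-test-yoKVgKZvO7", "is-service-account": true}},
  {"attributes": {"username": "api-team_5", "is-service-account": true}},
  {"attributes": {"username": "jdoe-example", "is-service-account": false}}
]}
""")

# Patterns inferred from the two usernames on this page (assumption, not a documented format).
TEAM_TOKEN = re.compile(r"^api-team_(\d+)$")
GH_WEBHOOK = re.compile(r"^gh-webhooks-(.+)-[A-Za-z0-9]+$")


def describe_origin(username):
    """Return a short description of what a service account was created for."""
    m = TEAM_TOKEN.match(username)
    if m:
        return f"team API token, internal team id {m.group(1)}"
    m = GH_WEBHOOK.match(username)
    if m:
        return f"GitHub VCS provider named {m.group(1)}"
    return "unrecognized pattern, review manually"


def split_users(response):
    """Split a users response into (regular usernames, {service account: origin})."""
    humans, service_accounts = [], {}
    for item in response.get("data", []):
        attrs = item.get("attributes", {})
        name = attrs.get("username", "")
        if attrs.get("is-service-account") is True:
            service_accounts[name] = describe_origin(name)
        else:
            humans.append(name)
    return humans, service_accounts


if __name__ == "__main__":
    humans, service_accounts = split_users(SAMPLE_RESPONSE)
    print("Regular users:", humans)
    for name, origin in service_accounts.items():
        print(f"{name}: {origin}")
```

To run it against a real instance, save the full curl response (without the jq filter) to a file and pass the parsed JSON to split_users.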