Terraform Cloud: API tokens return 401 Unauthorized errors for SSO users.

Problem

User API tokens for Terraform Cloud fail with "401 Unauthorized"

Cause

• User API tokens associated with users configured for Single Sign-On require an active user session in order to be considered a valid token.
• In the past, this was not strictly enforced by TFC, so this error may appear suddenly and without any obvious changes made

Overview of possible solutions (if applicable)

Solutions:

• Create a team token instead of a user token, as team tokens are not tied to SSO

• Create a user outside of the SSO scope and create a non-expiring API token instead.

Outcome

These new tokens should be authorized without an active user session.

Additional Information

• https://developer.hashicorp.com/terraform/cloud-docs/users-teams-organizations/single-sign-on#enforced-access-policy-for-terraform-cloud-resources

• https://developer.hashicorp.com/terraform/cloud-docs/users-teams-organizations/api-tokens#team-api-tokens