Introduction
Problem
Scripts using user API tokens are failing. Steps to reproduce on the command line:
- Log in to Terraform Enterprise:
  terraform login <TFE_FQDN>
- Generate a token valid for x number of days.
- Paste the token back into the CLI.
- The following error comes back:
  401 - Unauthorized
Cause
- SAML user token expired
- User not able to authenticate via the IdP
Overview of possible solutions (if applicable)
Solutions:
Verify in the TFE Rails environment whether the user token has been updated with the correct timestamp. These details are found in the updated_at value of the token's owner.
To access the Rails console in Terraform Enterprise, perform the following.
- SSH into the Terraform Enterprise instance.
- Execute the following command to access the Rails console:
  sudo docker exec -it ptfe_atlas /usr/bin/init.sh /app/scripts/wait-for-token -- bash -i -c 'cd /app && ./bin/rails c'
  For TFE v202205-1 and above:
  sudo docker exec -it tfe-atlas /usr/bin/init.sh /app/scripts/wait-for-token -- bash -i -c 'cd /app && ./bin/rails c'
  For Docker-based (Flexible Deployment Options) installations, use tfectl:
  docker exec -it terraform-enterprise-tfe-1 tfectl support console
- Once connected to the Rails console, enter the following command with the token value:
  token = AuthenticationToken.lookup_by_token("<token-value>")
  Output example:
  => #<AuthenticationToken:0x00007fb0943460d8
- Run the following command to get the details of the user that owns the token looked up in the previous command:
  token.authenticatable_resource
  Output example:
#<User id: 1, email: "admin@admin.nl", username: "admin", is_admin: true, created_at: "2023-10-16 10:27:59.664059000 +0000", updated_at: "2023-10-16 10:27:59.664059000 +0000", suspended_at: nil, two_factor_delivery: nil, two_factor_sms_number: nil, two_factor_secret_key: nil, two_factor_recovery_index: 0, two_factor_recovery_secret_key: nil, two_factor_verified_at: nil, two_factor_enabled_at: nil, is_service_account: false, used_recovery_codes_encrypted: nil, last_auth_through_saml: nil, external_id: "user-w7tD6c3D2cUgmmwh", accepted_terms_at: nil, accepted_privacy_policy_at: nil, invitation_token: nil, invitation_created_at: nil, is_cyborg: false, onboarding_status: nil, service_account_type: nil, admin_role: nil, suspension_reason: nil, used_recovery_codes: []>
- Check whether the updated_at date is changing between lookups.
If the updated_at value is not changing, do the following:
- Log out of TFE and your SAML provider, then log back in through the SAML provider and then TFE.
If the updated_at value is changing, create a ticket with HashiCorp Support.
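As an added example (not from the HashiCorp article), the lookup above and the updated_at check can be wrapped in a small helper pasted into the TFE Rails console; AuthenticationToken and User are the TFE models shown above, while classify_observations is plain Ruby and takes the updated_at values from two console checks.

```ruby
require 'time'

# Wraps the two console commands from the procedure above. Returns a small
# hash describing the token's owner, or nil when the token is unknown or the
# TFE models are not loaded (e.g. when run outside the Rails console).
def inspect_token(token_value)
  return nil unless defined?(AuthenticationToken)
  token = AuthenticationToken.lookup_by_token(token_value)
  return nil if token.nil?
  user = token.authenticatable_resource
  {
    user_id: user.id,
    username: user.username,
    updated_at: user.updated_at,
    last_auth_through_saml: user.last_auth_through_saml
  }
end

# Takes the updated_at value from two console checks, run a few minutes apart
# (or before and after the user re-authenticates through the IdP), and returns
# the next step the procedure prescribes.
def classify_observations(earlier, later)
  t1 = earlier.is_a?(Time) ? earlier : Time.parse(earlier.to_s)
  t2 = later.is_a?(Time) ? later : Time.parse(later.to_s)
  if t2 > t1
    :open_support_ticket   # updated_at is changing
  else
    :relogin_through_saml  # updated_at is not changing
  end
end

# Sample value taken from the User record shown above, for trying the helper.
SAMPLE_UPDATED_AT = '2023-10-16 10:27:59.664059000 +0000'
```

Run inspect_token twice with the same token value a few minutes apart and pass the two updated_at values to classify_observations.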
Outcome
The API token should be working again.