Introduction
You have a user in Terraform Enterprise (TFE) that performs Terraform API calls. The user's session expires automatically according to the session settings in TFE. This invalidates the user's API tokens, and API calls fail with a 401: Unauthorized error. Once the user has created a new session by logging in to TFE, the API calls work again.
To prevent the invalidation of a user's API tokens, and the need for the user to log in again, you can mark the user as a service account with the SAML SSO attribute IsServiceAccount.
Prerequisites
- Terraform Enterprise
- SAML SSO enabled
Procedure
In your IdP, create an attribute mapping for IsServiceAccount:
- The name must be exactly IsServiceAccount (case sensitive).
- The format is basic.
- The value/source must map to a boolean resolving to true.
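As an added example (not part of the original article), the following Python check validates a SAML assertion against the three requirements above: the attribute name matches IsServiceAccount exactly (case sensitive), the NameFormat is basic, and the value resolves to true. The assertions it runs on are constructed inline; signature verification is assumed to have been done by the service provider already.

```python
import xml.etree.ElementTree as ET
from typing import Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
# Per the SAML 2.0 spec, an Attribute without NameFormat defaults to "unspecified",
# which is not "basic", so a missing NameFormat fails the check below.
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
ATTR_NAME = "IsServiceAccount"  # must match exactly; case sensitive


def service_account_flag(assertion_xml: str) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when IsServiceAccount is present
    with the basic NameFormat and a single value resolving to true.
    Assumption: only the literal "true" (any letter case) counts as true."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        if name != ATTR_NAME:
            # Flag the common mistake of a right name with the wrong case.
            if name.lower() == ATTR_NAME.lower():
                return False, f"attribute name {name!r} has the wrong case"
            continue
        fmt = attr.get("NameFormat", UNSPECIFIED_FORMAT)
        if fmt != BASIC_FORMAT:
            return False, f"NameFormat {fmt!r} is not basic"
        values = [(v.text or "").strip().lower()
                  for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        if values == ["true"]:
            return True, "IsServiceAccount resolves to true"
        return False, f"value {values!r} does not resolve to true"
    return False, "IsServiceAccount attribute not present"


def build_assertion(name: str, value: str, name_format: str = BASIC_FORMAT) -> str:
    """Constructed, unsigned sample assertion used only to exercise the check."""
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_sample" Version="2.0">'
            '<saml:AttributeStatement>'
            f'<saml:Attribute Name="{name}" NameFormat="{name_format}">'
            f'<saml:AttributeValue>{value}</saml:AttributeValue>'
            '</saml:Attribute></saml:AttributeStatement></saml:Assertion>')


if __name__ == "__main__":
    for sample in (build_assertion("IsServiceAccount", "true"),
                   build_assertion("isserviceaccount", "true"),
                   build_assertion("IsServiceAccount", "false")):
        print(service_account_flag(sample))
```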
Expected Outcome
When a user account is assigned the IsServiceAccount attribute, the user's API tokens will not expire once the user session in the UI has expired. This ensures that the user can still perform API calls without an active browser session.
Caveats
Please keep in mind that users can have tokens that do not expire. By making this user account a service account, these tokens will be active indefinitely. Merely revoking the IsServiceAccount attribute in your IdP will not automatically sync to TFE; this sync only happens when the user signs in. An admin can, however, suspend the user or revoke the user's tokens in TFE.
This is only possible with SAML SSO login enabled. There is no API call or UI feature to enable IsServiceAccount.