Use Case
Currently, there is no automated way to rotate passwords and tokens in Terraform Enterprise or Terraform Cloud. There are, however, CLI and API driven alternatives that can be implemented within an automated workflow.
The following resources may be changed using either CLI or API driven methods.
Terraform Enterprise:
- LDAP configuration for the Replicated console
- Replicated console password; used to log in at https://<TFE_HOSTNAME>:8800
Terraform Cloud and Terraform Enterprise:
- User password
- User API token
Procedure
LDAP Configuration for the Replicated Console
The LDAP configuration for the Replicated console may be updated by connecting to the instance and using Replicated’s native export and import commands. The process to do so is outlined below.
- Connect to the Terraform Enterprise instance using SSH.
- Use the following command to export the current LDAP configuration to a file.
  $ replicatedctl console-auth export > file.txt
- Make the necessary changes to the resulting file. Treat file.txt as sensitive: an LDAP configuration typically includes the bind credentials, so restrict its permissions and remove it once the import succeeds.
- Import the updated configuration using the following command.
  $ cat file.txt | replicatedctl console-auth import
Replicated Console Password
The password for the Replicated console (found at https://<TFE_HOSTNAME>:8800) may be updated from the command line when connected to the Terraform Enterprise instance, regardless of whether the current password is known. Because no existing password is required, anyone with shell access to the instance can reset the console password; treat SSH access to the instance as equivalent to console administrator access. To change the password, use the following steps.
- Connect to the Terraform Enterprise instance using SSH.
- Run the following command to set a new password for the console, replacing <new password> with the desired password. Note that a password supplied this way is recorded in the shell history; clear the history entry afterwards, or pipe the JSON from a file with restricted permissions instead of echoing it.
  $ echo '{"Password": {"Password": "<new password>"}}' | \
      replicatedctl console-auth import
Resetting a User Password via the API
User passwords for Terraform Cloud and Terraform Enterprise may be reset using the API. Notably, the current password must be known, and a valid API token used in order to access the API endpoint. The process for doing so is outlined below.
- Create a payload file (for this example, payload.json is used for a filename) with the following content, replacing the <current password> and <new password> values where necessary. The file contains both passwords in clear text, so restrict its permissions and delete it after the call succeeds.
  {
    "data": {
      "type": "users",
      "attributes": {
        "current_password": "<current password>",
        "password": "<new password>",
        "password_confirmation": "<new password>"
      }
    }
  }
- Make a call to the change your password API endpoint using the following syntax. If you have used a filename other than payload.json, be sure to update this value. For Terraform Enterprise, replace app.terraform.io with your TFE hostname.
  $ curl \
      --header "Authorization: Bearer $TOKEN" \
      --header "Content-Type: application/vnd.api+json" \
      --request PATCH \
      --data @payload.json \
      https://app.terraform.io/api/v2/account/password
Rotating a User Token via the API
User API tokens may optionally be rotated using the API. Because a given user may have multiple API tokens, “rotating” is a multi-part process: first creating a new token and then deleting the old token. The process to do so is outlined below. For Terraform Enterprise, replace app.terraform.io with your TFE hostname in each command.
- Obtain your user ID by accessing the account details API endpoint. The user ID may be found at data.id within the response.
  $ curl \
      --header "Authorization: Bearer $TOKEN" \
      --header "Content-Type: application/vnd.api+json" \
      --request GET \
      https://app.terraform.io/api/v2/account/details
- Once the user ID has been obtained, create a payload file (for this example, we’ll use the filename payload.json) with the following format, replacing <description> with a description for the token.
  {
    "data": {
      "type": "authentication-tokens",
      "attributes": {
        "description": "<description>"
      }
    }
  }
- After creating the payload file, the create a user token API endpoint may be used to create a new user token using the values supplied in the payload file. If you’ve opted to use a filename other than payload.json, make sure to update that value as necessary. Capture the token value from the response immediately; it is the only time the secret is shown.
  $ curl \
      --header "Authorization: Bearer $TOKEN" \
      --header "Content-Type: application/vnd.api+json" \
      --request POST \
      --data @payload.json \
      "https://app.terraform.io/api/v2/users/$USER_ID/authentication-tokens"
- In order to delete the previous token (to complete the “rotation” process), you will need the ID of the previous token. This information may be gathered by accessing the list user tokens API endpoint. The description of each token is found at data[].attributes.description; once you’ve determined which token should be removed, the ID(s) may be found at data[].id.
  $ curl \
      --header "Authorization: Bearer $TOKEN" \
      --header "Content-Type: application/vnd.api+json" \
      --request GET \
      "https://app.terraform.io/api/v2/users/$USER_ID/authentication-tokens"
- After gathering the ID of a token to be deleted, the destroy a user token API endpoint may be accessed to remove the token. Before deleting, confirm that the new token authenticates successfully (for example, by calling the account details endpoint with it). If $TOKEN is itself the token being retired, set $TOKEN to the new token first; otherwise the delete call succeeds but every call that follows it fails.
  $ curl \
      --header "Authorization: Bearer $TOKEN" \
      --header "Content-Type: application/vnd.api+json" \
      --request DELETE \
      "https://app.terraform.io/api/v2/authentication-tokens/$TOKEN_ID"
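The token rotation steps above, combined into one script as an added example (this is not HashiCorp's code and is not part of the original article). It drives the four endpoints the article lists, uses the replacement token to authenticate before any old token is destroyed, and issues the DELETE calls with the replacement token so the script never removes the credential it is currently using. It assumes the create response carries the new secret in data.attributes.token (returned only at creation). The FakeApi class, the TFE_TOKEN and TFE_ADDR environment variable names, and all token IDs and descriptions are constructed for offline demonstration and are not from the page.

```python
"""Rotate a Terraform Cloud / Enterprise user API token (added example)."""
import json
import os
import sys
import urllib.request

CONTENT_TYPE = "application/vnd.api+json"


def make_live_api(base_url, token):
    """Return api(method, path, body=None, bearer=None) -> dict over HTTPS.

    base_url is https://app.terraform.io or https://<TFE_HOSTNAME>.
    """
    def api(method, path, body=None, bearer=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + (bearer or token))
        req.add_header("Content-Type", CONTENT_TYPE)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return api


def token_payload(description):
    """Body for POST /api/v2/users/<user_id>/authentication-tokens."""
    return {"data": {"type": "authentication-tokens",
                     "attributes": {"description": description}}}


def ids_with_description(listing, description):
    """Token IDs (data[].id) whose data[].attributes.description matches."""
    return [t["id"] for t in listing["data"]
            if t["attributes"].get("description") == description]


def rotate_user_token(api, description):
    """Create a replacement token, verify it, then delete the old one(s).

    Returns {"new_id", "new_token", "deleted"}. Assumes (as the TFC API does)
    that the create response carries the secret in data.attributes.token.
    """
    uid = api("GET", "/api/v2/account/details")["data"]["id"]
    tokens_path = f"/api/v2/users/{uid}/authentication-tokens"
    old_ids = ids_with_description(api("GET", tokens_path), description)

    created = api("POST", tokens_path, token_payload(description))
    new_id = created["data"]["id"]
    new_token = created["data"]["attributes"]["token"]

    # Prove the new credential works as the same user before removing anything.
    check = api("GET", "/api/v2/account/details", bearer=new_token)
    if check["data"]["id"] != uid:
        raise RuntimeError("replacement token did not authenticate as the same user")

    deleted = []
    for tid in old_ids:
        if tid == new_id:  # defensive: never delete the token just minted
            continue
        # Delete with the NEW token, in case the caller's token is one being retired.
        api("DELETE", f"/api/v2/authentication-tokens/{tid}", bearer=new_token)
        deleted.append(tid)
    return {"new_id": new_id, "new_token": new_token, "deleted": deleted}


class FakeApi:
    """Constructed in-memory stand-in for the API (offline runs and tests only)."""

    def __init__(self):
        self.tokens = {"at-old": {"description": "ci-runner", "secret": "OLD"},
                       "at-keep": {"description": "laptop", "secret": "KEEP"}}
        self.calls = []

    def __call__(self, method, path, body=None, bearer=None):
        self.calls.append((method, path, bearer))
        if bearer is not None and bearer not in {t["secret"] for t in self.tokens.values()}:
            raise RuntimeError("401 unauthorized")
        if path == "/api/v2/account/details":
            return {"data": {"id": "user-abc", "type": "users"}}
        if path.endswith("/authentication-tokens") and method == "GET":
            return {"data": [{"id": i, "attributes": {"description": t["description"]}}
                             for i, t in self.tokens.items()]}
        if path.endswith("/authentication-tokens") and method == "POST":
            desc = body["data"]["attributes"]["description"]
            self.tokens["at-new"] = {"description": desc, "secret": "NEW"}
            return {"data": {"id": "at-new",
                             "attributes": {"description": desc, "token": "NEW"}}}
        if method == "DELETE":
            del self.tokens[path.rsplit("/", 1)[1]]
            return {}
        raise RuntimeError(f"unexpected call {method} {path}")


def demo():
    """Rotate 'ci-runner' against the fake; returns (result, remaining ids, calls)."""
    fake = FakeApi()
    result = rotate_user_token(fake, "ci-runner")
    return result, sorted(fake.tokens), fake.calls


if __name__ == "__main__":
    if os.environ.get("TFE_TOKEN"):  # live run: python rotate.py <description>
        live = make_live_api(os.environ.get("TFE_ADDR", "https://app.terraform.io"),
                             os.environ["TFE_TOKEN"])
        print(json.dumps(rotate_user_token(live, sys.argv[1]), indent=2))
    else:
        print(demo()[0])
```

The returned new_token is shown once; write it straight into your secret store rather than a log. The script only retires tokens whose description matches the one being rotated, so tokens created for other purposes (the "laptop" token in the fake data) are left untouched.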
Additional Information
If you experience issues using the methods described in this article, please contact support to request further assistance.