Introduction
Sensitive data exposure/cryptographic failure is #2 in the OWASP Top 10 List for 2021. If an API token is leaked, it is crucial to rotate the token as soon as possible. Finding the exposed token so it can be revoked can be challenging in Terraform Enterprise or Terraform Cloud (TFC). Use the commands below to retrieve the information about the API token that you need in order to target it for deletion.
Procedure
1. Using the compromised API token, make an API call to the account details endpoint:
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request GET \
https://app.terraform.io/api/v2/account/details
This API call returns the account details for the user associated with the API token.
If the API token is a user token, this is the only step that needs to be taken.
2. If the token is a team token, a user named "api-team_[number]" will be returned, and it will be listed as a service account. This account is generated by Terraform Cloud specifically for this token. To determine which team the token is attached to, use the list teams API endpoint with the ?include=users parameter to obtain a list of all teams together with their members:
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request GET \
https://app.terraform.io/api/v2/organizations/my-organization/teams?include=users
Search through the output for api-team_[number]; the team whose users include this auto-generated service account is the team the token is attached to, and that is the team token to revoke.
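The lookup described in the two steps above, as an added example that is not part of the original article: it classifies the token from the account details response and, for a team token, finds the team whose users include the generated service account. The JSON:API document shape and the sample responses are constructed for this example and are not real TFC output; the fetch helper is only for live use.

```python
import json
import re
import urllib.request
from typing import Optional

# Generated service accounts for team tokens are named api-team_<number>.
SERVICE_ACCOUNT_RE = re.compile(r"^api-team_\d+$")


def fetch(url: str, token: str) -> dict:
    """GET a TFC/TFE API endpoint with the same headers as the curl calls above (live use only)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/vnd.api+json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def classify_token(account: dict) -> tuple:
    """Return (kind, user_id, username); kind is 'team' for an api-team_ service account, else 'user'."""
    data = account["data"]
    attrs = data["attributes"]
    username = attrs["username"]
    is_team = bool(attrs.get("is-service-account")) and SERVICE_ACCOUNT_RE.match(username) is not None
    return ("team" if is_team else "user", data["id"], username)


def find_team(teams: dict, user_id: str) -> Optional[str]:
    """Scan the ?include=users team list for the team whose members contain user_id."""
    for team in teams.get("data", []):
        members = team.get("relationships", {}).get("users", {}).get("data", [])
        if any(m.get("id") == user_id for m in members):
            return team["attributes"]["name"]
    return None


def locate(account: dict, teams: Optional[dict]) -> dict:
    """Combine both steps: user tokens need only step 1; team tokens are mapped to their team."""
    kind, user_id, username = classify_token(account)
    result = {"kind": kind, "username": username, "team": None}
    if kind == "team" and teams is not None:
        result["team"] = find_team(teams, user_id)
    return result


# Constructed sample responses (not real TFC output), assumed to follow the endpoints' JSON:API shape.
SAMPLE_ACCOUNT = {"data": {"id": "user-EXAMPLE1", "type": "users",
                           "attributes": {"username": "api-team_12345", "is-service-account": True}}}
SAMPLE_TEAMS = {"data": [
    {"id": "team-EXAMPLE1", "type": "teams", "attributes": {"name": "owners"},
     "relationships": {"users": {"data": [{"id": "user-HUMAN1", "type": "users"}]}}},
    {"id": "team-EXAMPLE2", "type": "teams", "attributes": {"name": "ci-deployers"},
     "relationships": {"users": {"data": [{"id": "user-EXAMPLE1", "type": "users"}]}}}],
    "included": [{"id": "user-EXAMPLE1", "type": "users", "attributes": {"username": "api-team_12345"}}]}
```

For a live check, replace the samples with `fetch(".../account/details", token)` and `fetch(".../organizations/<org>/teams?include=users", token)`.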