Introduction
Sensitive data exposure is a critical security concern, as highlighted in the OWASP Top 10 List for 2021. If an API token for HCP Terraform or Terraform Enterprise is compromised, you must rotate it immediately. This guide provides the steps to identify the account or team associated with a compromised token so you can delete it.
Prerequisites
- The compromised API token string.
- A command-line terminal with curl installed.
Procedure
Follow these steps to identify the source of a compromised API token.
Step 1: Identify the Token Type
First, use the compromised token to query the account details API endpoint. This will reveal whether the token belongs to a user or a team.
For HCP Terraform, run the following command, replacing $TOKEN with the compromised token.
$ curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request GET \
  https://app.terraform.io/api/v2/account/details
Note: For Terraform Enterprise, replace app.terraform.io with the hostname of your instance.
The account details API call returns details for the identity associated with the token.
- If the token is a user token, the API returns the user's account details. You have successfully identified the token's owner and no further steps are needed.
- If the token is a team token, the API returns a service account with a name like api-team_[number]. This is an account that Terraform automatically generates for the team token. Proceed to the next step to find which team it belongs to.
Step 2: Locate the Associated Team (for Team Tokens)
If the token is a team token, you must identify which team the api-team_[number] service account belongs to.
Use the list teams API endpoint with the ?include=users parameter to get a list of all teams and their associated user members.
For HCP Terraform, run the following command, replacing $TOKEN and my-organization.
$ curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request GET \
  https://app.terraform.io/api/v2/organizations/my-organization/teams?include=users
Note: For Terraform Enterprise, replace app.terraform.io with the hostname of your instance.
Search the JSON output for the api-team_[number] username you found in Step 1. The team object containing this user is the source of the compromised token.
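As an added illustration that is not part of this guide or of HashiCorp's tooling, the following Python script automates both steps: it classifies the token from the account details response and then maps an api-team_[number] service account to its team from the teams listing. The JSON:API response shape it walks (team member ids under relationships.users.data, user objects in included) is an assumption, the sample responses are constructed, and only api_get needs network access.

```python
import json
import re
import urllib.request

# Username pattern of the service account generated for a team token (from the guide).
TEAM_TOKEN_USER = re.compile(r"^api-team_\d+$")

def api_get(host, path, token):
    """GET a JSON:API endpoint with the compromised token (the two curl calls in the guide)."""
    req = urllib.request.Request(
        f"https://{host}/api/v2{path}",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/vnd.api+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def classify_token(account_details):
    """Step 1: return ('user', username) or ('team', username) from /account/details."""
    username = account_details["data"]["attributes"]["username"]
    return ("team" if TEAM_TOKEN_USER.match(username) else "user"), username

def find_team(teams_listing, username):
    """Step 2: map an api-team_[number] username to the team that owns it.
    Assumed JSON:API shape: each team lists member user ids under
    relationships.users.data; 'included' carries the user objects with usernames."""
    user_ids = {u["id"] for u in teams_listing.get("included", [])
                if u["type"] == "users" and u["attributes"]["username"] == username}
    for team in teams_listing["data"]:
        members = team.get("relationships", {}).get("users", {}).get("data", [])
        if any(m["id"] in user_ids for m in members):
            return team["attributes"]["name"]
    return None  # not found: the token may belong to a team in another organization

# Constructed sample responses (not real API output) so the logic runs offline.
SAMPLE_ACCOUNT = {"data": {"id": "user-AAAA", "type": "users",
                           "attributes": {"username": "api-team_1234"}}}
SAMPLE_TEAMS = {
    "data": [
        {"id": "team-1", "type": "teams", "attributes": {"name": "owners"},
         "relationships": {"users": {"data": [{"id": "user-BBBB", "type": "users"}]}}},
        {"id": "team-2", "type": "teams", "attributes": {"name": "ci-deployers"},
         "relationships": {"users": {"data": [{"id": "user-AAAA", "type": "users"}]}}},
    ],
    "included": [
        {"id": "user-BBBB", "type": "users", "attributes": {"username": "alice"}},
        {"id": "user-AAAA", "type": "users", "attributes": {"username": "api-team_1234"}},
    ],
}
```

Against a live instance, pass the compromised token to api_get with "/account/details" and "/organizations/<org>/teams?include=users" and feed the two results to classify_token and find_team; a None result means the organization you queried does not own the team.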