Problem
If you are the only member of an organization in the free tier of Terraform Cloud and, due to an MFA access issue, you can no longer access your account and organization, and in addition:
- you do not have the MFA recovery codes, and
- the support team cannot disable MFA because there is not enough information to confirm your identity,
then the only remaining option is to anonymize your account. Access to the organization would be lost, which is not the desired outcome.
Access to the organization can be regained if you have a user token, team token, or organization token available.
Solution
If you have a user, team, or organization token you can use the Terraform API to regain access to your organization. That can be done by creating a new user in Terraform Cloud using a different e-mail or an alias of the old one if possible.
After that is done, use the following API call to find your owners team ID. The $TOKEN environment variable should hold the value of your TFC token. Note that an organization token will not show you the owners team ID; in that case you may need to reach out to HashiCorp Support for it.
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request GET \
https://app.terraform.io/api/v2/organizations/<YOUR_ORG_NAME>/teams | jq
You should see output similar to the following (truncated here):
{
"data": [
{
"id": "team-XXXXXXXXXXXX",
"type": "teams",
"attributes": {
"name": "owners",
Make a note of the team ID.
Next, create a payload.json file containing the following config:
{
"data": {
"attributes": {
"email": "<YOUR_NEWLY_CREATED_ACCOUNT_EMAIL>"
},
"relationships": {
"teams": {
"data": [
{
"type": "teams",
"id": "<YOUR_OWNERS_TEAM_ID_HERE>"
}
]
}
},
"type": "organization-memberships"
}
}
Finally, invite the new user with the following API call using the created payload.
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request POST \
--data @payload.json \
https://app.terraform.io/api/v2/organizations/<YOUR_ORG_NAME>/organization-memberships | jq
You should receive an invitation e-mail. After accepting the invitation you will regain access to your organization.
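The two API calls above can be chained so the owners team ID is looked up and the invitation posted in one step. This is an added example, not code from the article or from HashiCorp; it assumes only the public app.terraform.io endpoint and the Python standard library, and it reports the case where the owners team is not listed (as happens with an organization token) instead of silently continuing.

```python
"""Added example (not from the article): automate the recovery steps above
against the Terraform Cloud API using only the Python standard library."""
import json
import urllib.request

TFC_API = "https://app.terraform.io/api/v2"  # assumed: the public TFC endpoint


def api_request(token, method, path, body=None):
    """Send one JSON:API request with the bearer token and return the decoded body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{TFC_API}{path}", data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/vnd.api+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def find_owners_team_id(teams_response):
    """Return the ID of the 'owners' team from a /teams response.
    An organization token does not list the owners team (see the text above),
    so a missing team is reported explicitly rather than returning None."""
    for team in teams_response.get("data", []):
        if team.get("type") == "teams" and team["attributes"].get("name") == "owners":
            return team["id"]
    raise LookupError("owners team not listed; use a user/team token or ask HashiCorp Support")


def membership_payload(email, team_id):
    """Build the organization-memberships invitation body shown in the article."""
    return {"data": {"attributes": {"email": email},
                     "relationships": {"teams": {"data": [{"type": "teams", "id": team_id}]}},
                     "type": "organization-memberships"}}


def invite_owner(token, org_name, email):
    """Look up the owners team and invite `email` into it; returns the new membership ID."""
    teams = api_request(token, "GET", f"/organizations/{org_name}/teams")
    body = membership_payload(email, find_owners_team_id(teams))
    created = api_request(token, "POST",
                          f"/organizations/{org_name}/organization-memberships", body)
    return created["data"]["id"]


# Constructed sample of a /teams response, used for a dry run without network access.
SAMPLE_TEAMS = {"data": [
    {"id": "team-AAAAAAAAAAAAAAAA", "type": "teams", "attributes": {"name": "developers"}},
    {"id": "team-BBBBBBBBBBBBBBBB", "type": "teams", "attributes": {"name": "owners"}},
]}

if __name__ == "__main__":
    print(json.dumps(membership_payload("you+recovery@example.com",
                                        find_owners_team_id(SAMPLE_TEAMS)), indent=2))
```

Run `invite_owner(token, "<YOUR_ORG_NAME>", "<YOUR_NEWLY_CREATED_ACCOUNT_EMAIL>")` with a user or team token to perform the real invitation; the constructed sample only exercises the parsing and payload construction.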
Outcome
The new user has access to the organization, but the old one does not. You may prefer to keep using one of them. To use the old e-mail address again, the only option is to anonymize your old user. Contact `tf-cloud@hashicorp.support` to perform the anonymization. Once that is done you can create a new user with the old e-mail address and add it to the organization. The second user, which regained the access, can be removed from the organization, anonymized, or kept, as you prefer.
At any point feel free to contact HashiCorp Support at tf-cloud@hashicorp.support or submit a ticket via our support portal.
Note: Keeping the MFA recovery codes safe is vital for recovering access to your account if an MFA device is lost.