How-to check API token permissions for Terraform Enterprise or HCP Terraform

Avatar
Patrick Munne
  • Updated

Introduction

Within TFE/HCP TF you can generate an API token to use at the following levels.    
- User token
- Team token
- Organization token  
    
What you can do with this token depends on what kind of token it is or the permissions assigned to the user/team for which the API token is generated.

Procedure

Use the token you have to get the organization details. This will also output the permissions you have with this token.  
More details about the API can be found here 
For better formatted output, the example uses the open-source tool jq which can be found here.
export TOKEN=<TFE_TOKEN>

curl \
--silent \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request GET \
https://<TFE_HOSTNAME>/api/v2/organizations/<TFE_ORG_NAME> | jq '.data.attributes.permissions'
Output example:
{
"can-update": true,
"can-update-authentication": true,
"can-destroy": true,
"can-access-via-teams": true,
"can-create-module": true,
"can-create-team": true,
"can-create-workspace": true,
"can-manage-users": true,
"can-manage-subscription": true,
"can-view-subscription": true,
"can-manage-sso": true,
"can-update-oauth": true,
"can-update-sentinel": true,
"can-update-ssh-keys": true,
"can-update-api-token": true,
"can-traverse": true,
"can-view-usage": true,
"can-update-agent-pools": true,
"can-manage-tags": true,
"can-manage-varsets": true,
"can-read-varsets": true,
"can-manage-public-providers": true,
"can-create-provider": true,
"can-manage-public-modules": true,
"can-manage-custom-providers": true,
"can-manage-run-tasks": true,
"can-read-run-tasks": true,
"can-create-project": true,
"can-enable-stacks": false,
"can-manage-org-public-providers": true,
"can-manage-org-public-modules": true,
"can-manage-assessments": true,
"can-read-assessments": true,
"can-view-explorer": true,
"can-deploy-no-code-modules": true,
"can-manage-no-code-modules": true,
"can-create-change-requests": false,
"can-manage-saved-views": true,
"can-read-saved-views": true
}

 

Additional Information

  • Official documentation for the API tokens can be found here

  • Official website jq tool can be found here 

Articles in this section

Related articles