The User API auth token has suddenly stopped working. Terraform CLI commands and API calls may result in
401: Unauthorized errors.
It's common for the User API token to be temporarily disabled when SAML is enabled as referenced in this API Token Expiration doc. When SAML is initially enabled, or when a user's SAML-authenticated web session expires or times out, the users API tokens are also temporarily disabled.
This is because Terraform Enterprise relies on your identity provider for team membership mapping, and a user might have been added to or removed from some teams since their session expired. This restriction only affects user tokens, not team or organization tokens.
The API token session timeout is a site-wide setting that is configurable in the admin settings at
https://<TFE HOSTNAME>/app/admin/saml. The default session timeout setting is two weeks and that figure is adjustable.
Refreshing or reauthenticating the user session is required to reenable the a User token. Reauthentication would take place at
https://<TFE HOSTNAME>/session. Once the session is refreshed reusing the user's User token will be permitted.
Any API calls should now process without Unauthorized errors.
- For additional assistance please contact HashiCorp Support.
- Add a service account attribute to SAML Terraform Enterprise users