Problem
The User API auth token has suddenly stopped working. Terraform CLI commands and API calls may result in 401: Unauthorized errors.
Cause
It's common for the User API token to be temporarily disabled when SAML is enabled as referenced in this API Token Expiration doc. When SAML is initially enabled, or when a user's SAML-authenticated web session expires or times out, the users API tokens are also temporarily disabled.
This is because Terraform Enterprise relies on your identity provider for team membership mapping, and a user might have been added to or removed from some teams since their session expired. This restriction only affects user tokens, not team or organization tokens.
The API token session timeout is a site-wide setting that is configurable in the admin settings athttps://<TFE HOSTNAME>/app/admin/saml. The default session timeout setting is two weeks and that figure is adjustable.
Solutions:
Refreshing or reauthenticating the user session is required to reenable the a User token. Reauthentication would take place athttps://<TFE HOSTNAME>/session. Once the session is refreshed reusing the user's User token will be permitted.
Outcome
Any API calls should now process without Unauthorized errors.
Additional Information
- For additional assistance please contact HashiCorp Support.
- Add a service account attribute to SAML Terraform Enterprise users