Confused about TF Cloud Permissions


I am reading about the permissions in TF Cloud in the context of API tokens and I am a bit confused.

I understand that you should use a User API token for Terraform CLI operations.
But with that API token and suitable client one can do destructive stuff in TF Cloud directly.

Then what permissions should I grant a team that a user is a member of so that this user is only able to do terraform init/plan/apply from the CLI?

Example situation:

I am provisioning in TF Cloud a user for a client of mine.
In TF Cloud I have private registry with plenty of modules and I set up the client’s infrastructure in a repo where these modules are extensively used.
Now for my client to be able to work with its infrastructure code he will need an API token.

So what kind of permissions should I grant the user I will make for that client so that he will be able to do his normal infra work from the CLI without being able to change anything in my TF Cloud setup?

I assume there is a permission only for him to be able to get the modules with terraform get and init and go local from there?


The permissions of an individual user’s API token are the summation of the user’s team permissions. Check out the documentation on Managing Access to Workspaces, and specifically the last section on customizing permissions.

For the situation you describe, you can create a team for your client, add them to it, and add the team to their workspace with only Apply Runs enabled. They would be able to start and apply runs both from the CLI and UI - but note the UI access is restricted such that they cannot view or change workspace or organization settings, etc.

For further information on all the individual permissions you can grant the user/team, check out documentation on General Workspace Permissions.

Hope that helps!
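The setup described in this answer (a dedicated team, the client as its only member, and custom workspace access limited to Apply Runs) written as Terraform using the tfe provider. This is an added example, not code from the thread; the organization name, workspace name and e-mail address are placeholders, and the provider is assumed to be authenticated through the TFE_TOKEN environment variable.

```hcl
# Assumed placeholders: replace ORG, WORKSPACE and the e-mail address.
# Authenticate the tfe provider with an owner/admin token via the
# TFE_TOKEN environment variable rather than hard-coding it here.
provider "tfe" {}

locals {
  org       = "ORG"                # your TF Cloud organization (placeholder)
  workspace = "WORKSPACE"          # the client's workspace (placeholder)
  client    = "client@example.com" # the client's login e-mail (placeholder)
}

data "tfe_workspace" "client" {
  name         = local.workspace
  organization = local.org
}

# Invite the client user into the organization.
resource "tfe_organization_membership" "client" {
  organization = local.org
  email        = local.client
}

# A dedicated team: the client's user token inherits only this team's access.
resource "tfe_team" "client" {
  name         = "client-cli-only"
  organization = local.org
}

resource "tfe_team_organization_member" "client" {
  team_id                    = tfe_team.client.id
  organization_membership_id = tfe_organization_membership.client.id
}

# Workspace access: Apply Runs only, nothing that touches workspace settings.
resource "tfe_team_access" "client" {
  team_id      = tfe_team.client.id
  workspace_id = data.tfe_workspace.client.id
  access       = "custom"

  permissions {
    runs              = "apply" # queue plans and confirm applies from the CLI
    variables         = "read"  # view, but not edit, workspace variables
    state_versions    = "read"  # use "read-outputs" or "none" if state holds secrets
    sentinel_mocks    = "none"
    workspace_locking = false
    run_tasks         = false
  }
}
```

Because a user token carries the union of all team permissions, keep this client out of every other team (including owners) for the restriction to hold.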

Apply Runs - this is just what I wanted to know.

Thank you! 🙂
