terraform login: Usage & Common CI Errors
Authenticate the CLI to HCP Terraform (Terraform Cloud) or a private registry.
terraform login obtains and stores an API token for HCP Terraform or another remote host. It is interactive by design, so CI uses environment-variable credentials instead.
What it does
terraform login opens a browser flow to authorize the CLI against app.terraform.io (or a specified host) and writes the token to ~/.terraform.d/credentials.tfrc.json. That token then authenticates remote state, runs, and private module/provider downloads.
Common usage
# Interactive login to HCP Terraform
terraform login
# Log in to a custom hostname (TFE / private registry)
terraform login tfe.example.com
# CI: do NOT run login - provide a token via env var instead
export TF_TOKEN_app_terraform_io="$HCP_TOKEN"
terraform initCommon error in CI: login prompts / 401 unauthorized
In CI, terraform login either hangs on the interactive browser prompt or operations fail with "Error: Required token could not be found" / HTTP 401. Fix: never call login in automation - set the host-specific env var TF_TOKEN_app_terraform_io (dots in the hostname become underscores) to a team or user API token, then run init/plan. For self-hosted TFE use TF_TOKEN_<your_host_with_underscores>. Store the token as a masked CI secret.
Key arguments
| Argument | Purpose |
|---|---|
| (none) | Log in to app.terraform.io |
| <hostname> | Log in to a specific TFE/registry host |
| TF_TOKEN_<host> | Env var alternative for CI (no login) |