Skip to content
Latchkey

terraform login: Usage & Common CI Errors

Authenticate the CLI to HCP Terraform (Terraform Cloud) or a private registry.

terraform login obtains and stores an API token for HCP Terraform or another remote host. It is interactive by design, so CI uses environment-variable credentials instead.

What it does

terraform login opens a browser flow to authorize the CLI against app.terraform.io (or a specified host) and writes the token to ~/.terraform.d/credentials.tfrc.json. That token then authenticates remote state, runs, and private module/provider downloads.

Common usage

Terminal
# Interactive login to HCP Terraform
terraform login

# Log in to a custom hostname (TFE / private registry)
terraform login tfe.example.com

# CI: do NOT run login - provide a token via env var instead
export TF_TOKEN_app_terraform_io="$HCP_TOKEN"
terraform init

Common error in CI: login prompts / 401 unauthorized

In CI, terraform login either hangs on the interactive browser prompt or operations fail with "Error: Required token could not be found" / HTTP 401. Fix: never call login in automation - set the host-specific env var TF_TOKEN_app_terraform_io (dots in the hostname become underscores) to a team or user API token, then run init/plan. For self-hosted TFE use TF_TOKEN_<your_host_with_underscores>. Store the token as a masked CI secret.

Key arguments

ArgumentPurpose
(none)Log in to app.terraform.io
<hostname>Log in to a specific TFE/registry host
TF_TOKEN_<host>Env var alternative for CI (no login)

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →