Skip to content
Latchkey

Terraform "Required token could not be found" - backend auth in CI

A remote backend or private registry needs a bearer token. On a fresh CI runner nobody ran terraform login, so init has no credential to send and fails before it can reach the backend.

What this error means

terraform init fails configuring a remote backend or fetching a private module, reporting that a required token could not be found and suggesting terraform login.

terraform
Error: Required token could not be found

Run "terraform login" to obtain a token, or set the token in the
TF_TOKEN_app_terraform_io environment variable.

Common causes

No host token on the runner

CI never ran terraform login and no TF_TOKEN_* env var or CLI credentials block is configured, so init has nothing to authenticate with.

Token env var name mismatch

The host-scoped variable name must encode the hostname; a typo means Terraform never reads the token you set.

How to fix it

Inject the host token from CI secrets

Set the host-scoped token environment variable so init authenticates non-interactively.

Terminal
export TF_TOKEN_app_terraform_io="${{ secrets.TFC_TOKEN }}"
terraform init -input=false

Use a CLI credentials file for custom hosts

  1. For a self-hosted registry, write a credentials "host" { token = ... } block to the CLI config.
  2. Point TF_CLI_CONFIG_FILE at that file in the job environment.
  3. Keep the token in a CI secret, never committed.

How to prevent it

  • Inject tokens from CI secrets instead of relying on interactive terraform login.
  • Use a team/service token scoped to only the workspaces CI needs.
  • Document the exact TF_TOKEN_* variable name in the pipeline.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →