Terraform Cloud / Enterprise API Token
Detects HashiCorp Terraform Cloud / Terraform Enterprise API tokens (atlasv1 format). These tokens authenticate to the Terraform Cloud API and can read/write workspace state and variables; a leak can expose all infrastructure secrets.
- Type
- regex
- Engine
- universal
- Confidence
- high
- Confidence justification
- High confidence: the embedded .atlasv1. marker between two structured segments is highly distinctive and makes false positives extremely unlikely.
- Jurisdictions
- global
- Regulations
- Criminal Code Act 1995 (Cth), Computer Fraud and Abuse Act, Computer Misuse Act 1990
- Frameworks
- CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories
- credentials, security
- Scope
- narrow
- Risk rating
- 9
- Platform compatibility
- Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9])[A-Za-z0-9]{14}\.atlasv1\.[A-Za-z0-9\-_=]{60,70}(?![A-Za-z0-9])Corroborative evidence keywords
terraform, terraform cloud, atlasv1, TF_TOKEN, app.terraform.io, credentials.tfrc.json
Proximity: 300 characters
Should match
aBcDeFgHiJkLmN.atlasv1.0123456789abcdefABCDEF0123456789abcdefABCDEF0123456789abcdef0123— Terraform Cloud token, 14-char id + .atlasv1. + bodyTF_TOKEN_app_terraform_io=12345678901234.atlasv1.zZyYxXwWvVuUtTsSrRqQpPoOnNmMlLkKjJiIhHgGfFeEdDcCbBaA0123456789— Labelled Terraform token in TF_TOKEN env varABCDEFGHIJKLMN.atlasv1.aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789-_=ABCDEFGHIJKLMNOPQRST012345— Terraform token with hyphen/underscore/equals in body
Should not match
aBcDeFgHiJkLmN.atlasv1.tooShort— Body too short to be a Terraform Cloud tokenaBcDeFgHiJkLmN.atlasv2.0123456789abcdefABCDEF0123456789abcdefABCDEF0123456789abcdef0123— Wrong marker (atlasv2) - not a Terraform Cloud tokenstore your terraform cloud token in the credentials file— Prose mention without a token value
Known false positives
- Dotted strings that coincidentally contain .atlasv1. in unrelated data. Mitigation: Require corroborative Terraform keywords and exclude placeholder markers.