How to Use Teams on DigitalOcean
DigitalOcean teams allow you to invite multiple users to access and manage shared resources, such as Droplets, Load Balancers, Spaces and more, without having to share login credentials or billing information.
Teams are recommended for project leaders and business owners who want to share control of server infrastructure with trusted collaborators, such as developers and system administrators.
This tutorial will explain how teams work and how you can use the feature.
How to Create a Team
A team is created by selecting Create a Team from the account dropdown menu next to your avatar. Doing so will also enable the team settings page on your account.
Note: Before creating a team account, be sure that you understand the implications of allowing multiple users to control your DigitalOcean account. You may want to skip this section until you read the rest of this tutorial and have a solid understanding of how team accounts work.
To create a team account, log into the DigitalOcean Control Panel.
Next, open the account dropdown by clicking on the arrow on the top right, next to your avatar.
Select Create a Team. Enter a Team name and the primary Contact email for your team.
If you would like all of your existing resources (such as Droplets, floating IPs, and domains) to be managed under this team account, check the box next to Convert your existing account into a team account. Be careful with this option, as it is not currently reversible.
Next, you'll be prompted to choose a billing method. Select a credit card from the list of cards already associated with your account, and click Select Credit Card to continue. If there are credits associated with your account, you may instead click the Credits tab and select an amount to transfer to the new team.
Finally, you'll be prompted to invite team members. Type one or more e-mail addresses, and press the Invite team members button. If you want to defer this step until later, instead click No thanks, I'll send invitations later.
At this point, you should have a new team. Click the Visit Team Page button to view details.
Team Membership and Roles
The team settings page will display a handful of profile details for your team, along with a list of members.
You can see a team member's current Role, whether a team member has enabled two-factor authentication in the 2 FA column, and whether they have accepted your invitation to the team under the Status column. By clicking the Actions dropdown, you can change a member's current role, or remove them from the team. To invite more members to the team, click the Invite Members button.
Warning: It is strongly recommended that you require all members of your team to use very strong passwords and enable two-factor authentication, since a compromise of any one team member's account would effectively give an attacker access to all of your DigitalOcean resources.
Once an individual has accepted an invite to your team, they can occupy one of three roles:
- Owner: Has full control over the account, including billing and team settings. Appropriate for users who need to manage both the account's billing and team settings.
- Billing: Has access to manage payment and billing information, read-only access to resources, and no access to team settings. Appropriate for users who need to manage billing, but who do not manage technical resources or team membership.
- Member: Does not have access to the team's billing or team settings, but can manage everything else. Appropriate for users who only require the ability to manage the team's server infrastructure resources, such as Droplets.
Remember that the Member and Owner roles have full control over the team's Droplets and related resources via the Control Panel and API, similar to a normal user.
Note: While a team owner can remove any member's Control Panel and API access by deleting them from the team, removing access to any existing Droplets via SSH keys and other credentials must be done independently, as DigitalOcean does not manage the contents of a Droplet after it is created. As with any shared network resource, organizations should plan in advance for revoking credentials on multi-user Droplets when team members depart.
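One way to handle the SSH side of that revocation on a Droplet, as an added example that is not DigitalOcean's own tooling: the script below removes a departed member's public key from authorized_keys files by matching the key material rather than the comment. The function names are hypothetical, the paths assume the OpenSSH default AuthorizedKeysFile location, and the keys in demo are constructed placeholders.

```shell
# Added example (not DigitalOcean code): revoke one public key from authorized_keys.
# Entries are matched on the base64 key blob, because the trailing comment is free text.
# key_blob LINE: print the key blob of a .pub or authorized_keys line, skipping any
# leading options (from="...", command="...") by locating the key-type field.
key_blob() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+|sk-[a-z0-9@.-]+)$/) {
                print $(i + 1); exit
            }
    }'
}

# revoke_key FILE PUBKEY_LINE: remove every entry carrying that key, keep FILE.bak,
# and print the number of entries removed.
revoke_key() {
    file=$1
    blob=$(key_blob "$2")
    [ -n "$blob" ] || { echo "revoke_key: not a public key line" >&2; return 2; }
    tmp=$(mktemp) || return 1
    removed=$(awk -v blob="$blob" -v out="$tmp" '
        { hit = 0; for (i = 1; i <= NF; i++) if ($i == blob) hit = 1 }
        hit { n++; next }
        { print > out }
        END { print n + 0 }' "$file")
    if [ "$removed" -gt 0 ]; then
        cp -p "$file" "$file.bak"
        cat "$tmp" > "$file"    # overwrite in place so owner and mode are unchanged
    fi
    rm -f "$tmp"
    echo "$removed"
}

# revoke_everywhere PUBKEY_LINE: sweep root and every /home user (default key paths).
revoke_everywhere() {
    for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        n=$(revoke_key "$f" "$1")
        if [ "$n" -gt 0 ]; then echo "$f: removed $n"; fi
    done
}

# demo: constructed, non-functional keys. Prints 1; bob's entry stays.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'ssh-ed25519 AAAAC3CONSTRUCTEDalice alice@laptop' \
        'from="203.0.113.7" ssh-ed25519 AAAAC3CONSTRUCTEDbob bob@laptop' > "$d/authorized_keys"
    revoke_key "$d/authorized_keys" 'ssh-ed25519 AAAAC3CONSTRUCTEDalice new-comment'
}
```

Run as root on each Droplet the member could reach, for example revoke_everywhere "$(cat departed_member.pub)". Sessions that are already open are not closed by editing authorized_keys.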
The billing settings for a team account can be managed by team owners and billers. The billing settings can be viewed and modified by going to Settings, then clicking on the Billing link in the side navigation menu under the name of the team you wish to manage.
Billing emails will be sent to email addresses belonging to the Team Owner and Billing Role member.
Most team resources, such as Droplets and public SSH keys, are viewable by all members of a team account, but there are a few types of resources that are specific to particular members.
Member Specific Resources
The following items are unique to particular members:
- Personal Access Tokens: unique to the member that generated them
- Droplet password emails: sent to the member that created the related Droplet
- Support ticket emails: sent to any member that participated in a particular support ticket
Team Wide Resources
All other account resources can be viewed or managed by every member of a team, depending on their role, including:
- Public SSH Keys
- Developer Applications (API)
- Authorized Applications (API)
- Support Tickets
- Referral Code
- Security History
Recent account events will show up in your team's Security History. This can be found by going to Settings, then clicking on the Security link in the side navigation menu under the name of your team, then scrolling past the list of SSH Keys.
The security history includes Droplet and team management events, with the IP address of the user that triggered the event, and a timestamp (GMT).
That's all there is to know about team accounts on DigitalOcean. Remember that you should only invite trusted people to your team, as they will be able to control your DigitalOcean resources!
If you have any questions about using team accounts on DigitalOcean, please ask them in the comments below.