DigitalOcean teams allow you to invite multiple users to access and manage shared resources, such as Droplets, Load Balancers, Spaces and more, without having to share login credentials or billing information.
Teams are recommended for project leaders and business owners who want to share control of server infrastructure with trusted collaborators, such as developers and system administrators.
This tutorial will explain how teams work and how you can use the feature.
A team is created by selecting Create a Team from the account drop-down menu next to your avatar. Doing so will also enable the team settings page on your account.
Note: Before creating a team account, be sure that you understand the implications of allowing multiple users to control your DigitalOcean account. You may want to skip this section until you read the rest of this tutorial and have a solid understanding of how team accounts work.
To create a team account, log into the DigitalOcean Control Panel.
Next, open the account drop-down by clicking on the arrow on the top right, next to your avatar.
Select Create a Team. Enter a Team name and the primary Contact email for your team:
If you would like all of your existing resources (such as Droplets, floating IPs, and domains) to be managed under this team account, check the box next to Convert your existing account into a team account. Be careful with this option, as it is not currently reversible.
Next, you’ll be prompted to choose a billing method. Select a credit card from the list of cards already associated with your account, and click Select Credit Card to continue.
Finally, you’ll be prompted to invite team members. Type one or more e-mail addresses, and press the Invite team members button. If you want to defer this step until later, instead click No thanks, I’ll send invitations later.
At this point, you should have a new team. Click the Visit Team Page button to view details.
The team settings page will display a handful of profile details for your team, along with a list of members:
You can see a team member’s current Role, whether a team member has enabled two-factor authentication in the 2 FA column, and whether they have accepted your invitation to the team under the Status column. By clicking the Actions drop-down, you can change a member’s current role, or remove them from the team. To invite more members to the team, click the Invite Members button.
Warning: It is strongly recommended that you require all members of your team to use very strong passwords and enable two-factor authentication, since a compromise of any one team member’s account would effectively give an attacker access to all of your DigitalOcean resources.
Once an individual has accepted an invite to your team, they can occupy one of three roles:
Remember that the Member and Owner roles have full control over the team’s Droplets and related resources via the Control Panel and API, similar to a normal user.
Note: While a team owner can remove any member’s Control Panel and API access by deleting them from the team, removing access to any existing Droplets via SSH keys and other credentials must be done independently, as DigitalOcean does not manage the contents of a Droplet after it is created. As with any shared network resource, organizations should plan in advance for revoking credentials on multi-user Droplets when team members depart.
The billing settings for a team account can be managed by team owners and billers. The billing settings can be viewed and modified by going to Settings, then clicking on the Billing link in the side navigation menu under the name of the team you wish to manage:
Billing emails will be sent to email addresses belonging to the Team Owner and Billing Role member.
Most team resources, such as Droplets and public SSH keys, are viewable by all members of a team account, but there are a few types of resources that are specific to particular members.
The following items are unique to particular members:
All other account resources can be viewed or managed by every member of a team, depending on their role, including:
Recent account events will show up in your team’s Security History. This can be found by going to Settings, then clicking on the Security link in the side navigation menu under the name of your team, then scrolling past the list of SSH Keys.
The security history includes Droplet and team management events, with the IP address of the user that triggered the event, and a timestamp (GMT).
To a deactivate a team, first:
You’ll receive confirmation that the team has been deactivated, and it will no longer appear in the Control Panel. Once a team is deactivated, you can use the name again to create a new team.