<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0"><channel><title>Pulumi Blog: Davide Massarenti</title><link>https://www.pulumi.com/blog/author/davide-massarenti/</link><description>Pulumi blog posts: Davide Massarenti.</description><language>en-us</language><pubDate>Thu, 19 Mar 2026 10:30:00 -0700</pubDate><item><title>Pulumi IAM Expands: Manage Access at Scale with Tags, Roles, and Teams</title><link>https://www.pulumi.com/blog/expanding-pulumi-iam-custom-permissions/</link><pubDate>Thu, 19 Mar 2026 10:30:00 -0700</pubDate><guid>https://www.pulumi.com/blog/expanding-pulumi-iam-custom-permissions/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/expanding-pulumi-iam-custom-permissions/index.png" /&gt;
&lt;p&gt;Since the launch of &lt;a href="https://www.pulumi.com/blog/pulumi-cloud-iam-launch/"&gt;Pulumi IAM&lt;/a&gt; with &lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac/roles/"&gt;custom roles&lt;/a&gt; and scoped &lt;a href="https://www.pulumi.com/docs/administration/access-identity/access-tokens/"&gt;access tokens&lt;/a&gt;, organizations have been using fine-grained permissions to secure their automation and CI/CD pipelines. As teams scale to hundreds or thousands of stacks, environments, and accounts, the next challenge is applying those permissions efficiently.&lt;/p&gt;
&lt;p&gt;Today, we&amp;rsquo;re introducing three new capabilities to help you manage permissions more dynamically at scale: &lt;strong&gt;tag-based access control&lt;/strong&gt;, &lt;strong&gt;team role assignments&lt;/strong&gt;, and &lt;strong&gt;user role assignments&lt;/strong&gt;.&lt;/p&gt;
&lt;h2 id="why-tag-based-access-control"&gt;Why tag-based access control?&lt;/h2&gt;
&lt;p&gt;With custom roles, you can define granular permissions using &lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac/scopes"&gt;fine-grained scopes&lt;/a&gt;. However, applying those roles still requires selecting individual stacks, environments, or accounts one by one. For organizations managing a large number of Pulumi entities, this means either granting overly broad access or spending significant time on manual configuration. Tag-based access control solves this problem.&lt;/p&gt;
&lt;h2 id="whats-new"&gt;What&amp;rsquo;s new?&lt;/h2&gt;
&lt;h3 id="tag-based-access-control"&gt;Tag-based access control&lt;/h3&gt;
&lt;p&gt;You can now create rules within a custom role that dynamically grant permissions based on entity tags. This works across IaC stacks, ESC environments, and Insights accounts. For example, when a new stack is created and tagged &lt;code&gt;env:prod&lt;/code&gt;, anyone with a role containing a matching tag-based rule automatically gets the right permissions. No manual assignment required.&lt;/p&gt;
&lt;p&gt;A single role can include multiple tag-based rules, and they are evaluated with &lt;strong&gt;OR&lt;/strong&gt; logic. If an entity matches any of the rules, the permissions are granted. Within a single rule, you can combine multiple key-value conditions with implicit &lt;strong&gt;AND&lt;/strong&gt; logic for precise targeting. For example, a rule with conditions &lt;code&gt;env:prod&lt;/code&gt; and &lt;code&gt;team:payments&lt;/code&gt; ensures access is granted only to production resources owned by the payments team.&lt;/p&gt;
&lt;h3 id="team-role-assignments"&gt;Team role assignments&lt;/h3&gt;
&lt;p&gt;Custom roles can now be assigned directly to &lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac/teams"&gt;teams&lt;/a&gt; within your Pulumi organization. When an engineer joins a team, whether manually or via &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/scim/"&gt;SCIM provisioning&lt;/a&gt;, they automatically inherit the permissions defined in the team&amp;rsquo;s assigned roles.&lt;/p&gt;
&lt;p&gt;Teams support both &lt;strong&gt;inline permissions&lt;/strong&gt; (ad-hoc access to specific stacks, environments, or accounts) and &lt;strong&gt;role-based permissions&lt;/strong&gt; simultaneously. You can assign &lt;strong&gt;multiple roles&lt;/strong&gt; to a single team, giving you full flexibility to compose access from reusable building blocks while retaining the ability to grant one-off access where needed. If you have existing workflows built around ad-hoc assignments to teams, those continue to work exactly as before. You can adopt roles incrementally or mix both approaches on the same team.&lt;/p&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.4a9ac1016b9d8a688a5e7e867f96bdf80115a0739af8c688ba04791e15f64461.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;Team admins (or users with the &lt;code&gt;team:update&lt;/code&gt; scope) can continue to manage their team&amp;rsquo;s inline permissions as they do today. However, assigning organization-level custom roles to a team requires additional permissions: &lt;code&gt;role:read&lt;/code&gt; and &lt;code&gt;role:update&lt;/code&gt;.&lt;/div&gt;
&lt;/div&gt;
&lt;h3 id="user-role-assignments"&gt;User role assignments&lt;/h3&gt;
&lt;p&gt;Custom roles can also be assigned directly to individual organization members. This is useful for users whose responsibilities span multiple teams or require permissions beyond the existing org-level &lt;code&gt;Admin&lt;/code&gt;, &lt;code&gt;Member&lt;/code&gt;, and &lt;code&gt;Billing Manager&lt;/code&gt; &lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac/roles"&gt;roles&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id="how-permissions-work-together"&gt;How permissions work together&lt;/h3&gt;
&lt;p&gt;Permissions in Pulumi IAM are &lt;strong&gt;additive&lt;/strong&gt;. A user receives the union of all permissions granted to them, including permissions from roles assigned directly to them as a user and permissions from roles assigned to any team they belong to. A user on both the &amp;ldquo;SRE&amp;rdquo; and &amp;ldquo;Security&amp;rdquo; teams inherits permissions from both team roles, plus any role assigned to them individually.&lt;/p&gt;
&lt;h2 id="how-to-get-started"&gt;How to get started&lt;/h2&gt;
&lt;p&gt;Configuring tag-based access control and role assignments is done through the Pulumi Cloud console and REST API.&lt;/p&gt;
&lt;h3 id="1-create-a-custom-role-with-tag-based-rules"&gt;1. Create a custom role with tag-based rules&lt;/h3&gt;
&lt;p&gt;In Pulumi Cloud, navigate to &lt;strong&gt;Settings&lt;/strong&gt; &amp;gt; &lt;strong&gt;Access Management&lt;/strong&gt; &amp;gt; &lt;strong&gt;Roles&lt;/strong&gt; and create a new custom role. In the role configuration, add tag-based rules that define which entities the role should apply to.&lt;/p&gt;
&lt;p&gt;For example, to create a role that grants write access to all production stacks:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Click &lt;strong&gt;Create custom role&lt;/strong&gt; and give it a descriptive name (e.g., &amp;ldquo;Production Deployer&amp;rdquo;)&lt;/li&gt;
&lt;li&gt;Add a permission set (e.g., Stack Write) to the role&lt;/li&gt;
&lt;li&gt;Under entity selection, choose &lt;strong&gt;Tag-based rule&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;Set the condition: tag key &lt;code&gt;env&lt;/code&gt; equals &lt;code&gt;prod&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Save the role&lt;/li&gt;
&lt;/ol&gt;
&lt;h3 id="2-assign-the-role-to-a-team"&gt;2. Assign the role to a team&lt;/h3&gt;
&lt;p&gt;Go to &lt;strong&gt;Settings&lt;/strong&gt; &amp;gt; &lt;strong&gt;Access Management&lt;/strong&gt; &amp;gt; &lt;strong&gt;Teams&lt;/strong&gt;, select a team, and assign your custom role. All team members immediately inherit the defined permissions.&lt;/p&gt;
&lt;h3 id="3-assign-a-role-to-an-individual-user"&gt;3. Assign a role to an individual user&lt;/h3&gt;
&lt;p&gt;For users with unique access requirements, go to &lt;strong&gt;Settings&lt;/strong&gt; &amp;gt; &lt;strong&gt;Access Management&lt;/strong&gt; &amp;gt; &lt;strong&gt;Members&lt;/strong&gt;, select a user, and assign a custom role directly.&lt;/p&gt;
&lt;div class="my-4"&gt;
&lt;video class="flex outline-none rounded-lg w-full" title="Custom roles with tag-based access control"
controls
autoplay muted playsinline
loop &gt;
&lt;source src="abac-demo.mp4" /&gt;
&lt;/video&gt;
&lt;/div&gt;
&lt;h2 id="enforce-tagging-standards-with-pulumi-policy"&gt;Enforce tagging standards with Pulumi Policy&lt;/h2&gt;
&lt;p&gt;Tag-based access control relies on consistent tagging. If a stack is missing a tag or has an incorrect value, permissions won&amp;rsquo;t be applied as expected. &lt;a href="https://www.pulumi.com/docs/insights/policy/"&gt;Pulumi Policy&lt;/a&gt; closes this gap by letting you enforce tagging standards as a &lt;a href="https://www.pulumi.com/docs/insights/policy/policy-groups/"&gt;preventative policy group&lt;/a&gt;, so any &lt;code&gt;pulumi up&lt;/code&gt; on a stack with missing or invalid tags is blocked before deployment. This ensures your tag-based RBAC rules always grant the correct permissions. Policy enforces the standard, RBAC enforces the access.&lt;/p&gt;
&lt;p&gt;To learn how to write policies that validate stack tags, see &lt;a href="https://www.pulumi.com/docs/insights/policy/policy-packs/authoring/#using-stack-tags-in-policies"&gt;Using stack tags in policies&lt;/a&gt;.&lt;/p&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.4a9ac1016b9d8a688a5e7e867f96bdf80115a0739af8c688ba04791e15f64461.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;Pulumi Policy currently supports tag enforcement for IaC stacks. For ESC environments and Insights accounts, tags are managed through the Pulumi Cloud console or REST API.&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="availability"&gt;Availability&lt;/h2&gt;
&lt;p&gt;Tag-based access control, team role assignments, and user role assignments are available today for customers on the &lt;strong&gt;Pulumi Enterprise&lt;/strong&gt; and &lt;strong&gt;Pulumi Business Critical&lt;/strong&gt; plans. Check out our &lt;a href="https://www.pulumi.com/pricing/"&gt;pricing page&lt;/a&gt; for more details on editions and what&amp;rsquo;s included.&lt;/p&gt;
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;With custom roles providing fine-grained permissions, tag-based rules enabling dynamic access policies, and the ability to assign roles directly to teams and users, Pulumi IAM now provides everything you need to implement automated, least-privilege access control at scale. We&amp;rsquo;re excited to see how you leverage these new capabilities to secure and streamline your cloud operations.&lt;/p&gt;
&lt;p&gt;Explore the &lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac"&gt;IAM documentation&lt;/a&gt; to get started, and share your feedback in our &lt;a href="https://github.com/pulumi/pulumi-cloud-requests/issues"&gt;GitHub repository&lt;/a&gt;.&lt;/p&gt;
&lt;h2 id="learn-more"&gt;Learn more&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac"&gt;RBAC overview&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac/roles"&gt;Roles&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac/permission-sets"&gt;Permission sets&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac/teams"&gt;Teams&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/administration/access-identity/rbac/scopes"&gt;Scopes&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/pulumi-cloud-iam-launch/"&gt;Pulumi IAM launch blog&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/blog/pulumi-cloud-iam-self-hosted/"&gt;Pulumi IAM for self-hosted&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description><author>Devon Grove</author><author>Davide Massarenti</author><author>Casey Huang</author><author>Arun Loganathan</author><category>iam</category><category>rbac</category><category>security</category><category>features</category><category>pulumi-cloud</category></item><item><title>How We Built a Distributed Work Scheduling System for Pulumi Cloud</title><link>https://www.pulumi.com/blog/how-we-built-a-distributed-work-scheduling-system-for-pulumi-cloud/</link><pubDate>Thu, 26 Feb 2026 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/how-we-built-a-distributed-work-scheduling-system-for-pulumi-cloud/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/how-we-built-a-distributed-work-scheduling-system-for-pulumi-cloud/index.png" /&gt;
&lt;p&gt;Pulumi Cloud orchestrates a growing number of workflow types: &lt;a href="https://www.pulumi.com/docs/deployments/"&gt;Deployments&lt;/a&gt;, &lt;a href="https://www.pulumi.com/docs/insights/"&gt;Insights&lt;/a&gt; discovery scans, and &lt;a href="https://www.pulumi.com/docs/insights/policy/"&gt;policy evaluations&lt;/a&gt;. Some of that work runs on Pulumi&amp;rsquo;s infrastructure, and some of it runs on yours via &lt;a href="https://www.pulumi.com/docs/deployments/deployments/customer-managed-agents/"&gt;customer-managed workflow runners&lt;/a&gt;. We needed a scheduling system that could handle all of these workflow types reliably across both environments. In this post, we&amp;rsquo;ll take a look at the system we built.&lt;/p&gt;
&lt;h2 id="where-we-started"&gt;Where we started&lt;/h2&gt;
&lt;p&gt;For our first workflow integration, Deployments, scheduling wasn&amp;rsquo;t too complicated. A deployment was queued, a worker picked it up, and it ran. The queue was purpose-built for deployments, and it worked well for that single use case. Over time, we added more sophisticated logic to handle retries, ordering, rate limiting, observability, and more.&lt;/p&gt;
&lt;p&gt;With the launch of Insights, the number of workflow types grew. Now Pulumi Cloud manages discovery scans to catalog cloud resources and runs audit policy evaluations to continuously verify compliance. While these workflows share similarities, each type needed its own scheduling, retry logic, and failure handling.&lt;/p&gt;
&lt;p&gt;Later we added the option for customers to run workflows on their own infrastructure using &lt;a href="https://www.pulumi.com/docs/deployments/deployments/customer-managed-agents/"&gt;customer-managed workflow runners&lt;/a&gt;. As the complexity of these requirements grew, we knew that our initial approach for Deployments wasn&amp;rsquo;t going to scale. We needed a single system that could schedule any type of work, route it to the right place, and handle the messy reality of distributed execution: crashes, network failures, rate limits, and retries.&lt;/p&gt;
&lt;p&gt;We call this the &lt;strong&gt;background activity system&lt;/strong&gt;.&lt;/p&gt;
&lt;h2 id="why-not-use-an-off-the-shelf-queue"&gt;Why not use an off-the-shelf queue?&lt;/h2&gt;
&lt;p&gt;Why build this instead of using Amazon SQS, RabbitMQ, or one of the many existing queue libraries? We considered these options but chose to build our own for a few reasons.&lt;/p&gt;
&lt;p&gt;Pulumi Cloud supports &lt;a href="https://www.pulumi.com/docs/administration/self-hosting/"&gt;self-hosted installations&lt;/a&gt;, including air-gapped environments. We intentionally minimize external dependencies so that self-hosted customers don&amp;rsquo;t have to stand up additional infrastructure. A system built on an external queue works fine for our hosted service, but it means self-hosted customers would need to provide a compatible backend. By building on top of the database we already require, we avoid adding another system to maintain.&lt;/p&gt;
&lt;p&gt;More importantly, queueing is only part of the problem. What we actually need is &lt;em&gt;scheduling with durability&lt;/em&gt;. This means ensuring that remote workers don&amp;rsquo;t lose activities on restart, priority so that urgent work gets compute resources first, constraints like &amp;ldquo;only so many scans per org at a time,&amp;rdquo; structured logging for observability, and checkpointing so that long-running operations can resume after a failure.&lt;/p&gt;
&lt;p&gt;These features can be layered onto a generic queue library but can require more code than implementing them directly. For example, priority queues are often implemented with multiple ranked queues, but this breaks single-activity-at-a-time constraints. A second queue wouldn&amp;rsquo;t see a job already running in the first one. There&amp;rsquo;s no way for producers in a distributed system to coordinate across the queues without support in the queuing system itself.&lt;/p&gt;
&lt;p&gt;Capacity management is another area where generic queues fall short. Distributed systems need to respond dynamically to slowdowns, network interruptions, and rate limits from downstream services. These are common low-level details that every workflow type needs, and building them into the scheduling layer means individual handlers don&amp;rsquo;t have to solve them independently.&lt;/p&gt;
&lt;p&gt;We also need structured logging that works everywhere, including on customer-managed runners behind firewalls where centralized logging services aren&amp;rsquo;t accessible.&lt;/p&gt;
&lt;p&gt;Building this ourselves gave us a system that works with existing infrastructure and handles these requirements natively.&lt;/p&gt;
&lt;h2 id="design-constraints"&gt;Design constraints&lt;/h2&gt;
&lt;p&gt;With that context, here are some of the constraints that shaped the design:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Pull-only agents.&lt;/strong&gt; Customer-managed workflow runners live behind NATs, corporate proxies, and air-gapped networks. They can&amp;rsquo;t accept inbound connections, so all communication has to be agent-initiated.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Mixed execution environments.&lt;/strong&gt; The same system needs to work for Pulumi-hosted workers (with direct access to internal systems) and customer-managed runners (communicating entirely over REST). We didn&amp;rsquo;t want to maintain two separate code paths.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Different workflow types.&lt;/strong&gt; Deployments, Insights scans, and audit policy evaluations have different payloads and execution semantics, but they all need the same scheduling guarantees: exactly-once execution, automatic retries, failure recovery, and observability.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Automatic fault tolerance.&lt;/strong&gt; Agents crash, networks drop, and machines get recycled by autoscalers. The system needs to detect these failures and recover without needing a person to step in.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Extensibility.&lt;/strong&gt; We knew we&amp;rsquo;d keep adding workflow types. Adding a new one should mean writing a handler and registering it, not building new infrastructure.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="the-background-activity"&gt;The background activity&lt;/h2&gt;
&lt;p&gt;At the center of the system is the &lt;strong&gt;background activity&lt;/strong&gt;, a persistent, typed work unit. Each activity includes:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;A &lt;strong&gt;type discriminator&lt;/strong&gt; that identifies what kind of work it represents (e.g., &amp;ldquo;insights-discovery&amp;rdquo; or &amp;ldquo;policy-evaluation&amp;rdquo;)&lt;/li&gt;
&lt;li&gt;A &lt;strong&gt;payload&lt;/strong&gt; specific to that type, containing whatever data the handler needs&lt;/li&gt;
&lt;li&gt;A &lt;strong&gt;routing context&lt;/strong&gt; that determines which runner pool should execute it&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Scheduling metadata&lt;/strong&gt; like priority, activation time, and retry configuration&lt;/li&gt;
&lt;li&gt;A &lt;strong&gt;status&lt;/strong&gt; tracking where the activity is in its lifecycle&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The type discriminator makes this system polymorphic. The scheduling engine doesn&amp;rsquo;t need to know what&amp;rsquo;s inside the payload. It moves activities through their lifecycle and delegates the actual work to a type-specific handler.&lt;/p&gt;
&lt;h3 id="the-state-machine"&gt;The state machine&lt;/h3&gt;
&lt;p&gt;Every activity follows the same lifecycle regardless of type:&lt;/p&gt;
&lt;pre class="mermaid"&gt;
---
config:
flowchart:
curve: linear
---
graph LR
Start(( )) --&amp;gt;|Created| Ready
Ready --&amp;gt;|Leased| Pending
Pending --&amp;gt;|Started| Executing
Executing --&amp;gt;|Success| Completed
Completed --&amp;gt; End(( ))
Executing --&amp;gt;|Error| Failed
Failed --&amp;gt; End
Executing --&amp;gt;|Canceled| Canceled
Canceled --&amp;gt; End
Executing --&amp;gt;|Dependencies| Waiting
Waiting --&amp;gt;|Unblocked| Ready
Pending --&amp;gt;|Lease expired| Restarting
Executing --&amp;gt;|Lease expired| Restarting
Restarting --&amp;gt;|Re-lease| Ready
style Start fill:#000,stroke:#000,color:#000
style End fill:#000,stroke:#000,color:#000
&lt;/pre&gt;
&lt;p&gt;The states fall into two groups:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Running states&lt;/strong&gt; (work is in flight or can be resumed):&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Ready&lt;/strong&gt;: queued and eligible to be claimed by a worker&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Pending&lt;/strong&gt;: claimed by a worker, execution about to start&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Executing&lt;/strong&gt;: actively running on a worker&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Waiting&lt;/strong&gt;: parked, blocked on one or more dependency activities&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Restarting&lt;/strong&gt;: recovered after a worker failure, ready to be re-claimed&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Terminal states&lt;/strong&gt; (work is done):&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Completed&lt;/strong&gt;, &lt;strong&gt;Failed&lt;/strong&gt;, &lt;strong&gt;Canceled&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;New workflow types get these features automatically: scheduling, retries, dependency management, and observability.&lt;/p&gt;
&lt;h2 id="leases-distributed-execution-without-coordination"&gt;Leases: distributed execution without coordination&lt;/h2&gt;
&lt;p&gt;A central challenge of any distributed work queue is preventing double-execution. If two agents try to execute the same activity simultaneously, you get duplicate work and data corruption. A central coordinator can solve this, but it becomes a single point of failure.&lt;/p&gt;
&lt;p&gt;We use lease-based optimistic concurrency instead. This is a well-known pattern, adapted here for long-running, stateful workflows.&lt;/p&gt;
&lt;h3 id="how-it-works"&gt;How it works&lt;/h3&gt;
&lt;p&gt;When an agent is ready for new work, it asks the service to &lt;strong&gt;lease&lt;/strong&gt; an activity. The service atomically selects the highest-priority ready activity, assigns a lease token with an expiration time, and transitions the activity to &lt;code&gt;Pending&lt;/code&gt;. No other agent can claim the same activity.&lt;/p&gt;
&lt;pre class="mermaid"&gt;
sequenceDiagram
participant Agent
participant Service
Agent-&amp;gt;&amp;gt;Service: Poll for work
Note right of Service: Select highest-priority&amp;lt;br/&amp;gt;Ready activity
Note right of Service: Atomically set lease&amp;lt;br/&amp;gt;token + expiration
Service-&amp;gt;&amp;gt;Agent: Lease (token, expiration)
Agent-&amp;gt;&amp;gt;Service: Begin execution
Note right of Service: Transition to Executing
Note over Agent: Work in progress...
Agent-&amp;gt;&amp;gt;Service: Renew lease
Service-&amp;gt;&amp;gt;Agent: New expiration
Note over Agent: Work continues...
Agent-&amp;gt;&amp;gt;Service: Complete (token, result)
Note right of Service: Transition to Completed&amp;lt;br/&amp;gt;Archive activity
Service-&amp;gt;&amp;gt;Agent: Acknowledged
&lt;/pre&gt;
&lt;p&gt;While executing, the agent periodically &lt;strong&gt;renews&lt;/strong&gt; its lease to signal that it&amp;rsquo;s still working. If the agent crashes, loses network connectivity, or is terminated, it stops renewing. Once the lease expires, the service transitions the activity to &lt;code&gt;Restarting&lt;/code&gt;, making it available for another agent to claim.&lt;/p&gt;
&lt;pre class="mermaid"&gt;
sequenceDiagram
participant A as Agent A
participant S as Service
participant B as Agent B
A-&amp;gt;&amp;gt;S: Lease activity
S-&amp;gt;&amp;gt;A: Token + expiration
Note over A: Executing...
A--xS: Agent A crashes
Note right of S: Lease expires
Note right of S: Transition → Restarting
B-&amp;gt;&amp;gt;S: Poll for work
Note right of S: Lease to Agent B&amp;lt;br/&amp;gt;Transition → Pending
S-&amp;gt;&amp;gt;B: Token + expiration
Note over B: Agent B continues execution
&lt;/pre&gt;
&lt;p&gt;The service doesn&amp;rsquo;t need to explicitly coordinate between workers because leases are acquired using atomic database operations. The lease expiration is the failure detector; if a lease expires, then the work needs to be rescheduled.&lt;/p&gt;
&lt;h2 id="routing-work-to-the-right-runner-pool"&gt;Routing work to the right runner pool&lt;/h2&gt;
&lt;p&gt;Pulumi Cloud supports multiple &lt;a href="https://www.pulumi.com/docs/deployments/deployments/customer-managed-agents/"&gt;workflow runner pools&lt;/a&gt;. An organization might have one pool for production in &lt;code&gt;us-east-1&lt;/code&gt;, another for staging in &lt;code&gt;eu-west-1&lt;/code&gt;, and use Pulumi-hosted runners for development. Work needs to reach the right pool.&lt;/p&gt;
&lt;p&gt;Each activity carries a &lt;strong&gt;routing context&lt;/strong&gt; that identifies which runner pool should execute it. When a runner polls for work, it filters by its own pool identifier so that it only sees activities meant for it.&lt;/p&gt;
&lt;p&gt;We use prefix matching for this filtering. A runner matches activities whose context starts with its pool&amp;rsquo;s identifier. This means the service can use hierarchical contexts (e.g., &lt;code&gt;pool-abc/insights/scan-123&lt;/code&gt;) and runners will still match on the pool prefix. Cleanup is also straightforward; when a runner pool is deleted, all activities with that context prefix are bulk-canceled.&lt;/p&gt;
&lt;p&gt;This routing mechanism works the same way regardless of workflow type, and adding a new workflow type doesn&amp;rsquo;t require changes to the routing layer.&lt;/p&gt;
&lt;h2 id="dependencies-and-multi-step-workflows"&gt;Dependencies and multi-step workflows&lt;/h2&gt;
&lt;p&gt;Some workflows are naturally multi-step. An Insights discovery scan might discover resources that then need policy evaluation. Rather than building a separate orchestration engine, we built dependency management into the activity system.&lt;/p&gt;
&lt;p&gt;An activity can declare a &lt;strong&gt;dependency set&lt;/strong&gt;: a list of other activities that must complete before it can run. A dependent activity enters the &lt;code&gt;Waiting&lt;/code&gt; state when created. As its dependencies complete, the system checks whether all prerequisites are satisfied. When the last one finishes, the waiting activity transitions to &lt;code&gt;Ready&lt;/code&gt; and enters the scheduling queue.&lt;/p&gt;
&lt;pre class="mermaid"&gt;
graph TD
A[&amp;#34;Insights Discovery&amp;lt;br/&amp;gt;&amp;lt;b&amp;gt;Executing&amp;lt;/b&amp;gt;&amp;#34;] --&amp;gt;|depends on| B[&amp;#34;Policy Evaluation&amp;lt;br/&amp;gt;&amp;lt;b&amp;gt;Waiting&amp;lt;/b&amp;gt;&amp;#34;]
A --&amp;gt;|completes| C[&amp;#34;Insights Discovery&amp;lt;br/&amp;gt;&amp;lt;b&amp;gt;Completed&amp;lt;/b&amp;gt;&amp;#34;]
C --&amp;gt;|triggers| D[&amp;#34;Policy Evaluation&amp;lt;br/&amp;gt;&amp;lt;b&amp;gt;Ready&amp;lt;/b&amp;gt;&amp;lt;br/&amp;gt;(auto-scheduled)&amp;#34;]
&lt;/pre&gt;
&lt;p&gt;This gives us a lightweight &lt;a href="https://en.wikipedia.org/wiki/Directed_acyclic_graph"&gt;DAG&lt;/a&gt; of work without requiring a separate workflow engine. Dependent activities get the same guarantees as any other activity: lease-based execution, automatic recovery, and observability.&lt;/p&gt;
&lt;h2 id="two-execution-modes-one-interface"&gt;Two execution modes, one interface&lt;/h2&gt;
&lt;p&gt;This is where the design really pays off for customer-managed runners. The system supports two execution modes:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Direct mode&lt;/strong&gt; runs in-process alongside the Pulumi Cloud service. Workers have low-latency access to internal systems and can process activities with minimal overhead. This is what Pulumi-hosted runners use.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Remote mode&lt;/strong&gt; communicates over REST APIs. The runner polls for activities, leases them, executes work locally, and reports results back over HTTP. This is what customer-managed runners use. No database access, no internal network access, no inbound connectivity required.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Both modes share the same handler interface so that a workflow handler doesn&amp;rsquo;t need to know where it&amp;rsquo;s running. Whether it&amp;rsquo;s running on Pulumi&amp;rsquo;s hosted infrastructure or on a customer&amp;rsquo;s Kubernetes cluster, the handler simply processes the payload and reports a result.&lt;/p&gt;
&lt;h2 id="putting-it-all-together"&gt;Putting it all together&lt;/h2&gt;
&lt;p&gt;Let&amp;rsquo;s walk through a concrete example. A user wants to run an Insights discovery scan on an AWS account using a customer-managed workflow runner.&lt;/p&gt;
&lt;pre class="mermaid"&gt;
sequenceDiagram
participant User
participant PC as Pulumi Cloud
participant Runner as Workflow Runner&amp;lt;br/&amp;gt;(Customer Infrastructure)
User-&amp;gt;&amp;gt;PC: 1. Configure Insights scan&amp;lt;br/&amp;gt;for runner pool
Note right of PC: 2. Create background activity&amp;lt;br/&amp;gt;type: insights-discovery&amp;lt;br/&amp;gt;context: runner-pool-xyz&amp;lt;br/&amp;gt;status: Ready
Runner-&amp;gt;&amp;gt;PC: 3. Poll for work (filtered by pool)
PC-&amp;gt;&amp;gt;Runner: 4. Lease activity (token + expiration)
Runner-&amp;gt;&amp;gt;PC: 5. Initialize workflow
PC-&amp;gt;&amp;gt;Runner: Return cloud credentials + job token
Note over Runner: 6. Execute scan locally&amp;lt;br/&amp;gt;(talks directly to cloud APIs —&amp;lt;br/&amp;gt;credentials are used only on&amp;lt;br/&amp;gt;the runner)
Runner-&amp;gt;&amp;gt;PC: 7. Renew lease
Note right of PC: Extend expiration
Runner-&amp;gt;&amp;gt;PC: 8. Report completion
Note right of PC: 9. Mark completed&amp;lt;br/&amp;gt;Archive activity
Note right of PC: 10. Unblock dependent activities&amp;lt;br/&amp;gt;(e.g., policy evaluation)
&lt;/pre&gt;
&lt;ol&gt;
&lt;li&gt;A user configures an AWS account for Insights scanning in Pulumi Cloud and assigns it to a workflow runner pool.&lt;/li&gt;
&lt;li&gt;Pulumi Cloud creates a background activity with the type set to insights discovery, the routing context set to the runner pool, and the payload containing the account configuration.&lt;/li&gt;
&lt;li&gt;A customer-managed workflow runner polling that pool detects new work.&lt;/li&gt;
&lt;li&gt;The runner leases the activity, acquiring an exclusive lock via the lease token.&lt;/li&gt;
&lt;li&gt;The runner initializes the workflow, receiving any required cloud provider credentials (e.g., resolved from &lt;a href="https://www.pulumi.com/docs/esc/"&gt;Pulumi ESC (Environments, Secrets, and Configuration)&lt;/a&gt;) and a job token from Pulumi Cloud.&lt;/li&gt;
&lt;li&gt;The runner executes the scan locally on the customer&amp;rsquo;s infrastructure, talking directly to the cloud provider APIs.&lt;/li&gt;
&lt;li&gt;During execution, the runner periodically renews its lease to signal liveness.&lt;/li&gt;
&lt;li&gt;The scan completes, and the runner reports the result back to Pulumi Cloud.&lt;/li&gt;
&lt;li&gt;The service marks the activity as completed and archives it.&lt;/li&gt;
&lt;li&gt;If a dependent policy evaluation activity was waiting on this scan, it automatically transitions to &lt;code&gt;Ready&lt;/code&gt; and enters the scheduling queue, where another runner in the pool can pick it up.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;This flow works the same way whether the runner is hosted by Pulumi or by the customer. The only difference is whether the execution mode is direct or remote.&lt;/p&gt;
&lt;h2 id="retries-and-scheduling"&gt;Retries and scheduling&lt;/h2&gt;
&lt;p&gt;Failures are expected in distributed systems. The background activity system handles them at several levels:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Lease expiration&lt;/strong&gt; covers hard failures like agent crashes, network partitions, and machine terminations. If a lease expires, the activity moves to &lt;code&gt;Restarting&lt;/code&gt;, and is available for another agent to pick up.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Handler-controlled retries&lt;/strong&gt; cover soft failures like transient API errors and rate limits. A handler can request a reschedule with a delay, putting the activity back in &lt;code&gt;Ready&lt;/code&gt; with a future activation time.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Automatic retries&lt;/strong&gt; provide a configurable retry budget per activity. Each activity can specify how many times it should be retried and the delay between attempts, preventing runaway retry loops.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Priority scheduling&lt;/strong&gt; ensures urgent work gets processed first. Higher-priority activities are leased before lower-priority ones, even if the lower-priority activity has been waiting longer.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Lease renewal during slowdowns&lt;/strong&gt; keeps the activity alive without blocking other work, even if a downstream service is slow. The agent continues renewing its lease while it waits, and the scheduler remains free to assign other activities to other agents.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="observability"&gt;Observability&lt;/h2&gt;
&lt;p&gt;Every activity generates a structured log of its execution, including timestamps, severity levels, and code context. Logs are stored with the activity record and are accessible via an API and admin tooling.&lt;/p&gt;
&lt;p&gt;This is especially useful for customer-managed runners, where the service can&amp;rsquo;t directly observe the execution environment. The structured log gives operators visibility into the execution context, even when the runner is behind a firewall. Handlers can also use these logs as a progress journal, encoding checkpoints that allow a restarted activity to pick up where it left off rather than starting from scratch.&lt;/p&gt;
&lt;p&gt;Retention policies are configurable per organization and per workflow type. Completed activities can be retained for auditing or purged to manage storage, and failed activities are typically retained longer for debugging.&lt;/p&gt;
&lt;h2 id="what-we-learned"&gt;What we learned&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;A generic system pays off quickly.&lt;/strong&gt; Our initial instinct was to build targeted solutions for each workflow type. Investing in a generic activity system required more upfront design work, but now adding a new workflow type requires a fraction of the effort it would take otherwise. New workflows ship with full scheduling, retry, and observability support from day one.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Leases handle many failure modes.&lt;/strong&gt; We evaluated several approaches for distributed work coordination, including message queues with explicit acknowledgment and coordinator-based assignment. The lease model works well because all failure modes are handled through timeouts. If an agent is running as expected, it renews. If it isn&amp;rsquo;t, the lease expires.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Keeping the execution paths symmetric requires discipline.&lt;/strong&gt; Making the hosted and self-hosted paths share the same handler interface was a deliberate choice. It would be easy to add shortcuts for the hosted path that bypass the remote API, but resisting that temptation means that features work for both cases automatically.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The hard part isn&amp;rsquo;t running the work.&lt;/strong&gt; Running a scan or a deployment is straightforward once you have the right credentials. The real complexity is in everything around the execution: scheduling, routing, leasing, retrying, resolving dependencies, and cleaning up. These operational concerns aren&amp;rsquo;t visible to users, but they are essential to providing a reliable experience.&lt;/p&gt;
&lt;h2 id="wrapping-it-up"&gt;Wrapping it up&lt;/h2&gt;
&lt;p&gt;Today this system powers deployments, Insights discovery scans, and policy evaluations across both Pulumi Cloud and customer-managed infrastructure. The architecture is general enough that every new workflow type we add inherits the full scheduling, routing, retry, and observability stack without additional plumbing.&lt;/p&gt;
&lt;p&gt;If you&amp;rsquo;re interested in running workflows on your own infrastructure, check out &lt;a href="https://www.pulumi.com/docs/deployments/deployments/customer-managed-agents/"&gt;customer-managed workflow runners&lt;/a&gt;. To see how Insights can help you understand and manage your cloud infrastructure, &lt;a href="https://www.pulumi.com/docs/insights/"&gt;get started with Pulumi Insights&lt;/a&gt;.&lt;/p&gt;</description><author>Levi Blackstone</author><author>Davide Massarenti</author><category>pulumi-cloud</category><category>features</category><category>engineering</category><category>insights</category></item><item><title>Announcing OpenAPI support for the Pulumi Cloud REST API</title><link>https://www.pulumi.com/blog/announcing-openapi-support-pulumi-cloud/</link><pubDate>Thu, 05 Feb 2026 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/announcing-openapi-support-pulumi-cloud/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/announcing-openapi-support-pulumi-cloud/index.png" /&gt;
&lt;p&gt;We&amp;rsquo;re thrilled to announce that the Pulumi Cloud REST API is now described by an OpenAPI 3.0 specification, and we&amp;rsquo;re just getting started.&lt;/p&gt;
&lt;p&gt;This is a feature that has been a long time coming. We have heard your requests for OpenAPI support &lt;a href="https://github.com/pulumi/pulumi-cloud-requests/issues/100"&gt;loud and clear&lt;/a&gt;, and we&amp;rsquo;re excited to share that not only do we have a published specification for consumption, but our API code is now built from this specification as well. Moving forward, this single source of truth unlocks better tooling, tighter integration, and a more predictable API experience for everyone.&lt;/p&gt;
&lt;p&gt;You can fetch the spec directly from the API at runtime or use it for client generation, validation, and documentation, all from one machine-readable contract.&lt;/p&gt;
&lt;h2 id="a-single-contract-for-the-pulumi-cloud-rest-api"&gt;A single contract for the Pulumi Cloud REST API&lt;/h2&gt;
&lt;p&gt;The Pulumi Cloud API powers the Pulumi CLI, the Pulumi Console, and third-party integrations. Until now, there was no single, published machine-readable description of that API. We&amp;rsquo;ve changed that. The API is now defined and served as a standard OpenAPI 3.0.3 document.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Runtime discovery&lt;/strong&gt;: You can retrieve the spec from the API itself, so your tooling always sees the same surface the service implements.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Client generation&lt;/strong&gt;: Use your favorite OpenAPI tooling (e.g. OpenAPI Generator, Swagger Codegen) to generate API clients in the language of your choice.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Validation and testing&lt;/strong&gt;: Validate requests and responses, or build mocks and tests, from the same spec the service uses.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Documentation&lt;/strong&gt;: The spec is the source of truth, not a separate, hand-maintained API doc that can drift from reality. Load the spec into Swagger UI, Redoc, or another viewer to browse the Pulumi Cloud API interactively.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="how-to-get-the-spec"&gt;How to get the spec&lt;/h2&gt;
&lt;p&gt;Send a GET request to:&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;https://api.pulumi.com/api/openapi/pulumi-spec.json
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;No authentication is required. The response is the OpenAPI 3.0 document for the Pulumi Cloud API, describing the supported, documented API surface.&lt;/p&gt;
&lt;h2 id="source-of-truth-and-stability"&gt;Source of truth and stability&lt;/h2&gt;
&lt;p&gt;We do not hand-write the OpenAPI spec. We generate it from the same API definition that drives our backend and console code. When we add or change API routes or models, we regenerate the spec so the published document stays in sync with what the service actually implements. That gives you a clear, stable contract for the Pulumi Cloud API.&lt;/p&gt;
&lt;h2 id="what-we-are-building-next"&gt;What we are building next&lt;/h2&gt;
&lt;p&gt;We are using this spec as the foundation for our own tooling, and have plans to continue leveraging the spec in our toolchain long-term.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;CLI&lt;/strong&gt;: We plan to drive the Pulumi CLI’s API client from the OpenAPI spec so that CLI and API stay in lockstep.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Pulumi Service Provider&lt;/strong&gt;: We are also building towards day 1 updates to the &lt;a href="https://www.pulumi.com/registry/packages/pulumiservice/"&gt;Pulumi Service Provider&lt;/a&gt; so that new and changed API resources are generated from the spec and ship in sync with the service.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Docs Enhancements&lt;/strong&gt;: Although you can load the spec using Swagger UI for your own browsing, we are intent on shipping enhancements to our &lt;a href="https://www.pulumi.com/docs/reference/cloud-rest-api/"&gt;public REST API docs&lt;/a&gt; that will keep them up-to-date according to the OpenAPI spec.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;As we ship those updates, you will get a single source of truth from API to CLI to provider.&lt;/p&gt;
&lt;p&gt;If you have questions or feedback about the OpenAPI spec or the Pulumi Cloud API, reach out in our &lt;a href="https://slack.pulumi.com/"&gt;Community Slack&lt;/a&gt; or open an issue in the &lt;a href="https://github.com/pulumi/pulumi"&gt;Pulumi repository&lt;/a&gt;. We&amp;rsquo;re excited to see what you build with it.&lt;/p&gt;</description><author>Davide Massarenti</author><author>Claire Gaestel</author><author>Devon Grove</author><author>Arun Loganathan</author><author>Zac Cook</author><category>features</category><category>pulumi-cloud</category><category>api</category></item><item><title>Pulumi IAM Now Available for Self-Hosted Pulumi Cloud</title><link>https://www.pulumi.com/blog/pulumi-cloud-iam-self-hosted/</link><pubDate>Wed, 14 Jan 2026 11:18:00 +0000</pubDate><guid>https://www.pulumi.com/blog/pulumi-cloud-iam-self-hosted/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/pulumi-cloud-iam-self-hosted/index.png" /&gt;
&lt;p&gt;We&amp;rsquo;re excited to announce that &lt;strong&gt;Pulumi Identity and Access Management (IAM)&lt;/strong&gt; is now available for self-hosted instances of Pulumi Cloud. This foundational security capability brings the same &lt;a href="https://www.pulumi.com/blog/pulumi-cloud-iam-launch/"&gt;enterprise-grade access management&lt;/a&gt; we launched for Pulumi Cloud SaaS to organizations running Pulumi on their own infrastructure.&lt;/p&gt;
&lt;h2 id="enterprise-security-for-self-hosted-deployments"&gt;Enterprise Security for Self-Hosted Deployments&lt;/h2&gt;
&lt;p&gt;Self-hosted Pulumi Cloud customers can now leverage the full power of &lt;strong&gt;Custom Roles&lt;/strong&gt; and &lt;strong&gt;Granular Access Tokens&lt;/strong&gt; to implement Zero Trust security principles and least privilege access controls within their own environments. This means you can:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Define Custom Permissions&lt;/strong&gt; with fine-grained scopes (e.g., &lt;code&gt;stack:delete&lt;/code&gt;, &lt;code&gt;environment:read&lt;/code&gt;) tailored to your organization&amp;rsquo;s security requirements.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Create Custom Roles&lt;/strong&gt; by combining these permissions with specific Pulumi entities (Stacks, Environments, etc.).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Generate Scoped Organization Access Tokens&lt;/strong&gt; that are precisely limited to the permissions defined in their associated roles, dramatically reducing the blast radius if credentials are compromised.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="secure-automation-for-on-premises-infrastructure"&gt;Secure Automation for On-Premises Infrastructure&lt;/h2&gt;
&lt;p&gt;This release is powerful for self-hosted Pulumi Cloud deployments where security and compliance requirements are often even more stringent. You can now:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Implement Least Privilege CI/CD:&lt;/strong&gt; Scope pipeline tokens to only the actions and resources they absolutely need, ensuring your automation follows the same security standards as your infrastructure.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Enhance Compliance Posture:&lt;/strong&gt; Demonstrate precise, auditable control over programmatic access to auditors and security teams.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Reduce Operational Risk:&lt;/strong&gt; Limit the potential impact of compromised tokens by restricting them to specific roles and permissions.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="getting-started"&gt;Getting Started&lt;/h2&gt;
&lt;p&gt;Self-hosted customers can access IAM features through the same intuitive interface available in Pulumi Cloud SaaS. Navigate to &lt;strong&gt;Settings&lt;/strong&gt; -&amp;gt; &lt;strong&gt;Access Management&lt;/strong&gt; -&amp;gt; &lt;strong&gt;Roles&lt;/strong&gt; to begin creating Custom Permissions and Custom Roles, then generate scoped Organization Access Tokens from &lt;strong&gt;Settings&lt;/strong&gt; -&amp;gt; &lt;strong&gt;Access Management&lt;/strong&gt; -&amp;gt; &lt;strong&gt;Access Tokens&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;For detailed information about Pulumi IAM capabilities, including step-by-step guides and best practices, see our &lt;a href="https://www.pulumi.com/blog/pulumi-cloud-iam-launch/"&gt;comprehensive announcement blog post&lt;/a&gt;.&lt;/p&gt;
&lt;h2 id="learn-more"&gt;Learn More&lt;/h2&gt;
&lt;p&gt;Explore the IAM &amp;amp; RBAC documentation to get started:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac"&gt;Overview&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/roles"&gt;Roles&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/permissions"&gt;Permissions&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/scopes"&gt;Scopes&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;We&amp;rsquo;re committed to bringing enterprise-grade security features to all Pulumi deployments, whether in the cloud or on-premises. If you have questions or feedback, please reach out through your account representative or our &lt;a href="https://github.com/pulumi/pulumi-cloud-requests/issues"&gt;GitHub repository&lt;/a&gt;.&lt;/p&gt;</description><author>Davide Massarenti</author><author>Devon Grove</author><author>Casey Huang</author><author>Arun Loganathan</author><category>iam</category><category>rbac</category><category>security</category><category>features</category><category>pulumi-cloud</category><category>access-tokens</category><category>self-hosted</category></item></channel></rss>