<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0"><channel><title>Pulumi Blog: Access tokens</title><link>https://www.pulumi.com/blog/tag/access-tokens/</link><description>Pulumi blog posts: Access tokens.</description><language>en-us</language><pubDate>Wed, 14 Jan 2026 11:18:00 +0000</pubDate><item><title>Pulumi IAM Now Available for Self-Hosted Pulumi Cloud</title><link>https://www.pulumi.com/blog/pulumi-cloud-iam-self-hosted/</link><pubDate>Wed, 14 Jan 2026 11:18:00 +0000</pubDate><guid>https://www.pulumi.com/blog/pulumi-cloud-iam-self-hosted/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/pulumi-cloud-iam-self-hosted/index.png" /&gt;
&lt;p&gt;We&amp;rsquo;re excited to announce that &lt;strong&gt;Pulumi Identity and Access Management (IAM)&lt;/strong&gt; is now available for self-hosted instances of Pulumi Cloud. This foundational security capability brings the same &lt;a href="https://www.pulumi.com/blog/pulumi-cloud-iam-launch/"&gt;enterprise-grade access management&lt;/a&gt; we launched for Pulumi Cloud SaaS to organizations running Pulumi on their own infrastructure.&lt;/p&gt;
&lt;h2 id="enterprise-security-for-self-hosted-deployments"&gt;Enterprise Security for Self-Hosted Deployments&lt;/h2&gt;
&lt;p&gt;Self-hosted Pulumi Cloud customers can now leverage the full power of &lt;strong&gt;Custom Roles&lt;/strong&gt; and &lt;strong&gt;Granular Access Tokens&lt;/strong&gt; to implement Zero Trust security principles and least privilege access controls within their own environments. This means you can:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Define Custom Permissions&lt;/strong&gt; with fine-grained scopes (e.g., &lt;code&gt;stack:delete&lt;/code&gt;, &lt;code&gt;environment:read&lt;/code&gt;) tailored to your organization&amp;rsquo;s security requirements.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Create Custom Roles&lt;/strong&gt; by combining these permissions with specific Pulumi entities (Stacks, Environments, etc.).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Generate Scoped Organization Access Tokens&lt;/strong&gt; that are precisely limited to the permissions defined in their associated roles, dramatically reducing the blast radius if credentials are compromised.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="secure-automation-for-on-premises-infrastructure"&gt;Secure Automation for On-Premises Infrastructure&lt;/h2&gt;
&lt;p&gt;This release is powerful for self-hosted Pulumi Cloud deployments where security and compliance requirements are often even more stringent. You can now:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Implement Least Privilege CI/CD:&lt;/strong&gt; Scope pipeline tokens to only the actions and resources they absolutely need, ensuring your automation follows the same security standards as your infrastructure.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Enhance Compliance Posture:&lt;/strong&gt; Demonstrate precise, auditable control over programmatic access to auditors and security teams.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Reduce Operational Risk:&lt;/strong&gt; Limit the potential impact of compromised tokens by restricting them to specific roles and permissions.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="getting-started"&gt;Getting Started&lt;/h2&gt;
&lt;p&gt;Self-hosted customers can access IAM features through the same intuitive interface available in Pulumi Cloud SaaS. Navigate to &lt;strong&gt;Settings&lt;/strong&gt; -&amp;gt; &lt;strong&gt;Access Management&lt;/strong&gt; -&amp;gt; &lt;strong&gt;Roles&lt;/strong&gt; to begin creating Custom Permissions and Custom Roles, then generate scoped Organization Access Tokens from &lt;strong&gt;Settings&lt;/strong&gt; -&amp;gt; &lt;strong&gt;Access Management&lt;/strong&gt; -&amp;gt; &lt;strong&gt;Access Tokens&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;For detailed information about Pulumi IAM capabilities, including step-by-step guides and best practices, see our &lt;a href="https://www.pulumi.com/blog/pulumi-cloud-iam-launch/"&gt;comprehensive announcement blog post&lt;/a&gt;.&lt;/p&gt;
&lt;h2 id="learn-more"&gt;Learn More&lt;/h2&gt;
&lt;p&gt;Explore the IAM &amp;amp; RBAC documentation to get started:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac"&gt;Overview&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/roles"&gt;Roles&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/permissions"&gt;Permissions&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/scopes"&gt;Scopes&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;We&amp;rsquo;re committed to bringing enterprise-grade security features to all Pulumi deployments, whether in the cloud or on-premises. If you have questions or feedback, please reach out through your account representative or our &lt;a href="https://github.com/pulumi/pulumi-cloud-requests/issues"&gt;GitHub repository&lt;/a&gt;.&lt;/p&gt;</description><author>Davide Massarenti</author><author>Devon Grove</author><author>Casey Huang</author><author>Arun Loganathan</author><category>iam</category><category>rbac</category><category>security</category><category>features</category><category>pulumi-cloud</category><category>access-tokens</category><category>self-hosted</category></item><item><title>Announcing Pulumi Identity and Access Management (IAM)</title><link>https://www.pulumi.com/blog/pulumi-cloud-iam-launch/</link><pubDate>Mon, 09 Jun 2025 00:00:00 +0000</pubDate><guid>https://www.pulumi.com/blog/pulumi-cloud-iam-launch/</guid><description>
&lt;img src="https://www.pulumi.com/images/generated/blog/pulumi-cloud-iam-launch/index.png" /&gt;
&lt;p&gt;Cloud development is accelerating at an unprecedented pace, fueled by AI and the relentless drive for innovation. But this incredible speed demands unwavering trust in your security posture. How do you empower teams to deploy rapidly and frequently without opening doors to risk or violating compliance mandates? Today, we&amp;rsquo;re thrilled to answer that critical challenge by introducing &lt;strong&gt;Pulumi Identity and Access Management&lt;/strong&gt; (IAM) – a foundational new capability designed to embed robust, granular security directly into your cloud development lifecycle, enabling you to innovate both quickly and safely with Pulumi. Pulumi IAM provides the unified framework for fine-grained authorization needed to confidently manage modern cloud infrastructure and applications across the entire Pulumi Cloud platform.&lt;/p&gt;
&lt;h2 id="our-vision-for-pulumi-iam"&gt;Our Vision for Pulumi IAM&lt;/h2&gt;
&lt;p&gt;Pulumi IAM is a foundational investment, delivering enterprise-grade access management through a phased approach. Today&amp;rsquo;s release marks the beginning, with much more planned:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Phase 1: Granular Access Tokens &amp;amp; Custom Roles (Available Today)&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Define custom, reusable &lt;strong&gt;Permissions&lt;/strong&gt; with &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/scopes"&gt;fine-grained scopes&lt;/a&gt; (e.g., &lt;code&gt;stack:delete&lt;/code&gt; only).&lt;/li&gt;
&lt;li&gt;Create &lt;strong&gt;Custom Roles&lt;/strong&gt; by combining Permissions with specific Pulumi Entities (Stacks, Environments, etc.).&lt;/li&gt;
&lt;li&gt;Generate &lt;strong&gt;Organization Access Tokens&lt;/strong&gt; scoped precisely to these Custom Roles, perfect for secure automation.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Phase 2: User &amp;amp; Team Role Assignment (Coming Soon)&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Leverage &lt;strong&gt;OIDC configuration&lt;/strong&gt; to dynamically assume Custom Roles for secure, tokenless authentication from CI/CD systems like GitHub Actions, GitLab, and more.&lt;/li&gt;
&lt;li&gt;Assign these powerful Custom Roles directly to &lt;strong&gt;individual users and teams&lt;/strong&gt; within your Pulumi organization.&lt;/li&gt;
&lt;li&gt;Implement a complete overhaul of user and team access management, moving beyond the basic &lt;code&gt;Admin&lt;/code&gt;/&lt;code&gt;Member&lt;/code&gt; distinctions, and enabling reusability of custom building blocks permissions and roles that work for your organization&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Phase 3: Advanced Authorization &amp;amp; Scalability (Future Release)&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Introduce &lt;strong&gt;Attribute-Based Access Control (ABAC)&lt;/strong&gt;, allowing policies based on tags or other attributes of Pulumi Entities (e.g., &amp;ldquo;grant &amp;lsquo;dev-role&amp;rsquo; access to all stacks tagged &amp;rsquo;env:dev&amp;rsquo;&amp;rdquo;).&lt;/li&gt;
&lt;li&gt;Enable the creation of &lt;strong&gt;Custom RBAC Policies&lt;/strong&gt; with conditional logic for highly specific access scenarios and reuse them&lt;/li&gt;
&lt;li&gt;Provide mechanisms to manage permissions across hundreds or thousands of Pulumi Entities efficiently.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="a-foundation-for-zero-trust--unified-security"&gt;A Foundation for Zero Trust &amp;amp; Unified Security&lt;/h2&gt;
&lt;p&gt;Pulumi IAM isn&amp;rsquo;t just another feature; it&amp;rsquo;s a foundational pillar underpinning security across the entire Pulumi Cloud ecosystem, enabling organizations to implement &lt;strong&gt;Zero Trust&lt;/strong&gt; principles for their infrastructure management. Modern security models assume breaches will happen and demand rigorous verification for every access request. Static, organization-wide roles no longer suffice where separation of duties, least privilege, and compliance are paramount.&lt;/p&gt;
&lt;p&gt;Pulumi IAM addresses these challenges by providing:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Least Privilege Enforcement:&lt;/strong&gt; Define precisely &lt;em&gt;who&lt;/em&gt; can do &lt;em&gt;what&lt;/em&gt; on &lt;em&gt;which&lt;/em&gt; specific resources, minimizing the potential impact if credentials or accounts are compromised. This is core to Zero Trust – grant only the minimum necessary access, verified at the point of action.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Granular Control Across Pulumi:&lt;/strong&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Infrastructure as Code (IaC):&lt;/strong&gt; Apply fine-grained controls over Pulumi Stacks&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Secrets Management:&lt;/strong&gt; Define specific access levels for Pulumi ESC Environments.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Insights:&lt;/strong&gt; Manage permissions for Pulumi Insights account settings.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Secure Automation:&lt;/strong&gt; Provide secure, least-privilege tokens and OIDC integration for CI/CD pipelines and automation, drastically reducing the risk associated with over-privileged service accounts.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Unified, Scalable Governance:&lt;/strong&gt; Establish a consistent authorization model that simplifies administration and scales from small teams to complex enterprise environments, ensuring security doesn&amp;rsquo;t hinder velocity.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="launching-today-granular-access-tokens-via-custom-roles"&gt;Launching Today: Granular Access Tokens via Custom Roles&lt;/h2&gt;
&lt;p&gt;This vision begins today with the initial phase of Pulumi IAM, enabling you to define &lt;strong&gt;Custom Roles&lt;/strong&gt; built from &lt;strong&gt;fine-grained Permissions&lt;/strong&gt; and apply them specifically to &lt;strong&gt;Organization Access Tokens&lt;/strong&gt;. This initial step provides immediate, significant security benefits, particularly for automation:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;True Least Privilege for CI/CD:&lt;/strong&gt; Scope pipeline tokens to &lt;em&gt;only&lt;/em&gt; the actions (e.g., &lt;code&gt;pulumi up&lt;/code&gt;) and Entities (e.g., &lt;code&gt;stack: myapp-prod&lt;/code&gt;) they absolutely need.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Reduced Blast Radius:&lt;/strong&gt; If a scoped token is compromised, the potential damage is limited strictly to the permissions defined in its associated role.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Enhanced Compliance:&lt;/strong&gt; Demonstrate precise control over programmatic access to auditors.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="how-to-get-started-with-granular-access-tokens"&gt;How to Get Started with Granular Access Tokens&lt;/h2&gt;
&lt;p&gt;Configuring and using Custom Roles for scoped tokens is done via the Pulumi Cloud console:&lt;/p&gt;
&lt;h3 id="1-define-a-custom-permission-optional"&gt;1. Define a Custom Permission (Optional)&lt;/h3&gt;
&lt;p&gt;Create reusable sets of fine-grained scopes.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;As an admin, navigate to Organization Settings -&amp;gt; Roles -&amp;gt; Permissions&lt;/li&gt;
&lt;li&gt;Follow instructions for &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/permissions#creating-custom-permissions"&gt;creating a custom permission&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="2-create-a-custom-role"&gt;2. Create a Custom Role&lt;/h3&gt;
&lt;p&gt;Combine permissions with specific resources.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;As an admin, navigate to Organization Settings -&amp;gt; Roles&lt;/li&gt;
&lt;li&gt;Follow instructions for &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/roles#creating-custom-roles"&gt;creating a custom role&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="3-generate-a-scoped-organization-access-token"&gt;3. Generate a Scoped Organization Access Token&lt;/h3&gt;
&lt;p&gt;Generate an organization access token with narrowed scope.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;As an admin, navigate to Organization Settings -&amp;gt; Access Tokens -&amp;gt; Organization Access Tokens.*&lt;/li&gt;
&lt;li&gt;Click &amp;ldquo;Create token&amp;rdquo;. Provide a description. &lt;strong&gt;Select your Custom Role&lt;/strong&gt; from the &amp;ldquo;Role&amp;rdquo; dropdown. Generate the token.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="new-scenarios-unlocked-today"&gt;New Scenarios Unlocked Today&lt;/h2&gt;
&lt;p&gt;This release immediately enables more secure and compliant workflows:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Secure Multi-Environment CI/CD:&lt;/strong&gt; A single pipeline can use different tokens based on the target environment (dev, staging, prod), each assuming a role with appropriately restricted permissions (e.g., read-only for prod dependencies, write for the target stack).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Restricted Operational Scripts:&lt;/strong&gt; An automation script designed only to read audit logs can use a token tied to a role granting &lt;em&gt;only&lt;/em&gt; &lt;code&gt;audit_log:read&lt;/code&gt; permission, preventing accidental or malicious modifications.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Safer ChatOps &amp;amp; Tooling:&lt;/strong&gt; Integrations like ChatOps bots can operate with tokens scoped down to only necessary actions (e.g., triggering a &lt;code&gt;pulumi preview&lt;/code&gt; on specific stacks).&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="note note-info"&gt;
&lt;div class="icon-and-line"&gt;
&lt;svg xmlns="http://www.w3.org/2000/svg" class="ph-icon ph-icon--fill" fill="currentColor" aria-hidden="true" focusable="false"&gt;&lt;use href="https://www.pulumi.com/icons/sprite.4a9ac1016b9d8a688a5e7e867f96bdf80115a0739af8c688ba04791e15f64461.svg#p-info-fill"/&gt;&lt;/svg&gt;
&lt;div class="line"&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="content"&gt;&lt;strong&gt;Available Today:&lt;/strong&gt; Custom Permissions, Custom Roles, and the ability to scope Organization Access Tokens using these roles, is &lt;strong&gt;available now&lt;/strong&gt; for customers on the &lt;strong&gt;Pulumi Enterprise&lt;/strong&gt; and &lt;strong&gt;Pulumi Business Critical&lt;/strong&gt; tiers. Explore these features in your Pulumi Cloud organization settings!&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="conclusion-building-a-more-secure-future"&gt;Conclusion: Building a More Secure Future&lt;/h2&gt;
&lt;p&gt;Pulumi Identity and Access Management (IAM) represents a fundamental advancement in securing cloud development lifecycles managed by Pulumi, providing the controls needed to confidently embrace speed and scale. Today’s launch of Granular Access Tokens via Custom Roles provides immediate security improvements for automation and programmatic access, laying the vital groundwork for our comprehensive IAM vision rooted in Zero Trust principles.&lt;/p&gt;
&lt;p&gt;This empowers platform and security teams with the fine-grained control needed to implement least privilege, enhance compliance, and scale Pulumi usage securely without sacrificing velocity.&lt;/p&gt;
&lt;p&gt;We encourage our Enterprise and Business Critical customers to explore Custom Roles and Granular Access Tokens today. Dive into the &lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac"&gt;documentation&lt;/a&gt; and start building roles tailored to your security requirements. We welcome your feedback and feature requests in our &lt;a href="https://github.com/pulumi/pulumi-cloud-requests/issues"&gt;GitHub repository&lt;/a&gt;. Join us as we build a more secure foundation for cloud engineering!&lt;/p&gt;
&lt;h2 id="learn-more"&gt;Learn More&lt;/h2&gt;
&lt;p&gt;Learn more about Pulumi Cloud&amp;rsquo;s new IAM &amp;amp; RBAC features:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac"&gt;Overview&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/roles"&gt;Roles&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/permissions"&gt;Permissions&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.pulumi.com/docs/pulumi-cloud/access-management/rbac/scopes"&gt;Scopes&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description><author>Germán Lena</author><author>Devon Grove</author><author>Arun Loganathan</author><category>iam</category><category>rbac</category><category>security</category><category>features</category><category>pulumi-cloud</category><category>access-tokens</category><category>oidc</category></item></channel></rss>