The Pulumi Cloud Console provides fine-grained access controls for stacks.
A user’s permission to access a stack is based first on their role within the containing organization, and then on any additional permissions granted explicitly to that user.
Stack Permission Levels
There are four types of permission levels available to users and teams collaborating on Pulumi stacks. For information on how to grant stack permissions, see Teams.
These stack permissions allow users to perform the following actions:
|View update history||✅||✅||✅|
|Decrypt secret configuration||✅||✅||✅|
|Read stack resources||✅||✅||✅|
|Preview stack changes||✅||✅||✅|
|Destroy stack (
|Export stack checkpoint||✅||✅||✅|
|Import stack checkpoint||✅||✅|
|Delete stack (
Assigning Stack Permissions
Permissions to access a stack can be assigned in three ways. The permissions granted from these sources are merged, and the user receives the highest permission level that any source grants.
- Organization Settings: The organization settings can configure a Default Stack Permission level, granting all members of the organization a minimum permission to access a stack.
- Stack Creator: The user who created the stack is given ADMIN permission, even if the organization’s Default Stack Permission is NONE. (This special “creator” permission can be removed by visiting the stack’s “SETTINGS” and “ACCESS” tab.)
- Team Membership: A team may grant permissions to access a stack to the team’s members.
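The merge rule above can be used to audit access. The following is an added example, not Pulumi's own code and not a call to any Pulumi API: it computes each user's effective permission from the three sources and reports stacks where ADMIN comes only from the creator grant. The level names READ and WRITE, the data layout, and all sample users, teams and stacks are assumptions constructed for illustration.

```python
from enum import IntEnum

class Perm(IntEnum):
    # NONE and ADMIN are named on the page; READ and WRITE are assumed names.
    NONE = 0
    READ = 1
    WRITE = 2
    ADMIN = 3

def effective(user, stack, org_default, team_grants, memberships):
    """Return (level, sources): the highest permission and every source granting it."""
    candidates = {"org-default": org_default}
    # The creator grant applies only while it has not been removed from the stack.
    if stack["creator_admin"] and stack["creator"] == user:
        candidates["stack-creator"] = Perm.ADMIN
    for team, level in team_grants.get(stack["name"], {}).items():
        if user in memberships.get(team, set()):
            candidates[f"team:{team}"] = level
    top = max(candidates.values())
    return top, sorted(s for s, lvl in candidates.items() if lvl == top)

def creator_only_admins(stacks, org_default, team_grants, memberships):
    """List (stack, user) pairs whose ADMIN access rests solely on the creator grant."""
    findings = []
    for stack in stacks:
        level, sources = effective(stack["creator"], stack, org_default,
                                   team_grants, memberships)
        if level == Perm.ADMIN and sources == ["stack-creator"]:
            findings.append((stack["name"], stack["creator"]))
    return findings

# Constructed sample inventory (hypothetical users, teams and stacks).
ORG_DEFAULT = Perm.NONE
MEMBERSHIPS = {"platform": {"alice"}, "app": {"bob", "carol"}}
TEAM_GRANTS = {"prod": {"platform": Perm.ADMIN, "app": Perm.READ},
               "dev": {"app": Perm.WRITE}}
STACKS = [
    {"name": "prod", "creator": "alice", "creator_admin": True},
    {"name": "dev", "creator": "dave", "creator_admin": True},
    {"name": "staging", "creator": "bob", "creator_admin": False},
]

if __name__ == "__main__":
    for s in STACKS:
        for u in ("alice", "bob", "carol", "dave"):
            lvl, src = effective(u, s, ORG_DEFAULT, TEAM_GRANTS, MEMBERSHIPS)
            print(f"{s['name']:8} {u:6} {lvl.name:6} via {', '.join(src)}")
    print("creator-only ADMIN:",
          creator_only_admins(STACKS, ORG_DEFAULT, TEAM_GRANTS, MEMBERSHIPS))
```

A creator-only finding marks access that no team grant or organization default accounts for, which makes it a candidate for review on the stack's access settings.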