Pulumi ESC access control
Pulumi ESC allows you to enforce least-privileged access across your environments through role-based access controls (RBAC). By assigning precise permissions at the organization and team levels, you ensure that users only have access to the environments they need. All changes, including environment updates and access modifications, are fully logged to provide complete auditing and compliance tracking, helping your organization maintain security best practices.
Setting up access to environments
Organization-wide permissions
Go to the Access Management page under Settings to set Organization-wide environment permissions. Members of the organization will receive these permissions. The default environment permission is write. There are four options:
none: Members have access to none of the environments
read: Members can view only plaintext key values (i.e., the definition of the environment). They won’t be able to see the secret values in plaintext, run any provider configurations to retrieve credentials or run any functions. They cannot perform any Pulumi IaC operations such as refresh, up, destroy on stacks that import the environment
open: Members with ‘open’ permissions can decrypt secrets and see them in plaintext. Additionally, they can get dynamic credentials using provider configurations and evaluate functions defined in the environment. They can perform any Pulumi IaC operation on stacks that import an environment as long as they have ‘write’ access to the stack and ‘open’ access to the environment
write: Members will have permissions to open and update any environment
Team permissions
You can grant environment-wise permissions to members of a Team. There are four roles:
Environment reader: Team members will have read permissions
Environment opener: Team members will have open permissions
Environment editor: Team members will have write permissions
Environment admin: Team members will have write and delete permissions
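
The following is an added example, not Pulumi's own code: a small model of the levels and roles above that shows how leaving the organization-wide default at write widens access beyond what team roles grant. It assumes (the page does not state this) that a member's effective permission is the highest of the organization default and their team roles; the member names and role assignments are constructed.

```python
# Added example: models the permission levels and team roles described above.
# Assumption (not stated on the page): effective permission is the highest of
# the organization-wide default and any team role the member holds.
ORG_LEVELS = ("none", "read", "open", "write")
ROLE_TO_LEVEL = {
    "Environment reader": "read",
    "Environment opener": "open",
    "Environment editor": "write",
    "Environment admin": "write+delete",
}
RANK = {"none": 0, "read": 1, "open": 2, "write": 3, "write+delete": 4}

def effective_level(org_default, team_roles):
    """Highest level from the org default and the member's team roles."""
    if org_default not in ORG_LEVELS:
        raise ValueError(f"unknown organization-wide permission: {org_default}")
    levels = [org_default] + [ROLE_TO_LEVEL[role] for role in team_roles]
    return max(levels, key=RANK.__getitem__)

def can_decrypt(level):
    """'open' or higher is needed to see secrets or fetch dynamic credentials."""
    return RANK[level] >= RANK["open"]

def can_run_iac(stack_write, env_level):
    """IaC operations need 'write' on the stack and 'open' on the environment."""
    return stack_write and can_decrypt(env_level)

def audit(org_default, members):
    """List members whose access comes from the org default, not a team role."""
    findings = []
    for name, roles in members.items():
        team_only = effective_level("none", roles)
        effective = effective_level(org_default, roles)
        if RANK[effective] > RANK[team_only]:
            findings.append((name, team_only, effective))
    return findings

# Constructed sample: member -> team roles held on one environment.
MEMBERS = {
    "alice": ["Environment reader"],
    "bob": ["Environment opener"],
    "carol": ["Environment admin"],
    "dave": [],
}

if __name__ == "__main__":
    for org_default in ("write", "none"):
        print(org_default, audit(org_default, MEMBERS))
```

With the default of write, every member without an editor or admin role is reported; with the organization-wide permission set to none, team roles alone decide access and the audit returns nothing.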