Organization Roles
Stacks in the Pulumi Console are grouped by organizations. In order to access the stacks within an organization, a Pulumi user must have a specific role within that organization.
Organization Membership
This only applies to newer organizations on the per-member subscription plan. Organizations billed per stack have slightly different rules regarding membership.
To become a member of a Pulumi organization, you must be invited by an existing Pulumi organization administrator, or you must submit a request to the administrator for approval. In addition, depending on the organization type, you must also be a member of the third-party organization or group backing the Pulumi organization.
For example, to become a member of a Pulumi organization backed by a GitLab Group, you must associate a GitLab identity with your Pulumi account, and also be a member of that GitLab group.
Organization Roles
There are several kinds of organization roles a user may be assigned.
MEMBER
A member of a Pulumi organization can be added to organization teams, and depending on organization settings, may be able to create or delete stacks.
ADMIN
Pulumi organization admins have ADMIN access to all organization stacks, and can manage organization settings and team memberships.
Organization Settings
A Pulumi organization administrator can change the permissions available to members of the organization.
Default Stack Permission
Any organization member with the ADMIN role automatically has ADMIN permissions for all of the organization’s stacks. Regular organization members are granted the organization’s base permissions instead.
For example, if the organization’s base permission is WRITE, then any organization member can update any organization stack.
If the default stack permission is NONE, then organization members must be granted access using teams in order to update, or even view, the organization’s stacks.
Stack Creation
Pulumi organization admins can configure whether or not members can create stacks.
If enabled, any organization member can create a new stack. Otherwise, only organization admins can.
When a stack is created within an organization, the creator is given ADMIN permissions to the stack. So even if the default stack permission is NONE, the creator will be able to update the stack. Organization admins can remove a creator’s access to the stack.
Stack Deletion
Similar to stack creation, Pulumi organization admins can configure whether or not organization members can delete stacks.
If enabled, any organization member with ADMIN permission on the stack can delete it. Otherwise, only Pulumi organization admins can.
Stack Transfer
If enabled, organization members will be able to transfer stacks to another Pulumi organization.
Transferring a stack to another organization requires that the user performing the action has both ADMIN permission to the stack being moved, and has the MEMBER or ADMIN role within the organization the stack is being transferred to.
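The rules above can be checked against a planned configuration with a small model. This is an added example, not Pulumi code or the Pulumi API: the class and function names and the users are hypothetical, and it assumes that the highest of the base permission and a team grant applies and that the transfer setting, like creation and deletion, gates members rather than organization admins.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Perm(IntEnum):                     # only the levels the page names
    NONE = 0
    WRITE = 1
    ADMIN = 2

@dataclass
class Org:
    roles: dict                          # user -> "MEMBER" or "ADMIN"
    base_permission: Perm = Perm.NONE    # the default stack permission
    members_can_create: bool = False
    members_can_delete: bool = False
    members_can_transfer: bool = False

@dataclass
class Stack:
    org: Org
    creator: str = ""                    # cleared if an org admin removes the creator's access
    team_grants: dict = field(default_factory=dict)   # user -> Perm granted via teams

def effective_permission(user, stack):
    role = stack.org.roles.get(user)
    if role is None:
        return Perm.NONE                 # not a member of the organization
    if role == "ADMIN" or user == stack.creator:
        return Perm.ADMIN
    # Assumption: the highest of base permission and team grant applies.
    return max(stack.org.base_permission, stack.team_grants.get(user, Perm.NONE))

def can_create(user, org):
    return org.roles.get(user) == "ADMIN" or (user in org.roles and org.members_can_create)

def can_delete(user, stack):
    if stack.org.roles.get(user) == "ADMIN":
        return True
    return stack.org.members_can_delete and effective_permission(user, stack) == Perm.ADMIN

def can_transfer(user, stack, dest):
    # Assumption: like creation and deletion, the setting gates members, not org admins.
    allowed = stack.org.members_can_transfer or stack.org.roles.get(user) == "ADMIN"
    return (allowed and effective_permission(user, stack) == Perm.ADMIN
            and dest.roles.get(user) in ("MEMBER", "ADMIN"))

# Constructed scenario: base permission NONE, members may create stacks.
acme = Org(roles={"alice": "ADMIN", "bob": "MEMBER", "carol": "MEMBER"}, members_can_create=True)
stack = Stack(org=acme, creator="bob", team_grants={"carol": Perm.WRITE})
print({u: effective_permission(u, stack).name for u in ("alice", "bob", "carol", "mallory")})
```

With the default stack permission at NONE, the creator (bob) still resolves to ADMIN, which is the case to review when stack creation, deletion or transfer is enabled for members.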