Pulumi Cloud access tokens
Use access tokens to sign into the Pulumi Cloud via the CLI or automate your usage of the Pulumi Cloud using the REST API. Learn more about the REST API in the Pulumi Cloud REST API docs.
Pulumi offers three types of access tokens:
- Personal tokens, which map to the permissions of an individual user. Personal tokens are available to all Pulumi Cloud users.
- Organization tokens, which map to the permissions of either a regular organization member or an organization admin, depending on the scope of the token. Organization tokens are only available to Enterprise and Business Critical customers.
- Team tokens, which map to the permissions of a team within an organization. For more information on using teams within your Pulumi Cloud organization, see Teams & Role-based access control (RBAC). Team tokens are only available to Enterprise and Business Critical customers.
When using tokens, be mindful of the following security best practices:
- Organization and team access tokens are machine tokens that are not connected to a user account, and therefore should only be used in scenarios like CI/CD pipelines, where the Pulumi actions are not being performed directly by a particular user.
- Tokens can optionally be assigned an expiration period of up to two years, at which point the token will no longer be valid for any Pulumi operation. Expired tokens cannot be refreshed or reactivated. It’s strongly recommended that you assign an expiration to your token to encourage token rotation and improve your organization’s security posture.
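As an added example (not code from the Pulumi docs or the Pulumi project), the following Python shows the two uses the introduction mentions together with the expiration guidance above: it authenticates a Pulumi Cloud REST API request with a token read from the PULUMI_ACCESS_TOKEN environment variable (the same variable the CLI reads, so the token is never hard-coded), redacts the token for logging, and reviews an inventory of tokens for the hygiene this section recommends (no expiration, expired, lifetime beyond the two-year maximum, or due for rotation). The `Authorization: token ...` and `Accept: application/vnd.pulumi+8` headers and the `/api/user` endpoint are what the REST API documents; the 30-day rotation window, the inventory field names and the sample inventory are assumptions constructed for this example.

```python
"""Added example, not Pulumi's own code.

Assumptions: the REST API accepts `Authorization: token <TOKEN>` and
`Accept: application/vnd.pulumi+8` (documented), the 30-day rotation window is
our own policy, and SAMPLE_TOKENS is constructed data, not the output of any
real endpoint or export."""
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

PULUMI_API = "https://api.pulumi.com"
MAX_TOKEN_LIFETIME = timedelta(days=2 * 365)   # page: expiration of up to two years
ROTATION_WARNING = timedelta(days=30)            # assumption: our own rotation window


def api_headers(token: str) -> dict:
    """Headers for an authenticated Pulumi Cloud REST API request."""
    return {
        "Authorization": f"token {token}",
        "Accept": "application/vnd.pulumi+8",
        "Content-Type": "application/json",
    }


def mask(token: str) -> str:
    """Redact a token for logs: keep only the prefix and the last four characters."""
    if len(token) <= 8:
        return "***"
    return token[:4] + "..." + token[-4:]


def whoami(token: str, base_url: str = PULUMI_API) -> dict:
    """GET /api/user: confirm which identity a token maps to before a pipeline uses it."""
    req = urllib.request.Request(f"{base_url}/api/user", headers=api_headers(token))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def review_tokens(tokens, now):
    """Classify each inventory entry (fields 'name', 'created', 'expires' are assumed;
    'expires' is an ISO 8601 timestamp or None for a token that never expires)."""
    findings = []
    for t in tokens:
        if t["expires"] is None:
            findings.append((t["name"], "no-expiration"))
            continue
        created = datetime.fromisoformat(t["created"])
        expires = datetime.fromisoformat(t["expires"])
        if expires - created > MAX_TOKEN_LIFETIME:
            status = "exceeds-max-lifetime"      # longer than Pulumi allows; inventory is stale or wrong
        elif expires <= now:
            status = "expired"                   # cannot be refreshed; create a new token
        elif expires - now <= ROTATION_WARNING:
            status = "rotate-soon"               # issue the replacement before this one lapses
        else:
            status = "ok"
        findings.append((t["name"], status))
    return findings


# Constructed sample inventory (assumed field names), frozen at a fixed "now".
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_TOKENS = [
    {"name": "ci-deploy", "created": "2024-01-01T00:00:00+00:00", "expires": "2024-06-15T00:00:00+00:00"},
    {"name": "legacy-bot", "created": "2022-03-01T00:00:00+00:00", "expires": None},
    {"name": "preview-runner", "created": "2023-01-01T00:00:00+00:00", "expires": "2026-01-01T00:00:00+00:00"},
    {"name": "old-ci", "created": "2023-01-01T00:00:00+00:00", "expires": "2024-01-01T00:00:00+00:00"},
    {"name": "release", "created": "2024-05-01T00:00:00+00:00", "expires": "2025-05-01T00:00:00+00:00"},
]


if __name__ == "__main__":
    token = os.environ.get("PULUMI_ACCESS_TOKEN")
    if token:
        print("using token", mask(token))
        print("identity:", whoami(token))
    for name, status in review_tokens(SAMPLE_TOKENS, NOW):
        print(f"{name:16} {status}")
```

In a pipeline, `whoami` is a cheap pre-flight check that the secret injected into the job is the organization or team token you intended rather than someone's personal token; the inventory review is the kind of periodic check that turns the "assign an expiration" recommendation into a rotation schedule.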
Access token permissions
Personal access tokens map to the permissions of a user, organization access tokens map to the permissions of an organization member, and team access tokens map to the permissions of a team member.
Both organization and team token activities produce audit log events which are accessible from the Audit Logs page. All audit log events surface the token’s unique name, and in the event of audit log export, the token’s UUID as well.
Action | Personal | Team | Organization | Admin |
---|---|---|---|---|
Stacks | Personal | Team | Organization | Admin |
List stacks | ✅ | ✅ | ✅ | ✅ |
Get stack | ✅ | ✅ | ✅ | ✅ |
Get stack state | ✅ | ✅ | ✅ | ✅ |
Transfer stack | ✅ | |||
Delete stack | ✅ | ✅ | ✅ | ✅ |
List webhooks | ✅ | ✅ | ✅ | |
Create webhook | ✅ | ✅ | ✅ | |
Get webhook | ✅ | ✅ | ✅ | |
Ping webhook | ✅ | ✅ | ✅ | |
List webhook deliveries | ✅ | ✅ | ✅ | |
Stack tags | Personal | Team | Organization | Admin |
Get stack tags | ✅ | ✅ | ✅ | ✅ |
Set stack tag | ✅ | ✅ | ✅ | ✅ |
Delete stack tag | ✅ | ✅ | ✅ | ✅ |
Stack updates | Personal | Team | Organization | Admin |
List stack updates | ✅ | ✅ | ✅ | ✅ |
Get update status | ✅ | ✅ | ✅ | ✅ |
List update events | ✅ | ✅ | ✅ | ✅ |
List previews | ✅ | ✅ | ✅ | ✅ |
Organizations | Personal | Team | Organization | Admin |
List users | ✅ | ✅ | ✅ | |
Add user to organization | ✅ | |||
Remove user from organization | ✅ | |||
List teams | ✅ | ✅ | ✅ | |
Create team | ✅ | ✅ | ||
Delete team | ✅ | ✅ | ||
Update team membership | ✅ | |||
Grant stack access to team | ✅ | |||
Remove stack access from team | ✅ | |||
Create team token | ✅ | |||
Delete team token | ✅ | |||
Update member role | ✅ | |||
List access tokens | ✅ | |||
Create access token | ||||
Delete access token | ||||
Webhooks | Personal | Team | Organization | Admin |
List stack webhooks | ✅ | ✅ | ✅ | ✅ |
Create stack webhook | ✅ | ✅ | ✅ | ✅ |
Get stack webhook | ✅ | ✅ | ✅ | ✅ |
Ping stack webhook | ✅ | ✅ | ✅ | ✅ |
List stack webhooks deliveries | ✅ | ✅ | ✅ | ✅ |
List organization webhooks | ✅ | |||
Create organization webhook | ✅ | |||
Get organization webhook | ✅ | |||
Ping organization webhook | ✅ | |||
List organization webhooks deliveries | ✅ | |||
Audit logs | Personal | Team | Organization | Admin |
Get audit log events (JSON) | ✅ | |||
Export audit log events (CSV or CEF) | ✅ | |||
Personal access tokens
These access tokens have the same permissions as your user.
Creating Personal Access Tokens
To create an access token:
- Select Personal access tokens from the user menu.
- Select Create token, which will open a dialog.
- Optionally, you may assign a description for additional context.
- Choose an expiration period of up to two years. You may also choose that the token does not expire.
- Select Create token in the dialog to create the token.
It is strongly recommended that you choose an expiration period for all access tokens you create.
Deleting Personal Access Tokens
To delete an access token:
- Select Personal access tokens from the user menu.
- Select Delete token from the 3-dot menu at the end of the table row.
Organization access tokens
Organization access tokens provide the following benefits:
- Organization access tokens belong to the organization. Any organization admin can view, create, and delete organization tokens. If a member of your organization leaves, you don’t have to worry about losing access to core CI/CD tokens attached to their personal account.
- Promotes less privileged access, as an Organization Access Token, unlike a Personal Access Token, is granted privileges only to the organization in which it was created, rather than to all organizations a single user belongs to.
- Audit logs and update history are attributed to the organization, rather than an individual user.
Creating an organization access token
Navigate to your organization and then:
- Navigate to Settings > Access Tokens.
- Select Create token, which will open a dialog.
- Provide a unique name for this token across your organization. It can be up to 40 characters.
- Optionally, you may assign a description for additional context.
- Choose an expiration period of up to two years. You may also choose that the token does not expire.
- Select Create token in the dialog to create the token.
The token must have a name that is unique among all organization and team access tokens in the organization, including deleted tokens. This allows tokens performing operations on behalf of your organization to be identifiable in the event that one is compromised. Any other organization admin can delete this token; it is not owned by the admin who created it. Creation of organization access tokens is logged as an audit log event.
It is strongly recommended that you choose an expiration period for all access tokens you create.
Admin organization access tokens
Admin organization access tokens (or admin tokens) are organization tokens with elevated, administrator-level privileges. Admin tokens allow automated processes to perform any operation supported for organization administrators except for the creation or deletion of other organization tokens.
To create an admin organization access token, select the Admin option when creating an organization token, following the steps above.
Exercise caution and limit the use of admin organization access tokens to scenarios where they are absolutely necessary. Avoid unnecessary sharing and adhere to the principle of least privilege. Admin tokens can be deleted from the Access Tokens page within your organization settings following the process below.
Viewing organization access tokens
Organization access tokens are viewed by navigating to Access tokens from the organization settings.
Deleting organization access tokens
Organization access tokens can be deleted by any organization admin at any time.
- Navigate to Settings > Access Tokens.
- Choose Delete token from the action menu. You will be prompted in a dialog to confirm your choice.
If you choose to delete a token, its access will immediately be revoked and all further operations using it will fail as unauthorized. The token name will remain reserved for your organization after deletion.
Team access tokens
Team access tokens provide the following benefits:
- Managed by organization and team admins, allowing more users in your organization to leverage machine tokens.
- Support user-independent usage in your CI integrations while having less privileged scope to other stacks in your organization.
Creating team access tokens
Navigate to your Pulumi Organization, then:
- Select Teams.
- Select the Pulumi Team you would like to attach the token to.
- Scroll to Access Tokens.
- Select Create token, which will open a dialog.
- Provide a unique name for this token across your organization. It can be up to 40 characters.
- Optionally, you may assign a description for additional context.
- Choose an expiration period of up to two years. You may also choose that the token does not expire.
- Select Create token in the dialog to create the token.
The token must have a name that is unique among all organization and team access tokens in the organization, including deleted tokens. This allows tokens performing operations on behalf of your organization to be identifiable in the event that one is compromised. Any other organization admin can delete this token; it is not owned by the admin who created it. Creation of organization access tokens is logged as an audit log event.
It is strongly recommended that you choose an expiration period for all access tokens you create.
Viewing team access tokens
To view team access tokens:
- Select Teams.
- Select a team.
- Scroll to the Team Access Tokens card.
Deleting team access tokens
Team access tokens can be deleted by any Organization or Team admin.
To delete a team access token:
- Select Teams.
- Select a team.
- Scroll to the Team Access Tokens card.
- Select the ellipsis button.
- Choose Delete token. You will be prompted in a dialog to confirm your choice.
If you choose to delete a token, its access will immediately be revoked and all further operations using it will fail as unauthorized. The token name will remain reserved for your organization after deletion.