Pulumi Cloud access tokens
Use access tokens to sign into the Pulumi Cloud via the CLI or automate your usage of the Pulumi Cloud using the REST API. Learn more about the REST API in the Pulumi Cloud REST API docs.
Pulumi offers three types of access tokens: personal, organization, and team. Personal access tokens are available to everyone; organization and team access tokens are only available to Enterprise and Business Critical customers. Organization and team access tokens are machine tokens that are not connected to a user account.
Access token permissions
Personal access tokens map to the permissions of a user, organization access tokens map to the permissions of an organization member, and team access tokens map to the permissions of a team member.
Both organization and team token activities produce audit log events, which are accessible from the Audit Logs page. All audit log events surface the token's unique name and, in the event of audit log export, the token's UUID as well.
Action | Personal | Team | Organization | Admin |
---|---|---|---|---|
Stacks | Personal | Team | Organization | Admin |
List stacks | ✅ | ✅ | ✅ | ✅ |
Get stack | ✅ | ✅ | ✅ | ✅ |
Get stack state | ✅ | ✅ | ✅ | ✅ |
Transfer stack | ✅ | | | |
Delete stack | ✅ | ✅ | ✅ | ✅ |
List webhooks | ✅ | ✅ | ✅ | |
Create webhook | ✅ | ✅ | ✅ | |
Get webhook | ✅ | ✅ | ✅ | |
Ping webhook | ✅ | ✅ | ✅ | |
List webhook deliveries | ✅ | ✅ | ✅ | |
Stack tags | Personal | Team | Organization | Admin |
Get stack tags | ✅ | ✅ | ✅ | ✅ |
Set stack tag | ✅ | ✅ | ✅ | ✅ |
Delete stack tag | ✅ | ✅ | ✅ | ✅ |
Stack updates | Personal | Team | Organization | Admin |
List stack updates | ✅ | ✅ | ✅ | ✅ |
Get update status | ✅ | ✅ | ✅ | ✅ |
List update events | ✅ | ✅ | ✅ | ✅ |
List previews | ✅ | ✅ | ✅ | ✅ |
Organizations | Personal | Team | Organization | Admin |
List users | ✅ | ✅ | ✅ | |
Add user to organization | ✅ | | | |
Remove user from organization | ✅ | | | |
List teams | ✅ | ✅ | ✅ | |
Create team | ✅ | ✅ | | |
Delete team | ✅ | ✅ | | |
Update team membership | ✅ | | | |
Grant stack access to team | ✅ | | | |
Remove stack access from team | ✅ | | | |
Create team token | ✅ | | | |
Delete team token | ✅ | | | |
Update member role | ✅ | | | |
List access tokens | ✅ | | | |
Create access token | | | | |
Delete access token | | | | |
List webhooks | ✅ | ✅ | | |
Create webhook | ✅ | ✅ | | |
Get webhook | ✅ | ✅ | | |
Ping webhook | ✅ | ✅ | | |
List webhook deliveries | ✅ | ✅ | | |
Audit logs | Personal | Team | Organization | Admin |
Get audit log events (JSON) | ✅ | | | |
Export audit log events (CSV or CEF) | ✅ | | | |
Personal access tokens
These access tokens have the same permissions as your user.
Creating Personal Access Tokens
To create an access token:
- Select Personal access tokens from the user menu.
- Select Create token.
Deleting Personal Access Tokens
To delete an access token:
- Select Personal access tokens from the user menu.
- Select Delete token from the 3-dot menu at the end of the table row.
Organization access tokens
Organization access tokens provide the following benefits:
- Organization access tokens belong to the organization. Any organization admin can view, create, and delete organization tokens. If a member of your organization leaves, you don’t have to worry about losing access to core CI/CD tokens attached to their personal account.
- Organization access tokens promote less privileged access: unlike a personal access token, an organization access token is granted privileges only to the organization in which it was created, rather than to all organizations a single user belongs to.
- Audit logs and update history are attributed to the organization, rather than an individual user.
Creating an organization access token
Navigate to your organization and then:
- Navigate to Settings > Access Tokens.
- Select Create token.
The token must have a name that is unique among all organization and team access tokens in the organization, including deleted tokens. This allows tokens taking operations on behalf of your organization to be identifiable in the event that one is compromised. Any other organization admin can delete this token; it is not owned by the admin who created it. Creation of organization access tokens is logged as an audit log event.
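The audit attribution described above (unique token name, plus the UUID in exports) is what lets you scope a suspected token compromise. The following script is an added example, not Pulumi's own code: it groups exported events by token and flags events whose source IP falls outside the networks your CI runs from. The JSON field names, event names, token names, and the CI allowlist are assumptions constructed for this example.

```python
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample export. The field names (timestamp, sourceIP, event,
# tokenName, tokenID) and event names are assumptions for this example, not a
# documented schema; rename them to match the columns in your real export.
SAMPLE_EXPORT = json.dumps([
    {"timestamp": 1700000000, "sourceIP": "203.0.113.10", "event": "Stack updated",
     "tokenName": "ci-deploy", "tokenID": "00000000-0000-4000-8000-000000000001"},
    {"timestamp": 1700003600, "sourceIP": "203.0.113.11", "event": "Stack updated",
     "tokenName": "ci-deploy", "tokenID": "00000000-0000-4000-8000-000000000001"},
    {"timestamp": 1700007200, "sourceIP": "198.51.100.7", "event": "Stack deleted",
     "tokenName": "ci-deploy", "tokenID": "00000000-0000-4000-8000-000000000001"},
    {"timestamp": 1700007300, "sourceIP": "203.0.113.10", "event": "Stack tag set",
     "tokenName": "team-infra", "tokenID": "00000000-0000-4000-8000-000000000002"},
    {"timestamp": 1700007400, "sourceIP": "192.0.2.44", "event": "Member added",
     "user": "alice"},  # user-attributed event: no machine token involved
])

# Hypothetical allowlist: networks your CI runners egress from.
CI_NETWORKS = [ip_network("203.0.113.0/24")]


def summarize_token_activity(export_json, ci_networks):
    """Group machine-token events by token name; flag off-allowlist source IPs."""
    report = defaultdict(lambda: {"token_id": None, "events": 0,
                                  "first": None, "last": None, "suspect": []})
    for ev in json.loads(export_json):
        name = ev.get("tokenName")
        if not name:  # skip events not attributed to an org/team token
            continue
        entry, ts = report[name], ev["timestamp"]
        entry["token_id"] = ev.get("tokenID")
        entry["events"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        if not any(ip_address(ev["sourceIP"]) in net for net in ci_networks):
            entry["suspect"].append((ts, ev["event"], ev["sourceIP"]))
    return dict(report)


if __name__ == "__main__":
    for name, info in summarize_token_activity(SAMPLE_EXPORT, CI_NETWORKS).items():
        print(name, info["token_id"], info["events"], info["suspect"])
```

A token that shows off-allowlist activity can then be deleted from the Access Tokens page, which revokes its access immediately while its name stays reserved for later audit correlation.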
Admin organization access tokens
Admin organization access tokens (or admin tokens) are organization tokens with elevated, administrator-level privileges. Admin tokens allow automated processes to perform any operation supported for organization administrators except for the creation or deletion of other organization tokens.
To create an admin organization access token, select the Admin option when creating an organization token, following the steps above.
Exercise caution and limit the use of admin organization access tokens to scenarios where they are absolutely necessary. Avoid unnecessary sharing and adhere to the principle of least privilege. Admin tokens can be deleted from the Access Tokens page within your organization settings following the process below.
Viewing organization access tokens
To view organization access tokens, navigate to Access tokens from the organization settings.
Deleting organization access tokens
Organization access tokens can be deleted by any organization admin at any time.
- Navigate to Settings > Access Tokens.
- Choose Delete token from the action menu. You will be prompted in a dialog to confirm your choice.
If you choose to delete a token, its access will immediately be revoked and all further operations using it will fail as unauthorized. The token name will remain reserved for your organization after deletion.
Team access tokens
Team access tokens provide the following benefits:
- Managed by organization and team admins, allowing more users in your organization to leverage machine tokens.
- Support user-independent usage in your CI integrations while having less privileged scope to other stacks in your organization.
Creating team access tokens
Navigate to your Pulumi Organization, then:
- Select Teams.
- Select the Pulumi Team you would like to attach the token to.
- Scroll to Access Tokens.
The token must have a name that is unique among all organization and team access tokens in the organization, including deleted tokens. This allows tokens taking operations on behalf of your organization to be identifiable in the event that one is compromised. Any other organization admin can delete this token; it is not owned by the admin who created it. Creation of organization access tokens is logged as an audit log event.
Viewing team access tokens
To view team access tokens:
- Select Teams.
- Select a team.
- Scroll to the Team Access Tokens card.
Deleting team access tokens
Team access tokens can be deleted by any Organization or Team admin.
To delete a team access token:
- Select Teams.
- Select a team.
- Scroll to the Team Access Tokens card.
- Select the ellipsis button.
- Choose Delete token. You will be prompted in a dialog to confirm your choice.
If you choose to delete a token, its access will immediately be revoked and all further operations using it will fail as unauthorized. The token name will remain reserved for your organization after deletion.