RBAC Scopes
This document defines all the available scopes in Pulumi Cloud assignable to specific stacks or sets of stacks.
Creating, listing, and restoring stacks are organization-level operations; the scopes for them are listed under the organization settings scopes.
Stacks
Value | Description |
---|---|
stack:cancel_update | Cancel an ongoing stack update operation. This halts the current deployment or update process. Granted by default permission: Stack Write |
stack:decrypt | Decrypt sensitive stack data. This allows viewing encrypted configuration values and secrets. Granted by default permission: Stack Read |
stack:delete | Delete a stack and its associated resources. This permanently removes the stack from the organization. Granted by default permission: Stack Admin |
stack:encrypt | Encrypt stack data. This secures sensitive information within the stack. Granted by default permission: Stack Read |
stack:export | Export stack data and configurations. This allows creating backups or migrating stacks. Granted by default permission: Stack Read |
stack:import | Import resources into a stack. This allows bringing external resources under management. Granted by default permission: Stack Write |
stack:read | View stack configurations and settings. This provides read-only access to stack details and parameters. Granted by default permission: Stack Read |
stack:rename | Change the name of a stack. This updates the stack’s display name across the platform. Granted by default permission: Stack Admin |
stack:transfer | Transfer ownership of a stack to another organization or user. This is used for organizational restructuring or migration. Granted by default permission: Stack Admin |
stack:write | Modify stack configurations and settings. This allows updating stack parameters and resource definitions. Granted by default permission: Stack Write |
Annotations
Value | Description |
---|---|
stack_annotations:read | View annotations attached to a stack. This provides context and metadata for stack resources. Granted by default permission: Stack Read |
stack_annotations:update | Modify or add annotations to a stack. This allows updating stack metadata and documentation. Granted by default permission: Stack Write |
Stack Deployments
Value | Description |
---|---|
stack_deployment_cache:read | View the deployment cache for a stack. This includes access to cached deployment artifacts and data. Granted by default permission: Stack Write |
stack_deployment:create | Create a new deployment for a stack. This initiates the deployment process for infrastructure resources. Granted by default permission: Stack Write |
stack_deployment:read | View details of stack deployments. This includes access to deployment status and history. Granted by default permission: Stack Read |
stack_deployment_settings:encrypt | Encrypt deployment settings for a stack. This secures sensitive configuration data. Granted by default permission: Stack Write |
stack_deployment_settings:read | View deployment settings for a stack. This includes access to configuration parameters and metadata. Granted by default permission: Stack Read |
stack_deployment_settings:write | Modify deployment settings for a stack. This allows updating configuration parameters and metadata. Granted by default permission: Stack Write |
Stack Deploy Schedules
Value | Description |
---|---|
stack_schedule:create | Create a new schedule for automated stack deployments. This allows setting up recurring deployment tasks. Granted by default permission: Stack Write |
stack_schedule:delete | Delete an existing stack deployment schedule. This permanently removes the scheduled task. Granted by default permission: Stack Write |
stack_schedule:pause | Pause a scheduled stack deployment. This temporarily halts the scheduled deployment process. Granted by default permission: Stack Write |
stack_schedule:read | View stack deployment schedule configurations. This includes access to schedule details and execution history. Granted by default permission: Stack Read |
stack_schedule:resume | Resume a paused stack deployment schedule. This restores automated deployment operations. Granted by default permission: Stack Write |
stack_schedule:update | Modify an existing stack deployment schedule. This allows updating timing, frequency, and other schedule parameters. Granted by default permission: Stack Write |
Stack Tags
Value | Description |
---|---|
stack_tags:update | Update tags associated with a stack. This helps in organizing and categorizing stack resources. Granted by default permission: Stack Write |
Stack Webhooks
Value | Description |
---|---|
stack_webhook:create | Create a new webhook for stack events. This enables integration with external systems for event notifications. Granted by default permission: Stack Write |
stack_webhook:delete | Delete an existing stack webhook. This removes the integration and stops event delivery. Granted by default permission: Stack Write |
stack_webhook:read | View stack webhook configurations. This includes access to webhook endpoints and event triggers. Granted by default permission: Stack Write |
stack_webhook:update | Modify an existing stack webhook. This allows updating endpoint URLs and event subscriptions. Granted by default permission: Stack Write |