Stack permissions
The Pulumi Cloud provides fine-grained access controls for stacks. Stack permissions are based on the member’s role within the organization and their team membership. Additionally, any member who creates a stack is granted admin permissions on that stack.
Organization admins can control the stack default permissions at the organization level from Settings > Access Management.
There are four types of stack permissions: None, Read, Write, and Admin.
Team permissions will expand these default permissions.
Permission Levels
Stack permissions allow users to perform the following actions:
| Action | None | Read | Write | Admin |
|---|---|---|---|---|
| View update history | ✅ | ✅ | ✅ | |
| Decrypt secret configuration | ✅ | ✅ | ✅ | |
| Read stack resources | ✅ | ✅ | ✅ | |
| Preview stack changes | ✅ | ✅ | ✅ | |
| Update stack | ✅ | ✅ | ||
Destroy stack (pulumi destroy) | ✅ | ✅ | ||
| Export stack checkpoint | ✅ | ✅ | ✅ | |
| Import stack checkpoint | ✅ | ✅ | ||
Delete stack (pulumi stack rm) | ✅ | |||
| Transfer to another organization | ✅ | |||
| Search stack resources | ✅ | ✅ | ✅ |
Managing Stack Permissions
Default Permissions
Organization admins can set default stack permissions for all members of the organization:
- Navigate to Settings > Access Management.
- Under Stack Default Permissions, select the desired permission level.
- Click Save to apply the changes.
Team-based Permissions
You can grant specific permissions to teams for better access control:
- Navigate to Settings > Teams.
- Select an existing team or create a new one.
- Under Stack Permissions, set the permission level for the team.
- Click Save to apply the changes.
For more information on team-based permissions, see Team permissions.
Stack Creator Permissions
By default, the user who creates a stack is granted admin permissions on that stack. This ensures that the creator can manage the stack they created regardless of default organization permissions.
Related Resources
Thank you for your feedback!
If you have a question about how to use Pulumi, reach out in Community Slack.
Open an issue on GitHub to report a problem or suggest an improvement.