
Team tokens

    Team Access Tokens are only available to organizations using Pulumi Enterprise or Pulumi Business Critical. To learn more about our editions, visit our pricing page.

    Team Access Tokens, like Organization Access Tokens, provide Enterprise and Business Critical customers the opportunity to manage resources and stack operations for their organization independent of a single-user account. However, Team Access Tokens enable this access to be scoped to the stack access of a Pulumi Team, rather than to the entire organization’s stacks.

    Collectively Organization Access Tokens and Team Access Tokens are referred to as “machine tokens”, which are not owned by a real user in your organization. This distinguishes them from Personal Access Tokens.

    Team Access Tokens are available on Enterprise and Business Critical subscriptions, as well as trials.

    Team Access Tokens provide several benefits over Organization and Personal Access Tokens:

    • They can be managed by Team Admins in addition to Organization Admins, allowing more users in your organization to leverage machine tokens.
    • They support user-independent usage in your CI integrations while having less privileged scope to other stacks in your organization.

    Creating a Team Access Token

    Navigate to your Pulumi Organization, then:

    1. Select Teams.
    2. Select the Pulumi Team you would like to attach the token to.
    3. Scroll to Access Tokens.

    Team Access Tokens, like Organization Access Tokens, must have a name that is unique among all Organization Access Tokens belonging to that organization. This allows tokens performing operations on behalf of your organization to be identifiable in the event that one is compromised.

    Once you name a token, the name is taken forever, even after you delete it. This is in order to maintain the integrity of Audit Log Events, which persist the token’s name as part of the event (see below). Any other Organization Admin, or a Team Admin for the associated team, can delete the token, since tokens are managed by the team and not by a user.

    The creation of any Team Access Token, and the user who performed it, is logged as an Audit Log Event.

    Viewing Team Access Tokens

    To view Team Access Tokens, go to your Pulumi Team page within your respective organization and scroll to the Team Access Tokens card. Only Organization Admins and Team Admins for the Team will see this card.

    Deleting a Team Access Token

    A Team Access Token can be deleted by any Team Admin, for the specific Team that it belongs to, or any Organization Admin. No other member types of the organization can delete a Team Access Token.

    From the organization’s homepage, follow the same steps as for all other Access Token types:

    1. Select Teams.
    2. Navigate to the desired Pulumi Team.
    3. Scroll to the Team Access Tokens card.
    4. Select the ellipsis button.
    5. Choose Delete token. You will be prompted in a dialog to confirm your choice.

    If you choose to delete a token, its access will immediately be revoked and all further operations using it will fail as unauthorized. That token’s name will remain reserved for your organization to preserve its uniqueness in Audit Log Events for any operations that it carried out.

    Auditing Team Token Actions

    Since an organization can have many machine tokens, it’s necessary to be able to identify them uniquely in Audit Log Events. All Audit Log Events which were triggered by a Team Access Token will surface the token’s unique name, and in the event of Audit Log Export, the token’s UUID as well.
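    Because the token name is unique and reserved even after deletion, an Audit Log Export can be attributed to machine tokens reliably. The following added example (not Pulumi’s code) does that over a constructed export: it groups events by token name and UUID, and flags events carried out by a token the admin does not recognize or by a token after its recorded revocation time. The CSV column names, the sample rows, and the known-token and revocation lists are assumptions made for the illustration.

```python
"""Attribute Pulumi audit-log export records to machine tokens.

Added example, not Pulumi's code. The CSV column names below are an
assumption for this illustration; check the headers of your own Audit
Log Export before reusing the field names.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export. A blank token_name marks an event performed
# by a real user rather than a machine token.
SAMPLE_EXPORT = """\
timestamp,event,token_name,token_id,description
2023-06-01T10:00:00Z,stack.update,ci-deploy-prod,11111111-1111-1111-1111-111111111111,Updated stack prod
2023-06-01T10:30:00Z,stack.update,ci-deploy-prod,11111111-1111-1111-1111-111111111111,Updated stack prod
2023-06-01T11:00:00Z,stack.delete,ci-deploy-staging,22222222-2222-2222-2222-222222222222,Deleted stack staging
2023-06-01T11:30:00Z,stack.update,ci-unknown,33333333-3333-3333-3333-333333333333,Updated stack prod
2023-06-01T12:00:00Z,stack.update,,,Updated stack dev as user alice
"""

# Assumed admin-maintained inventory: token names currently expected to
# exist, and the time at which a token was deleted in the Pulumi console.
KNOWN_TOKENS = {"ci-deploy-prod", "ci-deploy-staging"}
REVOKED_AT = {"ci-deploy-prod": datetime(2023, 6, 1, 10, 5, tzinfo=timezone.utc)}


def parse_export(text):
    """Return the export's rows as dicts keyed by the CSV header."""
    return list(csv.DictReader(io.StringIO(text)))


def machine_token_events(rows):
    """Group events by (token_name, token_id), skipping user-performed events."""
    by_token = defaultdict(list)
    for row in rows:
        if row["token_name"]:
            by_token[(row["token_name"], row["token_id"])].append(row)
    return by_token


def suspicious_events(rows, revoked_at=REVOKED_AT, known_tokens=KNOWN_TOKENS):
    """Return (reason, row) pairs worth investigating: a machine token whose
    name is not in the inventory, or a known token acting after it was revoked
    (the page states such operations should fail as unauthorized)."""
    flagged = []
    for row in rows:
        name = row["token_name"]
        if not name:
            continue
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        if name not in known_tokens:
            flagged.append(("unknown-token", row))
        elif name in revoked_at and ts > revoked_at[name]:
            flagged.append(("after-revocation", row))
    return flagged
```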

    Permissions/Authorization

    Team Access Tokens behave like a team member with the stack permissions granted by that team. They do not grant any privileges to view the Pulumi Cloud UI, or to create additional tokens of any type. See below for a full list of accessible APIs:

    API Access

    See the Pulumi Cloud REST API docs for more information about each API endpoint.

    Stacks

    These are dependent on the stack permissions granted to the team associated with the Team Access Token. A stack can only be deleted if the team has Admin stack permissions. Webhooks can only be managed if the team has Write stack permissions.

    Action
    List Stacks
    Get Stack
    Get Stack State
    Transfer Stack
    Delete Stack
    Create Webhook
    List Webhooks
    Get Webhook
    Ping Webhook
    List Webhooks Deliveries

    Stack Tags

    These are dependent on the stack permissions granted to the team associated with the Team Access Token. A stack tag can only be set or deleted if the team has Write stack permissions.

    Action
    Get Stack Tags
    Set Stack Tag
    Delete Stack Tag

    Stack Updates

    Action
    List Stack Updates
    Get Update Status
    List Update Events
    List Previews

    Organizations

    Action
    List Users
    Add User to Organization
    Remove User from Organization
    List Teams
    Create Team
    Delete Team
    Update Team Membership
    Grant Stack Access to Team
    Remove Stack Access from Team
    Update User’s Role
    List User Access Tokens
    Create User Access Token
    Delete User Access Token
    Create Webhook
    List Webhooks
    Get Webhook
    Ping Webhook
    List Webhooks Deliveries

    Audit Logs

    Action / Team Token Access
    Get Audit Log Events (JSON)
    Export Audit Log Events (CSV or CEF)