# pulumi-deployments
d
Security question… is it a terrible idea to trust the Role that Pulumi Deployments uses to assume a role that has Admin privileges in an AWS account?
b
the reality of IaC is that it needs to be a highly privileged role to achieve everything it needs to. Creating resources with Pulumi usually needs a lot of permissions.
You can create a role with lower scope using iamlive (https://github.com/iann0036/iamlive), which is less privileged
regarding trusting the role with admin, OIDC means that the pulumi deployment runner only gets temporary credentials which expire on each run, it’s largely a case of “it depends” if you trust that
d
thank you—yeah this is how I’ve been thinking about it… the ROI on granular permissions seems low right now as it’s going to be tedious to lock down the role permissions especially as we iterate on our stacks
l
Deployments run on single use VMs and compute and storage are never shared across runs. We designed our architecture to maximize isolation. In addition, OIDC does allow you to fine tune things like credential lifetime and expiry. In the future, we will offer the ability to host your own deployment runners.
d
oh, nice!
thank you for the context!