Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
d
dry-journalist-60579
03/16/2023, 4:25 PMSecurity question… is it a terrible idea to trust the Role that Pulumi Deployments uses to assume a role that has Admin privileges in an AWS account?
b
billowy-army-68599
03/16/2023, 6:08 PMthe reality of IaC is that it needs to be a highly privileged role to achieve everything it needs to. Creating resources with Pulumi usually needs a lot of permissions.
You can create a role with lower scope using iamlive https://github.com/iann0036/iamlive which is less privileged
regarding trusting the role with admin, OIDC means that the pulumi deployment runner only gets temporary credentials which expire on each run, it’s largely a case of “it depends” if you trust that
d
dry-journalist-60579
03/16/2023, 6:15 PMthank you—yeah this is how I’ve been thinking about it… the ROI on granular permissions seems low right now as it’s going to be tedious to lock down the role permissions especially as we iterate on our stacks
l
lemon-agent-27707
03/16/2023, 6:53 PMDeployments run on single use VMs and compute and storage are never shared across runs. We designed our architecture to maximize isolation. In addition, OIDC does allow you to fine tune things like credential lifetime and expiry.
In the future, we will offer the ability to host your own deployment runners.
d
dry-journalist-60579
03/16/2023, 6:57 PMoh, nice!
thank you for the context!