Channels
#pulumi-deployments
Title
# pulumi-deployments
d
dry-journalist-60579
03/16/2023, 4:25 PMSecurity question… is it a terrible idea to trust the Role that Pulumi Deployments uses to assume a role that has Admin privileges in an AWS account?
b
billowy-army-68599
03/16/2023, 6:08 PM
the reality of IaC is that it needs to be a highly privileged role to achieve everything it needs to. Creating resources with Pulumi usually needs a lot of permissions.
You can create a role with lower scope using iamlive https://github.com/iann0036/iamlive which is less privileged
regarding trusting the role with admin, OIDC means that the pulumi deployment runner only gets temporary credentials which expire on each run, it’s largely a case of “it depends” if you trust that
d
dry-journalist-60579
03/16/2023, 6:15 PMthank you—yeah this is how I’ve been thinking about it… the ROI on granular permissions seems low right now as it’s going to be tedious to lock down the role permissions especially as we iterate on our stacks
l
lemon-agent-27707
03/16/2023, 6:53 PMDeployments run on single use VMs and compute and storage are never shared across runs. We designed our architecture to maximize isolation. In addition, OIDC does allow you to fine tune things like credential lifetime and expiry.
In the future, we will offer the ability to host your own deployment runners.
d
dry-journalist-60579
03/16/2023, 6:57 PMoh, nice!
thank you for the context!