Security question… is it a terrible idea to trust ...
# pulumi-deployments
Security question… is it a terrible idea to trust the Role that Pulumi Deployments uses to assume a role that has Admin privileges in an AWS account?
the reality of IaC is that it needs to be a highly privileged role to achieve everything it needs to. Creating resources with Pulumi usually needs a lot of permissions.
You can create a role with lower scope using iamlive which is less privileged
regarding trusting the role with admin, OIDC means that the pulumi deployment runner only gets temporary credentials which expire on each run, it’s largely a case of “it depends” if you trust that
thank you—yeah this is how I’ve been thinking about it… the ROI on granular permissions seems low right now as it’s going to be tedious to lock down the role permissions especially as we iterate on our stacks
Deployments run on single use VMs and compute and storage are never shared across runs. We designed our architecture to maximize isolation. In addition, OIDC does allow you to fine tune things like credential lifetime and expiry. In the future, we will offer the ability to host your own deployment runners.
oh, nice!
thank you for the context!