This message was deleted.

I just read this, and this looks amazing. A) Since I am not an org admin, does that mean I can only use REST API? I'm reading this page https://www.pulumi.com/blog/oidc-blog/#enabling-oidc-for-your-stack-for-git-push-to-deploy We have multiple accounts and clouds, for example with AWS our structure of accounts is

org_root
   - dev
   - prod

At the moment we use github actions with a "jump" role -> 1) GH Action OIDC ->

org_root

2) assume role with credentials from

org_root

->

dev

The reason is that we do not need to maintain multiple OIDC connections for each account. B) Can I use Pulumi Deployments with this setup?

Since I am not an org admin, does that mean I can only use REST API?

Only org admins can configure stack settings, but anyone with stack write permissions can trigger a deployment.

Can I use Pulumi Deployments with this setup?

I believe it should be possible. If you have trouble please reach out as this is definitely something we'd like to support.

Thanks, I'll take a look. However, I find this

Only org admins can configure stack settings

an extremely limiting feature because Team subscription only allows 1 admin

I agree with you. We plan on removing that limitation eventually. It is a result of the fact that deployments relies on an organization level token. In the short term, we expect that we'll release support for defining deployment settings in code this week: https://github.com/pulumi/pulumi-pulumiservice/pull/122 This would allow you to define a stack that configures deployment settings across your entire organization. Once your admin has created and configured deployment settings for that stack, then it can be updated whenever a PR is approved and merged automatically.

Yeah I've been longing for a better IAM capabilities in pulumi and this sounds like a good workaround