Is there way to setup different security secrets f...
# general
b
Is there a way to set up different security secrets for Pulumi up vs Pulumi Preview commands? Example: I want to enable everyone in the company to be able to see pulumi changes, but I don't want them all to be able to run pulumi up on their machine.
o
good idea
b
@brief-car-60542 As shared on our call last week! Pulumi Enterprise and Business Critical support RBAC to manage which users can see and/or update stacks. Thus, you can specify groups of one or more users and the stack(s) they have permission to read or write/update.
a
@brief-car-60542 one idea is to use a CI job (e.g. triggered by a Pull Request) to generate the preview. In this way, GitHub would control the access. https://www.pulumi.com/docs/guides/continuous-delivery/github-actions/#pull-request-flow
h
Also, we have built RBAC into the open-source version of Pulumi in our commercial product qmcloud.
o
@brief-car-60542 One idea: you can use a different key for the cloud provider. When your members run up on this resource, it will fail. I think if they just preview, it will succeed!
b
@able-crayon-21563 that is what I did, but I don't want to entirely disable people from preview; I think it hurts productivity.
@orange-airport-64592 I don't think I understand you, can you say it again? Thanks
o
@brief-car-60542 Are you Chinese? Sorry, my English is not very good. Regarding your question, I don’t think Pulumi currently offers this feature. However, you can try the following approach: For example, if you manage resources on AWS through Pulumi, you can assign different AWS access keys (AK) and secret keys (SK) to members of your team. By using different AKs and SKs, you can differentiate permissions. If a team member does not have permission to create new resources, I believe the Pulumi “up” command will fail, but the “preview” command should work without issue. You can give it a try.
b
@orange-airport-64592 Yes, I am Chinese. This is an interesting idea, I will give it a try, thank you!