
nice-butcher-64302

08/04/2023, 12:40 PM
Hello, I'm facing issues while using the automation API to create a new stack. What I've done is build a simple pulumi automation application that leverages some LocalPrograms in order to deploy multiple applications one after the other. I've created a docker container starting from the latest official pulumi node-js image available on public ecr, and included all the pulumi projects and the pulumi automation application (an express.js server). I'm passing a valid pulumi token with admin access to the container, but when I try to create the stacks using the pulumi automation application, I get an error like this:
"err":{"type":"CommandError","message":"code: -2\n stdout: \n stderr: Command failed with exit code 255: pulumi stack init pippo --non-interactive\nLogging in using access token from PULUMI_ACCESS_TOKEN\nerror: could not create stack: [403] Only organization administrators can create stacks.\n err?: Error: Command failed with exit code 255: pulumi stack init pippo --non-interactive\nLogging in using access token from PULUMI_ACCESS_TOKEN\nerror: could not create stack: [403] Only organization administrators can create stacks.\n","stack":"CommandError: code: -2\n stdout: \n stderr: Command failed with exit code 255: pulumi stack init pippo --non-interactive\nLogging in using access token from PULUMI_ACCESS_TOKEN\nerror: could not create stack: [403] Only organization administrators can create stacks.\n err?: Error: Command failed with exit code 255: pulumi stack init pippo --non-interactive\nLogging in using access token from PULUMI_ACCESS_TOKEN\nerror: could not create stack: [403] Only organization administrators can create stacks.\n\n    at Object.createCommandError (/app/pulumi-automation-server/node_modules/@pulumi/automation/errors.ts:78:11)\n    at Object.<anonymous> (/app/pulumi-automation-server/node_modules/@pulumi/automation/cmd.ts:79:15)\n    at Generator.throw (<anonymous>)\n    at rejected (/app/pulumi-automation-server/node_modules/@pulumi/pulumi/automation/cmd.js:19:65)\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)","commandResult":{"stdout":"","stderr":"Command failed with exit code 255: pulumi stack init pippo --non-interactive\nLogging in using access token from PULUMI_ACCESS_TOKEN\nerror: could not create stack: [403] Only organization administrators can create stacks.","code":-2,"err":{"shortMessage":"Command failed with exit code 255: pulumi stack init pippo --non-interactive","command":"pulumi stack init pippo --non-interactive","escapedCommand":"pulumi stack init pippo --non-interactive","exitCode":255,"stdout":"","stderr":"Logging in using access token from PULUMI_ACCESS_TOKEN\nerror: could not create stack: [403] Only organization administrators can create stacks.","failed":true,"timedOut":false,"isCanceled":false,"killed":false}},"name":"CommandError"},"msg":"Error during configuration request"}
What type of token do I need to create in order for the pulumi-automation to work?
To give more details here, if instead of an organization token I use a personal access token, I'm able to create the stack 'pippo' without issues (I'm an admin for my organization). Apparently the problem is creating a stack using an organization token (even if admin).

billowy-army-68599

08/04/2023, 4:39 PM
are you logged into the service in the location you’re using automation API?

nice-butcher-64302

08/04/2023, 4:42 PM
If I run the pulumi whoami -v command I actually see the details I'm expecting:
User: <organization-name>
Organization: <organization-name>
BackendURL: <my-organization-backend-url>
I can destroy an existing stack with the organization token, but I can't create a new stack

billowy-army-68599

08/04/2023, 4:44 PM
in your org setting: https://app.pulumi.com/<orgname>/settings/access-management
what are these values set to?

nice-butcher-64302

08/04/2023, 4:47 PM
Stack permission for all members: None False False True (Sorry, can't upload image)

billowy-army-68599

08/04/2023, 5:19 PM
if you set the top one to true instead of false it’ll fix it

nice-butcher-64302

08/04/2023, 5:20 PM
but that would give permission to all users with write permissions to create stacks, am I right? We only want admin users to have such permission
b

billowy-army-68599

08/04/2023, 5:23 PM
To give more details here, if instead of an organization token
Organization tokens only have member access. There is an upcoming change to allow org tokens with admin access, but not sure of its ETA

nice-butcher-64302

08/04/2023, 5:30 PM
I think this is available on the frontend at least
But even if I activate the "Admin Access" the token doesn't have the rights to perform admin operations like create a stack
I've opened a ticket on github for reference https://github.com/pulumi/pulumi-cloud-requests/issues/287

billowy-army-68599

08/04/2023, 5:40 PM
sounds great, does look like a bug