Hello, I'm facing issues while using the automatio...
# automation-api
n
Hello, I'm facing issues while using the automation API to create a new stack. What I've done is build a simple pulumi automation application that would leverage some LocalPrograms in order to deploy multiple applications one after the other. I've created a docker container starting from the latest official pulumi node-js image available on public ecr, and included all the pulumi projects and the pulumi automation application (an express.js server). I'm passing a valid pulumi token with admin access to the container, but when I try to create the stacks using the pulumi automation application, I get an error like this:
```
"err":{"type":"CommandError","message":"code: -2\n stdout: \n stderr: Command failed with exit code 255: pulumi stack init pippo --non-interactive\nLogging in using access token from PULUMI_ACCESS_TOKEN\nerror: could not create stack: [403] Only organization administrators can create stacks.\n err?: Error: Command failed with exit code 255: pulumi stack init pippo --non-interactive\nLogging in using access token from PULUMI_ACCESS_TOKEN\nerror: could not create stack: [403] Only organization administrators can create stacks.\n","stack":"CommandError: code: -2\n stdout: \n stderr: Command failed with exit code 255: pulumi stack init pippo --non-interactive\nLogging in using access token from PULUMI_ACCESS_TOKEN\nerror: could not create stack: [403] Only organization administrators can create stacks.\n err?: Error: Command failed with exit code 255: pulumi stack init pippo --non-interactive\nLogging in using access token from PULUMI_ACCESS_TOKEN\nerror: could not create stack: [403] Only organization administrators can create stacks.\n\n    at Object.createCommandError (/app/pulumi-automation-server/node_modules/@pulumi/automation/errors.ts:78:11)\n    at Object.<anonymous> (/app/pulumi-automation-server/node_modules/@pulumi/automation/cmd.ts:79:15)\n    at Generator.throw (<anonymous>)\n    at rejected (/app/pulumi-automation-server/node_modules/@pulumi/pulumi/automation/cmd.js:19:65)\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)","commandResult":{"stdout":"","stderr":"Command failed with exit code 255: pulumi stack init pippo --non-interactive\nLogging in using access token from PULUMI_ACCESS_TOKEN\nerror: could not create stack: [403] Only organization administrators can create stacks.","code":-2,"err":{"shortMessage":"Command failed with exit code 255: pulumi stack init pippo --non-interactive","command":"pulumi stack init pippo --non-interactive","escapedCommand":"pulumi stack init pippo --non-interactive","exitCode":255,"stdout":"","stderr":"Logging in using access token from PULUMI_ACCESS_TOKEN\nerror: could not create stack: [403] Only organization administrators can create stacks.","failed":true,"timedOut":false,"isCanceled":false,"killed":false}},"name":"CommandError"},"msg":"Error during configuration request"}
```
What type of token do I need to create in order for the pulumi-automation to work?
To give more details here, if instead of an organization token I use a personal access token, I'm able to create the stack 'pippo' without issues (I'm an admin for my organization). Apparently the problem is creating a stack using an organization token (even if admin).
b
are you logged into the service in the location you’re using automation API?
n
If I run the `pulumi whoami -v` command I actually see the details I'm expecting,
```
User: <organization-name>
Organization: <organization-name>
BackendURL: <my-organization-backend-url>
```
I can destroy an existing stack with the organization token, I can't create a new stack
b
in your org setting: https://app.pulumi.com/<orgname>/settings/access-management
what are these values set to?
n
Stack permission for all members: None False False True (Sorry, can't upload image)
b
if you set the top one to true instead of false it’ll fix it
n
but that would give permission to all users with write permissions to create stacks, am I right? We only want admin users to have such permission
b
To give more details here, if instead of an organization token
Organization tokens only have member access. There is an upcoming change to allow org tokens with admin access, but not sure of its ETA
n
I think this is available on the frontend at least
But even if I activate the "Admin Access" the token doesn't have the rights to perform admin operations like create a stack
I've opened a ticket on github for reference https://github.com/pulumi/pulumi-cloud-requests/issues/287
b
sounds great, does look like a bug