Related questions - what is typical practice for local development environment's access? We use sso for auth to aws in local environment. I'm thinking allowing those sso principals to assume to a role that only has read access to aws resources. That would allow developers to

pulumi preview

but not

up

or

destroy

. Then in CI, setup roles to have full admin permissions. Any general advices?

Try to avoid full admin permissions. If you have the bandwidth, start off with read-only access and add read-write policies as and when they're needed.