https://pulumi.com logo
#getting-started
Title
# getting-started
w

white-spoon-73819

09/15/2023, 5:07 PM
Hey folks - we're using Pulumi Cloud with Google-backed auth. But we want to be able to do previews of our pulumi changes in Gitlab. It seems like that's not possible as we get an auth failure on the webhook when doing this. Is there a way to get this working?
c

clever-sunset-76585

09/15/2023, 6:58 PM
Are you using GSuite SAML with your Pulumi account? If yes I am not sure that this will work for you given that you are using SAML with Pulumi. But you could try connecting your GitLab identity to your existing Pulumi user. Of course, you should ensure that you connect the right GitLab user that has access to the GitLab project in question. That'll allow Pulumi to use your GitLab access token from your identity to create a Merge Request comment. If you haven't already you should also see the guide about the GitLab integration. Note that if your Project in GitLab is under a group, that will pose another problem since your Pulumi org would also need to use GitLab identity as well. This is for security reasons because Pulumi would need to verify your role in the Group and it can't do that if your Pulumi org is not backed by GitLab identity. An alternative would be switching to GitLab-based auth with Pulumi. You could use SAML with GitLab instead and let Pulumi access be governed by your users still being active on GitLab. That may be an option.
w

white-spoon-73819

09/15/2023, 6:59 PM
Yeah we use a GitLab group unfortunately.
How destructive is it to switch over to using GitLab for our Pulumi access? Do we need to reprovision users, or will people need to login again?
c

clever-sunset-76585

09/15/2023, 8:21 PM
You will not need to reprovision users in Pulumi, just that you'll want to get them all to first connect a GitLab identity to their Pulumi accounts that they should use to access the org. After that it should be safe to switch over. But only the admin of the group should do the switch over since the admin's access in GitLab is used to lookup certain information that other roles do not have access to. I believe the "Change Requirements" flow in the Pulumi Console does a check to ensure all of your current members also have an identity of the target identity provider you choose.
By the way, it might be a good idea to consult with Pulumi Support about this before you make changes and confirm that it is the only way. I am going off my memory here with all the information I've given you thus far and I reserve the right to be incorrect 😄