# esc
b
Suggestion / Question: Would it be possible to add another option here where we can use the current_project and current_stack in the subject sent?
p
That is an interesting suggestion. Is it something you want to customize (https://www.pulumi.com/docs/pulumi-cloud/oidc/provider/#pulumi-esc:~:text=Additional%20options%20for%20customization%20include%3A) or just make it part of the default claims? @able-market-62580 - Thoughts?
a
It is interesting and actually discussed (particularly as part of anonymous environments and the OIDC subject). Problem is that ESC does not have a notion of the context where it is being executed (even in the case of the pulumi cli), so it is not straightforward to make it reliable enough to be consumed as part of the provider authorization policies.
b
I am wanting to lock down the access to environments by stacks. Right now we have RBAC that covers team -> stack and team -> env. I want to further restrict which stack can make use of it.
I took a cruise through the code earlier and I am guessing that the deployments get a little special treatment behind the scenes since it is all controlled on your end.
a
Sort of, only in that case we could rely on the deployment token to carry that information in a trustworthy way. On the other hand, it worries me how inconsistent it will feel for customers not aware of these nuances.
b
Yeah, I actually misread, I think because of the formatting on that page
(jumbled the deployments and ESC OIDC together).
a
Ah right, still you are talking about ESC, right?
b
Correct.
I want to use ESC for OIDC.
Currently have team -> env and team -> stack,
and looking to bridge the gap from stack -> env.
a
Yes, makes sense.
b
In all honesty I am being a bit paranoid anyway, since if I give access to an env to a team they could do unintended things in the stack the env was intended for anyway.
a
True, but it is a good use case to track nonetheless (@plain-diamond-92898). I can't tell if we would be able to prioritize it in the short term, but we discussed it a couple of times and disregarded it due to its complexity, waiting for evidence that it is needed.
p
Totally. I think we should consider this as a case when we are thinking about upgrading our RBAC model.
Thanks for the feedback @brash-gigabyte-81569!
b
👍