No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hi, does anybody know how long personal access tokens stay active after an account has been deactivated? We offboarded a colleague some weeks ago and just noticed that apparently he put one of his PATs into a CICD variable. His account is verifiably deactivated, but when I copy the PAT, I can still log into the Pulumi-cloud backend on the CLI and even are greeted with `You are logged in as &lt;username-of-offboarded-colleague&gt;` .

still doing some checking here but if the PAT is a personal token that was created prior to <https://www.pulumi.com/blog/short-lived-access-tokens/|Announcing Short Lived Access Tokens in Pulumi Cloud> (6/25/24) there would be no expiration. The safest thing to do here would be to ensure the user's PATs and stack access were also removed but I understand that is... suboptimal

To clarify: PATs are attached to the user, not the org. So if you remove/deactivate a user the PAT would still allow login as long as the PAT itself is not expired, but when you try to do anything against the org you would be denied.

Ah, I see. Thank you for the information. We'll make sure that the offboarded user doesn't have any remaining permissions and then we should be clear.