Hi, does anybody know how long personal access tokens stay active after an account has been deactivated? We offboarded a colleague some weeks ago and just noticed that apparently he put one of his PATs into a CI/CD variable. His account is verifiably deactivated, but when I copy the PAT, I can still log into the Pulumi Cloud backend on the CLI and am even greeted with
You are logged in as <username-of-offboarded-colleague>.
future-hairdresser-70637
08/08/2024, 1:11 PM
Still doing some checking here, but if the PAT is a personal token that was created prior to "Announcing Short Lived Access Tokens in Pulumi Cloud" (6/25/24), there would be no expiration. The safest thing to do here would be to ensure the user's PATs and stack access were also removed, but I understand that is... suboptimal.
future-hairdresser-70637
08/08/2024, 11:23 PM
To clarify: PATs are attached to the user, not the org. So if you remove/deactivate a user the PAT would still allow login as long as the PAT itself is not expired, but when you try to do anything against the org you would be denied.
gray-dinner-70083
08/09/2024, 9:10 AM
Ah, I see. Thank you for the information. We'll make sure that the offboarded user doesn't have any remaining permissions and then we should be clear.