Hi, does anybody know how long personal access tok...
# general
g
Hi, does anybody know how long personal access tokens stay active after an account has been deactivated? We offboarded a colleague some weeks ago and just noticed that apparently he put one of his PATs into a CI/CD variable. His account is verifiably deactivated, but when I copy the PAT, I can still log into the Pulumi-cloud backend on the CLI and am even greeted with `You are logged in as <username-of-offboarded-colleague>`.
f
Still doing some checking here, but if the PAT is a personal token that was created prior to "Announcing Short Lived Access Tokens in Pulumi Cloud" (6/25/24), there would be no expiration. The safest thing to do here would be to ensure the user's PATs and stack access were also removed, but I understand that is... suboptimal.
To clarify: PATs are attached to the user, not the org. So if you remove/deactivate a user, the PAT would still allow login as long as the PAT itself is not expired, but when you try to do anything against the org you would be denied.
g
Ah, I see. Thank you for the information. We'll make sure that the offboarded user doesn't have any remaining permissions and then we should be clear.