How do I use a service account in a CI/CD pipeline? Set up a Pulumi user for this purpose?
That's right, create credentials for a service account and then expose those as secrets in your CI/CD. You can run under any credentials you want to use, and those credentials will not leave the CI machine.
Does it support dependency on another stack? Or how can you reference resources/objects from other stacks?
Today you can loosely couple stacks by exporting from one stack and then setting those values as Pulumi config on the other. This is a little manual, and we are looking at options to allow one stack to directly look up outputs of another in a slightly more coupled way to make this really simple.
ETA on PKI encryption? Use case, I provide a public key to Pulumi to encrypt the secrets for our stacks rather than Pulumi encrypting those secret config items.
It's top of mind, if it's blocking your ability to use Pulumi in the near term we can definitely prioritize. There's some discussion related to this on https://github.com/pulumi/pulumi/issues/1867.
Thanks very much Luke. So a GCP service account that has API creds to Pulumi? Just trying to get the wiring. Because the account running the operation would need to be able to talk to Pulumi for the stack updates and also modify our GCP env
Regarding dependencies - sounds good. The equivalent in TF would be ability to query remote state.
Finally on PKI - it's not blocking anything but it's come up a few times. We are ok with waiting for now 🙂
There are two things here: 1. You will need to have GCP service account credentials ambiently in the environment, similar to if you were using inside the CI environment to interact with GCP. 2. You will also need a Pulumi Access Token for an account in Pulumi with privileges to update your stack. You can get this for your user at https://app.pulumi.com/account/tokens. We've seen folks create "Bot" users within their organizations as a way to assign these access keys to a neutral account whose rights can be managed independently.
@orange-tailor-85423 re GCP service account. In our CI environment we basically expose 3 important environment variables:
NPM_TOKEN - contains a token to authenticate against npm to download some private npm modules, i.e. our internal Pulumi util library.
GCP_SERVICE_ACCOUNT_KEY - contains a GCP JSON IAM service account key that is used exclusively by our CI environment. You have to create a GCP IAM service account for this.
PULUMI_ACCESS_TOKEN - contains a Pulumi access token that is used exclusively by our CI environment. You have to create a GitHub bot user for this and grant it permissions to the Pulumi project.
Then before we run any CI job, this script runs, which authenticates the CI server with all necessary services and also downloads npm modules:
#!/usr/bin/env bash
set -euo pipefail
# npm: register the token so private packages (e.g. the internal Pulumi util library) install
echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc && npm ci
# Pulumi: reads PULUMI_ACCESS_TOKEN from the environment
pulumi login
# GCP: activate the CI service account from the JSON key on stdin (quoted so the key is passed verbatim)
echo "$GCP_SERVICE_ACCOUNT_KEY" | gcloud auth activate-service-account --project my-gcp-project --key-file=-
# Docker: use the gcloud credentials for GCP container registries
gcloud auth configure-docker