Working on CI/CD - suggestions for following scena...
# general
o
Working on CI/CD - suggestions for the following scenario. We are an Azure DevOps shop. Set up kind of a shell GitHub team so that we could federate with Pulumi stack permissions. But I want a token for a "service account". How to accomplish this with Pulumi/GitHub? Or create a user that's aliased to our team email, sign them up for GitHub, etc. TL;DR - what accounts are y'all granting tokens to for API access?
b
I ended up using a personal token for CI/CD as well. Would be nice to have team-managed tokens.
w
Yes - creating a “bot” user for this is a pretty standard approach. That user can then be given appropriate permissions and you can use tokens for that bot user in CI. For example we use https://github.com/pulumi-bot ourselves. We have thought about adding “service tokens” separate from users, but these need to have most of the capabilities of users (RBAC). We’ll look into this further.
Cc @colossal-beach-47527
c
Pretty much what Luke said. I definitely see us adding an easy way to support robot account tokens, etc. But for today the best practice is to create a CI/CD-specific access token, perhaps with a separate GitHub account. (So that you can set access controls differently for that robot account than yourself.) We’ve also considered being able to limit the scope of resources a personal access token has access to as well… There are a lot of good features to enable in this area, it’s just a matter of adding them 🙂
o
Appreciate the feedback - will set up a "bot" user for now