No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Is there documentation on the credentials needed for a Pulumi preview command? I'd like to set up CI to preview with minimal permissions

Hi <@ULT5ZRAM6>,

The credentials will still be the same required, i.e. if AWS then we need ACCESS_KEY_ID and SECRET_ACCESS_KEY etc

I mean the permissions that the AWS role would require

I'm going to make a special role with minimal IAM permissions preferably read-only since it's a `preview`

Sorry that was a poorly worded question :slightly_smiling_face:

so that all depends on what your pulumi program is doing - IAM permissions / policies will be specific to each of the providers. So there is no *base* that we can suggest

Okay, can you confirm that it doesn't need write permissions to the objects ?

e.g. ```{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "iam:Get*",
            "iam:List*",
            "iam:Generate*"
        ],
        "Resource": "*"
    }
}```

After creating permissions for other resources than iam, I'm getting an interesting error on my Kubernetes preview

```❯ pulumi preview
Previewing update (dev):

     Type                                       Name         Plan     Info
     pulumi:pulumi:Stack                        kubiome-dev
     └─ kubernetes:<http://storage.k8s.io:StorageClass|storage.k8s.io:StorageClass>  fsx-sc                1 error

Diagnostics:
  kubernetes:<http://storage.k8s.io:StorageClass|storage.k8s.io:StorageClass> (fsx-sc):
    error: Failed to check for changes in resource default/fsx-sc because of an error communicating with the API server: the server has asked for the client to provide credentials```