https://pulumi.com logo
#general
Title
# general
s

swift-painter-31084

02/27/2020, 10:37 PM
Just confirming: If a Pulumi user has access to a project, but NONE on a production stack, they should not be able to decrypt secrets associated with that stack, correct?
c

colossal-beach-47527

02/27/2020, 11:09 PM
Correct. If a user has
NONE
for their stack permission, then they will not be able to decrypt the secrets for that stack. (In fact, it shouldn’t show up in the organization’s stack list, or in
pulumi stack ls
, etc.) But to clarify, I don’t know what you mean by “has access to a project”. There isn’t any permissions at the “project” level (where project is just a namespace for stacks).
If you are an administrator of your organization, you can double check the stacks a user has access to and how they got that access by clicking on the name of the person on the organization’s PEOPLE page. (This was a feature we added in the last week or two.)
s

swift-painter-31084

02/28/2020, 6:43 AM
Thanks for clarifying! I hadn't really delved into setting stack permissions in Pulumi but all of that makes sense. Is there some way to define Pulumi stack access in Pulumi code or scripts?
c

colossal-beach-47527

02/28/2020, 5:29 PM
No, there currently isn't any way to manage stack permissions using the CLI. We do have a REST API (which is what the Pulumi Console uses), but that isn't currently documented. But if you are enterprising and/or want to automate doing things in-bulk, I can point you towards the right
curl
commands for automating Pulumi Team CRUD.