Just confirming: If a Pulumi user has access to a ...
# general
s
Just confirming: If a Pulumi user has access to a project, but NONE on a production stack, they should not be able to decrypt secrets associated with that stack, correct?
c
Correct. If a user has `NONE` for their stack permission, then they will not be able to decrypt the secrets for that stack. (In fact, it shouldn’t show up in the organization’s stack list, or in `pulumi stack ls`, etc.) But to clarify, I don’t know what you mean by “has access to a project”. There aren’t any permissions at the “project” level (where project is just a namespace for stacks).
If you are an administrator of your organization, you can double check the stacks a user has access to and how they got that access by clicking on the name of the person on the organization’s PEOPLE page. (This was a feature we added in the last week or two.)
s
Thanks for clarifying! I hadn't really delved into setting stack permissions in Pulumi but all of that makes sense. Is there some way to define Pulumi stack access in Pulumi code or scripts?
c
No, there currently isn't any way to manage stack permissions using the CLI. We do have a REST API (which is what the Pulumi Console uses), but that isn't currently documented. But if you are enterprising and/or want to automate doing things in bulk, I can point you towards the right `curl` commands for automating Pulumi Team CRUD.