Just confirming If a Pulumi user has access to a project but

Question

Just confirming If a Pulumi user has access to a project but NONE on a production stack they should not be able to decrypt secrets associated with that stack correct

swift-painter-31084 · Answer

Per <https www pulumi com docs intro console collaboration stack permissions >

colossal-beach-47527 · Answer

Correct If a user has `NONE` for their stack permission then they will not be able to decrypt the secrets for that stack In fact it shouldn t show up in the organization s stack list or in `pulumi stack ls` etc But to clarify I don t know what you mean by has access to a project There isn t any permissions at the project level where project is just a namespace for stacks

colossal-beach-47527 · Answer

If you are an administrator of your organization you can double check the stacks a user has access to and how they got that access by clicking on the name of the person on the organization s PEOPLE page This was a feature we added in the last week or two

swift-painter-31084 · Answer

Thanks for clarifying I hadn t really delved into setting stack permissions in Pulumi but all of that makes sense Is there some way to define Pulumi stack access in Pulumi code or scripts

colossal-beach-47527 · Answer

No there currently isn t any way to manage stack permissions using the CLI We do have a REST API which is what the Pulumi Console uses but that isn t currently documented But if you are enterprising and or want to automate doing things in bulk I can point you towards the right `curl` commands for automating Pulumi Team CRUD