#general

faint-oil-7535

04/19/2020, 11:09 PM
Here's an easy one: I demoed Pulumi to my architecture guild. They loved it, but raised a few questions I couldn't answer. The biggest one was around user security of stacks. Let's say I have 4 stacks:
1. the personal dev stack of a devops who wants to test code on his/her own
2. the shared dev stack for a team, which gets updated once code goes to develop
3. the uat stack
4. the prod stack

How can I protect stacks so that the dev can create / destroy 1, but our CICD pipeline manages the other 3? So the dev has rights to stack 1, but no rights to muss with stacks 2, 3, and 4?

gentle-diamond-70147

04/19/2020, 11:16 PM
The role-based access control features in the Pulumi Console were designed for this. https://www.pulumi.com/docs/intro/console/collaboration/stack-permissions/
Your dev would have `WRITE` to 1 and `NONE` to 2, 3, and 4. Your CICD pipeline would have `WRITE` to 2, 3, and 4.
Your dev could have `READ` to 2, 3, and 4 if you wanted to allow it. That way they can see the changes that occur and even run previews against those stacks, but would not be allowed to make changes to them.

faint-oil-7535

04/19/2020, 11:48 PM
Sick, that's exactly what I was after. Cheers.