# announcements
a
Today, we are officially launching Organization Access Tokens! This will allow Enterprise and Business Critical customers to create access tokens for their org detached from the concept of a user. We’ve heard you loud and clear. Having the concept of a “machine account”, or organization-managed access to resources, is something that would make the dev process a lot easier. Rather than forcing a single user to be a point of failure in your infrastructure pipelines, Organization Access Tokens are managed by your org’s administrators and have write access to all of your org’s stacks. You can now easily broker access for GitHub Actions and the Pulumi Automation API to Pulumi regardless of your current org memberships. Any organization admin can view, create, and delete tokens in the organization. This is particularly useful for customers who use SAML/SSO and may have trouble creating dedicated bot user accounts in their corporate identity directories. You can read all about it in the Organization Tokens launch blog post. We’re excited to deliver one of the most requested features from the community. To enhance the benefits provided by this feature, we are investigating access token scoping and would love to hear your feedback. As always, please feel free to submit feature requests and bug reports to https://github.com/pulumi/service-requests
m
Are these scopes / policies that can be attached to these tokens?
a
@millions-furniture-75402 not yet, but this is something that is a priority and we’re actively exploring
c
Awesome! Great work! 🎉
a
Will this rollout to the Team plans at some point?
g
I would love to see this in the Team plan too!
g
Would love to see this on the Team plan too. Honestly I find it a bit of a disappointing choice to not have this in a Team plan. I'm really struggling a bit with how to run Pulumi in CI for my company without creating a token that has access to all my stacks across multiple organizations (incl. my personal projects).
w
We definitely hear the feedback on wanting this to be available for Team as well! We initially were motivated to add this in large part to support SAML-backed orgs where it was not even possible in many cases to add bot users. And so we initially designed this as something for Enterprise orgs. But ultimately, the feature does meet a need that many Team orgs have too: to have a simple organization-scoped token to use in CI. So we're going to be revisiting this question around where this is available. For now though, the workaround for non-SAML-backed orgs is typically to create a bot user, give that bot user access to the appropriate subset of your stacks, and use that bot user's access tokens in CI. Not as smooth of an experience as the new Org Tokens feature, but in general it should be an option for folks looking to set up automation.