Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
a
acoustic-lock-52416
04/28/2022, 4:59 PMToday, we are officially launching Organization Access Tokens! This will allow Enterprise and Business Critical customers to create access tokens for their org detached from the concept of a user.
We’ve heard you loud and clear. Having the concept of a “machine account”, or organization-managed access to resources is something that would make the dev process a lot easier. Rather than forcing a single user to be a point of failure in your infrastructure pipelines, Organization Access Tokens are managed by your org’s administrators and have write access to all of your org’s stacks. You can now easily broker access for GitHub Actions and the Pulumi Automation API to Pulumi regardless of your current org memberships.
Any organization admin can view, create, and delete tokens in the organization. This is particularly useful for customers who use SAML/SSO and may have trouble creating dedicated bot user accounts in their corporate identity directories. You can read all about it in the Organization Tokens launch blog post.
We’re excited to deliver one of the most requested features from the community,. To enhance the benefits provided by this feature, we are investigating access token scoping and would love to hear your feedback. As always, please feel free to submit feature requests and bug reports to https://github.com/pulumi/service-requests
🤖 8
🗝️ 7
😛arty-pizza: 1
🎉 23
😛ulumipus-dancing-music: 2
🔑 9
m
millions-furniture-75402
04/28/2022, 5:02 PMAre these scopes / policies that can be attached to these tokens?
a
acoustic-lock-52416
04/28/2022, 5:08 PM@millions-furniture-75402 not yet, but this is something that is a priorirty and we’re actively exploring
👍 1
c
clever-sunset-76585
04/28/2022, 5:25 PMAwesome! Great work! 🎉
:thank-you: 1
a
alert-spoon-97538
04/28/2022, 6:25 PMWill this rollout to the Team plans at some point?
☝️ 1
👍 2
g
gifted-island-55702
04/29/2022, 6:37 AMI would love to see this in the Team plan too!
g
glamorous-printer-66548
06/01/2022, 2:46 AMWould love to see this on the Team plan too. Honestly I find it a bit of a disappointing choice to not have this in a team plan. I'm really struggling a bit how to run Pulumi in CI for my company without creating a token that has access to all my stacks across multiple organizations (incl. my personal projects).
➕ 4
w
white-balloon-205
06/01/2022, 11:41 PMWe definitely hear the feedback on wanting this to be available for Team as well!
We initially were motivated to add this in large part to support SAML-backed orgs where it was not even possible in many cases to add bot users. And so we initially designed this as something for Enterprise orgs. But ultimately, the feature does meet a need that many Team orgs have too - to have a simple organization scoped token to use in CI. So we're going to be re-visiting this question around where this is available.
For now though, the workaround for non-SAML-backed orgs is typically to create a bot user, give that bot user access to the appropriate subset of your stacks, and use that bot users access tokens in CI. Not as smooth of an experience as the new Org Tokens feature, but in general should be an option for folks looking to set up automation.