# general
s
Hey guys 🙂 I’m trying to work with stackReferences. The idea is to have a core stack deploying sensitive infra like a k8s cluster, and other stacks that will deploy resources into the cluster. The sensitive cluster needs to export the kubeconfig as an output, but I only want certain stacks to be able to read it. Are there any permission boundaries that can be set up to prevent random stacks in the organization from reading sensitive stack outputs? Or is any output in any stack readable by any other stack, and hence any other user, etc.?
b
what state backend are you using?
no sorry, where are you storing pulumi state?
s
not sure I understand the question, but I think the answer is on Pulumi itself. The Pulumi svc
yes pulumi state backend
b
okay, in that case, you can set stack permissions that allow you to define who can/can't read those values
s
i think i understand. So only users in there will be able to see outputs. So let’s say stack Services needs outputs from stack Core. Anyone in team Core can see the outputs. But not everyone in team Services will be able to read Core’s outputs. Only users who are both in teams in Core and in teams in Services can see the outputs of Core. Is this correct?
b
correct!
you can also define those teams programmatically: https://www.pulumi.com/registry/packages/pulumiservice/api-docs/team/
s
oh very cool. Thank you for explaining. What does pulumi vs github teamType mean? https://www.pulumi.com/registry/packages/pulumiservice/api-docs/team/#teamtype_nodejs I don’t see such a thing in the console
b
For GitHub-backed organizations the teamType path parameter must be github. For all other organization types the teamType path parameter must be pulumi.
s
very cool. thank you
a
@billowy-army-68599 as far as I can tell this requires an Enterprise subscription, is that correct?
b
correct
s
Is there a way to allow developers to run pulumi preview against a stack, but not be able to log into the console and see the project there?
b
no, that isn't possible. Why would you want to do that though?
s
I’ll rephrase my question: Devs work on a project that they have read/write perms on. The project also has a stack reference to a stack they don’t have write perms to. We would not like them to be able to view this stack in the console or get any other information about it, just use some of its outputs. Is this possible? As opposed to having to hardcode output values into the stacks they are working on. To elaborate a little more: we want the sensitive Core infra to remain isolated, so only admins should be able to read/write to it and view it in the console. However, we want some projects to be able to stack reference the cluster so that they can deploy into it. But we don’t want developers of these other projects to be able to see the Core stack in the console. It isn’t relevant to them; only some of the outputs of the Core stack are.
b
you can only make the stack read only, you can't hide the stack completely
s
ok thank you. I guess we need to hardcode then or at least pass in values as env vars. An interesting idea would be to give a CI user read permissions only, and then users would have their code run by the CI.
a
@steep-portugal-37539 I wonder if this is solvable by using an intermediate stack (call it a demilitarized stack I guess) that references the core project and which is deployed by someone with read access to the core project, which in turn outputs only the minimal information needed for the other projects to deploy
that way someone could deploy those other projects only having read access to the demilitarized stack/project and having no access to the core project
(we have what sounds like basically the exact same requirement and I’ve been trying to think of creative ways to solve it)
s
That’s a very smart idea. Perhaps that works… I’m still thinking about it. Lmk if you try this. I would want to see how it looks in practice. I might try it myself soon