No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

honestly, you’re going to be constantly playing whack-a-mole if you’re trying to chase Pulumi code -&gt; IAM perms. I generally just give out admin perms

Part of the reason for this is that every single modification of code is going to need a permission update which is I think what you’re seeing.

A pretty common pattern I’ve seen is using an admin role in development, using iamlive to scope the perms and then for production, locking down the iam role

That makes a lot of sense, I agree. One middle ground is perhaps to assign more “freely” like `rds:*`if a repo needs rds or `s3:*` if it needs S3 access. After all assuming GitHub Actions (enterprise) are secure, main branch protected and we are using idp for actions it should be fairly unlikely that someone manages to do a lot of harm to our infrastructure.