Stack Permissions
The Pulumi Console provides fine-grained access controls for stacks.
A user’s stack permissions is first based on their role within the containing organization, and then on any additional permissions granted explicitly to that user.
Stack Permission Levels
There are four types of permission levels available to users and teams collaborating on Pulumi stacks.
NoneReadWriteAdmin
These stack permissions allow users to perform the following actions:
| Action | None | Read | Write | Admin |
|---|---|---|---|---|
| View update history | ✅ | ✅ | ✅ | |
| Decrypt secret configuration | ✅ | ✅ | ✅ | |
| Read stack resources | ✅ | ✅ | ✅ | |
| Preview stack changes | ✅ | ✅ | ✅ | |
| Update stack | ✅ | ✅ | ||
Destroy stack (pulumi destroy) |
✅ | ✅ | ||
| Export stack checkpoint | ✅ | ✅ | ✅ | |
| Import stack checkpoint | ✅ | ✅ | ||
Delete stack (pulumi stack rm) |
✅ | |||
| Transfer to another organization | ✅ |
Assigning Stack Permissions
Stack permissions can be assigned in three different ways. The permissions granted from these sources are merged together, granting the highest permission available.
- Organization Settings. An organization admin can configure stack permissions for all members for the organization’s stacks, granting all members of the organization a minimum permission level.
- Stack Creator. The user who created the stack is given
Stack adminpermission, even if the organization’s stack permissions for all members isNone. An organization admin can remove the stack creator by navigating to Stack > Settings > Access and selecting Remove. - Team Membership. Organization admins, and team members can grant members of a team access to stacks and set their permissions.
Thank you for your feedback!
If you have a specific, answerable question about how to use Pulumi, ask it in our Community Slack.
Open an issue on GitHub to report a problem or suggest an improvement.
