|
| 1 | +--- |
| 2 | +title: "Announcing Pulumi Identity and Access Management (IAM)" |
| 3 | +allow_long_title: true |
| 4 | +date: 2025-06-09 |
| 5 | +draft: false |
| 6 | +meta_desc: "Introducing Pulumi IAM: A new era of granular access control across Pulumi Cloud, starting with Custom Roles and scoped Access Tokens for enhanced security and automation." |
| 7 | +meta_image: "meta.png" |
| 8 | +authors: |
| 9 | + - german-lena |
| 10 | + - devon-grove |
| 11 | + - arun-loganathan |
| 12 | +tags: |
| 13 | + - iam |
| 14 | + - rbac |
| 15 | + - security |
| 16 | + - features |
| 17 | + - pulumi-cloud |
| 18 | + - access-tokens |
| 19 | + - oidc |
| 20 | +--- |
| 21 | + |
| 22 | +Cloud development is accelerating at an unprecedented pace, fueled by AI and the relentless drive for innovation. But this incredible speed demands unwavering trust in your security posture. How do you empower teams to deploy rapidly and frequently without opening doors to risk or violating compliance mandates? Today, we're thrilled to answer that critical challenge by introducing **Pulumi Identity and Access Management** (IAM) – a foundational new capability designed to embed robust, granular security directly into your cloud development lifecycle, enabling you to innovate both quickly and safely with Pulumi. Pulumi IAM provides the unified framework for fine-grained authorization needed to confidently manage modern cloud infrastructure and applications across the entire Pulumi Cloud platform. |
| 23 | + |
| 24 | +<!--more--> |
| 25 | + |
| 26 | +## Our Vision for Pulumi IAM |
| 27 | + |
| 28 | +Pulumi IAM is a foundational investment, delivering enterprise-grade access management through a phased approach. Today's release marks the beginning, with much more planned: |
| 29 | + |
| 30 | +* **Phase 1: Granular Access Tokens & Custom Roles (Available Today)** |
| 31 | + * Define custom, reusable **Permissions** with [fine-grained scopes](/docs/pulumi-cloud/access-management/rbac/scopes) (e.g., `stack:delete` only). |
| 32 | + * Create **Custom Roles** by combining Permissions with specific Pulumi Entities (Stacks, Environments, etc.). |
| 33 | + * Generate **Organization Access Tokens** scoped precisely to these Custom Roles, perfect for secure automation. |
| 34 | + |
| 35 | +* **Phase 2: User & Team Role Assignment (Coming Soon)** |
| 36 | + * Leverage **OIDC configuration** to dynamically assume Custom Roles for secure, tokenless authentication from CI/CD systems like GitHub Actions, GitLab, and more. |
| 37 | + * Assign these powerful Custom Roles directly to **individual users and teams** within your Pulumi organization. |
| 38 | + * Implement a complete overhaul of user and team access management, moving beyond the basic `Admin`/`Member` distinctions, and enabling reusability of custom building blocks permissions and roles that work for your organization |
| 39 | + |
| 40 | +* **Phase 3: Advanced Authorization & Scalability (Future Release)** |
| 41 | + * Introduce **Attribute-Based Access Control (ABAC)**, allowing policies based on tags or other attributes of Pulumi Entities (e.g., "grant 'dev-role' access to all stacks tagged 'env:dev'"). |
| 42 | + * Enable the creation of **Custom RBAC Policies** with conditional logic for highly specific access scenarios and reuse them |
| 43 | + * Provide mechanisms to manage permissions across hundreds or thousands of Pulumi Entities efficiently. |
| 44 | + |
| 45 | +## A Foundation for Zero Trust & Unified Security |
| 46 | + |
| 47 | +Pulumi IAM isn't just another feature; it's a foundational pillar underpinning security across the entire Pulumi Cloud ecosystem, enabling organizations to implement **Zero Trust** principles for their infrastructure management. Modern security models assume breaches will happen and demand rigorous verification for every access request. Static, organization-wide roles no longer suffice where separation of duties, least privilege, and compliance are paramount. |
| 48 | + |
| 49 | +Pulumi IAM addresses these challenges by providing: |
| 50 | + |
| 51 | +* **Least Privilege Enforcement:** Define precisely *who* can do *what* on *which* specific resources, minimizing the potential impact if credentials or accounts are compromised. This is core to Zero Trust – grant only the minimum necessary access, verified at the point of action. |
| 52 | +* **Granular Control Across Pulumi:** |
| 53 | + * **Infrastructure as Code (IaC):** Apply fine-grained controls over Pulumi Stacks |
| 54 | + * **Secrets Management:** Define specific access levels for Pulumi ESC Environments. |
| 55 | + * **Insights:** Manage permissions for Pulumi Insights account settings. |
| 56 | +* **Secure Automation:** Provide secure, least-privilege tokens and OIDC integration for CI/CD pipelines and automation, drastically reducing the risk associated with over-privileged service accounts. |
| 57 | +* **Unified, Scalable Governance:** Establish a consistent authorization model that simplifies administration and scales from small teams to complex enterprise environments, ensuring security doesn't hinder velocity. |
| 58 | + |
| 59 | +## Launching Today: Granular Access Tokens via Custom Roles |
| 60 | + |
| 61 | +This vision begins today with the initial phase of Pulumi IAM, enabling you to define **Custom Roles** built from **fine-grained Permissions** and apply them specifically to **Organization Access Tokens**. This initial step provides immediate, significant security benefits, particularly for automation: |
| 62 | + |
| 63 | +* **True Least Privilege for CI/CD:** Scope pipeline tokens to *only* the actions (e.g., `pulumi up`) and Entities (e.g., `stack: myapp-prod`) they absolutely need. |
| 64 | +* **Reduced Blast Radius:** If a scoped token is compromised, the potential damage is limited strictly to the permissions defined in its associated role. |
| 65 | +* **Enhanced Compliance:** Demonstrate precise control over programmatic access to auditors. |
| 66 | + |
| 67 | +## How to Get Started with Granular Access Tokens |
| 68 | + |
| 69 | +Configuring and using Custom Roles for scoped tokens is done via the Pulumi Cloud console: |
| 70 | + |
| 71 | +#### 1. Define a Custom Permission (Optional) |
| 72 | +Create reusable sets of fine-grained scopes. |
| 73 | + |
| 74 | +* As an admin, navigate to Organization Settings -> Roles -> Permissions |
| 75 | +* Follow instructions for [creating a custom permission](/docs/pulumi-cloud/access-management/rbac/permissions#creating-custom-permissions). |
| 76 | + |
| 77 | +#### 2. Create a Custom Role |
| 78 | +Combine permissions with specific resources. |
| 79 | + |
| 80 | +* As an admin, navigate to Organization Settings -> Roles |
| 81 | +* Follow instructions for [creating a custom role](/docs/pulumi-cloud/access-management/rbac/roles#creating-custom-roles). |
| 82 | + |
| 83 | +#### 3. Generate a Scoped Organization Access Token |
| 84 | +Generate an organization access token with narrowed scope. |
| 85 | + |
| 86 | +* As an admin, navigate to Organization Settings -> Access Tokens -> Organization Access Tokens.* |
| 87 | +* Click "Create token". Provide a description. **Select your Custom Role** from the "Role" dropdown. Generate the token. |
| 88 | + |
| 89 | +## New Scenarios Unlocked Today |
| 90 | + |
| 91 | +This release immediately enables more secure and compliant workflows: |
| 92 | + |
| 93 | +* **Secure Multi-Environment CI/CD:** A single pipeline can use different tokens based on the target environment (dev, staging, prod), each assuming a role with appropriately restricted permissions (e.g., read-only for prod dependencies, write for the target stack). |
| 94 | +* **Restricted Operational Scripts:** An automation script designed only to read audit logs can use a token tied to a role granting *only* `audit_log:read` permission, preventing accidental or malicious modifications. |
| 95 | +* **Safer ChatOps & Tooling:** Integrations like ChatOps bots can operate with tokens scoped down to only necessary actions (e.g., triggering a `pulumi preview` on specific stacks). |
| 96 | + |
| 97 | +{{% notes type="info" %}} |
| 98 | +**Available Today:** Custom Permissions, Custom Roles, and the ability to scope Organization Access Tokens using these roles, is **available now** for customers on the **Pulumi Enterprise** and **Pulumi Business Critical** tiers. Explore these features in your Pulumi Cloud organization settings! |
| 99 | +{{% /notes %}} |
| 100 | + |
| 101 | +## Conclusion: Building a More Secure Future |
| 102 | + |
| 103 | +Pulumi Identity and Access Management (IAM) represents a fundamental advancement in securing cloud development lifecycles managed by Pulumi, providing the controls needed to confidently embrace speed and scale. Today’s launch of Granular Access Tokens via Custom Roles provides immediate security improvements for automation and programmatic access, laying the vital groundwork for our comprehensive IAM vision rooted in Zero Trust principles. |
| 104 | + |
| 105 | +This empowers platform and security teams with the fine-grained control needed to implement least privilege, enhance compliance, and scale Pulumi usage securely without sacrificing velocity. |
| 106 | + |
| 107 | +We encourage our Enterprise and Business Critical customers to explore Custom Roles and Granular Access Tokens today. Dive into the [documentation](/docs/pulumi-cloud/access-management/rbac) and start building roles tailored to your security requirements. We welcome your feedback and feature requests in our [GitHub repository](https://github.com/pulumi/pulumi-cloud-requests/issues). Join us as we build a more secure foundation for cloud engineering! |
| 108 | + |
| 109 | +## Learn More |
| 110 | + |
| 111 | +Learn more about Pulumi Cloud's new IAM & RBAC features: |
| 112 | + |
| 113 | +- [Overview](/docs/pulumi-cloud/access-management/rbac) |
| 114 | +- [Roles](/docs/pulumi-cloud/access-management/rbac/roles) |
| 115 | +- [Permissions](/docs/pulumi-cloud/access-management/rbac/permissions) |
| 116 | +- [Scopes](/docs/pulumi-cloud/access-management/rbac/scopes) |
0 commit comments