pulumi / pulumi-cloud-requests

Welcome to the public issue tracker for Pulumi Cloud (app.pulumi.com)! Feature requests and bug reports welcome!

pulumi stack init --teams defaults to WRITE and not stack read access or stack admin access #314

Closed tusharshahrs closed 1 year ago

tusharshahrs commented 1 year ago

What happened?

To define stack read access or stack admin access with the pulumi stack init --teams command

Using an organization token, we have NONE selected.

Upon running the command, the default access is Write

Example

  1. Go to the org: team-ce, note this is NOT the personal org.

  2. Click on Settings -> Access Management

  3. Change the default from WRITE to NONE and Save permissions.

  4. Create a team via Settings -> Teams. For example: tusharinitteams

  5. Next, create an ORG token. Settings -> Access Management -> Create token. For example: tushar-testtoken-teams. Save the token.

  6. Now set the token in your CLI via PULUMI_ACCESS_TOKEN=value of tushar-testtoken-teams

  7. Then run pulumi stack init --teams command:

pulumi stack init --teams tusharinitteams
Please enter your desired stack name.
To create a stack in an organization, use the format / (e.g. acmecorp/dev).
stack name (dev): team-ce/shahtdev
Created stack 'team-ce/shahtdev'

  8. Now go to the console and check the permissions for that team.

  9. Settings -> Teams -> tusharinitteams

  10. The Stack permissions shows Stack write permissions.

Output of pulumi about

pulumi about

CLI
Version      3.86.0
Go Version   go1.21.1
Go Compiler  gc

Host
OS       darwin
Version  11.7.10
Arch     x86_64

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

justinvp commented 1 year ago

This seems like a potential issue in Pulumi Cloud. From the CLI's perspective, when you run pulumi stack init --teams, we're just passing along the specified teams to the Pulumi Cloud API endpoint used to create stacks.

tusharshahrs commented 1 year ago

Default stack permission controls what access org members have on any given stack within the org by default. The stack creator, whether this be a team or a member, has always had write permissions by design.

tusharshahrs commented 1 year ago

To enable the feature requested, we have opened: Add support for specifying permission to pulumi stack init --team

EvanBoyle commented 1 year ago

Closing as by design. https://github.com/pulumi/pulumi/issues/14326 tracks unblocking the scenario.