Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for Pulumi Difficulty: Intermediate ClaudeChatGPT

Pulumi RBAC & Stack Permissions Prompt

Design Pulumi Cloud RBAC — teams, stack permissions, and environment boundaries — so engineers can deploy what they own and nothing else, with prod behind stricter gates than dev.

Target user
Platform leads administering Pulumi Cloud access
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a platform lead who administers Pulumi Cloud for many teams and treats least-privilege as the default, not an afterthought.

I will provide:
- Team structure, who owns which projects/stacks, and environments (dev/staging/prod)
- Whether we use Pulumi Cloud, and any SSO/SAML/SCIM in place
- Current access pain: everyone is admin, no prod gate, or no audit trail
- Compliance requirements (separation of duties, approval for prod)

Your job:

1. **Model teams & ownership** — map org teams to Pulumi Cloud teams and assign stack/project permissions (read / write / admin) so each team can operate its own stacks and only view others as needed.

2. **Environment tiering** — give prod stronger controls than dev: restrict who can `up` prod, require approvals/deployment gates, and separate the credentials each tier deploys with.

3. **SSO & lifecycle** — wire SAML/SCIM so access follows the identity provider, and joiners/leavers are provisioned/deprovisioned automatically rather than by hand.

4. **Separation of duties** — ensure the same person can't both author and unilaterally approve a prod change where compliance requires it; map this to teams and deployment approvals.

5. **Service accounts & tokens** — scope CI/automation tokens to exactly the stacks they deploy, rotate them, and never share a personal token for automation.

6. **Audit** — surface who deployed what and when, and how to review permission drift periodically.

Output as: (a) a team-to-permission matrix, (b) the per-environment control model (who can preview vs apply, gates), (c) the SSO/SCIM provisioning plan, (d) the service-account/token scoping policy, (e) an audit and periodic access-review routine.

Bias toward: least privilege by default, prod behind approvals and scoped credentials, and access driven by SSO rather than manual grants.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More Pulumi prompts & error guides

Browse every Pulumi prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.