Pulumi RBAC & Stack Permissions Prompt
Design Pulumi Cloud RBAC — teams, stack permissions, and environment boundaries — so engineers can deploy what they own and nothing else, with prod behind stricter gates than dev.
- Target user
- Platform leads administering Pulumi Cloud access
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT
The prompt
You are a platform lead who administers Pulumi Cloud for many teams and treats least-privilege as the default, not an afterthought. I will provide: - Team structure, who owns which projects/stacks, and environments (dev/staging/prod) - Whether we use Pulumi Cloud, and any SSO/SAML/SCIM in place - Current access pain: everyone is admin, no prod gate, or no audit trail - Compliance requirements (separation of duties, approval for prod) Your job: 1. **Model teams & ownership** — map org teams to Pulumi Cloud teams and assign stack/project permissions (read / write / admin) so each team can operate its own stacks and only view others as needed. 2. **Environment tiering** — give prod stronger controls than dev: restrict who can `up` prod, require approvals/deployment gates, and separate the credentials each tier deploys with. 3. **SSO & lifecycle** — wire SAML/SCIM so access follows the identity provider, and joiners/leavers are provisioned/deprovisioned automatically rather than by hand. 4. **Separation of duties** — ensure the same person can't both author and unilaterally approve a prod change where compliance requires it; map this to teams and deployment approvals. 5. **Service accounts & tokens** — scope CI/automation tokens to exactly the stacks they deploy, rotate them, and never share a personal token for automation. 6. **Audit** — surface who deployed what and when, and how to review permission drift periodically. Output as: (a) a team-to-permission matrix, (b) the per-environment control model (who can preview vs apply, gates), (c) the SSO/SCIM provisioning plan, (d) the service-account/token scoping policy, (e) an audit and periodic access-review routine. Bias toward: least privilege by default, prod behind approvals and scoped credentials, and access driven by SSO rather than manual grants.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Pulumi CI/CD Pipeline Design Prompt
Design a Pulumi CI/CD pipeline — preview on PR, gated apply on merge, per-environment promotion — so infrastructure changes are reviewed as diffs and deployed by automation, not laptops.
-
Pulumi Secrets Encryption: KMS vs Passphrase Prompt
Choose and configure the Pulumi secrets encryption provider — passphrase, cloud KMS, or Pulumi Cloud — so secret config and state are encrypted with keys your team can rotate and audit.
-
Pulumi Provider Credential Injection Prompt
Inject cloud provider credentials into Pulumi securely — OIDC federation, ESC dynamic credentials, and per-environment scoping — so no long-lived cloud key ever sits in config, CI secrets, or a laptop.
-
Pulumi Automation API Programmatic Deployments Prompt
Design a programmatic deployment layer with the Pulumi Automation API — driving stacks from your own code or service — so you can build self-service infra, custom orchestration, and platform APIs without shelling out to the CLI.
More Pulumi prompts & error guides
Browse every Pulumi prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.