
Pulumi IAM Expands: Manage Access at Scale with Tags, Roles, and Teams
Why It Matters
The enhancements enable enterprises to scale secure, automated access management across thousands of IaC resources, reducing operational overhead and risk. By tying permissions to tags and team structures, Pulumi helps organizations enforce consistent least‑privilege policies in CI/CD pipelines.
Key Takeaways
- Tag rules automatically grant permissions to stacks whose tags match
- Teams inherit custom roles through SCIM provisioning
- Users receive direct role assignments for cross‑team duties
- Permissions are additive: a user's rights are the union of team and user role rights
- Policy enforces tag standards, ensuring RBAC rules fire as intended
Pulse Analysis
Enterprises using Pulumi for infrastructure‑as‑code often struggle with the administrative burden of assigning permissions to a growing inventory of stacks, environments, and accounts. The original Pulumi IAM launch introduced custom roles and scoped tokens, but scaling those permissions required manual, error‑prone configuration. By introducing tag‑based access control, Pulumi now lets administrators define role rules that automatically apply to any entity bearing specific key‑value tags. This dynamic approach aligns with modern DevOps practices, where resources are provisioned programmatically and need immediate, appropriate access without human intervention.
The tag‑driven model works hand‑in‑hand with Pulumi Policy, which can enforce tagging standards before deployment. When a stack is created without the required tags, the policy blocks the operation, guaranteeing that RBAC rules fire as intended. This synergy reduces the risk of over‑privileged access and ensures compliance with governance frameworks. Moreover, the OR logic across multiple tag rules and AND logic within a rule give administrators granular control, enabling scenarios such as "production stacks owned by the payments team" to be secured with a single reusable role.
Beyond tags, Pulumi’s new team and user role assignments streamline identity management at scale. Teams can be provisioned via SCIM, automatically inheriting assigned custom roles, while individual users can receive bespoke role assignments for responsibilities that span multiple teams. Because permissions are additive, the system respects both team‑based and personal access needs without conflict. These capabilities position Pulumi IAM as a comprehensive, enterprise‑grade solution for least‑privilege, automated access control in cloud‑native environments, especially for customers on Enterprise or Business Critical plans.
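The evaluation semantics described above (all key/value pairs must match within a tag rule, any rule may match across rules, team and direct role rights are unioned, and a policy check guarantees the required tags exist before the rules are relied on) as an added Python simulator. This is illustrative code, not Pulumi's engine or API; the role names, tag keys, permission strings, teams and users are constructed for the example.

```python
"""Toy simulator of tag-driven RBAC evaluation (constructed example, not Pulumi's implementation)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TagRule:
    # Every key/value pair must be present on the stack: AND within a rule.
    required_tags: tuple  # tuple of (key, value) pairs, kept hashable

    def matches(self, stack_tags: dict) -> bool:
        return all(stack_tags.get(k) == v for k, v in self.required_tags)


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset
    tag_rules: tuple = ()  # the role applies to a stack if ANY rule matches: OR across rules

    def applies_to(self, stack_tags: dict) -> bool:
        return any(rule.matches(stack_tags) for rule in self.tag_rules)


# Constructed role catalogue: one scoped operator role and one reusable auditor role.
ROLES = {
    "payments-prod-operator": Role(
        "payments-prod-operator",
        frozenset({"stack:read", "stack:preview", "stack:update"}),
        tag_rules=(TagRule((("env", "production"), ("team", "payments"))),),
    ),
    "prod-auditor": Role(
        "prod-auditor",
        frozenset({"stack:read"}),
        # Two rules: production OR disaster-recovery stacks, regardless of team.
        tag_rules=(TagRule((("env", "production"),)), TagRule((("env", "dr"),))),
    ),
}

# Constructed directory: team roles arrive via SCIM-provisioned teams, direct roles per user.
TEAM_ROLES = {"payments": {"payments-prod-operator"}, "security": {"prod-auditor"}}
USER_TEAMS = {"alice": {"payments"}, "bob": {"security"}}
USER_DIRECT_ROLES = {"alice": {"prod-auditor"}, "bob": set()}  # alice audits across teams

# Tag keys a Pulumi-Policy-style check would demand before a stack may be deployed (constructed).
REQUIRED_TAG_KEYS = ("env", "team")


def tag_policy_violations(stack_tags: dict) -> list:
    """Return the mandatory tag keys a stack is missing; non-empty means the policy blocks it."""
    return [k for k in REQUIRED_TAG_KEYS if k not in stack_tags]


def roles_for_user(user: str) -> set:
    """Additive model: roles from every team the user belongs to plus direct assignments."""
    names = set(USER_DIRECT_ROLES.get(user, ()))
    for team in USER_TEAMS.get(user, ()):
        names |= set(TEAM_ROLES.get(team, ()))
    return names


def effective_permissions(user: str, stack_tags: dict) -> frozenset:
    """Union of permissions from each held role whose tag rules match the stack."""
    perms = set()
    for name in roles_for_user(user):
        role = ROLES[name]
        if role.applies_to(stack_tags):
            perms |= role.permissions
    return frozenset(perms)


if __name__ == "__main__":
    payments_prod = {"env": "production", "team": "payments"}
    print(sorted(effective_permissions("alice", payments_prod)))  # operator + auditor unioned
    print(sorted(effective_permissions("alice", {"env": "production", "team": "billing"})))  # auditor only
    print(tag_policy_violations({"env": "production"}))  # ['team']: policy would block this stack
```

The last call shows why the policy check matters: on a stack missing its `team` tag, the operator rule can never match, so a user who should have update rights silently gets read-only access, which is the kind of drift the pre-deployment tag policy is meant to prevent.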