Skip to content

Pulumi Access Token

Service Name: Pulumi

Service Description: Pulumi is an infrastructure as code platform that allows developers to create, deploy, and manage cloud infrastructure using familiar programming languages like JavaScript, TypeScript, Python, Go, and .NET.

Service Address: https://www.pulumi.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the organization level through Pulumi's RBAC settings.

Secret Access Scope: Grants programmatic access to Pulumi resources, allowing users to create, update, and manage infrastructure stacks across cloud providers.

Secret Revokement URL: https://app.pulumi.com/account/tokens

Secret Example: pul-1234a5b6c7d8e9f0g1h2i3j4k5l6m7n8o9p0

Suspicious Activity Investigation Instructions:

  • Review the Pulumi activity logs for unauthorized stack operations.
  • Check for unexpected infrastructure deployments or modifications.
  • Examine resource creation timestamps and user attribution.
  • Verify if the token was used from unusual IP addresses or locations.
  • Review audit logs for stack updates, previews, or deployments that weren't authorized.

Mitigation Instructions:

  • Log in to the Pulumi Console at https://app.pulumi.com/.
  • Navigate to your account settings by clicking on your profile picture in the top right corner.
  • Select "Settings" from the dropdown menu.
  • Go to the "Access Tokens" tab.
  • Locate the compromised token and click "Revoke".
  • Generate a new token if needed.
  • Update any CI/CD pipelines or automation tools with the new token.
  • Consider implementing shorter token expiration periods for future tokens.
  • Review and update Pulumi RBAC permissions to enforce the Principle of Least Privilege.