From f93f23c3440861f002e231c48c210c2def6739b0 Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Thu, 2 Oct 2025 18:48:43 +0000 Subject: [PATCH 1/2] Add OIDC token type availability by Pulumi edition MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit clarifies which OIDC token types (personal, organization, team) are available for each Pulumi edition (Individual, Team, Enterprise/Business Critical). Changes: - Added "Token types by edition" section to main OIDC client page - Updated GitHub, GKE, and EKS OIDC guides with info notes linking to token types - Clarified that examples show specific token types but others may be available Fixes #16019 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Meagan --- .../access-management/oidc-client/_index.md | 10 ++++++++++ .../access-management/oidc-client/github.md | 4 ++++ .../access-management/oidc-client/kubernetes-eks.md | 4 ++++ .../access-management/oidc-client/kubernetes-gke.md | 4 ++++ 4 files changed, 22 insertions(+) diff --git a/content/docs/pulumi-cloud/access-management/oidc-client/_index.md b/content/docs/pulumi-cloud/access-management/oidc-client/_index.md index e3a767a22ace..aae626cbefa3 100644 --- a/content/docs/pulumi-cloud/access-management/oidc-client/_index.md +++ b/content/docs/pulumi-cloud/access-management/oidc-client/_index.md 
@@ -24,6 +24,16 @@ Pulumi supports establishing trust relationships with third party OIDC providers For third party services that have capabilities to issue OIDC id_tokens, it is possible to register them as a trusted OIDC Issuer to leverage these tokens to be exchanged by a short-lived Pulumi access token automatically to avoid having to store hardcoded credentials. +## Token types by edition + +The available OIDC token types vary depending on your Pulumi edition: + +- **Individual**: `personal` tokens only +- **Team**: `personal` and `organization` tokens +- **Enterprise and Business Critical**: `personal`, `organization`, and `team` tokens + +When configuring authorization policies and requesting tokens, ensure you select a token type that is available for your edition. + ## Configuring trust relationships ### Register the OIDC issuer diff --git a/content/docs/pulumi-cloud/access-management/oidc-client/github.md b/content/docs/pulumi-cloud/access-management/oidc-client/github.md index 645e91d47fd4..0080eed1d388 100644 --- a/content/docs/pulumi-cloud/access-management/oidc-client/github.md +++ b/content/docs/pulumi-cloud/access-management/oidc-client/github.md @@ -16,6 +16,10 @@ aliases: This document outlines the steps required to configure Pulumi to accept Github id_tokens to be exchanged by Organization access tokens. +{{< notes type="info" >}} +This guide demonstrates using `organization` tokens. Depending on your [Pulumi edition](/docs/pulumi-cloud/access-management/oidc-client/#token-types-by-edition), you may also use `personal` or `team` tokens by adjusting the token type in the authorization policies and the `requested-token-type` parameter. +{{< /notes >}} + ## Prerequisites * You must be an admin of your Pulumi organization. diff --git a/content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-eks.md b/content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-eks.md index 10490776a7fb..9cc23bab5f7b 100644 
--- a/content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-eks.md +++ b/content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-eks.md @@ -19,6 +19,10 @@ aliases: This document outlines the steps required to configure Pulumi to accept Elastic Kubernetes Service (EKS) id_tokens to be exchanged for a personal access token. With this configuration, Kubernetes pods authenticate to Pulumi Cloud using OIDC tokens issued by EKS. +{{< notes type="info" >}} +This guide demonstrates using `personal` tokens. Depending on your [Pulumi edition](/docs/pulumi-cloud/access-management/oidc-client/#token-types-by-edition), you may also use `organization` or `team` tokens by adjusting the token type in the authorization policies and the `requested_token_type` parameter. +{{< /notes >}} + ## Prerequisites * You must be an admin of your Pulumi organization. diff --git a/content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-gke.md b/content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-gke.md index be0ba3ec699a..4f5714296cb8 100644 --- a/content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-gke.md +++ b/content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-gke.md @@ -18,6 +18,10 @@ This document outlines the steps required to configure Pulumi to accept Google K See ["Bound Tokens"](https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-bound-service-account-tokens) for more background. +{{< notes type="info" >}} +This guide demonstrates using `organization` tokens. Depending on your [Pulumi edition](/docs/pulumi-cloud/access-management/oidc-client/#token-types-by-edition), you may also use `personal` or `team` tokens by adjusting the token type in the authorization policies and the `requested_token_type` parameter. +{{< /notes >}} + ## Prerequisites * You must be an admin of your Pulumi organization. From 8424977e0758db5cd4d61c452a782989e62d867c Mon Sep 17 00:00:00 2001 
From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Thu, 2 Oct 2025 18:58:15 +0000 Subject: [PATCH 2/2] Fix OIDC documentation issues MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Fix parameter name: requested_token_type → requested-token-type - Add missing comma in TypeScript syntax (kubernetes-eks.md:189) - Fix capitalization: Github → GitHub - Add missing newline at end of github.md Co-authored-by: Meagan --- .../docs/pulumi-cloud/access-management/oidc-client/_index.md | 2 +- .../docs/pulumi-cloud/access-management/oidc-client/github.md | 1 + .../access-management/oidc-client/kubernetes-eks.md | 4 ++-- .../access-management/oidc-client/kubernetes-gke.md | 2 +- 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/content/docs/pulumi-cloud/access-management/oidc-client/_index.md b/content/docs/pulumi-cloud/access-management/oidc-client/_index.md index aae626cbefa3..f0cba2ede8a1 100644 --- a/content/docs/pulumi-cloud/access-management/oidc-client/_index.md +++ b/content/docs/pulumi-cloud/access-management/oidc-client/_index.md @@ -155,5 +155,5 @@ curl -X POST \ To configure OIDC, refer to one of our guides: -- [Configuring OIDC for Github](/docs/pulumi-cloud/oidc/client/github/) +- [Configuring OIDC for GitHub](/docs/pulumi-cloud/oidc/client/github/) - [Configuring OIDC for Google Kubernetes Engine](/docs/pulumi-cloud/oidc/client/kubernetes-gke/) diff --git a/content/docs/pulumi-cloud/access-management/oidc-client/github.md b/content/docs/pulumi-cloud/access-management/oidc-client/github.md index 0080eed1d388..2c641b01269f 100644 --- a/content/docs/pulumi-cloud/access-management/oidc-client/github.md +++ b/content/docs/pulumi-cloud/access-management/oidc-client/github.md @@ -90,3 +90,4 @@ jobs: command: preview stack-name: org-name/stack-name ``` + 
diff --git a/content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-eks.md b/content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-eks.md index 9cc23bab5f7b..988c4a95e3d1 100644 --- a/content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-eks.md +++ b/content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-eks.md @@ -20,7 +20,7 @@ aliases: This document outlines the steps required to configure Pulumi to accept Elastic Kubernetes Service (EKS) id_tokens to be exchanged for a personal access token. With this configuration, Kubernetes pods authenticate to Pulumi Cloud using OIDC tokens issued by EKS. {{< notes type="info" >}} -This guide demonstrates using `personal` tokens. Depending on your [Pulumi edition](/docs/pulumi-cloud/access-management/oidc-client/#token-types-by-edition), you may also use `organization` or `team` tokens by adjusting the token type in the authorization policies and the `requested_token_type` parameter. +This guide demonstrates using `personal` tokens. Depending on your [Pulumi edition](/docs/pulumi-cloud/access-management/oidc-client/#token-types-by-edition), you may also use `organization` or `team` tokens by adjusting the token type in the authorization policies and the `requested-token-type` parameter. {{< /notes >}} ## Prerequisites @@ -186,7 +186,7 @@ const job = new kubernetes.batch.v1.Job("runner", { spec: { template: { spec: { - serviceAccountName: "pulumi-service-account" + serviceAccountName: "pulumi-service-account", containers: [{ name: "runner", image: "pulumi/pulumi:latest", diff --git a/content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-gke.md b/content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-gke.md index 4f5714296cb8..0667b468a3ce 100644 --- a/content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-gke.md +++ b/content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-gke.md 
@@ -19,7 +19,7 @@ This document outlines the steps required to configure Pulumi to accept Google K See ["Bound Tokens"](https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-bound-service-account-tokens) for more background. {{< notes type="info" >}} -This guide demonstrates using `organization` tokens. Depending on your [Pulumi edition](/docs/pulumi-cloud/access-management/oidc-client/#token-types-by-edition), you may also use `personal` or `team` tokens by adjusting the token type in the authorization policies and the `requested_token_type` parameter. +This guide demonstrates using `organization` tokens. Depending on your [Pulumi edition](/docs/pulumi-cloud/access-management/oidc-client/#token-types-by-edition), you may also use `personal` or `team` tokens by adjusting the token type in the authorization policies and the `requested-token-type` parameter. {{< /notes >}} ## Prerequisites
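Review bot: the new "Token types by edition" section in `_index.md` (patch 1) lists which of `personal`, `organization` and `team` each edition can use, but never says what each type grants, which is the information a reader needs to pick the least-privileged one for a given workload. Suggest one sentence per type stating whose identity the exchanged access token carries and what it is scoped to, and naming the exact field in the authorization policy and the `requested-token-type` value the closing sentence ("ensure you select a token type that is available for your edition") refers to, so that sentence points at something concrete. The edition matrix itself is a pricing-tier claim with no source in the diff; link the edition comparison page it was taken from so the section can be kept in sync when tiers change.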
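Review bot: within patch 1 the three inserted info notes disagree on the parameter name: `github.md` says `requested-token-type` while `kubernetes-eks.md` and `kubernetes-gke.md` say `requested_token_type`, and patch 2 then rewrites the latter two to the hyphenated form. Squash the two commits so the underscore spelling never lands in history, and since the three notes are otherwise identical apart from the example token type, consider a shared partial or shortcode with the token type as an argument rather than three hand-maintained copies.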
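Review bot: in the `kubernetes-eks.md` hunk of patch 1 the surrounding text says pods exchange the EKS id_token "for a personal access token", and the new note presents `personal` as the demonstrated type without comment. A `personal` token ties a non-interactive workload to one individual's account, so the note (or the intro it follows) should say why the example chose it and steer readers whose edition offers `organization` or `team` tokens toward those for workloads; as written, the note reads as if the three types were interchangeable.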
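Review bot: the `_index.md` hunk in patch 2 ("To configure OIDC, refer to one of our guides:") still lists only the GitHub and GKE guides, yet this series edits `kubernetes-eks.md` as a third guide; add an EKS entry. The list also links to `/docs/pulumi-cloud/oidc/client/github/` while the new info notes link to `/docs/pulumi-cloud/access-management/oidc-client/#token-types-by-edition`, and the guides carry `aliases:` front matter, so one of these is an alias path: use the canonical `access-management/oidc-client/` path in both places so the links do not depend on the alias surviving.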
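Review bot: in the `kubernetes-eks.md` hunk of patch 2 the added comma after `serviceAccountName: "pulumi-service-account"` is needed (the object literal would not parse with `containers:` on the next line), but the `requested_token_type` to `requested-token-type` rename should be checked against the actual name used in the `curl -X POST` token-exchange example in `_index.md` (visible as context at the `@@ -155,5` hunk), since all three guides now send readers to that name and nothing in the diff shows which spelling the endpoint accepts. Separately, the context line `image: "pulumi/pulumi:latest"` runs the job that will hold the exchanged credential from a floating tag; the example should pin a version or digest.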