--- title: Pulumi | Keycard description: Manage cloud infrastructure with Pulumi IaC --- List stacks, search managed resources with Lucene queries, review policy violations, list organization users, run Pulumi Neo automation (bridge, tasks, continue, reset), look up Pulumi Registry types/resources/functions, and deploy application code to AWS via generated infrastructure. Adding Pulumi provisions three things in your zone: an upstream resource pointing at `https://mcp.ai.pulumi.com/mcp` (kept inside Keycard), a Keycard MCP Gateway URL - the downstream resource - that you install in Cursor, Claude Code, or any MCP client, and a provider for token exchange with Pulumi’s OAuth issuer. When your AI client makes a tool call, it sends a Keycard-issued access token to the gateway URL. Keycard’s STS exchanges that token for an upstream Pulumi token, the gateway calls the upstream MCP, and the response is proxied back. Your zone’s [identity provider](/admin/identity-providers/index.md), [access policies](/admin/access-policies/index.md), and audit log apply to every call - the upstream credential never leaves Keycard. Each call is recorded in the audit log with the user identity, the resource accessed, and the policy decision. ## Tools TOOLS Tools the upstream server exposes through the Keycard MCP Gateway. Pulumi exposes 14 tools through the gateway: - get-stacks List all stacks in the org (no filters); use resource-search for filtered or named stack queries - resource-search Search and analyze Pulumi-managed resources and stacks (Lucene syntax) - get-policy-violations Open policy violations by project, stack, or organization (security and compliance) - get-users List organization members when asked about users, admins, or teams - neo-bridge Run Pulumi Neo tasks: send follow-ups on the same taskId, paginate while has\_more, approvals only with explicit user consent - neo-get-tasks List Neo tasks with ids, statuses, and console links - neo-continue-task Poll a Neo task for status and new messages (read-only); send new instructions via neo-bridge with taskId - neo-reset-conversation Reset the Neo conversation for a specific task - get-type JSON schema for a specific Registry JSON schema type reference - get-resource Registry metadata for a Pulumi resource type - get-function Registry metadata for a Pulumi function - list-resources List resource types for a provider and module - list-functions List function types for a provider and module - deploy-to-aws Deploy app code to AWS by generating Pulumi infrastructure from project files (no prior analysis step required) ## Install INSTALL Add Pulumi to your zone and install the gateway URL into Cursor, Claude Code, or any MCP client. 1. **Open the catalog** In your zone’s [Keycard Console](https://console.keycard.ai), go to **Applications** → **Add Application** → **Explore MCP Servers**. 2. **Find and install Pulumi** Search for `Pulumi` in the catalog and click **Install**. 3. **Connect your development tool** Once installed, Pulumi appears on the **Applications** page with a **Keycard MCP Gateway URL**. Use the **Install** dropdown to add it to Cursor, Claude Code, or any MCP-compatible client. ## Related RELATED - [Catalog overview](/admin/catalog/index.md) - browse other MCP and API servers - [Access policies](/admin/access-policies/index.md) - control who can use Pulumi - [Identity providers](/admin/identity-providers/index.md) - control who can sign in [PreviousPayPal](/admin/catalog/mcp-servers/paypal/index.md)[NextSentry](/admin/catalog/mcp-servers/sentry/index.md)