pulumi login | CLI commands
Log in to the Pulumi Cloud
Synopsis
Log in to the Pulumi Cloud.
The Pulumi Cloud manages your stack’s state reliably. Simply run
$ pulumi login
and this command will prompt you for an access token, including a way to launch your web browser to
easily obtain one. You can script by using PULUMI_ACCESS_TOKEN environment variable.
By default, this will log in to the managed Pulumi Cloud backend. If you prefer to log in to a self-hosted Pulumi Cloud backend, specify a URL. For example, run
$ pulumi login https://api.pulumi.acmecorp.com
to log in to a self-hosted Pulumi Cloud running at the api.pulumi.acmecorp.com domain.
For https:// URLs, the CLI will speak REST to a Pulumi Cloud that manages state and concurrency control.
You can specify a default org to use when logging into the Pulumi Cloud backend or a self-hosted Pulumi Cloud.
If you prefer to operate Pulumi independently of a Pulumi Cloud, and entirely local to your computer,
pass file://<path>, where <path> will be where state checkpoints will be stored. For instance,
$ pulumi login file://~
will store your state information on your computer underneath ~/.pulumi. It is then up to you to
manage this state, including backing it up, using it in a team environment, and so on.
As a shortcut, you may pass –local to use your home directory (this is an alias for file://~):
$ pulumi login --local
Additionally, you may leverage supported object storage backends from one of the cloud providers to manage the state independent of the Pulumi Cloud. For instance,
AWS S3:
$ pulumi login s3://my-pulumi-state-bucket
GCP GCS:
$ pulumi login gs://my-pulumi-state-bucket
Azure Blob:
$ pulumi login azblob://my-pulumi-state-bucket
PostgreSQL:
$ pulumi login postgres://username:password@hostname:5432/database
pulumi login [<url>] [flags]
Options
-c, --cloud-url string A cloud URL to log in to
--default-org string A default org to associate with the login. Please note, currently, only the managed and self-hosted backends support organizations
-h, --help help for login
--insecure Allow insecure server connections when using SSL
--interactive Show interactive login options based on known accounts
-l, --local Use Pulumi in local-only mode
--oidc-expiration string The expiration for the cloud backend access token in duration format (e.g. '15m', '24h')
--oidc-org string The organization to use for OIDC token exchange audience
--oidc-team string The team when exchanging for a team token
--oidc-token string An OIDC token to exchange for a cloud backend access token. Can be either a raw token or a file path prefixed with 'file://'.
--oidc-user string The user when exchanging for a personal token
Options inherited from parent commands
--color string Colorize output. Choices are: always, never, raw, auto (default "auto")
-C, --cwd string Run pulumi as if it had been started in another directory
--disable-integrity-checking Disable integrity checking of checkpoint files
-e, --emoji Enable emojis in the output
-Q, --fully-qualify-stack-names Show fully-qualified stack names
--logflow Flow log settings to child processes (like plugins)
--logtostderr Log to stderr instead of to files
--memprofilerate int Enable more precise (and expensive) memory allocation profiles by setting runtime.MemProfileRate
--non-interactive Disable interactive mode for all commands
--profiling string Emit CPU and memory profiles and an execution trace to '[filename].[pid].{cpu,mem,trace}', respectively
--tracing file: Emit tracing to the specified endpoint. Use the file: scheme to write tracing data to a local file
-v, --verbose int Enable verbose logging (e.g., v=3); anything >3 is very verbose
SEE ALSO
- pulumi - Pulumi command line
Auto generated by spf13/cobra on 26-Nov-2025
Thank you for your feedback!
If you have a question about how to use Pulumi, reach out in Community Slack.
Open an issue on GitHub to report a problem or suggest an improvement.
