Private Sources
A Pulumi Deployment runs in an isolated environment that, by default, can only reach public repositories and package registries. If your program pulls code or packages from private sources, you need to give the deployment credentials to reach them. This page covers the two most common cases:
- Private Git dependencies — a Go module, a Pulumi component, or any other dependency your program fetches directly from a private Git repository.
- Private package feeds — a private npm, PyPI, or NuGet registry that hosts your packages.
Private Git dependencies
When your program depends on code in another private Git repository — for example a private Go module, or a component referenced from a private repo — the deployment needs Git access to clone it. Configure an SSH key with read access to the required repositories and tell Git to use SSH for GitHub. The same mechanism works regardless of the language or the kind of dependency, because the deployment is ultimately performing a git clone.
Add the following code to the Pre-run commands and toggle on Skip automatic dependency installation step in Advanced Settings. This writes the SSH key, trusts GitHub’s host key, and rewrites https://github.com URLs to use SSH so private clones authenticate with your key:

```
mkdir /root/.ssh && printf -- "$SSHKEY" > /root/.ssh/id_ed25519
chmod 600 /root/.ssh/id_ed25519
ssh-keyscan github.com >> ~/.ssh/known_hosts
cd .. && git config --global --add url.\"git@github.com:\".insteadOf \"https://github.com\"
```

Add SSHKEY as a secret environment variable on the deployment, with the contents of a private key that has read access to the repositories you need. Marking it secret ensures the value is encrypted and never shown in logs.
Because the insteadOf rule applies to all of GitHub, a single key with access to every required repository covers multiple private dependencies at once — there is no per-repository configuration to repeat.
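The checks below are an added example, not part of the Pulumi documentation: run after the pre-run commands above, they confirm that the key file is usable and that the insteadOf rule really rewrites a GitHub HTTPS URL to SSH before any dependency is fetched. The function names and the example-org/private-mod repository are placeholders chosen for illustration.

```shell
# Added example, not Pulumi's own code. Function names are hypothetical.

# check_key_file PATH: the key must be readable by its owner only, start with
# a PEM private-key header, and end in a newline (some OpenSSH versions reject
# a key whose final newline was lost when it was pasted into a secret).
# Error messages never include key material.
check_key_file() {
    key=$1
    [ -f "$key" ] || { echo "missing key file: $key" >&2; return 1; }
    case "$(ls -l "$key")" in
        -rw-------*) ;;
        *) echo "key file must be mode 600: $key" >&2; return 1 ;;
    esac
    case "$(head -n 1 "$key")" in
        "-----BEGIN "*" PRIVATE KEY-----") ;;
        *) echo "key file has no PEM header: $key" >&2; return 1 ;;
    esac
    # $(...) strips a trailing newline, so empty output means one is present.
    [ -z "$(tail -c 1 "$key")" ] || { echo "key lacks final newline" >&2; return 1; }
}

# effective_url URL: print the URL git will actually use after insteadOf
# rewriting. --get-url expands the URL and exits without contacting the remote.
effective_url() {
    git ls-remote --get-url "$1"
}

# check_rewrite URL: succeed only if URL is rewritten to SSH on github.com.
check_rewrite() {
    rewritten=$(effective_url "$1") || return 1
    case "$rewritten" in
        git@github.com:*) ;;
        *) echo "not rewritten to SSH: $rewritten" >&2; return 1 ;;
    esac
}

# Usage at the end of the pre-run commands (repository name is a placeholder):
#   check_key_file /root/.ssh/id_ed25519 || exit 1
#   check_rewrite https://github.com/example-org/private-mod || exit 1
```

A failed check stops the deployment with a specific message instead of a later, less obvious clone or authentication error.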
Private package feeds
If your dependencies come from a private package registry rather than a Git repository, authenticate to that registry instead of configuring SSH. Provide the registry token as a secret environment variable, then write the appropriate per-language configuration in the Pre-run commands:
- npm: Add the registry and auth token to a project .npmrc, for example:

  ```
  printf -- "//registry.example.com/:_authToken=%s\n@my-scope:registry=https://registry.example.com/\n" "$NPM_TOKEN" > .npmrc
  ```

- PyPI: Point pip at your index using a token-authenticated URL, for example via PIP_INDEX_URL:

  ```
  export PIP_INDEX_URL="https://__token__:$PYPI_TOKEN@pypi.example.com/simple"
  ```

- NuGet: Register the source with credentials:

  ```
  dotnet nuget add source https://nuget.example.com/v3/index.json --name private --username pulumi --password "$NUGET_TOKEN" --store-password-in-clear-text
  ```
In each case, store the token (NPM_TOKEN, PYPI_TOKEN, NUGET_TOKEN) as a secret environment variable so it is encrypted and kept out of logs. Leave Skip automatic dependency installation step off if you want Pulumi Deployments to install dependencies after your pre-run commands have configured the feed.