
esc login | CLI commands

    Log in to the Pulumi Cloud

    Synopsis

    Log in to the Pulumi Cloud.

    The Pulumi Cloud manages your Pulumi ESC environments. Simply run

    $ esc login
    

    and this command will prompt you for an access token, including a way to launch your web browser to easily obtain one. To script the login, set the PULUMI_ACCESS_TOKEN environment variable.

    By default, this will log in to the managed Pulumi Cloud backend. If you prefer to log in to a self-hosted Pulumi Cloud backend, specify a URL. For example, run

    $ esc login https://api.pulumi.acmecorp.com
    

    to log in to a self-hosted Pulumi Cloud running at the api.pulumi.acmecorp.com domain.

    For https:// URLs, the CLI will speak REST to a Pulumi Cloud that manages state and concurrency control. You can specify a default org to use when logging into the Pulumi Cloud backend or a self-hosted Pulumi Cloud.

    OIDC token exchange

    For secure authentication in CI/CD pipelines and automated workflows, you can use OIDC token exchange to log in without managing long-lived credentials. This feature exchanges a short-lived OIDC token from your identity provider for a Pulumi Cloud access token.

    To log in using OIDC token exchange, provide an OIDC token and your organization name:

    $ esc login --oidc-token <token> --oidc-org <org-name>
    

    The --oidc-token flag accepts either a raw token string or a file path prefixed with file://:

    $ esc login --oidc-token file:///path/to/token.txt --oidc-org my-org
    

    By default, the exchanged token is scoped to your organization. You can optionally scope it to a specific team or user:

    $ esc login --oidc-token <token> --oidc-org my-org --oidc-team my-team
    

    The exchanged access token expires after 2 hours by default. You can customize the expiration using the --oidc-expiration flag:

    $ esc login --oidc-token <token> --oidc-org my-org --oidc-expiration 4h
    

    This approach is particularly useful in environments like GitHub Actions, GitLab CI, or any CI/CD system that provides OIDC tokens, as it eliminates the need to store long-lived Pulumi access tokens as secrets.
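A raw token passed to --oidc-token sits on the command line, where it is visible in the process list and can end up in CI logs or shell history. The wrapper below is an added example, not part of the Pulumi documentation: it checks that the value looks like a compact JWT, writes it to an owner-only temporary file, and hands the CLI a file:// path instead. The variable names CI_OIDC_TOKEN and ESC_BIN and the function name are assumptions made for illustration.

```shell
# Added example, not from the Pulumi docs.
# Assumptions: the CI job has already placed its OIDC token in CI_OIDC_TOKEN
# (hypothetical variable name); ESC_BIN (hypothetical) overrides the esc binary.

# esc_oidc_login <org> [expiration]
# The body runs in a subshell so umask, traps and variables do not leak out.
esc_oidc_login() (
    org="${1:-}"
    expiration="${2:-}"            # empty: keep the CLI default (2 hours)
    esc_bin="${ESC_BIN:-esc}"

    [ -n "$org" ] || { echo "usage: esc_oidc_login <org> [expiration]" >&2; exit 2; }

    # An OIDC token is a compact JWT: three non-empty base64url segments.
    # Reject anything else (empty variable, masked value, error text) early.
    case "${CI_OIDC_TOKEN:-}" in
        *[!A-Za-z0-9._-]*|*.*.*.*|.*|*.|*..*)
            echo "CI_OIDC_TOKEN is not a compact JWT" >&2; exit 2 ;;
        *.*.*) ;;
        *)  echo "CI_OIDC_TOKEN is not a compact JWT" >&2; exit 2 ;;
    esac

    # Owner-only temp file, removed when the subshell exits or is interrupted.
    umask 077
    token_file=$(mktemp "${TMPDIR:-/tmp}/esc-oidc.XXXXXX") || exit 1
    trap 'rm -f "$token_file"' EXIT
    trap 'exit 130' INT TERM

    # printf is a shell builtin, so the token never appears in any argv.
    printf '%s' "$CI_OIDC_TOKEN" > "$token_file"

    # Build the argument list from flags documented on this page.
    set -- login --oidc-token "file://$token_file" --oidc-org "$org"
    if [ -n "$expiration" ]; then
        set -- "$@" --oidc-expiration "$expiration"
    fi

    rc=0
    "$esc_bin" "$@" || rc=$?
    rm -f "$token_file"
    exit "$rc"
)
```

Call it as esc_oidc_login my-org 1h once the job has obtained its OIDC token; a shorter expiration than the default narrows the window in which a leaked access token is usable.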

    Command

    esc login [<url>] [flags]
    

    Options

      -c, --cloud-url string         A cloud URL to log in to
          --default-org string       A default org to associate with the login.
      -h, --help                     help for login
          --insecure                 Allow insecure server connections when using SSL
          --shared                   Log in to the account in use by the pulumi CLI
          --oidc-expiration string   The expiration for the cloud backend access token in duration format (e.g. '15m', '24h')
          --oidc-org string          The organization to use for OIDC token exchange audience
          --oidc-team string         The team when exchanging for a team token
          --oidc-token string        An OIDC token to exchange for a cloud backend access token. Can be either a raw token or a file path prefixed with 'file://'.
          --oidc-user string         The user when exchanging for a personal token
    

    SEE ALSO

    • esc - Pulumi ESC command line
    Auto generated by spf13/cobra on 4-Nov-2025