---
title: Configure access
url: /docs/iac/get-started/azure/configure/
---
## Configure access to Azure

Pulumi's CLI needs access to your Azure account to manage cloud resources.

If you've already [installed](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) and [configured](https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli) the Azure CLI, Pulumi will respect and use your configuration settings.

You must use an Azure account that has rights to deploy and manage resources, such as storage accounts and blob containers.

### Testing access

To test that your Azure access is configured properly, run:

<!-- chooser: os -->
<!-- option: linux -->

```bash
$ az account show
```

<!-- /option -->

<!-- option: windows -->

```powershell
> az account show
```

<!-- /option -->
<!-- /chooser -->

If the command does not print your Azure subscription details, read on. If it prints them, as in the following sample output, your configuration is correct:

```json
{
  "environmentName": "AzureCloud",
  "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "isDefault": true,
  "name": "My Subscription",
  "state": "Enabled",
  "tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "user": {
    "name": "user@example.com",
    "type": "user"
  }
}
```

### Alternative approaches

If you don't have the Azure CLI installed, or you plan on using Pulumi in a CI/CD pipeline, you can [create a service principal](https://learn.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli) and set the following environment variables on your workstation:

<!-- chooser: os -->
<!-- option: linux -->

```bash
$ export ARM_CLIENT_ID="<YOUR_CLIENT_ID>"
$ export ARM_CLIENT_SECRET="<YOUR_CLIENT_SECRET>"
$ export ARM_TENANT_ID="<YOUR_TENANT_ID>"
$ export ARM_SUBSCRIPTION_ID="<YOUR_SUBSCRIPTION_ID>"
```

<!-- /option -->

<!-- option: windows -->

```powershell
> $env:ARM_CLIENT_ID = "<YOUR_CLIENT_ID>"
> $env:ARM_CLIENT_SECRET = "<YOUR_CLIENT_SECRET>"
> $env:ARM_TENANT_ID = "<YOUR_TENANT_ID>"
> $env:ARM_SUBSCRIPTION_ID = "<YOUR_SUBSCRIPTION_ID>"
```

<!-- /option -->
<!-- /chooser -->
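
A preflight check for the service-principal variables above, added here as an example and not part of Pulumi's or Azure's tooling. `check_arm_env` is a hypothetical helper name, and the GUID check assumes the client, tenant and subscription IDs have the same shape as the `id` and `tenantId` values in the sample `az account show` output.

```bash
# Added example: preflight check for the four service-principal variables.
# check_arm_env is a hypothetical helper name, not a Pulumi or Azure CLI command.
# Assumption: the client, tenant and subscription IDs are GUIDs; the secret
# has no fixed format, so it is only checked for presence.
# Messages name the variable only and never print its value, so the
# client secret cannot end up in terminal scrollback or CI logs.

check_arm_env() (
  rc=0
  guid='^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

  for name in ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID; do
    eval "value=\${$name-}"   # indirect lookup that works in POSIX sh
    if [ -z "$value" ]; then
      echo "missing: $name is unset or empty" >&2
      rc=1
      continue
    fi
    # Catch the documentation placeholders (<YOUR_...>) exported verbatim.
    case "$value" in
      "<"*">")
        echo "placeholder: $name still holds the template value" >&2
        rc=1
        continue
        ;;
    esac
    if [ "$name" != "ARM_CLIENT_SECRET" ] &&
       ! printf '%s\n' "$value" | grep -Eq "$guid"; then
      echo "malformed: $name is not a GUID" >&2
      rc=1
    fi
  done
  exit "$rc"   # the function body is a subshell, so this is its return status
)
```

In a pipeline step, call `check_arm_env || exit 1` before any `pulumi` command so a missing or malformed variable fails the job early.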

> **Note:** Consider using [Pulumi ESC's Azure login support](/docs/esc/integrations/dynamic-login-credentials/azure-login) for dynamic,
> short-lived Azure credentials via OpenID Connect (OIDC) instead of long-lived static credentials. This is a security best practice.

For detailed information on Pulumi's use of Azure credentials, see [Azure Setup](/registry/packages/azure-native/installation-configuration/).



