1. Docs
  2. Pulumi Cloud
  3. Self-hosting
  4. Components
  5. Pulumi console

Pulumi Cloud self-hosted console

    Self-hosting is only available with Pulumi Business Critical. If you would like to evaluate the Self-Hosted Pulumi Cloud, sign up for the 30 day trial or contact us.

    To manage your state with a self-managed backend, such as a cloud storage bucket, see State and Backends.

    The Pulumi Cloud allows users to view the stacks they have created and see any past activities recorded for those stacks. It also allows you to manage RBAC for your users.

    In order for the CLI to persist the state of a particular stack, a user must login to the CLI. In order to login to the CLI, you should have created an account using the Console first.


    The Console service depends on the API service. It relies on the API service for authentication callbacks. Depending on the type of authentication mechanism you choose for your users, the services in the Console container may need to communicate with the API container.


    • Provide a server or virtual machine to install and run the Pulumi components (see Minimum System Requirements below).

    You can run this container on the same host that your API container is running or on a different host. If you are running this container on a separate host than the API, be sure to set the appropriate environment variables (more on that below) in order for the Console to be able to reach the API service.

    Minimum System Requirements

    Compute1 CPU core w/ 1 GB memory

    What’s In The Container?

    The container image repository is private. Contact us if you would like to evaluate the Self-Hosted Pulumi Cloud.

    The Console container runs a web server using a Node 18-based image.


    The container runs a single web server which handles delivering UI static assets to your web browser, as well as handling authentication callbacks. The console will be served using port 3000 over HTTP by default. If TLS is configured the console will instead be served using port 3443 over HTTPS.

    Primary Environment Variables

    The following are the core environment variables that are required at a minimum.

    Tip: The quickstart solutions set reasonable default values for these variables, so you can get started without worrying about configuration.

    Variable NameDescription
    PULUMI_APIThe endpoint URL where the cloud APIs can be reached. This should match the value of PULUMI_API_DOMAIN. Default is http://localhost:8080.
    PULUMI_API_INTERNAL_ENDPOINTThe endpoint URL local to the container using which the Console app can reach the API container using a container-to-container network.
    PULUMI_CONSOLE_DOMAINPULUMI_CONSOLE_DOMAIN is used to redirect the user after they have signed-in using a social identity or SAML SSO e.g., “pulumi.example.com”
    PULUMI_HOMEPAGE_DOMAINPULUMI_HOMEPAGE_DOMAIN is used to redirect the user after they have signed-out e.g., “pulumi.example.com”

    Environment Variables For Identities

    Variable NameDescription
    RECAPTCHA_SITE_KEYUsed for password reset requests by users. Create a new reCaptcha v2.
    SAML_SSO_ENABLEDDefault is false. Set to true to enable the SAML SSO signin/signup option. Before enabling, make sure you have completed the steps in the Enabling SAML SSO guide.

    GitHub OAuth

    Variable NameDescription
    GITHUB_OAUTH_IDGitHub OAuth app client ID. Used for GitHub OAuth signins. Create a new GitHub OAuth app.
    GITHUB_OAUTH_SECRETGitHub OAuth app client secret. See above.

    GitLab OAuth

    Variable NameDescription
    GITLAB_OAUTH_IDGitLab OAuth app client ID. Used for GitLab OAuth signins. Create a new GitLab OAuth app.
    GITLAB_OAUTH_SECRETGitLab OAuth app client secret. See above.
    GITLAB_OAUTH_ENDPOINTThe domain for your GitLab instance. It defaults to https://gitlab.com, which should be used unless you are running GitLab on a custom domain.

    Bitbucket OAuth

    Variable NameDescription
    BITBUCKET_OAUTH_IDAtlassian Bitbucket OAuth consumer client ID. Used for Bitbucket OAuth signins.

    Email and password

    Variable NameDescription
    PULUMI_HIDE_EMAIL_LOGINWhen true, hides the email identity as a login option but does not disable the API handler. To disable the API handler for email logins set the API container environment variable PULUMI_DISABLE_EMAIL_LOGIN. Refer to the API container environment variables for more information.
    PULUMI_HIDE_EMAIL_SIGNUPWhen true hides the email identity as a signup option but does not disable the API handler. To disable the API handler for email signups set the API container environment variable PULUMI_DISABLE_EMAIL_SIGNUP. Refer to the API container environment variables for more information.

    TLS Environment Variables

    The following environment variables must be configured to enable TLS. The values of the environment variables may either be a filepath or the actual value of the entity. If these variables are set, the console will be served over HTTPS (i.e. using TLS) using port 3443. If the following variables are not set the console will default to serving over HTTP using port 3000.

    Variable NameDescription
    CONSOLE_TLS_CERTIFICATEThe TLS certificate. The certificate must be supplied in X.509 format and must be PEM encoded.
    CONSOLE_TLS_PRIVATE_KEYThe private key associated with the TLS certificate. The private key must be PEM encoded.
    CONSOLE_MIN_TLS_VERSIONThe minimum version of TLS to allow (must be in <major>.<minor> format, e.g. 1.2). This variable is optional, if not set a minimum version will not be enforced.
    ALLOW_INVALID_CERTSThis optional value can be set to allow connections originating from the Console container to the Cloud container to connect without TLS verification. This can be helpful in scenarios like testing or when using self-signed certs for internal traffic.

    Note: Self-signed certificates may be used to configure TLS in the event the need for a trusted entity is not necessary. A self-signed cert and private key may be generated using OpenSSL. The following command uses OpenSSL to generate a self-signed certificate. This example will output two files, the certificate (cert.pem) and the private key (key.pem) used to sign it.

    openssl \
      req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
      -days { days_until_expiration } -nodes -subj "/CN={ common_name }"
      Introducing Pulumi Copilot - Intelligent Cloud Management