Azure Native

v1.48.0 published on Monday, Nov 29, 2021 by Pulumi

Installation

The Azure Native provider is available as a package in all Pulumi languages:

Setup

To provision resources with the Pulumi Azure provider, you need to have an Azure CLI installed and you need to have Azure credentials. These instructions assume you’re using the Azure CLI 2.0. Your Azure credentials are never sent to Pulumi.com. Pulumi uses the Azure SDK and the credentials in your environment to authenticate requests from your computer to Azure.

Pulumi can authenticate to Azure using a Service Principal or the Azure CLI.

If you’re running the Pulumi CLI locally, in a developer scenario, we recommend using the Azure CLI. For team environments, particularly in CI, we recommend using a Service Principal.

Note: Authenticating using the CLI will not work for Service Principal logins (e.g., az login --service-principal). For such cases, authenticate using the Service Principal method instead.

Option 1: Use the CLI

Simply login to the Azure CLI and Pulumi will automatically use your credentials:

$ az login
The default web browser has been opened at https://login.microsoftonline.com/common/oauth2/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.

Do as instructed to login. After completed, az login will return and you are ready to go.

Note: If you’re using Government, China, or German Clouds, you’ll need to configure the Azure CLI to work with that cloud. Do so by running az cloud set --name <Cloud>, where <Cloud> is one of AzureUSGovernment, AzureChinaCloud, or AzureGermanCloud.

The Azure CLI, and thus Pulumi, will use the Default Subscription by default. You can override the subscription by setting your subscription ID to the id output from az account list’s output:

$ az account list

Pick out the <id> from the list and run:

$ az account set --subscription=<id>

Option 2: Use a Service Principal

A Service Principal is an application in Azure Active Directory with three authorization tokens: a client ID, a client secret, and a tenant ID. Using a Service Principal is the recommended way to connect Pulumi to Azure in a team or CI setting.

Create your Service Principal and get your tokens

To use a Service Principal, you must first create one. If you already have one, skip this section.

You can create a Service Principal using the Azure CLI, using the Azure Cloud Shell, or using the Azure Portal.

After creating a Service Principal, you will obtain three important tokens, mapping to the three shown earlier:

  • appId is the client ID
  • password is the client secret
  • tenant is the tenant ID

For example, a common Service Principal as displayed by the Azure CLI looks something like this:

{
  "appId": "WWWWWWWW-WWWW-WWWW-WWWW-WWWWWWWWWWWW",
  "displayName": "ServicePrincipalName",
  "name": "http://ServicePrincipalName",
  "password": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "tenant": "YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY"
}

You also need to obtain a Subscription ID. To retrieve your current Subscription ID, you can use:

$ az account show --query id -o tsv

To list all available subscriptions, you can use:

$ az account list --query '[].{subscriptionName:name,subscriptionId:id}' -o tsv

Make tokens available to Pulumi

Once you have the Service Principal’s authorization tokens, choose one of the ways below to make them available to Pulumi:

  1. Set them using configuration (and remember to pass --secret when setting clientSecret so that it is properly encrypted):

    $ pulumi config set azure-native:clientId <clientID>
    $ pulumi config set azure-native:clientSecret <clientSecret> --secret
    $ pulumi config set azure-native:tenantId <tenantID>
    $ pulumi config set azure-native:subscriptionId <subscriptionId>
    
  2. Set the environment variables ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID, and ARM_SUBSCRIPTION_ID

Configuration options

Use pulumi config set azure-native:<option> or pass options to the constructor of new azure-native.Provider.

OptionRequired/OptionalDescription
auxiliaryTenantIdsOptionalIt can also be sourced from the following environment variable: ARM_AUXILIARY_TENANT_IDS
clientCertificatePasswordOptionalThe password associated with the Client Certificate. For use when authenticating as a Service Principal using a Client Certificate It can also be sourced from the following environment variable: ARM_CLIENT_CERTIFICATE_PASSWORD
clientCertificatePathOptionalThe path to the Client Certificate associated with the Service Principal for use when authenticating as a Service Principal using a Client Certificate. It can also be sourced from the following environment variable: ARM_CLIENT_CERTIFICATE_PATH
clientIdOptionalThe Client ID which should be used. It can also be sourced from the following environment variable: ARM_CLIENT_ID
clientSecretOptionalThe Client Secret which should be used. For use When authenticating as a Service Principal using a Client Secret. It can also be sourced from the following environment variable: ARM_CLIENT_SECRET
disablePulumiPartnerIdOptionalThis will disable the Pulumi Partner ID which is used if a custom partnerId isn’t specified. It can also be sourced from the following environment variable: ARM_DISABLE_PULUMI_PARTNER_ID
environmentOptionalThe Cloud Environment which should be used. Possible values are public, usgovernment, german, and china. Defaults to public. It can also be sourced from the following environment variable: ARM_ENVIRONMENT
msiEndpointOptionalThe path to a custom endpoint for Managed Service Identity - in most circumstances this should be detected automatically. It can also be sourced from the following environment variable: ARM_MSI_ENDPOINT
partnerIdOptionalA GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution. It can also be sourced from the following environment variable: ARM_PARTNER_ID
subscriptionIdOptionalThe Subscription ID which should be used. It can also be sourced from the following environment variable: ARM_SUBSCRIPTION_ID
tenantIdOptionalThe Tenant ID which should be used. It can also be sourced from the following environment variable: ARM_TENANT_ID
useMsiOptionalAllowed Managed Service Identity be used for Authentication. It can also be sourced from the following environment variable: ARM_USE_MSI