Azure Native
Installation
The Azure Native provider is available as a package in all Pulumi languages:
- JavaScript/TypeScript:
@pulumi/azure-native
- Python:
pulumi-azure-native
- Go:
github.com/pulumi/pulumi-azure-native/sdk/go/azure
- .NET:
Pulumi.AzureNative
- Java:
com.pulumi.azurenative
Setup
To provision resources with the Pulumi Azure provider, you need to have an Azure CLI installed and you need to have Azure credentials. These instructions assume you’re using the Azure CLI 2.0. Your Azure credentials are never sent to Pulumi.com. Pulumi uses the Azure SDK and the credentials in your environment to authenticate requests from your computer to Azure.
Pulumi can authenticate to Azure using a Service Principal or the Azure CLI.
If you’re running the Pulumi CLI locally, in a developer scenario, we recommend using the Azure CLI. For team environments, particularly in CI, we recommend using a Service Principal.
Note: Authenticating using the CLI will not work for Service Principal logins (e.g.,
az login --service-principal
). For such cases, authenticate using the Service Principal method instead.
Option 1: Use the CLI
Simply login to the Azure CLI and Pulumi will automatically use your credentials:
$ az login
The default web browser has been opened at https://login.microsoftonline.com/common/oauth2/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
Do as instructed to login. After completed, az login
will return and you are ready to go.
Note: If you’re using Government, China, or German Clouds, you’ll need to configure the Azure CLI to work with that cloud. Do so by running
az cloud set --name <Cloud>
, where<Cloud>
is one ofAzureUSGovernment
,AzureChinaCloud
, orAzureGermanCloud
.
The Azure CLI, and thus Pulumi, will use the Default Subscription by default. You can override the subscription by setting your subscription ID to the id
output from az account list
’s output:
$ az account list
Pick out the <id>
from the list and run:
$ az account set --subscription=<id>
Option 2: Use a Service Principal
A Service Principal is an application in Azure Active Directory with three authorization tokens: a client ID, a client secret, and a tenant ID. Using a Service Principal is the recommended way to connect Pulumi to Azure in a team or CI setting.
Create your Service Principal and get your tokens
To use a Service Principal, you must first create one. If you already have one, skip this section.
You can create a Service Principal using the Azure CLI, using the Azure Cloud Shell, or using the Azure Portal.
After creating a Service Principal, you will obtain three important tokens, mapping to the three shown earlier:
appId
is the client IDpassword
is the client secrettenant
is the tenant ID
For example, a common Service Principal as displayed by the Azure CLI looks something like this:
{
"appId": "WWWWWWWW-WWWW-WWWW-WWWW-WWWWWWWWWWWW",
"displayName": "ServicePrincipalName",
"name": "http://ServicePrincipalName",
"password": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"tenant": "YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY"
}
You also need to obtain a Subscription ID. To retrieve your current Subscription ID, you can use:
$ az account show --query id -o tsv
To list all available subscriptions, you can use:
$ az account list --query '[].{subscriptionName:name,subscriptionId:id}' -o tsv
Make tokens available to Pulumi
Once you have the Service Principal’s authorization tokens, choose one of the ways below to make them available to Pulumi:
Set them using configuration (and remember to pass
--secret
when settingclientSecret
so that it is properly encrypted):$ pulumi config set azure-native:clientId <clientID> $ pulumi config set azure-native:clientSecret <clientSecret> --secret $ pulumi config set azure-native:tenantId <tenantID> $ pulumi config set azure-native:subscriptionId <subscriptionId>
Set the environment variables
ARM_CLIENT_ID
,ARM_CLIENT_SECRET
,ARM_TENANT_ID
, andARM_SUBSCRIPTION_ID
Configuration options
Use pulumi config set azure-native:<option>
or pass options to the constructor of new azure-native.Provider
.
Option | Required/Optional | Description |
---|---|---|
auxiliaryTenantIds | Optional | It can also be sourced from the following environment variable: ARM_AUXILIARY_TENANT_IDS |
clientCertificatePassword | Optional | The password associated with the Client Certificate. For use when authenticating as a Service Principal using a Client Certificate It can also be sourced from the following environment variable: ARM_CLIENT_CERTIFICATE_PASSWORD |
clientCertificatePath | Optional | The path to the Client Certificate associated with the Service Principal for use when authenticating as a Service Principal using a Client Certificate. It can also be sourced from the following environment variable: ARM_CLIENT_CERTIFICATE_PATH |
clientId | Optional | The Client ID which should be used. It can also be sourced from the following environment variable: ARM_CLIENT_ID |
clientSecret | Optional | The Client Secret which should be used. For use When authenticating as a Service Principal using a Client Secret. It can also be sourced from the following environment variable: ARM_CLIENT_SECRET |
disablePulumiPartnerId | Optional | This will disable the Pulumi Partner ID which is used if a custom partnerId isn’t specified. It can also be sourced from the following environment variable: ARM_DISABLE_PULUMI_PARTNER_ID |
environment | Optional | The Cloud Environment which should be used. Possible values are public, usgovernment, german, and china. Defaults to public. It can also be sourced from the following environment variable: ARM_ENVIRONMENT |
msiEndpoint | Optional | The path to a custom endpoint for Managed Service Identity - in most circumstances this should be detected automatically. It can also be sourced from the following environment variable: ARM_MSI_ENDPOINT |
partnerId | Optional | A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution. It can also be sourced from the following environment variable: ARM_PARTNER_ID |
subscriptionId | Optional | The Subscription ID which should be used. It can also be sourced from the following environment variable: ARM_SUBSCRIPTION_ID |
tenantId | Optional | The Tenant ID which should be used. It can also be sourced from the following environment variable: ARM_TENANT_ID |
useMsi | Optional | Allowed Managed Service Identity be used for Authentication. It can also be sourced from the following environment variable: ARM_USE_MSI |