pulumi login: Backends, Tokens & CI Errors
Point Pulumi at the backend that stores your state - and authenticate.
pulumi login selects and authenticates the state backend: Pulumi Cloud by default, or a self-managed backend (S3, Azure Blob, GCS, local). CI usually authenticates via an env var instead of an interactive login.
What it does
pulumi login establishes which backend holds your stacks’ state and stores credentials for it. With no argument it targets Pulumi Cloud; with a URL like s3://my-bucket it uses self-managed object storage. In CI, setting PULUMI_ACCESS_TOKEN (Cloud) or PULUMI_BACKEND_URL avoids the interactive flow.
Common usage
# Log into Pulumi Cloud (interactive opens a browser)
pulumi login
# Self-managed state in S3
pulumi login s3://my-pulumi-state
# CI: authenticate via env, no browser
export PULUMI_ACCESS_TOKEN=pul-xxxxxxxx
pulumi whoamiCommon error in CI: token missing or browser flow attempted
CI fails with "error: PULUMI_ACCESS_TOKEN must be set for login during non-interactive CI/CD" or stalls trying to open a browser. Fix: set PULUMI_ACCESS_TOKEN from a CI secret (Pulumi Cloud), or for self-managed backends pulumi login s3://... plus the cloud SDK credentials (AWS_*, etc.) the bucket needs. Verify with pulumi whoami early so auth fails fast with a clear message.
Key options
| Option | Purpose |
|---|---|
| (none) | Log into Pulumi Cloud |
| <backend-url> | Use a self-managed backend (s3://, gs://, azblob://, file://) |
| --local | Use local filesystem state |
| logout | Clear stored credentials |