Install, backends & your first project

pulumi new, login, up.

Beginner12 min · lesson 2 of 12

Pulumi is a single CLI plus a language runtime you already have (Node, Python, etc.). Install the CLI, then pulumi new scaffolds a project from a template for your language and cloud. Before you can deploy, Pulumi needs a backend to store state and a way to encrypt secrets — you log in to one with pulumi login.

terminal
$ curl -fsSL https://get.pulumi.com | sh
$ pulumi version
v3.130.0
$ pulumi login s3://acme-pulumi-state # self-managed state backend (or Pulumi Cloud)
$ pulumi new aws-typescript # scaffold a project + first stack
project name: payments-infra
stack name: dev

Backends

Two backend styles. Pulumi Cloud (the default app.pulumi.com) is a managed service storing state and secrets with a UI and history. A self-managed backend stores state in your own S3/Azure Blob/GCS bucket or on local disk — no third party, but you handle locking and secret-key management yourself. Both drive the identical CLI; choose based on whether you want a managed control plane or to keep everything in your own cloud.

terminal
$ pulumi up # preview, then deploy the current stack
Previewing update (dev):
Type Name Plan
+ pulumi:pulumi:Stack payments-infra-dev create
+ └─ aws:s3:Bucket logs create
Do you want to perform this update? yes
Resources: + 2 created
Choose and secure the secrets provider up front
On a self-managed backend, Pulumi encrypts secrets with a passphrase (PULUMI_CONFIG_PASSPHRASE) or a cloud KMS key by default — lose it and you cannot decrypt stack secrets or, sometimes, run updates. Decide on a KMS-backed provider for real stacks (not a passphrase in someone’s head), and back up the key like any other crown-jewel credential.