Deploy CloudSmith to Azure
Deploy CloudSmith to your Azure subscription using the Deploy to Azure button below. A guided wizard collects all required settings and provisions all Azure resources automatically. No command-line tools are required.
Prerequisites
- An Azure subscription
- Contributor role on the target resource group, plus Role Based Access Control Administrator on the subscription — or the Owner role, which covers both
The deployment creates a role assignment internally (the managed identity is assigned Key Vault Secrets User on the Key Vault). Contributor alone is not sufficient — RBAC Administrator or Owner is required.
Deploy
Click the button to open the CloudSmith guided deployment wizard in the Azure Portal:
The button opens a multi-step guided wizard in the Azure Portal — not the raw parameter form. You do not need to know about master keys, connection strings, or Azure resource naming.
Wizard steps
Step 1 — Basics
| Field | Required | What to enter |
|---|---|---|
| Subscription | Yes | Select your Azure subscription |
| Resource group | Yes | Create a new resource group (for example, rg-cloudsmith-prod) or select an existing one |
| Region | Yes | Azure region for all resources — Central US is recommended for initial deployments |
| Administrator Password | Yes | Password for the initial CloudSmith administrator account. See password rules |
Step 2 — CloudSmith Settings
| Field | Required | Default | What to enter |
|---|---|---|---|
| Environment | Yes | dev |
Deployment tier — dev, test, staging, or prod. Controls PostgreSQL SKU and Container App replica count. See Environment explained |
| Container Image Tag | Yes | v1.0.0 |
CloudSmith container image version. Use v1.0.0 for the latest stable release. See releases page for available tags |
| Database Administrator Username | No | cloudsmith |
PostgreSQL server administrator username. This is a low-level database account, separate from the CloudSmith portal login |
| Cost Center | No | Engineering |
Cost center tag for billing allocation. Applied to all Azure resources created by the deployment |
| Owner Email | No | (blank) | Email address of the person or team responsible for this deployment. Used for budget alerts and operational notifications |
Step 3 — Review + create
Review the summary of resources that will be created. Click Create to start the deployment.
Deployment typically takes 10–15 minutes. PostgreSQL Flexible Server is the slowest resource to provision.
About commonTags
The deployment automatically generates an Azure Policy-compliant tag set from your wizard inputs:
commonTags = {
Environment: <your Environment value>
CostCenter: <your Cost Center value>
Owner: <your Owner Email value>
Workload: cloudsmith
DataClassification: Internal
Criticality: Low
ManagedBy: arm
}
These tags are applied to every resource in the deployment. You do not fill in commonTags directly — the wizard builds it from your Cost Center and Owner Email inputs. If you deploy via the raw ARM parameter form (not the wizard), you will see commonTags as a required parameter — use the wizard link above to avoid this.
Field reference
Administrator Password rules
The administrator password must meet all of the following:
- Minimum 12 characters
- At least one uppercase letter (A-Z)
- At least one lowercase letter (a-z)
- At least one digit (0-9)
- At least one special character from:
! @ # $ % ^ & * ( ) _ + - = [ ] { } | ; : , . < > ?
The password is stored in Key Vault after deployment and is not visible in the Azure Portal.
Environment explained
| Environment | PostgreSQL SKU | Container Apps replicas | Use for |
|---|---|---|---|
dev |
Burstable B1ms | Scale to zero (cold start) | Local development, feature testing |
test |
Burstable B2s | Scale to zero | Automated testing, QA |
staging |
General Purpose D2s | Minimum 1 replica | Pre-production validation |
prod |
General Purpose D4s | Minimum 1 replica, HA enabled | Production workloads |
The environment value appears in all resource names (for example, ca-cloudsmith-api-prod-cus-001).
Container Image Tag
Tags follow semantic versioning and map directly to CloudSmith releases:
| Tag format | Meaning |
|---|---|
v1.0.0 |
Specific stable release — recommended for production |
sha-abc1234 |
Specific git commit SHA — used for testing specific builds |
Do not use main or latest — these tags do not exist in the CloudSmith container registry. If deployment fails with an image pull error, verify the tag exists on the releases page.
After deployment — find your URLs
When the deployment finishes, click Go to resource group, then select Deployments from the left menu and open the deployment named starting with cloudsmith.
Click Outputs to find:
| Output | Description |
|---|---|
portalUrl |
URL of the CloudSmith web portal |
apiUrl |
URL of the CloudSmith REST API |
Bookmark the portal URL — this is where you and your team will manage CloudSmith.
Complete first-run setup
Open the portal URL in a browser. CloudSmith shows the first-run setup wizard.
Fill in the following fields:
| Field | What to enter |
|---|---|
| Platform name | Display name for this CloudSmith instance (for example, Contoso Infrastructure) |
| Admin username | Your administrator login username |
| Admin email | Email address for the admin account |
| Admin password | Password for the admin account — this is the same password you entered in the wizard Basics step |
Click Complete setup. CloudSmith creates the admin account and redirects you to the dashboard.
What gets created
| Resource type | Name pattern | Purpose |
|---|---|---|
| Log Analytics Workspace | log-cloudsmith-{env}-{region}-{instance} |
Centralized log collection |
| Application Insights | appi-cloudsmith-{env}-{region}-{instance} |
Performance monitoring and distributed tracing |
| User-Assigned Managed Identity | id-cloudsmith-{env}-{region}-{instance} |
Keyless Key Vault access from Container Apps |
| Key Vault | kv-cloudsmith-{env}-{region}-{4-char-suffix} |
Stores master encryption key and database password |
| PostgreSQL Flexible Server | psql-cloudsmith-{env}-{region}-{instance} |
CloudSmith platform database |
| Container Apps Environment | cae-cloudsmith-{env}-{region}-{instance} |
Shared networking and scaling environment |
| Container App — API | ca-cloudsmith-api-{env}-{region}-{instance} |
.NET 9 REST API |
| Container App — Portal | ca-cloudsmith-portal-{env}-{region}-{instance} |
React portal served by nginx |
The Key Vault name includes a 4-character unique suffix derived from your resource group ID. This ensures vault names do not conflict with other deployments in the same region, even across different subscriptions.
Troubleshooting
I see a raw parameter form with a commonTags field
You followed a link to the raw ARM parameter form instead of the wizard. Use the Deploy to Azure button at the top of this page, which opens the guided wizard. The wizard builds commonTags from your inputs automatically — you never fill it in manually.
Deployment fails with VaultAlreadyExists
The resource group you chose may have a soft-deleted Key Vault from a previous deployment. You have two options:
- Use a new resource group — Key Vault names include a unique suffix per resource group, so a new RG always gets a fresh vault name.
- Purge the soft-deleted vault (if purge protection is not enabled):
az keyvault purge --name <vault-name> --location <region>
Deployment fails with a quota error
Azure Container Apps consume vCPU quota. Check your subscription quota for containerApps in the target region: Azure Portal > Subscriptions > (your subscription) > Usage + quotas. Request a quota increase if needed before redeploying.
Portal won’t load after a successful deployment
On dev and test environments, Container Apps may cold-start on the first request. Wait 60 seconds and refresh. If the portal still does not load, navigate to the portal Container App in Azure Portal, select Revisions and replicas, and confirm the active revision shows Running. Check Log stream for startup errors — the most common cause is an invalid image tag.
First-run wizard shows “Initial admin token has expired”
The initial admin token expires 24 hours after the API first starts. If more than 24 hours have passed, restart the API Container App twice (the second restart generates a fresh token).
Next steps
- Install the relay agent so CloudSmith can reach your on-premises infrastructure: Install the CloudSmith Relay
- Register your first cluster: Operations > Resources > Add site
- Configure an external identity provider (optional): Platform Management > Identity > Identity Providers