Deploy CloudSmith to Azure — CLI script

Deploy CloudSmith with a single script. The install script handles generating all secrets, tagging, and running the deployment — you only need your owner email.

Looking for the one-click portal wizard instead? See Deploy to Azure (Portal wizard)

Prerequisites

  • Azure CLI installed (az --version — 2.50.0 or later)
  • Azure subscription with Owner role (or Contributor + RBAC Administrator)
  • Logged in: az login

Linux / macOS

curl -fsSL https://raw.githubusercontent.com/cloudsmith-cloud/cloudsmith-installer/main/scripts/install-paas.sh | bash -s -- \
  --owner-email "ops@contoso.com"

Or download and run locally:

curl -fsSL -o install-paas.sh \
  https://raw.githubusercontent.com/cloudsmith-cloud/cloudsmith-installer/main/scripts/install-paas.sh
chmod +x install-paas.sh
./install-paas.sh --owner-email "ops@contoso.com"

Windows / PowerShell 7+

.\Install-CloudSmith-PaaS.ps1 -OwnerEmail "ops@contoso.com"

Or download and run in one line:

Invoke-WebRequest -Uri "https://raw.githubusercontent.com/cloudsmith-cloud/cloudsmith-installer/main/scripts/Install-CloudSmith-PaaS.ps1" -OutFile "Install-CloudSmith-PaaS.ps1"
.\Install-CloudSmith-PaaS.ps1 -OwnerEmail "ops@contoso.com"

What the script does

The script handles everything automatically:

  1. Verifies the Azure CLI and Bicep extension are installed — emits a clear error if either is missing
  2. Verifies you are logged into Azure
  3. Generates a secure master encryption key using openssl rand -base64 32 (Linux/macOS) or System.Security.Cryptography.RandomNumberGenerator (Windows) — you never see this value
  4. Generates a strong database password using the same secure random source
  5. Writes a cloudsmith-deploy.json file with all parameters — you can review or edit before deploying
  6. Downloads the latest CloudSmith Bicep template from GitHub
  7. Runs the Azure subscription-level deployment
  8. Prints the Portal URL and API URL when done

Parameters

Parameter Required Default Description
--owner-email / -OwnerEmail Yes Email for resource tagging and budget alerts
--location / -Location No centralus Azure region
--environment / -Environment No prod dev, test, stage, or prod — controls PostgreSQL SKU and Container App replica count
--instance / -Instance No 001 Short suffix to keep resource names unique across multiple deployments
--cost-center / -CostCenter No Engineering Cost center tag for billing allocation
--params-file / -ParamsFile No cloudsmith-deploy.json Path to write the parameters file before deployment

After deployment

When the script completes it prints:

CloudSmith deployed successfully
  Portal : https://ca-cloudsmith-portal-prod-cus-001-...
  API    : https://ca-cloudsmith-api-prod-cus-001-...

Open the Portal URL in a browser and complete the first-run setup wizard to create your admin account.

Advanced — customise before deploying

The script writes cloudsmith-deploy.json before running the deployment. To review or change values before the deployment runs, edit the file after it is written and then run the deployment manually:

# Linux / macOS — run script to generate params only, then inspect
./install-paas.sh --owner-email "ops@contoso.com" --params-file my-params.json
# Edit my-params.json if needed, then:
az deployment sub create \
  --name "cloudsmith-$(date +%Y%m%d%H%M)" \
  --location centralus \
  --template-file main.bicep \
  --parameters @my-params.json

Advanced — manual az deployment sub create

If you prefer full control without the script, you can deploy directly using the Azure CLI with the Bicep template from the repository:

git clone https://github.com/cloudsmith-cloud/cloudsmith-installer
cd cloudsmith-installer

MASTER_KEY=$(openssl rand -base64 32)
PG_PASS=$(openssl rand -base64 16 | tr -d '/+=' | head -c 16)
PG_PASS="${PG_PASS}Aa1!"

az deployment sub create \
  --name "cloudsmith-manual-001" \
  --location centralus \
  --template-file iac/main.bicep \
  --parameters \
    environment=prod \
    instance=001 \
    imageTag=v1.0.0 \
    postgresAdminUser=cloudsmith \
    postgresAdminPassword="$PG_PASS" \
    masterKey="$MASTER_KEY" \
    Owner="ops@contoso.com" \
    CostCenter=Engineering

Note: passing complex object parameters (like commonTags) via inline --parameters is not supported in PowerShell due to JSON quoting. Use a parameters file (@file.json) for those cases.

Troubleshooting

az: command not found — Install the Azure CLI: https://aka.ms/installazurecliwindows

Bicep extension missing — Run az bicep install to add it.

Deployment fails with VaultAlreadyExists — A soft-deleted Key Vault from a previous deployment is conflicting. Either use a different resource group (recommended) or purge the soft-deleted vault: az keyvault purge --name <vault-name> --location <region>.

RequestDisallowedByPolicy — Your subscription may enforce additional tags. Edit cloudsmith-deploy.json and add the required tags, then re-run the az deployment sub create command with --parameters @cloudsmith-deploy.json.