Quickstart

Upbound is a global platform for building, deploying, and operating cloud platforms using managed control planes.

The value of Upbound

As your infrastructure scales, it can be difficult to deal with tech sprawl in a cloud native world. By offering abstract APIs, Upbound simplifies complex infrastructure management, making it more accessible for development teams.

Upbound is useful for companies that need a unified control and management system for their diverse cloud infrastructures. Upbound stands out by providing fully managed control planes, a unified operating model for extensive management across various cloud services, and GitOps-driven workflows. This combination of features allows organizations to efficiently manage their cloud footprint, streamline developer operations, and maintain consistency across different cloud environments.

Prerequisites

You need the following:

  • An Upbound account.
  • An AWS, Azure, or GCP account with permissions to manage IAM policies.
  • A GitHub account with permission to install GitHub Apps.
Tip
If you don’t have an Upbound account, sign up for a free trial.

Get started

This quickstart guides you through how to create your first managed control plane in Upbound. Connect Upbound to your cloud provider, and use your control plane to create and manage infrastructure.

After you register your Upbound account, walk through the interactive “Get Started” demo below.

Connect to your cloud provider with OpenID Connect

While Upbound creates your control plane, connect Upbound to AWS.

Upbound recommends using OpenID Connect (OIDC) to authenticate to AWS without exchanging any private information.

Create an AWS IAM Role with a Custom trust policy for the OIDC connector.

Important
You can find your AWS account ID by selecting the account dropdown in the upper right corner of the AWS console.

Provide your AWS account ID, Upbound organization and control plane names in the JSON Policy below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam:::oidc-provider/proidc.upbound.io"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "proidc.upbound.io:sub": "mcp::provider:provider-aws",
          "proidc.upbound.io:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}

Follow along with the demo below:

While Upbound creates your control plane, connect Upbound to Azure.

Upbound recommends using OpenID Connect (OIDC) to authenticate to Azure without exchanging any private information.

Create an identity pool

  1. Open the Azure portal.
  2. Select Azure Active Directory.
  3. If this is your first time registering Upbound as an identity provider in Azure Active Directory, select App registrations
  4. At the top of the page, select New registration.
  5. Name the pool, like upbound-oidc-provider.
  6. In the Supported account types section select Accounts in this organizational directory only.
  7. In the Redirect URI section select Web and leave the URL field blank.
  8. Select Register.
Upbound Get Started Configure OIDC screen for Azure

Create a federated credential

To allow the upbound-oidc-provider registration created in the previous step to trust the Upbound Control Plane, do the following in the resource view.

  1. Select Certificates and secrets in the left navigation.
  2. Select Federated credentials tab.
  3. Select Add credential.
  4. In Federated credential scenario select Other Issuer.
  5. In Issuer enter https://proidc.upbound.io.
  6. In Subject identifier enter:
mcp::provider-provider-azure
  1. In Credential details name enter:
upbound--provider-azure
  1. In Credential details description enter:
upbound MCP  Provider provider-azure
  1. Leave Audience unmodified with api://AzureADTokenExchange.
  2. Select Add.
Azure configure app registration

Grant permissions to the service principal

For your control plane to be able to perform actions required by this configuration, you need to grant permissions to the Application Service Principal. Assign a role to the Application Service Principal by following instructions at Assign a role to the application.

  1. Open the Azure portal
  2. Select Subscriptions.
  3. Select your subscription.
  4. Select Access control (IAM) in the left navigation.
  5. Select Add and select Add role assignment.
  6. Find and select the Contributor role on the Privileged administrator roles tab.
  7. Select Next.
  8. In Assign access to select User, group, or service principal.
  9. Select Select members.
  10. Find your application by entering upbound-oidc-provider in the search field.
  11. Select Select.
  12. Select Review + assign.
  13. Make sure everything is correct and press Review + assign again.
Azure grant permissions to service principal

Finish configuring the Upbound identity provider

Back in Upbound, finish configuring the identity provider.

In the Application (client) ID field enter your Application (client) ID.

For the Directory (tenant) ID field, enter your Directory (tenant) ID. You can find this by selecting your Application under Azure Active Directory -> Application Registrations.

In the Azure Subscription ID field, enter your Subscription ID. You can find this by selecting your Subscription in the Azure portal.

Upbound configuration to connect to Azure with OIDC

Select Authenticate. Select Launch Control Plane.

While Upbound creates your control plane, connect Upbound to GCP.

Upbound recommends using OpenID Connect (OIDC) to authenticate to GCP without exchanging any private information.

Warning

GCP doesn’t authenticate a second OIDC pool in the same project connecting to Upbound.

Add a new Service Account to the existing pool instead.

Create an identity pool

  1. Open the GCP IAM Admin console.
  2. Select Workload Identity Federation.
  3. If this is your first Workload Identity Federation configuration select Get Started
  4. At the top of the page, select Create Pool.
  5. Name the pool, like upbound-oidc-pool.
  6. Enter a description like An identity provider for Upbound.
  7. Enable the pool.
  8. Select Continue
Upbound Get Started Configure OIDC screen for GCP

Add Upbound to the pool

Under the Add a provider to pool configuration under Select a provider use OpenID Connect (OIDC)

Provider Name: upbound-oidc-provider Provider ID: upbound-oidc-provider-id Issuer (URL): https://proidc.upbound.io

Select Allowed audiences For Audience 1 enter sts.googleapis.com

Select Continue.

GCP add a provider to pool configuration

Configure provider attributes

The provider attributes restrict which remote entities you allow access to your resources. When Upbound authenticates to GCP it provides an OIDC subject (sub) in the form:

mcp:<account>/<mcp-name>:provider:<provider-name>

Configure the google.subject attribute as assertion.sub

Under Attribute Conditions select Add Condition.

To authenticate any managed control plane in your organization, in the Conditional CEL input box put

google.subject.contains("mcp:")
Warning
Not providing a CEL condition allows any Upbound managed control plane to access your GCP account if they know the project ID and service account name.

Select Save.

GCP configure provider attributes configuration

Create a GCP Service Account

GCP requires Upbound to use a Service Account. The required GCP roles of the service account depend on the services managed by your control plane.

  1. Open the GCP IAM Admin console.
  2. Select Service Accounts.
  3. From the top of the page, select Create Service Account.
Service account details

Under Service account details enter Service account name: upbound-service-account Service account ID: upbound-service-account-id Description: Upbound managed control planes service account

Select Create and Continue.

GCP service account creation screen
Grant this service account access to project

For the CloudSQL as a service configuration the service account requires the roles: Cloud SQL Admin Workload Identity User

Select Done.

GCP service project access screen
Record the service account email address

At the list of service accounts copy the service account email. Upbound requires this to authenticate your managed control plane.

list of GCP service accounts

Add the service account to the identity pool

Add the service account to the Workload Identity Federation pool to authenticate to Upbound with OIDC.

  1. Return to the Workload Identity Federation page and select the upbound-oidc-pool.
  2. Near the top of the page select Grant Access.
  3. Select the new service account, upbound-service-account.
  4. Under Select principals use All identities in the pool.
Pool select service account screen

Select Save. In the Configure your application window, select Dismiss.

Enable the Cloud SQL Admin GCP API

GCP requires explicitly enabling the Cloud SQL Admin API.

Go to the Cloud SQL Admin API page in the GCP console.

Select Enable.

Enable the Cloud SQL Admin API in the GCP console

Finish configuring the Upbound identity provider

Back in Upbound, finish configuring the identity provider.

In the Identifier of GCP project field enter your GCP project ID.

For the Name of federated identity provider, edit your GCP Project Number and enter:

projects//locations/global/workloadIdentityPools/upbound-oidc-pool/providers/upbound-oidc-provider

Note

The identity provider format is:

projects/<GCP_PROJECT_NUMBER>/locations/global/workloadIdentityPools/<OIDC_POOL_NAME>/providers/<OIDC_POOL_PROVIDER_NAME>

In the Identifier of GCP Project enter the Project ID.

In the Name of federated identity provider field.

In the Attached service account email address field enter the service account email.

Upbound configuration to connect to GCP with OIDC

Select Finalize & Launch Control Plane.

Create your first resource

Use the suggested values below for your cluster information:

  • name: my-app-cluster
  • namespace: default
  • id: my-app-cluster
  • count: 1
  • size: small

Congratulations, you created your first resources with your MCP.

Next steps

To learn more about the core concepts of Upbound, read the concepts documentation. To learn how to begin building your own platform on Upbound, read the Crossplane Architecture Framework.