Upbound is a global platform for building, deploying, and operating cloud platforms using managed control planes.
The value of Upbound
As your infrastructure scales, it can be difficult to deal with tech sprawl in a cloud native world. By offering abstract APIs, Upbound simplifies complex infrastructure management, making it more accessible for development teams.
Upbound is useful for companies that need a unified control and management system for their diverse cloud infrastructures. Upbound stands out by providing fully managed control planes, a unified operating model for extensive management across various cloud services, and GitOps-driven workflows. This combination of features allows organizations to efficiently manage their cloud footprint, streamline developer operations, and maintain consistency across different cloud environments.
Prerequisites
You need the following:
- An Upbound account.
- An AWS, Azure, or GCP account with permissions to manage IAM policies.
- A GitHub account with permission to install GitHub Apps.
Get started
This quickstart guides you through how to create your first managed control plane in Upbound. Connect Upbound to your cloud provider, and use your control plane to create and manage infrastructure.
After you register your Upbound account, walk through the interactive “Get Started” demo below.
Connect to your cloud provider with OpenID Connect
While Upbound creates your control plane, connect Upbound to AWS.
Upbound recommends using OpenID Connect (OIDC) to authenticate to AWS without exchanging any private information.
Create an AWS IAM Role with a Custom trust policy for the OIDC connector.
Fill in your AWS account ID and your Upbound organization and control plane names where the angle-bracket placeholders appear in the JSON policy below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/proidc.upbound.io"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "proidc.upbound.io:sub": "mcp:<account>/<mcp-name>:provider:provider-aws",
          "proidc.upbound.io:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
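The trust policy above is only as safe as its conditions: the Federated ARN must carry your account ID, and the sub condition must name exactly one control plane. As an added example (not Upbound's code), this Python script fills the template from the three values the page asks for and lints a policy for the mistakes that widen who can assume the role; the 12-digit account ID, organization and control plane names are constructed placeholders.

```python
import re

# Issuer hostname and provider name exactly as in the page's trust policy.
ISSUER = "proidc.upbound.io"
PROVIDER = "provider-aws"
# Exactly one control plane: mcp:<account>/<mcp-name>:provider:provider-aws (page's subject format).
SUBJECT_RE = re.compile(rf"^mcp:[^/:]+/[^/:]+:provider:{PROVIDER}$")
FEDERATED_RE = re.compile(rf"^arn:aws:iam::\d{{12}}:oidc-provider/{re.escape(ISSUER)}$")

def build_trust_policy(aws_account_id: str, org: str, mcp_name: str) -> dict:
    """Fill the page's trust-policy template for a single control plane."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{aws_account_id}:oidc-provider/{ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # StringEquals pins the role to one control plane and the STS audience.
                "StringEquals": {
                    f"{ISSUER}:sub": f"mcp:{org}/{mcp_name}:provider:{PROVIDER}",
                    f"{ISSUER}:aud": "sts.amazonaws.com",
                },
            },
        }],
    }

def lint_trust_policy(policy: dict) -> list:
    """Findings for each web-identity statement; [] means the policy is as tight
    as the page's template: account ID present, sub pinned, aud set, no wildcards."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not FEDERATED_RE.match(federated):
            findings.append(f"federated principal {federated!r} lacks a 12-digit AWS account ID or the issuer is wrong")
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        sub = equals.get(f"{ISSUER}:sub", "")
        if not SUBJECT_RE.match(sub):
            findings.append(f"sub {sub!r} is not pinned to one control plane")
        if equals.get(f"{ISSUER}:aud") != "sts.amazonaws.com":
            findings.append("aud condition is missing or is not sts.amazonaws.com")
        if "StringLike" in cond:
            findings.append("StringLike condition present; check it does not wildcard the sub")
    return findings
```

Passing empty strings for all three values reproduces the extracted template with the placeholders stripped (`arn:aws:iam:::...`, `mcp:/:provider:provider-aws`), which the linter flags on both counts.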
While Upbound creates your control plane, connect Upbound to Azure.
Upbound recommends using OpenID Connect (OIDC) to authenticate to Azure without exchanging any private information.
Create an identity pool
- Open the Azure portal.
- Select Azure Active Directory.
- If this is your first time registering Upbound as an identity provider in Azure Active Directory, select App registrations.
- At the top of the page, select New registration.
- Name the pool, like upbound-oidc-provider.
- In the Supported account types section select Accounts in this organizational directory only.
- In the Redirect URI section select Web and leave the URL field blank.
- Select Register.
Create a federated credential
To allow the upbound-oidc-provider registration created in the previous step to trust the Upbound Control Plane, do the following in the resource view.
- Select Certificates and secrets in the left navigation.
- Select Federated credentials tab.
- Select Add credential.
- In Federated credential scenario select Other Issuer.
- In Issuer enter https://proidc.upbound.io.
- In Subject identifier enter:
mcp:<account>/<mcp-name>:provider:provider-azure
- In Credential details name enter:
upbound--provider-azure
- In Credential details description enter:
upbound MCP Provider provider-azure
- Leave Audience unmodified with api://AzureADTokenExchange.
- Select Add.
Grant permissions to the service principal
For your control plane to be able to perform actions required by this configuration, you need to grant permissions to the Application Service Principal. Assign a role to the Application Service Principal by following instructions at Assign a role to the application.
- Open the Azure portal.
- Select Subscriptions.
- Select your subscription.
- Select Access control (IAM) in the left navigation.
- Select Add and select Add role assignment.
- Find and select the Contributor role on the Privileged administrator roles tab.
- Select Next.
- In Assign access to select User, group, or service principal.
- Select Select members.
- Find your application by entering upbound-oidc-provider in the search field.
- Select Select.
- Select Review + assign.
- Make sure everything is correct and press Review + assign again.
Finish configuring the Upbound identity provider
Back in Upbound, finish configuring the identity provider.
In the Application (client) ID field enter your Application (client) ID.
For the Directory (tenant) ID field, enter your Directory (tenant) ID. You can find this by selecting your Application under Azure Active Directory -> Application Registrations.
In the Azure Subscription ID field, enter your Subscription ID. You can find this by selecting your Subscription in the Azure portal.
Select Authenticate. Select Launch Control Plane.
While Upbound creates your control plane, connect Upbound to GCP.
Upbound recommends using OpenID Connect (OIDC) to authenticate to GCP without exchanging any private information.
GCP does not allow a second OIDC pool in the same project to authenticate to Upbound.
If a pool already exists, add a new Service Account to the existing pool instead.
Create an identity pool
- Open the GCP IAM Admin console.
- Select Workload Identity Federation.
- If this is your first Workload Identity Federation configuration, select Get Started.
- At the top of the page, select Create Pool.
- Name the pool, like upbound-oidc-pool.
- Enter a description like An identity provider for Upbound.
- Enable the pool.
- Select Continue.
Add Upbound to the pool
Under Add a provider to pool, for Select a provider choose OpenID Connect (OIDC) and enter:
- Provider name: upbound-oidc-provider
- Provider ID: upbound-oidc-provider-id
- Issuer (URL): https://proidc.upbound.io
Select Allowed audiences and, for Audience 1, enter sts.googleapis.com.
Select Continue.
Configure provider attributes
The provider attributes restrict which remote identities may access your resources.
When Upbound authenticates to GCP it presents an OIDC subject (sub) in the form:
mcp:<account>/<mcp-name>:provider:<provider-name>
Configure the google.subject attribute as assertion.sub.
Under Attribute Conditions select Add Condition.
To authenticate any managed control plane in your organization, enter the following in the Conditional CEL input box:
google.subject.contains("mcp:")
Select Save.
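Given the subject format above, the condition google.subject.contains("mcp:") is a substring test: it also admits tokens whose subject names a control plane in a different Upbound account, because every Upbound subject starts with mcp:. As an added example (not Upbound's code), this Python model parses subjects into account, control plane and provider, compares the page's condition with an assumed account-scoped one equivalent to google.subject.startsWith("mcp:<account>/"), and reports which foreign accounts each condition would let through; the sample subjects and account names are constructed.

```python
import re
from typing import Callable, Dict, List, Optional

# Subject format the page gives for the token Upbound presents to GCP
# (assertion.sub, mapped to google.subject): mcp:<account>/<mcp-name>:provider:<provider-name>
SUBJECT_RE = re.compile(r"^mcp:(?P<account>[^/:]+)/(?P<mcp>[^/:]+):provider:(?P<provider>[^:]+)$")

def parse_subject(subject: str) -> Optional[Dict[str, str]]:
    """Split a google.subject value into account, control plane and provider; None if malformed."""
    match = SUBJECT_RE.match(subject)
    return match.groupdict() if match else None

def page_condition(subject: str) -> bool:
    """Python model of the page's CEL condition: google.subject.contains("mcp:")."""
    return "mcp:" in subject

def account_scoped_condition(account: str) -> Callable[[str], bool]:
    """Assumed tighter condition, equivalent to google.subject.startsWith("mcp:<account>/")."""
    return lambda subject: subject.startswith(f"mcp:{account}/")

def foreign_accounts_admitted(condition: Callable[[str], bool], subjects: List[str], my_account: str) -> List[str]:
    """Accounts other than my_account whose control planes the condition would let through."""
    found = []
    for subject in subjects:
        parsed = parse_subject(subject)
        if condition(subject) and parsed and parsed["account"] != my_account:
            found.append(parsed["account"])
    return sorted(set(found))

# Constructed sample subjects (not from the page): two control planes in "my-org",
# one in another Upbound account, and one that is not an Upbound subject at all.
SAMPLE_SUBJECTS = [
    "mcp:my-org/prod-mcp:provider:provider-gcp",
    "mcp:my-org/dev-mcp:provider:provider-gcp",
    "mcp:other-org/their-mcp:provider:provider-gcp",
    "user:someone@example.com",
]

if __name__ == "__main__":
    loose = [s for s in SAMPLE_SUBJECTS if page_condition(s)]
    tight = [s for s in SAMPLE_SUBJECTS if account_scoped_condition("my-org")(s)]
    print('contains("mcp:") admits:', loose)
    print('startsWith("mcp:my-org/") admits:', tight)
    print("foreign accounts admitted by contains:", foreign_accounts_admitted(page_condition, SAMPLE_SUBJECTS, "my-org"))
```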
Create a GCP Service Account
GCP requires Upbound to use a Service Account. The required GCP roles of the service account depend on the services managed by your control plane.
- Open the GCP IAM Admin console.
- Select Service Accounts.
- From the top of the page, select Create Service Account.
Service account details
Under Service account details enter:
- Service account name: upbound-service-account
- Service account ID: upbound-service-account-id
- Description: Upbound managed control planes service account
Select Create and Continue.
Grant this service account access to project
For the CloudSQL as a service configuration, the service account requires the following roles:
- Cloud SQL Admin
- Workload Identity User
Select Done.
Record the service account email address
At the list of service accounts copy the service account email. Upbound requires this to authenticate your managed control plane.
Add the service account to the identity pool
Add the service account to the Workload Identity Federation pool to authenticate to Upbound with OIDC.
- Return to the Workload Identity Federation page and select the upbound-oidc-pool.
- Near the top of the page select Grant Access.
- Select the new service account, upbound-service-account.
- Under Select principals use All identities in the pool.
Select Save. In the Configure your application window, select Dismiss.
Enable the Cloud SQL Admin GCP API
GCP requires explicitly enabling the Cloud SQL Admin API.
Go to the Cloud SQL Admin API page in the GCP console.
Select Enable.
Finish configuring the Upbound identity provider
Back in Upbound, finish configuring the identity provider.
In the Identifier of GCP project field enter your GCP project ID.
For the Name of federated identity provider field, enter the following, substituting your GCP project number:
projects/<GCP_PROJECT_NUMBER>/locations/global/workloadIdentityPools/upbound-oidc-pool/providers/upbound-oidc-provider
The identity provider format is:
projects/<GCP_PROJECT_NUMBER>/locations/global/workloadIdentityPools/<OIDC_POOL_NAME>/providers/<OIDC_POOL_PROVIDER_NAME>
In the Attached service account email address field enter the service account email.
Select Finalize & Launch Control Plane.
Create your first resource
Use the suggested values below for your cluster information:
- name: my-app-cluster
- namespace: default
- id: my-app-cluster
- count: 1
- size: small
Congratulations, you created your first resources with your MCP.
Next steps
To learn more about the core concepts of Upbound, read the concepts documentation. To learn how to begin building your own platform on Upbound, read the Crossplane Architecture Framework.