Upbound Docs - Deploy your first control plane with AWS

Deploy your first control plane with AWS

This quickstart guides you through how to create your first managed control plane in Upbound. Connect Upbound to AWS, and use your control plane to create and manage EKS clusters.

Prerequisites

You need the following:

An Upbound account.
An AWS account with permissions to manage IAM policies.
A GitHub account with permission to install GitHub Apps.

Tip

If you don’t have an Upbound account, sign up for a free trial.

Get started

The first time you sign in to Upbound, you are through a Get Started experience designed to bootstrap your environment in the matter of minutes. Go to Upbound to start the experience.

Create an organization

Your first time in Upbound you must create an organization. Give your organization an ID and a friendly name.

Select Create Organization.

On the next screen, start your free trial. This trial allows you to create up to three managed control planes, three configurations, and invite a total of 10 team members in an organization.

Upbound offers a curated gallery of Crossplane configurations for you to choose from. These configurations provide ready-built APIs that Upbound installs in your control plane. You can select the source link to view the configuration files that define this API in GitHub.

Select the Configuration called EKS as a service.

Connect to GitHub

After you’ve selected a Configuration, you need to connect Upbound to your GitHub account. Upbound uses GitHub’s authorization flow and installs a GitHub app into your account.

Select Connect to GitHub.

a marketplace search filter with Providers and Official filters set

Tip

Git connectivity is at the core of Upbound’s workflows. To learn more about git integration, read the GitOps with MCP section.

After you’ve connected to GitHub, select an account owner and repository name. Upbound creates a new repository under your account and clones the contents of the Configuration into that repository.

Give your repository a name, like my-control-plane-api.

Select Clone configuration to GitHub.

Create a managed control plane

After Upbound clones the Configuration into your own repository, create a managed control plane.

Give your control plane a name, like my-control-plane.

Select Create Control Plane.

Connect to AWS with OIDC

While Upbound creates your control plane, connect Upbound to AWS.

Upbound recommends using OpenID Connect (OIDC) to authenticate to AWS without exchanging any private information.

Add Upbound as an OpenID Connect provider

Open the AWS IAM console.
Under the AWS IAM services, select Identity Providers > Add Provider.
Select OpenID Connect and use
https://proidc.upbound.io as the Provider URL and
sts.amazonaws.com as the Audience.
Select Get thumbprint.
Select Add provider.

Create an AWS IAM Role for Upbound

Create an AWS IAM Role with a Custom trust policy for the OIDC connector.

Important

Provide your AWS account ID, Upbound organization and control plane names in the JSON Policy below.

You can find your AWS account ID by selecting the account dropdown in the upper right corner of the AWS console.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Federated": "arn:aws:iam:::oidc-provider/proidc.upbound.io"
			},
			"Action": "sts:AssumeRoleWithWebIdentity",
			"Condition": {
				"StringEquals": {
					"proidc.upbound.io:sub": "mcp::provider:provider-aws",
					"proidc.upbound.io:aud": "sts.amazonaws.com"
				}
			}
		}
	]
}

Attach the AmazonEC2FullAccess permission policy.
Name the role upbound-eks-role and select Create role.
View the new role and copy the role ARN.

Provide the ARN to Upbound

Return to Upbound and paste the ARN you copied in the previous step into the input at the bottom of the form.
Select Authenticate.
Select Confirm and Launch Control Plane.

Upbound Get Started Confirm and Launch screen

Welcome to the Upbound Console

After completing the Get Started experience, you are in the Upbound Console and greeted by the Control Planes screen.

The control plane details view gives users a view into what’s happening on their control planes.

Tip

Read about the Upbound Console for a full tour of what the Console has to offer.

Create your first resource

From the control planes view, select the Portal tab, and select Open Control Plane Portal.

The Control Plane Portal lists the available resources that users can claim in the left-side menu.
These resources are your abstracted APIs presented to users.

Control plane portal with a Kubernetes Cluster resource

Select the KubernetesCluster resource and then select the Create New button at the top of the page.

The form are the parameters defined in your custom API. Fill-in the form with the following:

name: my-app-cluster
namespace: default
id: my-app-cluster
count: 1
size: small

When you Create Instance the portal generates a Crossplane claim.

Note

After creating an instance, the Events section are logs directly from Kubernetes.

Crossplane commonly generates a Kubernetes error cannot apply composite resource: cannot patch object: Operation cannot be fulfilled that may appear as an Event.

Events showing the error cannot apply composite resource: cannot patch object

You can ignore this error. For more information about what causes this, read Crossplane issue #2114.

Observe your resources

Navigate back to Upbound Console window and to your control plane in the Overview tab.

There’s now a claim card next to the KubernetesCluster type card.

Select the claim and Upbound renders the full resource tree that’s getting created and managed by your managed control plane.

Congratulations, you created your first resources with your MCP.

Next steps

To learn more about the core concepts of Upbound, read the concepts documentation. To learn how to begin building your own platform on Upbound, read the Crossplane Architecture Framework.