CLI Reference

This documentation is for the up CLI v0.40.0.

The latest version of up can be installed by running:

curl -sL "https://cli.upbound.io" | sh

up

The Upbound CLI

Please report issues and feature requests at https://github.com/upbound/upbound.

Usage

up <command> [flags]

Flags

Flag	Short Form	Description
--help	-h	Show context-sensitive help.
--format		Format for get/list commands. Can be: json, yaml, default
--quiet	-q	Suppress all output.
--pretty		Pretty print output.
--dry-run		dry-run output.

up completion

Generate shell autocompletions

Usage

up completion [flags]

Flags

Flag	Short Form	Description
--uninstall

up composition

Manage Compositions.

Usage

up composition <command> [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.

up composition generate

Generate a Composition.

The generate command creates a composition and adds the required function packages to the project as dependencies.

Examples

Generate a composition from a CompositeResourceDefinition (XRD) and save output to apis/xnetworks/composition.yaml:

up composition generate apis/xnetwork/definition.yaml

Generate a composition from a Composite Resource (XR) and save output to apis/xnetworks/composition.yaml:

up composition generate examples/xnetwork/xnetwork.yaml

Generate a composition from a Composite Resource (XR), prefixing the metadata.name with aws and save output to apis/xnetworks/composition-aws.yaml:

up composition generate examples/network/network-aws.yaml --name aws

Generate a composition from a Composite Resource (XR) with a custom plural form and save output to apis/xdatabases/composition.yaml:

up composition generate examples/xdatabase/database.yaml --plural postgreses

Usage

up composition generate <resource> [flags]

Arguments

Argument	Description
<resource>	File path to Composite Resource Claim (XRC) or Composite Resource (XR) or CompositeResourceDefinition (XRD).

Flags

Flag	Short Form	Description
--name		Name for the new composition.
--plural		Optional custom plural for the CompositeTypeRef.Kind
--path		Optional path to the output file where the generated Composition will be saved.
--project-file	-f	Path to project definition file.
--output	-o	Output format for the results: 'file' to save to a file, 'yaml' to print XRD in YAML format, 'json' to print XRD in JSON format.
--cache-dir		Directory used for caching dependency images.

up composition render

Run a composition locally to render an XR into composed resources.

The render command shows you what composed resources Crossplane would create by printing them to stdout. It also prints any changes that would be made to the status of the XR. It doesn't talk to Crossplane. Instead it runs the Composition Function pipeline specified by the Composition locally, and uses that to render the XR.

Examples

Simulate creating a new XR:

up composition render composition.yaml xr.yaml

Simulate updating an XR that already exists:

up composition render composition.yaml xr.yaml \
    --observed-resources=existing-observed-resources.yaml

Pass context values to the Function pipeline:

up composition render composition.yaml xr.yaml \
    --context-values=apiextensions.crossplane.io/environment='{"key": "value"}'

Pass extra resources requested by functions in the pipeline:

up composition render composition.yaml xr.yaml \
    --extra-resources=extra-resources.yaml

Pass credentials needed by functions in the pipeline:

up composition render composition.yaml xr.yaml \
    --function-credentials=credentials.yaml

Docker Configuration

The render command uses Docker (or any Docker-compatible container runtime) to run composition functions. Configure the Docker connection using these standard environment variables:

• DOCKER_HOST: Docker daemon socket (e.g., unix:///var/run/docker.sock)
• DOCKER_API_VERSION: Docker API version to use
• DOCKER_CERT_PATH: Path to Docker TLS certificates
• DOCKER_TLS_VERIFY: Enable TLS verification (1 or 0)

Usage

up composition render <composition> <composite-resource> [flags]

Arguments

Argument	Description
<composition>	A YAML file specifying the Composition to use to render the Composite Resource (XR).
<composite-resource>	A YAML file specifying the Composite Resource (XR) to render.

Flags

Flag	Short Form	Description
--xrd		A YAML file specifying the CompositeResourceDefinition (XRD) to validate the XR against.
--context-files		Comma-separated context key-value pairs to pass to the Function pipeline. Values must be files containing JSON.
--context-values		Comma-separated context key-value pairs to pass to the Function pipeline. Values must be JSON. Keys take precedence over --context-files.
--include-function-results	-r	Include informational and warning messages from Functions in the rendered output as resources of kind: Result.
--include-full-xr	-x	Include a direct copy of the input XR's spec and metadata fields in the rendered output.
--observed-resources	-o	A YAML file or directory of YAML files specifying the observed state of composed resources.
--extra-resources	-e	A YAML file or directory of YAML files specifying extra resources to pass to the Function pipeline.
--include-context	-c	Include the context in the rendered output as a resource of kind: Context.
--function-credentials		A YAML file or directory of YAML files specifying credentials to use for Functions to render the XR.
--timeout		How long to run before timing out.
--max-concurrency		Maximum number of functions to build at once.
--project-file	-f	Path to project definition file.
--cache-dir		Directory used for caching dependency images.
--no-build-cache		Don't cache image layers while building.
--build-cache-dir		Path to the build cache directory.

up config

Manage global configuration settings.

Usage

up config <command> [flags]

up config get

Get configuration values.

The get command shows global configuration values for the up CLI.

Configuration Keys

• telemetry.disabled: Controls whether anonymous telemetry is collected.

Usage

up config get

up config set

Set configuration values.

The set command sets a global configuration value for the up CLI.

Configuration Keys

• telemetry.disabled: Set to true to disable collection of anonymous telemetry.

Examples

Disable collection of anonymous telemetry:

up config set telemetry.disabled true

Usage

up config set <key> <value>

Arguments

Argument	Description
<key>	Configuration key to set.
<value>	Configuration value to set.

up controlplane

Interact with control planes.

Usage

up controlplane <command> [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.

up controlplane api-connector

Connect an App Cluster to a control plane using API Connector.

Usage

up controlplane api-connector <command> [flags]

up controlplane api-connector install

Install api-connector into an consumer cluster.

The install command installs the API Connector into a consumer cluster.

Note that the API Connector is a preview feature, under active development and subject to breaking changes. Production use is not recommended.

Examples

Install the API Connector into the consumer cluster and connect it to the control plane referred to by the current context:

up controlplane api-connector install --consumer-kubeconfig /path/to/kubeconfig

Install the API Connector into the cluster and connect it to the control plane referred to by the current context using the provided robot name for authentication:

up controlplane api-connector install --consumer-kubeconfig /path/to/kubeconfig \
    --robot-name upbound-robot-name

Install the API Connector into the cluster but do not provision a ClusterConnection resource or create a robot for authentication:

up controlplane api-connector install --consumer-kubeconfig /path/to/kubeconfig \
    --skip-connection

Usage

up controlplane api-connector install [flags]

Flags

Flag	Short Form	Description
--upgrade		Upgrade or downgrade the API Connector to --version, even if it is already installed.
--version		Version of the API Connector to install. If not provided, the latest, known to CLI, will be installed.
--name		Name of the related objects for named connection. If not provided, control plane name will be used with api-connector prefix.
--upbound-token		API token used to authenticate to the provider control plane. Mutually exclusive with --robot-name.
--skip-connection		Skip secret and connection initialization to the control plane. If provided, the connector will be installed without connecting to the control plane.
--consumer-kubeconfig		Path to the kubeconfig file for the consumer cluster. If not provided, the default kubeconfig resolution will be used.
--consumer-context		Context to use in the kubeconfig file. If not provided, the current context will be used.
--helm-directory		Directory to store the Helm chart. If not provided, the default will be used.
--set		Set parameters.
--file	-f	Parameters file.
--bundle		Local bundle path.

up controlplane api-connector uninstall

Uninstall api-connector from an consumer cluster.

The uninstall command uninstalls the API Connector from a cluster.

Examples

Uninstall the API Connector from the cluster but leave the connections and secrets in place:

up controlplane api-connector uninstall --target-kubeconfig kubeconfig-path-for-deployment-cluster

Uninstall the API Connector from the cluster and delete the connections and secrets. API objects created by the API Connector initial installation will not be deleted:

up controlplane api-connector uninstall --all --target-kubeconfig kubeconfig-path-for-deployment-cluster

Usage

up controlplane api-connector uninstall --consumer-kubeconfig=STRING [flags]

Flags

Flag	Short Form	Description
--consumer-kubeconfig		Required Path to the kubeconfig file for the consumer cluster. If not provided, the default kubeconfig resolution will be used.
--consumer-context		Context to use in the kubeconfig file. If not provided, the current context will be used.
--all		Uninstall all resources including the connectors and secrets. If not provided, only the connector will be uninstalled.

up controlplane configuration

Manage Configurations.

Usage

up controlplane configuration <command> [flags]

up controlplane configuration install

Install a Configuration.

Usage

up controlplane configuration install <package> [flags]

Arguments

Argument	Description
<package>	Reference to the Configuration.

Flags

Flag	Short Form	Description
--name		Name of Configuration.
--package-pull-secrets		List of secrets used to pull Configuration.
--wait	-w	Wait duration for successful Configuration installation.

up controlplane connector

Connect an App Cluster to a control plane using MCP Connector.

Usage

up controlplane connector <command> [flags]

up controlplane connector install

Install mcp-connector into an App Cluster.

Usage

up controlplane connector install <name> <namespace> [flags]

Arguments

Argument	Description
<name>	Name of control plane.
<namespace>	Namespace in the control plane where the claims of the cluster will be stored.

Flags

Flag	Short Form	Description
--token		API token used to authenticate. If not provided, a new robot and a token will be created.
--cluster-name		Name of the cluster connecting to the control plane. If not provided, the namespace argument value will be used.
--installation-namespace	-n	Kubernetes namespace for MCP Connector. Default is kube-system.
--control-plane-secret		Name of the secret that contains the kubeconfig for a control plane.
--set		Set parameters.
--file	-f	Parameters file.
--bundle		Local bundle path.

up controlplane connector uninstall

Uninstall mcp-connector from an App Cluster.

Usage

up controlplane connector uninstall <namespace> [flags]

Arguments

Argument	Description
<namespace>	Namespace in the control plane where the claims of the cluster will be stored.

Flags

Flag	Short Form	Description
--cluster-name		Name of the cluster connecting to the control plane. If not provided, the namespace argument value will be used.
--installation-namespace	-n	Kubernetes namespace for MCP Connector. Default is kube-system.

up controlplane create

Create a Spaces control plane.

Usage

up controlplane create <name> [flags]

Arguments

Argument	Description
<name>	Name of control plane.

Flags

Flag	Short Form	Description
--group	-g	The control plane group that the control plane is contained in. This defaults to the group specified in the current context
--crossplane-version		The version of Universal Crossplane to use. The default depends on the selected auto-upgrade channel.
--crossplane-channel		The Crossplane auto-upgrade channel to use. Must be one of: None, Patch, Stable, Rapid
--secret-name		The name of the control plane's secret. Defaults to 'kubeconfig-{control plane name}'. Only applicable for Space control planes.

up controlplane delete

Delete a Spaces control plane.

Usage

up controlplane delete <name> [flags]

Arguments

Argument	Description
<name>	Name of control plane.

Flags

Flag	Short Form	Description
--group	-g	The control plane group that the control plane is contained in. This defaults to the group specified in the current context

up controlplane function

Manage Functions.

Usage

up controlplane function <command> [flags]

up controlplane function install

Install a Function.

Usage

up controlplane function install <package> [flags]

Arguments

Argument	Description
<package>	Reference to the Function.

Flags

Flag	Short Form	Description
--name		Name of Function.
--package-pull-secrets		List of secrets used to pull Function.
--wait	-w	Wait duration for successful Function installation.

up controlplane get

Get a single Spaces control plane.

Usage

up controlplane get <name> [flags]

Arguments

Argument	Description
<name>	Name of control plane.

Flags

Flag	Short Form	Description
--group	-g	The control plane group that the control plane is contained in. This defaults to the group specified in the current context

up controlplane list

List control planes in a Space.

Usage

up controlplane list [flags]

Flags

Flag	Short Form	Description
--all-groups	-A	List control planes across all groups.
--group	-g	The control plane group that the control plane is contained in. This defaults to the group specified in the current context

up controlplane migration

Migrate control planes to Upbound Managed Control Planes.

The migration command seamlessly migrates control plane resources from Crossplane or Upbound Crossplane (UXP) environments to Managed Control Planes in Upbound Spaces.

This command simplifies the process of transferring your existing Crossplane configurations and states into the Upbound platform, ensuring a smooth transition with minimal downtime.

For detailed information on each command and its options, use the --help flag with the specific command (e.g., up controlplane migration export --help).

Usage

up controlplane migration <command> [flags]

up controlplane migration export

The 'export' command is used to export the current state of a Crossplane or Universal Crossplane (xp/uxp) control plane into an archive file. This file can then be used for migration to Upbound Managed Control Planes.

The export command exports resources from a Crossplane or Upbound Crossplane (UXP) cluster to a tarball, for migration to an Upbound Managed Control Plane.

Use the available options to customize the export process, such as specifying the output file path, including or excluding specific resources and namespaces, and deciding whether to pause claim,composite,managed resources before exporting.

Examples

Pause all claims, composites, and managed resources before exporting the control plane state. The state is exported to the default archive file named xp-state.tar.gz. Resources that were already paused will be annotated with migration.upbound.io/already-paused: "true" to preserve their paused state during the import process:

up migration export --pause-before-export

Export the control plane state to a file called my-export.tar.gz:

up migration export --output=my-export.tar.gz

Export the control plane state from only the provided namespaces to the default file, xp-state.tar.gz, with the additional resources specified:

up migration export --include-extra-resources="customresource.group" \
    --include-namespaces="crossplane-system,team-a,team-b"

Usage

up controlplane migration export [flags]

Flags

Flag	Short Form	Description
--yes		When set to true, automatically accepts any confirmation prompts that may appear during the export process.
--output	-o	Specifies the file path where the exported archive will be saved. Defaults to 'xp-state.tar.gz'.
--include-extra-resources		A list of extra resource types to include in the export in "resource.group" format in addition to all Crossplane resources. By default, it includes namespaces, configmaps, secrets.
--exclude-resources		A list of resource types to exclude from the export in "resource.group" format. No resources are excluded by default.
--include-namespaces		A list of specific namespaces to include in the export. If not specified, all namespaces are included by default.
--exclude-namespaces		A list of specific namespaces to exclude from the export. Defaults to 'kube-system', 'kube-public', 'kube-node-lease', and 'local-path-storage'.
--pause-before-export		When set to true, pauses all claim,composite and managed resources before starting the export process. This can help ensure a consistent state for the export. Defaults to false.

up controlplane migration import

The 'import' command imports a control plane state from an archive file into an Upbound managed control plane.

The import command imports resources from an exported bundle into a Managed Control Plane.

By default, all managed resources will be paused during the import process for possible manual inspection/validation. You can use the --unpause-after-import flag to automatically unpause all claim,composite,managed resources after the import process completes.

Examples

Automatically import the control plane state from my-export.tar.gz. Claim and composite resources that were paused during export will remain paused. Managed resources will be paused. If they were already paused during export, the annotation migration.upbound.io/already-paused: "true" will be added to preserve their paused state:

up migration import --input=`my-export.tar.gz`

Automatically import and unpause claims, composites, and managed resources after importing them. Resources with the annotation migration.upbound.io/already-paused: "true" will remain paused:

up migration import --unpause-after-import

Automatically import and unpause claims, composites, and managed resources after importing them. The metadata.name of claims will be adjusted for MCP Connector compatibility, and the corresponding composite's claimRef will also be updated. Resources annotated with migration.upbound.io/already-paused: "true" will remain paused:

up migration import --unpause-after-import --mcp-connector-claim-namespace=default \
    --mcp-connector-cluster-id=my-cluster-id

Usage

up controlplane migration import [flags]

Flags

Flag	Short Form	Description
--yes		When set to true, automatically accepts any confirmation prompts that may appear during the import process.
--input	-i	Specifies the file path or directory of the archive to be imported. The default path is 'xp-state.tar.gz'.
--unpause-after-import		When set to true, automatically unpauses all managed resources that were paused during the import process. This helps in resuming normal operations post-import. Defaults to false, requiring manual unpausing of resources if needed.
--mcp-connector-cluster-id		MCP Connector cluster ID. Required for importing claims supported my MCP Connector.
--mcp-connector-claim-namespace		MCP Connector claim namespace. Required for importing claims supported by MCP Connector.
--skip-target-check		When set to true, skips the check for a local or managed control plane during import.

up controlplane migration pause-toggle

The 'pause-toggle' command is used to pause or unpause resources affected by a migration, ensuring that only migration-induced pauses are undone.

The pause-toggle command allows you to manage the paused state of resources after a migration attempt.

• When --pause=true, all resources in the target control plane will be paused due to a faulty migration. This is useful after running migration import --unpause-after-import=true and discovering issues in the target.
• When --pause=false, only resources paused during the migration will be unpaused in the source control plane, ensuring that pre-existing paused resources remain unchanged.

Examples

Pause all resources in the target control plane after a migration if the import caused issues. Useful for stopping resources in a faulty target environment:

up migration pause-toggle --pause=true

Unpause only the resources that were paused in the source control plane due to migration. This is helpful when reverting migration-induced pauses in the source after a failed import to the target.

up migration pause-toggle --pause=false

Usage

up controlplane migration pause-toggle [flags]

Flags

Flag	Short Form	Description
--pause		Set to 'true' to pause all resources in the target control plane after a faulty migration, or 'false' to remove the paused annotation in the source control plane after a failed migration.
--yes		When set to true, automatically accepts any confirmation prompts that may appear during the process.

up controlplane oidc-auth

Create OIDC ProviderConfig in a Spaces control plane and Cloud Resources.

Usage

up controlplane oidc-auth <command> [flags]

up controlplane oidc-auth aws

Create OIDC ProviderConfig and AWS Resources

The oidc-auth command sets up OIDC authentication between an Upbound Cloud Control Plane and AWS using an AWS IAM Identity Provider.

This command requires the AWS CLI.

Examples

Check if the IAM IdentityProvider proidc.upbound.io exists and create it if needed. Create an IAM Role trusted by the identity provider and attach the AdministratorAccess policy. Configure the control plane with a ProviderConfig for provider-aws:

up ctp oidc-auth aws example-project-aws-up-cli arn:aws:iam::aws:policy/AdministratorAccess

Check if the IAM IdentityProvider proidc.upbound.io exists and create it if needed. Create an IAM Role with a trust policy using a wildcard match (StringLike) on sub. Useful for allowing access from multiple control planes matching the pattern:

up ctp oidc-auth aws example-project-aws-up-cli arn:aws:iam::aws:policy/AdministratorAccess \
    --sub 'example-*'

Check if the IAM IdentityProvider example.upbound.io exists and create it if needed. Create an IAM Role trusted by the specified identity provider and attach the AdministratorAccess policy. Configure the control plane with the appropriate ProviderConfig for provider-aws:

up ctp oidc-auth aws example-project-aws-up-cli arn:aws:iam::aws:policy/AdministratorAccess \
    --oidc-provider-name example.upbound.io

Show the AWS CLI commands that would be executed to set up OIDC without actually running them:

up ctp oidc-auth aws example-project-aws-up-cli arn:aws:iam::aws:policy/AdministratorAccess \
    --dry-run

Usage

up controlplane oidc-auth aws <name> <policy> [flags]

Arguments

Argument	Description
<name>	AWS IAM Role Name
<policy>	AWS IAM Policy ARN

Flags

Flag	Short Form	Description
--oidc-provider-name		AWS Identity Provider - OIDC Provider Name
--provider-config-name		Provider AWS ProviderConfigName
--sub		Define the control plane name that the IAM Role trust policy will use in the 'sub' claim. Supports wildcards (using StringLike).
--yes		When set to true, automatically accepts any confirmation prompts.

up controlplane provider

Manage Providers.

Usage

up controlplane provider <command> [flags]

up controlplane provider install

Install a Provider.

Usage

up controlplane provider install <package> [flags]

Arguments

Argument	Description
<package>	Reference to the Provider.

Flags

Flag	Short Form	Description
--name		Name of Provider.
--package-pull-secrets		List of secrets used to pull Provider.
--wait	-w	Wait duration for successful Provider installation.

up controlplane pull-secret

Manage package pull secrets.

Usage

up controlplane pull-secret <command> [flags]

up controlplane pull-secret create

Create a package pull secret.

Usage

up controlplane pull-secret create <name> [flags]

Arguments

Argument	Description
<name>	Name of the pull secret.

Flags

Flag	Short Form	Description
--file	-f	Path to credentials file. Credentials from profile are used if not specified.
--namespace	-n	Kubernetes namespace for pull secret.

up controlplane simulate

Alias for 'up controlplane simulation create'.

Usage

up controlplane simulate --changeset=CHANGESET,... <source-name> [flags]

Arguments

Argument	Description
<source-name>	Name of source control plane.

Flags

Flag	Short Form	Description
--group	-g	The control plane group that the control plane is contained in. This defaults to the group specified in the current context
--simulation-name	-n	The name of the simulation resource
--changeset	-f	Required Path to the resources that will be applied as part of the simulation. Can either be a single file or a directory
--recursive	-r	Process the directory used in -f, --changeset recursively.
--complete-after		The maximum amount of time the simulated control plane should run before ending the simulation
--fail-on		Fail and exit with a code of '1' if a certain condition is met
--output	-o	Output the results of the simulation to the provided file. Defaults to standard out if not specified
--wait		Wait for the simulation to complete. If set to false, the command will exit immediately after the changeset is applied
--terminate-on-finish		Terminate the simulation after the completion criteria is met

up controlplane simulation

Manage control plane simulations.

The simulation command manages control plane simulations. Simulations allow you to see what changes would occur in a control plane after applying a set of changes.

Examples

Create a new simulation for the specified control plane, wait for the simulation to complete, then shows results:

up controlplane simulation create control-plane-name

List all simulations for the current context:

up controlplane simulation list

Delete a simulation, removing the simulation results and resources:

up controlplane simulation delete simulation-name

Usage

up controlplane simulation <command> [flags]

up controlplane simulation create

Start a new control plane simulation and wait for the results.

Usage

up controlplane simulation create --changeset=CHANGESET,... <source-name> [flags]

Arguments

Argument	Description
<source-name>	Name of source control plane.

Flags

Flag	Short Form	Description
--group	-g	The control plane group that the control plane is contained in. This defaults to the group specified in the current context
--simulation-name	-n	The name of the simulation resource
--changeset	-f	Required Path to the resources that will be applied as part of the simulation. Can either be a single file or a directory
--recursive	-r	Process the directory used in -f, --changeset recursively.
--complete-after		The maximum amount of time the simulated control plane should run before ending the simulation
--fail-on		Fail and exit with a code of '1' if a certain condition is met
--output	-o	Output the results of the simulation to the provided file. Defaults to standard out if not specified
--wait		Wait for the simulation to complete. If set to false, the command will exit immediately after the changeset is applied
--terminate-on-finish		Terminate the simulation after the completion criteria is met

up controlplane simulation delete

Delete a control plane simulation.

Usage

up controlplane simulation delete <name> [flags]

Arguments

Argument	Description
<name>	Name of the simulation.

Flags

Flag	Short Form	Description
--group	-g	The group that the simulation is contained in. This defaults to the group specified in the current context

up controlplane simulation list

List control plane simulations for the account.

Usage

up controlplane simulation list [flags]

Flags

Flag	Short Form	Description
--all-groups	-A	List simulations across all groups.
--group	-g	The group that the simulation is contained in. This defaults to the group specified in the current context

up ctx

Select an Upbound kubeconfig context.

Usage

up ctx [<argument>] [flags]

Arguments

Argument	Description
<argument>	Optional .. to move to the parent, '-' for the previous context, '.' for the current context, or any relative path.

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.
--short	-s	Short output.
--context		Kubernetes context to operate on.
--file	-f	Kubeconfig to modify when saving a new context. Overrides the --kubeconfig flag. Use '-' to write to standard output.

up dependency

Manage configuration dependencies.

The dependency command manages dependencies of the project in the current directory. It caches package information in a local file system cache (by default in ~/.up/cache) and manages langauge schemas that can be used for building functions.

Usage

up dependency <command> [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.

up dependency add

Add a dependency to the current project.

The add command retrieves a Crossplane package from a specified registry with an optional version tag and adds it to a project as a dependency. Langauge schemas will be added to the project if the package provides them.

API dependencies can be added using the --api flag. This automatically generates schemas for the dependency.

Examples

Retrieve the latest available version of the EKS provider, add all CRDs to the cache folder, and place language schemas in the project's .up/ folder:

up dependency add xpkg.upbound.io/upbound/provider-aws-eks

Retrieves the latest available version greater than v1.1.0 of the platform-ref-aws configuration, add all XRDs to the cache folder, and place language schemas in the project's .up/ folder:

up dependency add 'xpkg.upbound.io/upbound/platform-ref-aws:>v1.1.0'

Retrieves version v0.4.1 of function-status-transformer:

up dependency add 'xpkg.upbound.io/crossplane-contrib/function-status-transformer:>v0.4.1'

Add core resources from Kubernetes v1.33.0 as an API dependency, adding language schemas to the project's .up/ folder:

up dependency add --api k8s:v1.33.0

Add a specific CRD from an HTTP URL as an API dependency, adding language schemas to the project's .up/ folder:

up dependency add --api https://raw.githubusercontent.com/cert-manager/cert-manager/refs/heads/master/deploy/crds/cert-manager.io_certificaterequests.yaml

Add CRDs from a git repository as an API dependency, adding language schemas to the project's .up/ folder:

up dependency add --api https://github.com/kubernetes-sigs/cluster-api \
    --git-ref=release-1.11 --git-path=config/crd/bases

Usage

up dependency add <package> [flags]

Arguments

Argument	Description
<package>	Package to be added.

Flags

Flag	Short Form	Description
--project-file	-f	Path to project definition file.
--api		Treat the dependency as an API dependency (k8s or CRD).
--git-ref		Git ref for CRD dependencies (branch, tag, or commit SHA). If provided, the CRD will be fetched from git.
--git-path		Path within the git repository for CRD dependencies.
--cache-dir		Directory used for caching package images.

up dependency clean-cache

Clean the dependency cache.

The clean-cache command removes all cached package images from the local cache directory. This can help free up disk space or resolve issues with corrupted cache entries.

Examples

Clean the default cache directory (~/.up/cache/), removing all cached package images:

up dependency clean-cache

Clean a custom cache directory, for example in a CI/CD environment where a shared cache is used:

up dependency clean-cache --cache-dir /path/to/cache

Usage

up dependency clean-cache [flags]

Flags

Flag	Short Form	Description
--cache-dir		Directory used for caching package images.

up dependency update-cache

Update the dependency cache for the current project.

The update-cache command updates the local dependency cache for the current project. It downloads and caches all dependencies specified in the project's upbound.yaml file.

Examples

up dependency update-cache

Updates cache for all dependencies in upbound.yaml. Uses default cache directory (~/.up/cache/).

up dependency update-cache --cache-dir `path/to/cache`

Updates cache using a custom cache directory. Useful for CI/CD environments.

up dependency update-cache -f `custom-project.yaml`

Updates cache for dependencies in a custom project file. Default is upbound.yaml.

Usage

up dependency update-cache [flags]

Flags

Flag	Short Form	Description
--project-file	-f	Path to project definition file.
--cache-dir		Directory used for caching package images.

up example

Manage Claim(XRC) or Composite Resource(XR).

Usage

up example <command> [flags]

up example generate

Generate an Example Composite Resource (XR) or Claim (XRC)

The generate command is used to create an example Composite Resource (XR) or Composite Resource Claim (XRC). For v2 projects only Composite Resources (XRs) are supported. XRs are namespace-scoped by default, but you can choose cluster-scoped using the --scope=cluster flag.

Examples

Creates an example Composite Resource (XR) or Composite Resource Claim (XRC) resource using an interactive wizard:

up example generate

Create an example named example in the namespace default using an interactive wizard to collect additional inputs:

up example generate --name example --namespace default

Create an example Composite Resource Claim (XRC) with specified api-group, api-version, kind, and name, using an interactive wizard to collect additional inputs:

up example generate --type claim --api-group platform.example.com \
    --api-version v1beta1 --kind Cluster --name example

Create an example Composite Resource (XR) or Composite Resource Claim (XRC) based on the fields and default values in an existing CompositeResourceDefinition (XRD). Use an interactive wizard to collect inputs:

up example generate apis/xnetworks/definition.yaml

Create an example Composite Resource (XR) based on the fields and default values in an existing CompositeResourceDefinition (XRD). Use an interactive wizard to collect inputs:

up example generate apis/xnetworks/definition.yaml --type xr

Usage

up example generate [<xrd-file-path>] [flags]

Arguments

Argument	Description
<xrd-file-path>	Optional Specifies the path to the Composite Resource Definition (XRD) file used to generate an example resource.

Flags

Flag	Short Form	Description
--path		Specifies the path to the output file where the Composite Resource (XR) or Composite Resource Claim (XRC) will be saved.
--output	-o	Specifies the output format for the results. Use 'file' to save to a file, 'yaml' to display the Composite Resource (XR) or Composite Resource Claim (XRC) in YAML format, or 'json' to display in JSON format.
--type		Specifies the type of resource to create: 'xrc' for Composite Resource Claim (XRC), 'xr' for Composite Resource (XR).
--scope		Specifies the XR scope (v2 only).
--api-group		Specifies the API group for the resource.
--api-version		Specifies the API version for the resource.
--kind		Specifies the Kind of the resource.
--name		Specifies the Name of the resource.
--namespace		Specifies the Namespace of the resource.
--project-file	-f	Path to project definition file.

up function

Manage Functions.

Usage

up function <command> [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.

up function generate

Generate an Function for a Composition.

The generate command creates an embedded function in the specified language, and optionally adds it to a composition or operation pipeline.

Examples

Create a function with the default language (go-templating) in the folder functions/fn1:

up function generate fn1

Create a Python function in the folder functions/fn2:

up function generate fn2 --language python

Create a KCL function in the folder functions/compose-xcluster and add it as a composition pipeline step in the given composition file:

up function generate compose-xcluster apis/xcluster/composition.yaml --language kcl

Creates a Go function in the folder functions/check-pod-logs and add it as a pipeline step to the operation in operations/watch-pods/operation.yaml:

up function generate check-pod-logs operations/watch-pods/operation.yaml --language go

Usage

up function generate <name> [<pipeline-path>] [flags]

Arguments

Argument	Description
<name>	Name for the new Function.
<pipeline-path>	Optional Path to a composition or operation that will use the new function.

Flags

Flag	Short Form	Description
--project-file	-f	Path to project definition file.
--repository		Repository for the built package. Overrides the repository specified in the project file.
--cache-dir		Directory used for caching dependency images.
--language	-l	Language for function.

up group

Interact with groups inside Spaces.

The group command interacts with groups within the current Space. Use the up profile command to switch between different Upbound profiles and the up ctx command to switch between Spaces within a Cloud profile.

Examples

List all groups in the current Space:

up group list

Create a new group named my-group to organize control planes within a Space:

up group create my-group

Get details about a specific group called my-group, including configuration and metadata:

up group get my-group

Delete the group called my-group, which must not be protected:

up group delete my-group

Usage

up group <command> [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.

up group create

Create a group.

Usage

up group create <name> [flags]

Arguments

Argument	Description
<name>	Name of group.

up group delete

Delete a group.

Usage

up group delete <name> [flags]

Arguments

Argument	Description
<name>	Name of group.

Flags

Flag	Short Form	Description
--force		Force the deletion of the group.

up group get

Get a group.

Usage

up group get <name> [flags]

Arguments

Argument	Description
<name>	Name of group.

up group list

List groups in the space.

Usage

up group list [flags]

up help

Show help.

Usage

up help [flags]

up license

Show license information.

Usage

up license [flags]

up login

Login to Upbound. Will attempt to launch a web browser by default. Use --username and --password flags for automations.

The login command authenticates with Upbound Cloud and stores session credentials.

Authentication Methods

• Web Browser (default) - Opens browser for OAuth authentication
• Device Code - Use --use-device-code for headless environments
• Username/Password - Provide --username and --password flags
• Personal Access Token or Robot Token - Provide --token flag

The command creates or updates a profile with the authenticated session. If no profile name is specified, it uses the currently active profile. A profile named default will be created if no profiles exist.

Examples

Open a browser for OAuth authentication (recommended):

up login

Prompt for password and authenticate with credentials:

up login --username=user@example.com

Authenticate using a personal access token.

up login --token=upat_xxxxx

Use the device code flow for headless/remote environments:

up login --use-device-code

Authenticate and create or update the production profile:

up login --profile=production --organization=my-org

Usage

up login [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.
--username	-u	Username used to execute command.
--password	-p	Password for specified user. '-' to read from stdin.
--token	-t	Upbound API token (personal access token) used to execute command. '-' to read from stdin.
--use-device-code		Use authentication flow based on device code. We will also use this if it can't launch a browser in your behalf, e.g. in remote SSH

up logout

Logout of Upbound.

The logout command invalidates the current session and removes stored credentials.

This command:

• Invalidates the session token with Upbound Cloud
• Removes the session token from the local profile configuration
• Keeps the profile configuration intact (only removes authentication)

Note that this affects only a single profile. Other profiles remain authenticated.

After logout, you can log back in using up login to re-authenticate with the same profile.

Examples

Log out the active profile:

up logout

Log out the production profile:

up logout --profile=production

Usage

up logout [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.

up operation

Manage Operations.

Usage

up operation <command> [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.

up operation generate

Generate an Operation.

The generate command creates a new, empty operation.

Examples

Generates a new, empty, one-shot operation named my-operation:

up operation generate my-operation

Generate a new, empty cron operation named my-operation that runs every hour:

up operation generate my-operation --cron "0 0 * * *"

Generate a new, empty watch operation named my-operation triggered by changes to Deployments in the namespace my-namespace:

up operation generate my-operation --watch-group-version-kind "apps/v1/Deployment" \
    --watch-namespace "my-namespace"

Generate a new operation named claude-pod-watcher that invokes a Claude prompt when pods in the default namespace change:

up operation generate claude-pod-watcher --watch-group-version-kind "apps/v1/Pod" \
    --watch-namespace "default" --functions xpkg.upbound.io/upbound/function-claude

Usage

up operation generate <name> [flags]

Arguments

Argument	Description
<name>	Name for the new operation.

Flags

Flag	Short Form	Description
--path		Optional path to the output file where the generated Operation will be saved.
--project-file	-f	Path to project definition file.
--output	-o	Output format for the results: 'file' to save to a file, 'yaml' to print the Operation in YAML format, 'json' to print the operation in JSON format.
--cache-dir		Directory used for caching dependency images.
--cron		Cron schedule for the operation.
--watch-labels		Labels to match on the resource.
--watch-group-version-kind		The GVK of resources to watch. For example, 'apps/v1/Deployment'.
--watch-namespace		The namespace in which to watch resources.
--functions		Comma-separated list of functions to call in the generated operation's pipeline.

up organization

Interact with Upbound organizations.

Usage

up organization <command> [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.

up organization create

Create an organization.

Usage

up organization create <name> [flags]

Arguments

Argument	Description
<name>	Name of organization.

up organization delete

Delete an organization.

Usage

up organization delete <name> [flags]

Arguments

Argument	Description
<name>	Name of organization.

Flags

Flag	Short Form	Description
--force		Force deletion of the organization.

up organization get

Get an organization.

Usage

up organization get <name> [flags]

Arguments

Argument	Description
<name>	Name of organization.

up organization list

List organizations.

Usage

up organization list [flags]

up organization token

Generates an organization-scoped token to authenticate with a Cloud space.

Usage

up organization token <name> [flags]

Arguments

Argument	Description
<name>	Name of organization.

Flags

Flag	Short Form	Description
--token	-t	Token used to execute command. Overrides the token present in the profile.

up organization user

Manage organization users.

Usage

up organization user <command> [flags]

up organization user invite

Invite a user to the organization.

Usage

up organization user invite <org-name> <email> [flags]

Arguments

Argument	Description
<org-name>	Name of the organization.
<email>	Email address of the user to invite.

Flags

Flag	Short Form	Description
--permission	-p	Role of the user to invite (owner or member).

up organization user list

List users of an organization.

Usage

up organization user list <org-name>

Arguments

Argument	Description
<org-name>	Name of the organization.

up organization user remove

Remove a member from the organization.

Usage

up organization user remove <org-name> <user> [flags]

Arguments

Argument	Description
<org-name>	Name of the organization.
<user>	Username or email of the user to remove.

Flags

Flag	Short Form	Description
--force		Force removal of the member.

up profile

Manage configuration profiles.

Usage

up profile <command> [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.

up profile create

Create a new Upbound profile.

The create command creates a new Upbound profile with the specified configuration.

Profile Types

• cloud - Profile for connecting to Upbound Cloud (default)
• disconnected - Profile for disconnected Spaces environments using local kubeconfig

The command automatically switches to the newly created profile unless --use=false is specified. For cloud profiles, an organization must be provided via the --organization flag. Cloud profiles can also be created using up login.

Examples

Create a new, logged out cloud profile named my-profile for organization my-org:

up profile create my-profile --organization=my-org

Create a new disconnected profile named local-dev using the current kubeconfig context:

up profile create local-dev --type=disconnected

Create a new disconnected profile named local-dev using the kubeconfig context called my-space:

up profile create local-dev --type=disconnected --kubecontext=my-space

Create a new profile but don't make it the curren tprofile:

up profile create staging --organization=my-org --use=false

Usage

up profile create <name> [flags]

Arguments

Argument	Description
<name>	Name of the profile to create.

Flags

Flag	Short Form	Description
--use		Use the new profile after it's created. Defaults to true.
--type		Type of profile to create: cloud or disconnected.

up profile current

Get the current active Upbound profile.

The current command displays the currently active Upbound profile and its configuration.

This command outputs JSON-formatted information about the active profile, including:

• Profile name
• Profile type (cloud or disconnected)
• Organization (for cloud profiles)
• Domain configuration
• Other profile settings (with sensitive data redacted)

Examples

Show the current active profile configuration in JSON format:

up profile current

Usage

up profile current [flags]

up profile delete

Delete an existing Upbound profile.

The delete command removes an Upbound profile from the configuration.

This command permanently deletes the specified profile and all its associated configuration. The profile cannot be recovered after deletion.

Examples

Deletes the profile named staging:

up profile delete staging

Usage

up profile delete <name> [flags]

Arguments

Argument	Description
<name>	Name of the profile to delete.

up profile list

List all configured Upbound profiles.

The list command displays all configured Upbound profiles in a table format.

Output Columns

• CURRENT: Indicates the active profile with an asterisk (*)
• NAME: The name of each profile
• TYPE: Profile type (cloud or disconnected)
• ORGANIZATION: The organization associated with the profile (may be empty for disconnected profiles)

The profiles are listed in alphabetical order by name.

Examples

Show all configured profiles:

up profile list

Usage

up profile list [flags]

up profile rename

Rename an existing Upbound profile.

The rename command changes the name of an existing Upbound profile.

This command renames a profile while preserving all its configuration settings. If the profile being renamed is currently active, it remains active after renaming.

The new name must not conflict with any existing profile names.

Examples

Rename the profile dev to development:

up profile rename dev development

Usage

up profile rename <from> <to> [flags]

Arguments

Argument	Description
<from>	Name of the profile to rename.
<to>	New name for the profile.

up profile set

Set configuration values for the current profile.

The set command updates configuration values for an Upbound profile.

Available Keys

• organization - Sets the organization for the current profile

Examples

Set the default organization to my-org for the current profile:

up profile set organization `my-org`

Set the default organization to other-org for the profile called production:

up profile set organization my-org --profile=production

Usage

up profile set <key> <value> [flags]

Arguments

Argument	Description
<key>	The configuration key to set.
<value>	The configuration value to set.

up profile use

Switch to a different Upbound profile.

The use command switches the active Upbound profile and updates the current kubeconfig context.

This command:

• Sets the specified profile as the default profile
• Updates the kubeconfig to use the last context selected with the profile
• Preserves any existing kubeconfig context information from the profile

Note that if the profile has no associated kubeconfig context (e.g., because up ctx has never been used with the profile), only the profile switch occurs without kubeconfig updates.

Examples

Switch to the production profile and update the kubeconfig context:

up profile use production

Usage

up profile use <name> [flags]

Arguments

Argument	Description
<name>	Name of the Profile to use.

up profile view

View all Upbound profiles in JSON format.

The view command displays all configured Upbound profiles in JSON format.

This command outputs detailed information about all profiles, including:

• Profile names as keys
• Profile configuration details (with sensitive data redacted)
• Profile type, organization, domain, and other settings

The output is formatted as indented JSON for easy reading and processing.

Examples

Show all profiles in JSON format:

up profile view

Use jq to show only the production profile:

up profile view | jq '.["production"]'

Usage

up profile view [flags]

up project

Manage Upbound development projects.

Usage

up project <command> [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.

up project ai

Generate AI tooling for a project.

Usage

up project ai <command> [flags]

up project ai configure-tools

Generate AI tooling configurations for the project.

The configure-tools command generates configuration to make commonly-used AI development tools more effective at working in an Upbound project.

Supported Tools

• Claude Code
• Cursor
• Gemini CLI

Examples

Create GEMINI.md and .gemini/settings.json:

up project ai configure-tools --gemini-cli

Create CLAUDE.md, .claude/settings.json, and .mcp.json:

up project ai configure-tools --claude-code

Create .cursor:

up project ai configure-tools --cursor

Create configuration for all three tools:

up project ai configure-tools --gemini-cli --claude-code --cursor

Usage

up project ai configure-tools [flags]

Flags

Flag	Short Form	Description
--project-file	-f	Path to project definition file.
--gemini-cli		Generate gemini CLI configurations.
--claude-code		Generate claude code CLI configurations.
--cursor		Generate cursor configurations.

up project build

Build a project into a Crossplane package.

Usage

up project build [flags]

Flags

Flag	Short Form	Description
--project-file	-f	Path to project definition file.
--repository		Repository for the built package. Overrides the repository specified in the project file.
--output-dir	-o	Path to the output directory, where packages will be written.
--no-build-cache		Don't cache image layers while building.
--build-cache-dir		Path to the build cache directory.
--max-concurrency		Maximum number of functions to build at once.
--cache-dir		Directory used for caching dependencies.

up project init

Initialize a new project.

This command initializes a new project. By default, it will start a wizard to help you create a new project. The project will be created in a new directory named after the project. You can specify which template to use with the --template flag along with the --language flag.

Supported Languages

The following slugs are accepted as arguments by the --langauge and --test-language flags:

Language	Slug	Supported for Tests
Go	go	No
Go Templates	go-templating	No
KCL	kcl	Yes
Python	python	Yes

Examples

Initialize a project called my-new-project using the AWS S3 bucket example with Python functions and tests:

up project init my-new-project --template project-template-aws \
    --language python

Initialize a project called my-new-project with Go functions and Python tests:

up project init my-new-project --template project-template-aws \
    --language go --test-language python

Initialize a project using a public template repository at a specific ref:

up project init my-new-project \
    --template 'https://github.com/upbound/project-template-aws@main' \
    --language kcl

Initialize a project from a template using Git token authentication:

up project init my-new-project \
    --template 'https://github.com/template/project-template-private.git' \
    --language kcl  \
    --username 'username' \
    --password 'token'

Initialize a project from a template using SSH authentication:

up project init my-new-project \
    --template 'git@github.com:upbound/project-template-private.git' \
    --language kcl \
    --ssh-key /Users/username/.ssh/id_rsa

Initialize a new project from a private template using SSH authentication with an SSH key password:

up project init my-new-project \
    --template 'git@github.com:upbound/project-template-private.git' \
    --language kcl \
    --ssh-key /Users/username/.ssh/id_rsa \
    --password 'ssh-key-password'

Usage

up project init <name> [flags]

Arguments

Argument	Description
<name>	The name of the new project to initialize.

Flags

Flag	Short Form	Description
--directory		The directory to initialize. It must be empty. It will be created if it doesn't exist.
--scratch		Create a new project from scratch.
--template	-t	The template to use to initialize the new project.
--values		Values to use for templating the project.
--state-file		Path to wizard state file.
--language	-l	The language to use to initialize the new project.
--test-language		The language to use for tests in the new project.
--ssh-key		Optional. Specify an SSH key for authentication when initializing the new package. Used when transport protocol is 'ssh'.
--username		Optional. Specify a username for authentication. Used when transport protocol is 'https' and an SSH key is not provided, or with an SSH key when the transport protocol is 'ssh'.
--password		Optional. Specify a password for authentication. Used with the username when the transport protocol is 'https', or with an SSH key that requires a passphrase when the transport protocol is 'ssh'.

up project move

Update the repository for a project

Usage

up project move <new-repository> [flags]

Arguments

Argument	Description
<new-repository>	The new repository for the project.

Flags

Flag	Short Form	Description
--project-file	-f	Path to the project definition file.

up project push

Push a project's packages to the Upbound Marketplace.

Usage

up project push [flags]

Flags

Flag	Short Form	Description
--project-file	-f	Path to project definition file.
--repository		Repository to push to. Overrides the repository specified in the project file.
--tag	-t	Tag for the built package. If not provided, a semver tag will be generated.
--package-file		Package file to push. Discovered by default based on repository and tag.
--max-concurrency		Maximum number of functions to build at once.
--public		Create new repositories with public visibility.

up project run

Run a project on a development control plane for testing.

The run command builds and runs a project on a development control plane for testing.

This command:

• Builds all embedded functions defined in the project
• Creates or uses an existing development control plane
• Pushes packages to the container registry
• Installs the project configuration on the control plane
• Updates kubeconfig to use the development control plane

Development Control Planes

There are two kinds of development control planes:

1. Local development control planes, which run in a KIND cluster on the development machine.
2. Cloud development control planes, which run in Upbound Cloud Spaces.

Cloud development control planes are used by default when the current up context is an Upbound Cloud Space. Use up ctx to update the current context. Local development control planes are used by default otherwise, and can be explicitly requested using the --local flag.

It is also possible to run a project on an arbitrary UXP cluster referenced by the current kubeconfig context by using the --use-current-context flag. Note that this can be destructive, as it will create resources and install packages in your cluster; it is not recommended to use up project run on shared or production clusters.

Examples

Run the project using the default development control plane type (see above):

up project run

Run the project on a control plane with a specific name, using the default type. The control plane will be created if it doesn't exist:

up project run --control-plane-name=my-dev-cp

Force a local development control plane to be used instead of a cloud development control plane:

up project run --local

Create a local development control plane with an ingress controller enabled. The Web UI will be accessible at localhost on a randomly assigned port:

up project run --local --ingress

Create a local development control plane with ingress mapped to specific port. The Web UI will be accessible at http://127-0-0-1.nip.io:8080:

up project run --local --ingress --ingress-port=8080:80

Run a project using the current kubeconfig context:

up project run --use-current-context

Override the repository specified in the project file to push to a different container registry. Note that when using a local development control plane packages are side-loaded, avoiding the need to push:

up project run --repository=xpkg.upbound.io/example/my-project

Run on a Spaces control plane with a specific name, allowing a non-development control plane to be used. This works with disconnected Spaces as well as Cloud Spaces:

up project run --force --control-plane-name=my-cp

Usage

up project run [flags]

Flags

Flag	Short Form	Description
--project-file	-f	Path to project definition file.
--repository		Repository for the built package. Overrides the repository specified in the project file.
--no-build-cache		Don't cache image layers while building.
--build-cache-dir		Path to the build cache directory.
--max-concurrency		Maximum number of functions to build and push at once.
--control-plane-group		The control plane group that the control plane to use is contained in. This defaults to the group specified in the current context.
--control-plane-name		Name of the control plane to use. It will be created if not found. Defaults to the project name.
--skip-control-plane-check		Allow running on a non-development control plane.
--local		Use a local dev control plane, even if Spaces is available.
--local-registry-path		Directory to use for local registry images. The default is system-dependent.
--no-update-kubeconfig		Do not update kubeconfig to use the dev control plane as its current context.
--use-current-context		Run the project with the current kubeconfig context rather than creating a new dev control plane.
--cache-dir		Directory used for caching dependencies.
--public		Create new repositories with public visibility.
--timeout		Maximum time to wait for the project to become ready in the control plane. Set to zero to wait forever.
--ingress		Enable ingress controller for the local dev control plane.
--ingress-port		Port mapping for the local dev control plane (e.g., '8080:80'). If not specified, a random available port will be selected when ingress is enabled.
--cluster-admin		Allow Crossplane cluster admin privileges in the local dev control plane. Defaults to true.

up project simulate

Run a project as a simulation against an existing control plane.

Usage

up project simulate <source-control-plane-name> [flags]

Arguments

Argument	Description
<source-control-plane-name>	Name of the source control plane

Flags

Flag	Short Form	Description
--project-file	-f	Path to project definition file.
--repository		Repository for the built package. Overrides the repository specified in the project file.
--no-build-cache		Don't cache image layers while building.
--build-cache-dir		Path to the build cache directory.
--max-concurrency		Maximum number of functions to build and push at once.
--name	-n	The name of the simulation resource
--tag		An existing tag of the project to simulate. If not specified, defaults to building and pushing a new version
--output	-o	Output the results of the simulation to the provided file. Defaults to standard out if not specified
--terminate-on-finish		Terminate the simulation after the completion criteria is met
--wait		Wait until the simulation completes and output the difference.
--complete-after		The amount of time the simulated control plane should run before ending the simulation
--control-plane-group	-g	The control plane group that the control plane to use is contained in. This defaults to the group specified in the current context.
--cache-dir		Directory used for caching dependencies.
--public		Create new repositories with public visibility.
--timeout		Maximum time to wait for the project to become ready in the control plane. Set to zero to wait forever.

up project simulation

Manage project simulations.

The simulate command manages project simulations. Simulations allow you to see what changes would occur in a control plane after applying the latest version of an Upbound project.

Examples

Create a new simulation for the specified control plane, wait for the simulation to complete, then show results:

up project simulate create control-plane-name

Force completion of an in-progress project simulation (for example, because a simulation is stuck or taking too long):

up project simulate complete simulation-name

Delete a simulation, removing the simulation results and resources:

up project simulate delete simulation-name

Usage

up project simulation <command> [flags]

up project simulation complete

Force complete an in-progress project simulation

Usage

up project simulation complete <name> [flags]

Arguments

Argument	Description
<name>	The name of the simulation resource

Flags

Flag	Short Form	Description
--project-file	-f	Path to project definition file.
--output	-o	Output the results of the simulation to the provided file. Defaults to standard out if not specified
--terminate-on-finish		Terminate the simulation after the completion criteria is met
--control-plane-group	-g	The control plane group that the control plane to use is contained in. This defaults to the group specified in the current context.

up project simulation create

Start a new project simulation and wait for the results.

Usage

up project simulation create <source-control-plane-name> [flags]

Arguments

Argument	Description
<source-control-plane-name>	Name of the source control plane

Flags

Flag	Short Form	Description
--project-file	-f	Path to project definition file.
--repository		Repository for the built package. Overrides the repository specified in the project file.
--no-build-cache		Don't cache image layers while building.
--build-cache-dir		Path to the build cache directory.
--max-concurrency		Maximum number of functions to build and push at once.
--name	-n	The name of the simulation resource
--tag		An existing tag of the project to simulate. If not specified, defaults to building and pushing a new version
--output	-o	Output the results of the simulation to the provided file. Defaults to standard out if not specified
--terminate-on-finish		Terminate the simulation after the completion criteria is met
--wait		Wait until the simulation completes and output the difference.
--complete-after		The amount of time the simulated control plane should run before ending the simulation
--control-plane-group	-g	The control plane group that the control plane to use is contained in. This defaults to the group specified in the current context.
--cache-dir		Directory used for caching dependencies.
--public		Create new repositories with public visibility.
--timeout		Maximum time to wait for the project to become ready in the control plane. Set to zero to wait forever.

up project simulation delete

Delete a control plane simulation.

Usage

up project simulation delete <name> [flags]

Arguments

Argument	Description
<name>	The name of the simulation resource

Flags

Flag	Short Form	Description
--project-file	-f	Path to project definition file.
--control-plane-group	-g	The control plane group that the control plane to use is contained in. This defaults to the group specified in the current context.

up project stop

Tear down a development control plane started by the run command.

Usage

up project stop [flags]

Flags

Flag	Short Form	Description
--project-file	-f	Path to project definition file.
--control-plane-group		The control plane group that the control plane to use is contained in. This defaults to the group specified in the current context.
--control-plane-name		Name of the control plane to stop. Defaults to the project name.
--skip-control-plane-check		Allow stopping a non-development control plane.
--force		Do not ask for confirmation before stopping the control plane.
--local		Find and stop a local dev control plane, even if Spaces is available.

up project upgrade

Upgrade a project to a newer API version.

The upgrade command upgrades a project to a newer API version.

Examples

Upgrade the project in the current directory to the latest supported version:

up project upgrade

Upgrade a project with a custom project file name:

up project upgrade --project-file custom-project.yaml

Supported Upgrade Paths

• v1alpha1 → v2alpha1: Adds Crossplane v2 features.

Usage

up project upgrade [flags]

Flags

Flag	Short Form	Description
--project-file	-f	Path to project definition file.

up repository

Interact with repositories.

Usage

up repository <command> [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.

up repository create

Create a repository.

Usage

up repository create <name> [flags]

Arguments

Argument	Description
<name>	Name of repository.

Flags

Flag	Short Form	Description
--private		Make the new repository private.
--publish		Enable Upbound Marketplace listing page for the new repository.

up repository delete

Delete a repository.

Usage

up repository delete <name> [flags]

Arguments

Argument	Description
<name>	Name of repository.

Flags

Flag	Short Form	Description
--force		Force deletion of repository.

up repository get

Get a repository for the account.

Usage

up repository get <name> [flags]

Arguments

Argument	Description
<name>	Name of repo.

up repository list

List repositories for the account.

Usage

up repository list [flags]

up repository permission

Manage permissions of a repository for a team in the account.

Usage

up repository permission <command> [flags]

up repository permission grant

Grant repository permission for a team.

Usage

up repository permission grant <team-name> <repository-name> <permission>

Arguments

Argument	Description
<team-name>	Name of team.
<repository-name>	Name of repository.
<permission>	Permission type (admin, read, write, view).

up repository permission list

List all repository permissions for teams.

Usage

up repository permission list <team-name>

Arguments

Argument	Description
<team-name>	Name of the team.

up repository permission revoke

Revoke repository permission from a team.

Usage

up repository permission revoke <team-name> <repository-name> [flags]

Arguments

Argument	Description
<team-name>	Name of team.
<repository-name>	Name of repository.

Flags

Flag	Short Form	Description
--force		Force the revoke of the repository permission even if conflicts exist.

up repository update

Update a repository.

Usage

up repository update --private --publish <name> [flags]

Arguments

Argument	Description
<name>	Name of repository. Required.

Flags

Flag	Short Form	Description
--private		Required The desired repository visibility. Required.
--publish		Required The desired repository publishing policy. Required.
--force		Force the repository update.

up robot

Interact with robots.

Usage

up robot <command> [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.

up robot create

Create a robot.

Usage

up robot create <name> [flags]

Arguments

Argument	Description
<name>	Name of robot.

Flags

Flag	Short Form	Description
--description		Description of robot.

up robot delete

Delete a robot.

Usage

up robot delete <name> [flags]

Arguments

Argument	Description
<name>	Name of robot.

Flags

Flag	Short Form	Description
--force		Force delete robot even if conflicts exist.

up robot get

Get a robot for the account.

Usage

up robot get <name> [flags]

Arguments

Argument	Description
<name>	Name of robot.

up robot list

List robots for the account.

Usage

up robot list [flags]

up robot team

Interact with robot teams.

Usage

up robot team <command> [flags]

up robot team join

Add the robot to a team.

Usage

up robot team join <team-name> <robot-name>

Arguments

Argument	Description
<team-name>	Name of team.
<robot-name>	Name of robot.

up robot team leave

Remove the robot from a team.

Usage

up robot team leave <team-name> <robot-name> [flags]

Arguments

Argument	Description
<team-name>	Name of team.
<robot-name>	Name of robot.

Flags

Flag	Short Form	Description
--force		Force the removal of a robot from a team even if conflicts exist.

up robot team list

List all teams the robot is a member of.

Usage

up robot team list <robot-name>

Arguments

Argument	Description
<robot-name>	Name of robot.

up robot token

Interact with robot tokens.

Usage

up robot token <command> [flags]

up robot token create

Create a token for the robot.

Usage

up robot token create <robot-name> <token-name> [flags]

Arguments

Argument	Description
<robot-name>	Name of robot.
<token-name>	Name of token.

Flags

Flag	Short Form	Description
--file	-f	file to write Token JSON, Use '-' to write to standard output.

up robot token delete

Delete a token for the robot.

Usage

up robot token delete <robot-name> <token-name> [flags]

Arguments

Argument	Description
<robot-name>	Name of robot.
<token-name>	Name of token.

Flags

Flag	Short Form	Description
--force		Force delete token even if conflicts exist.

up robot token get

Get a token for the robot.

Usage

up robot token get <robot-name> <token-name>

Arguments

Argument	Description
<robot-name>	Name of robot.
<token-name>	Name of token.

up robot token list

List the tokens for the robot.

Usage

up robot token list <robot-name>

Arguments

Argument	Description
<robot-name>	Name of robot.

up space

Interact with Spaces.

Usage

up space <command> [flags]

up space billing

Usage

up space billing <command>

up space billing export

Export a billing report for submission to Upbound.

The export command collects billing data from cloud storage and creates a billing report.

The storage location for the billing data used to create the report is supplied using the optional --provider, --bucket, and --endpoint flags. If these flags are missing, their values will be retrieved from the Spaces cluster from your kubeconfig. Set --endpoint="" to use the storage provider's default endpoint without checking your Spaces cluster for a custom endpoint.

Credentials and other storage provider configuration are supplied according to the instructions for each provider below.

AWS S3

Supply configuration by setting these environment variables: AWS_REGION, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY. For more options, see the documentation at https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/welcome.html

GCP Cloud Storage

Supply credentials by setting the environment variable GOOGLE_APPLICATION_CREDENTIALS with the location of a credential JSON file. For more options, see the documentation at https://cloud.google.com/docs/authentication/application-default-credentials.

Azure Blob Storage

Supply configuration by setting these environment variables: AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET. For more options, see the documentation at https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication.

Examples

Export a billing report for January 2024 from AWS S3 and write it to a file called upbound_billing_report.tgz in the current directory:

up space billing export --provider=aws --bucket=my-bucket --account=my-account --billing-month=2024-01

Export a billing report for a custom date range from GCP Cloud Storage. Note that the date range is inclusive (Jan 1-15, 2024):

up space billing export --provider=gcp --bucket=my-bucket --account=my-account --billing-custom=2024-01-01/2024-01-15

Export a billing report for February 2024 from Azure Blob Storage and write it to a custom output location, report.tgz:

up space billing export --provider=azure --bucket=my-container --azure-storage-account=storage-account --account=my-account --billing-month=2024-02 -o report.tgz

Usage

up space billing export --provider=PROVIDER --bucket=STRING --account=STRING --billing-month=TIME --billing-custom=BILLING-CUSTOM [flags]

Flags

Flag	Short Form	Description
--out	-o	Name of the output file.
--provider		Required Storage provider. Must be one of: aws, gcp, azure.
--bucket		Required Storage bucket.
--endpoint		Custom storage endpoint.
--account		Required Name of the Upbound account whose billing report is being collected.
--azure-storage-account		Name of the Azure storage account. Required for --provider=azure.
--billing-month		Required Export a report for a billing period of one calendar month. Format: 2006-01.
--billing-custom		Required Export a report for a custom billing period. Date range is inclusive. Format: 2006-01-02/2006-01-02.
--force-incomplete		Export a report for an incomplete billing period.

up space connect

Connect an Upbound Space to the Upbound web console.

Usage

up space connect [<space>] [flags]

Arguments

Argument	Description
<space>	Optional Name of the Upbound Space. If name is not a supplied, one is generated.

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.
--registry-repository		Set registry for where to pull OCI artifacts from. This is an OCI registry reference, i.e. a URL without the scheme or protocol prefix.
--registry-endpoint		Set registry endpoint, including scheme, for authentication.
--token-file		File containing authentication token. Expecting a JSON file. Example: {"accessId": "", "token": ""}
--registry-username		Set the registry username.
--registry-password		Set the registry password.
--robot-token		The Upbound robot token contents used to authenticate the connection.
--up-environment		Override the default Upbound Environment.

up space destroy

Remove the Upbound Spaces deployment.

Usage

up space destroy [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.
--registry-repository		Set registry for where to pull OCI artifacts from. This is an OCI registry reference, i.e. a URL without the scheme or protocol prefix.
--registry-endpoint		Set registry endpoint, including scheme, for authentication.
--yes-really-delete-space-and-all-data		Bypass safety checks and destroy Spaces
--orphan		Remove Space components but retain Control Planes and data

up space disconnect

Disconnect an Upbound Space from the Upbound web console.

Usage

up space disconnect [<space>] [flags]

Arguments

Argument	Description
<space>	Optional Name of the Upbound Space. If name is not a supplied, it will be determined from the connection info in the space.

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.
--registry-repository		Set registry for where to pull OCI artifacts from. This is an OCI registry reference, i.e. a URL without the scheme or protocol prefix.
--registry-endpoint		Set registry endpoint, including scheme, for authentication.

up space init

Initialize an Upbound Spaces deployment.

Usage

up space init <version> [flags]

Arguments

Argument	Description
<version>	Upbound Spaces version to install.

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.
--registry-repository		Set registry for where to pull OCI artifacts from. This is an OCI registry reference, i.e. a URL without the scheme or protocol prefix.
--registry-endpoint		Set registry endpoint, including scheme, for authentication.
--token-file		File containing authentication token. Expecting a JSON file. Example: {"accessId": "", "token": ""}
--registry-username		Set the registry username.
--registry-password		Set the registry password.
--set		Set parameters.
--file	-f	Parameters file.
--bundle		Local bundle path.
--yes		Answer yes to all questions
--public-ingress		For AKS,EKS,GKE expose ingress publically

up space list

List all accessible spaces in Upbound.

Usage

up space list [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.

up space mirror

Managing the mirroring of artifacts to local storage or private container registries.

The mirror command mirrors all required OCI artifacts for a specific Spaces version.

Examples

Mirror all artifacts for Spaces version 1.9.0 into a local directory as .tar.gz files, using the token file for authentication:

up space mirror -v 1.9.0 --output-dir=/tmp/output --token-file=upbound-token.json

Mirror all artifacts for Spaces version 1.9.0 to a specified container registry, using the token file for authentication. Note that you must log in to the mirror registry first using a command like docker login myregistry.io:

up space mirror -v 1.9.0 --destination-registry=myregistry.io --token-file=upbound-token.json

Print the artifacts that would be mirrored into a local directory for Spaces version 1.9.0, using the token file for authentication. A request is made to the Upbound registry to confirm network access:

up space mirror -v 1.9.0 --output-dir=/tmp/output --token-file=upbound-token.json --dry-run

Usage

up space mirror --version=STRING [flags]

Flags

Flag	Short Form	Description
--registry-repository		Set registry for where to pull OCI artifacts from. This is an OCI registry reference, i.e. a URL without the scheme or protocol prefix.
--registry-endpoint		Set registry endpoint, including scheme, for authentication.
--token-file		File containing authentication token. Expecting a JSON file. Example: {"accessId": "", "token": ""}
--registry-username		Set the registry username.
--registry-password		Set the registry password.
--output-dir	-t	The local directory path where exported artifacts will be saved as .tgz files.
--destination-registry	-d	The target container registry where the artifacts will be mirrored.
--version	-v	Required The specific Spaces version for which the artifacts will be mirrored.

up space upgrade

Upgrade the Upbound Spaces deployment.

Usage

up space upgrade <version> [flags]

Arguments

Argument	Description
<version>	Upbound Spaces version to upgrade to.

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.
--registry-repository		Set registry for where to pull OCI artifacts from. This is an OCI registry reference, i.e. a URL without the scheme or protocol prefix.
--registry-endpoint		Set registry endpoint, including scheme, for authentication.
--token-file		File containing authentication token. Expecting a JSON file. Example: {"accessId": "", "token": ""}
--registry-username		Set the registry username.
--registry-password		Set the registry password.
--set		Set parameters.
--file	-f	Parameters file.
--bundle		Local bundle path.
--yes		Answer yes to all questions
--rollback		Rollback to previously installed version on failed upgrade.

up team

Interact with teams.

Usage

up team <command> [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.

up team create

Create a team.

Usage

up team create <name> [flags]

Arguments

Argument	Description
<name>	Name of Team.

up team delete

Delete a team.

Usage

up team delete <name> [flags]

Arguments

Argument	Description
<name>	Name of team.

Flags

Flag	Short Form	Description
--force		Force delete team even if conflicts exist.

up team get

Get a team.

Usage

up team get <name> [flags]

Arguments

Argument	Description
<name>	Name of team.

up team list

List teams.

Usage

up team list [flags]

up test

Manage and run tests for projects.

Usage

up test <command> [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.

up test generate

Generate a Test for a project.

The generate command creates tests in the specified language.

Examples

Create a composition test with the default language (KCL) in the folder tests/test-xstoragebucket:

up test generate xstoragebucket

Create a composition test in Python and write it to the folder tests/test-xstoragebucket:

up test generate xstoragebucket --language python

Create an e2e test in Python and write it to the folder tests/e2etest-xstoragebucket:

up test generate xstoragebucket --language python --e2e

Usage

up test generate <name> [flags]

Arguments

Argument	Description
<name>	Name for the new Function.

Flags

Flag	Short Form	Description
--project-file	-f	Path to project definition file.
--cache-dir		Directory used for caching dependency images.
--language	-l	Language for test.
--e2e		create e2e tests

up test run

Run project tests.

The run command executes project tests. By default, only composition tests are executed; with the --e2e flag, only e2e tests are executed.

Examples

Run all composition tests located in the 'tests/' directory:

up test run tests/*

Run all end-to-end (e2e) tests located in the 'tests/' directory:

up test run tests/* --e2e

Run e2e tests in tests/ while specifying custom paths for the kubectl binary:

up test run tests/* --e2e --kubectl=.tools/kubectl

Usage

up test run <patterns> ... [flags]

Arguments

Argument	Description
<patterns>	The path to the test manifests

Flags

Flag	Short Form	Description
--project-file	-f	Path to project definition file.
--repository		Repository for the built package. Overrides the repository specified in the project file.
--no-build-cache		Don't cache image layers while building.
--build-cache-dir		Path to the build cache directory.
--max-concurrency		Maximum number of functions to build and push at once.
--control-plane-group		The control plane group that the control plane to use is contained in. This defaults to the group specified in the current context.
--control-plane-name-prefix		Prefix of the control plane name to use. It will be created if not found.
--skip-control-plane-check		Allow running on a non-development control plane.
--local		Use a local dev control plane, even if Spaces is available.
--cluster-admin		Allow Crossplane cluster admin privileges in the local dev control plane. Defaults to true.
--local-registry-path		Directory to use for local registry images. The default is system-dependent.
--skip-control-plane-cleanup		Skip cleanup of the control plane after the test run.
--use-current-context		Run the project with the current kubeconfig context rather than creating a new dev control plane.
--cache-dir		Directory used for caching dependencies.
--kubectl		Absolute path to the kubectl binary. Defaults to the one in $PATH.
--public		Create new repositories with public visibility.
--e2e		Run E2E

up token

Interact with personal access tokens.

Usage

up token <command> [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.

up token create

Create a personal access token for the current user.

Usage

up token create <token-name> [flags]

Arguments

Argument	Description
<token-name>	Name of token.

Flags

Flag	Short Form	Description
--file	-f	file to write Token JSON, Use '-' to write to standard output.

up token delete

Delete a personal access token for the current user.

Usage

up token delete <token-name> [flags]

Arguments

Argument	Description
<token-name>	Name of token.

Flags

Flag	Short Form	Description
--force		Force delete token even if conflicts exist.

up token get

Get a personal access token for the current user.

Usage

up token get <token-name> [flags]

Arguments

Argument	Description
<token-name>	Name of token.

up token list

Get all personal access tokens for the current user.

Usage

up token list [flags]

up uxp

Interact with UXP.

Usage

up uxp <command> [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.

up uxp install

Install UXP.

Usage

up uxp install [<version>] [flags]

Arguments

Argument	Description
<version>	Optional UXP version to install.

Flags

Flag	Short Form	Description
--unstable		Allow installing unstable versions.
--disable-web-ui		Disable the UXP web UI.
--cluster-admin		Install UXP with cluster admin permissions. NOT FOR PRODUCTION PURPOSES.
--set		Set parameters.
--file	-f	Parameters file.
--bundle		Local bundle path.

up uxp license

Manage UXP licenses.

Usage

up uxp license <command> [flags]

up uxp license apply

Apply a UXP license to a control plane. Specify either a license file or use --dev for development clusters.

Usage

up uxp license apply [<license-file>] [flags]

Arguments

Argument	Description
<license-file>	Optional File containing the license key (required unless using --dev).

Flags

Flag	Short Form	Description
--dev		Apply embedded development license for single-node kind clusters.
--namespace		Namespace in which to create the license key secret.

up uxp license remove

Remove the UXP license from a control plane.

Usage

up uxp license remove [flags]

Flags

Flag	Short Form	Description
--force		Do not ask for confirmation before removing the license.

up uxp license show

Show the UXP license for a control plane.

Usage

up uxp license show

up uxp uninstall

Uninstall UXP.

Usage

up uxp uninstall [flags]

up uxp upgrade

Upgrade UXP.

Usage

up uxp upgrade [<version>] [flags]

Arguments

Argument	Description
<version>	Optional UXP version to upgrade to.

Flags

Flag	Short Form	Description
--rollback		Rollback to previously installed version on failed upgrade.
--force		Force upgrade even if versions are incompatible.
--unstable		Allow installing unstable versions.
--set		Set parameters.
--file	-f	Parameters file.
--bundle		Local bundle path.

up uxp web-ui

Manage the UXP web UI.

Usage

up uxp web-ui <command> [flags]

up uxp web-ui disable

Disable the UXP web UI.

Usage

up uxp web-ui disable [flags]

Flags

Flag	Short Form	Description
--unstable		Allow upgrading unstable chart versions.

up uxp web-ui enable

Enable the UXP web UI.

Usage

up uxp web-ui enable [flags]

Flags

Flag	Short Form	Description
--unstable		Allow upgrading unstable chart versions.

up uxp web-ui open

Open the UXP web UI.

Usage

up uxp web-ui open [flags]

Flags

Flag	Short Form	Description
--host		Host to listen on for port-forward.
--port		Port to listen on for port-forward (0 for automatic selection).
--browser		Open the web UI in a browser window.

up version

Show current version.

The version command prints the current version of up as well as the Space or UXP cluster referenced by the current context.

Usage

up version [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.
--client		If true, shows client version only (no server required).

up xpkg

Deprecated. Please migrate to up project or use the crossplane CLI.

This command is deprecated and will be removed in a future release.

To build Crossplane packages with up, use the project commands. To work with non-project Crossplane packages, use the crossplane CLI.

Usage

up xpkg <command> [flags]

up xpkg append

Append additional files to an xpkg.

The append command creates a tarball from a local directory of additional package assets, such as images or documentation, and appends them to a remote package.

If your remote image is already signed, this command will invalidate current signatures and the updated image will need to be re-signed.

Examples

Add all files from ./extensions to a remote image and create a new index with the extensions included:

up alpha xpkg-append --extensions-root=./extensions \
    registry.example.com/my-organization/my-repo@sha256:digest

Add documentation files to a package and save to a different tag, preserving the original package at the source reference:

up alpha xpkg-append --extensions-root=./docs \
    --destination=registry.example.com/my-organization/my-repo:v1.0.1 \
    registry.example.com/my-organization/my-repo@sha256:digest

Usage

up xpkg append <remote-ref> [flags]

Arguments

Argument	Description
<remote-ref>	The fully qualified remote image reference

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.
--destination		Optional OCI reference to write to. If not set, the command will modify the input reference.
--extensions-root		An optional directory of arbitrary files for additional consumers of the package.

up xpkg batch

Batch build and push a family of service-scoped provider packages.

Usage

up xpkg batch --family-base-image=STRING --provider-name=STRING --family-package-url-format=STRING [flags]

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.
--family-base-image		Required Family image used as the base for the smaller provider packages.
--provider-name		Required Provider name, such as provider-aws to be used while formatting smaller provider package repositories.
--family-package-url-format		Required Family package URL format to be used for the smaller provider packages. Must be a valid OCI image URL with the format specifier "%s", which will be substituted with -.
--smaller-providers		Smaller provider names to build and push, such as ec2, eks or config.
--concurrency		Maximum number of packages to process concurrently. Setting it to 0 puts no limit on the concurrency, i.e., all packages are processed in parallel.
--push-retry		Number of retries when pushing a provider package fails.
--platform		Platforms to build the packages for. Each platform should use the _ syntax. An example is: linux_arm64.
--provider-bin-root	-p	Provider binary paths root. Smaller provider binaries should reside under the platform directories in this folder.
--output-dir	-o	Path of the package output directory.
--store-packages		Smaller provider names whose provider package should be stored under the package output directory specified with the --output-dir option.
--package-metadata-template		Smaller provider metadata template. The template variables {{ .Service }} and {{ .Name }} will be substituted when the template is executed among with the supplied template variable substitutions.
--template-var		Smaller provider metadata template variables to be used for the specified template.
--examples-group-override		Overrides for the location of the example manifests folder of a smaller provider.
--crd-group-override		Overrides for the locations of the CRD folders of the smaller providers.
--package-repo-override		Overrides for the package repository names of the smaller providers.
--providers-with-auth-ext		Smaller provider names for which we need to configure the authentication extension.
--examples-root	-e	Path to package examples directory.
--crd-root		Path to package CRDs directory.
--auth-ext		Path to an authentication extension file.
--ignore		Paths to exclude from the smaller provider packages.
--create		Create repository on push if it does not exist.
--build-only		Only build the smaller provider packages and do not attempt to push them to a package repository.
--provider-name-suffix-for-push		Suffix for provider name during pushing the packages. This suffix is added to the end of the provider name. If there is a service name for the corresponded provider, then the suffix will be added to the base provider name and the service-scoped name will be after this suffix. Examples: provider-family-aws-suffix, provider-aws-suffix-s3

up xpkg build

Build a package, by default from the current directory.

This command is deprecated and will be removed in a future release.

To build Crossplane packages with up, use the project commands. To work with non-project Crossplane packages, use the crossplane CLI.

Usage

up xpkg build [flags]

Flags

Flag	Short Form	Description
--name		[DEPRECATED: use --output] Name of the package to be built. Uses name in crossplane.yaml if not specified. Does not correspond to package tag.
--output	-o	Path for package output.
--controller		Controller image used as base for package.
--package-root	-f	Path to package directory.
--examples-root	-e	Path to package examples directory.
--helm-root	-h	Path to helm directory.
--auth-ext	-a	Path to an authentication extension file.
--ignore		Paths, specified relative to --package-root, to exclude from the package.

up xpkg push

Push a package.

Usage

up xpkg push <tag> [flags]

Arguments

Argument	Description
<tag>	Tag of the package to be pushed. Must be a valid OCI image tag.

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.
--package	-f	Path to packages. If not specified and only one package exists in current directory it will be used.
--create		Create repository on push if it does not exist.

up xpkg xp-extract

Extract package contents into a Crossplane cache compatible format. Fetches from a remote registry by default.

Usage

up xpkg xp-extract [<package>] [flags]

Arguments

Argument	Description
<package>	Optional Name of the package to extract. Must be a valid OCI image tag or a path if using --from-xpkg.

Flags

Flag	Short Form	Description
--domain		Root Upbound domain. Overrides the current profile's domain.
--profile		Profile used to execute command.
--account	-a	Deprecated. Use organization instead.
--organization		Organization used to execute command. Overrides the current profile's organization.
--ca-bundle		Path to CA bundle file to prepend to existing CAs
--insecure-skip-tls-verify		[INSECURE] Skip verifying TLS certificates.
--debug	-d	[INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens.
--override-api-endpoint		Overrides the default API endpoint.
--override-auth-endpoint		Overrides the default auth endpoint.
--override-proxy-endpoint		Overrides the default proxy endpoint.
--override-registry-endpoint		Overrides the default registry endpoint.
--override-accounts-endpoint		Overrides the default accounts endpoint.
--kubeconfig		Override default kubeconfig path.
--kubecontext		Override default kubeconfig context.
--from-daemon		Indicates that the image should be fetched from the Docker daemon.
--from-xpkg		Indicates that the image should be fetched from a local xpkg. If package is not specified and only one exists in current directory it will be used.
--output	-o	Package output file path. Extension must be .gz or will be replaced.

up xpls

Start xpls language server.

Usage

up xpls <command> [flags]

up xpls serve

run a server for Crossplane definitions using the Language Server Protocol.

Usage

up xpls serve [flags]

Flags

Flag	Short Form	Description
--cache		Directory path for dependency schema cache.
--verbose		Run server with verbose logging.

up xrd

Manage XRDs from Composite Resources(XR) or Claims(XRC).

Usage

up xrd <command> [flags]

up xrd generate

Generate an XRD from a Composite Resource (XR) or Claim (XRC).

The generate command creates a CompositeResourceDefinition (XRD) from a given Composite Resource (XR) and generates associated language models for function usage.

Examples

Generate a CompositeResourceDefinition (XRD) based on the specified Composite Resource and save it to the default APIs folder in the project:

up xrd generate examples/cluster/example.yaml

Generate a CompositeResourceDefinition (XRD) with a specified plural form, useful for cases where automatic pluralization may not be accurate (e.g., "postgres"):

up xrd generate examples/postgres/example.yaml --plural postgreses

Generate a CompositeResourceDefinition (XRD) and save it to a custom path within the project's default APIs folder.

up xrd generate examples/postgres/example.yaml --path database/definition.yaml

Usage

up xrd generate <file> [flags]

Arguments

Argument	Description
<file>	Path to the file containing the Composite Resource (XR) or Composite Resource Claim (XRC).

Flags

Flag	Short Form	Description
--cache-dir		Directory used for caching dependency images.
--path		Path to the output file where the Composite Resource Definition (XRD) will be saved.
--plural		Optional custom plural form for the Composite Resource Definition (XRD).
--output	-o	Output format for the results: 'file' to save to a file, 'yaml' to print XRD in YAML format, 'json' to print XRD in JSON format.
--project-file	-f	Path to project definition file.