Up Command Reference

The up command-line provides a suite of tools to configure and interact with Upbound technologies.

The following flags are available for all commands.

Short flagLong flagDescription
-h--helpShow context-sensitive help.
--prettyPretty print output.
-q--quietSuppress all output.
-v--versionPrint version and exit.

configuration

The up configuration command provides management operations for Git-synced configurations on Upbound.

Tip
up cfg is an alias for up configuration.

All up configuration commands support the following options:

Short flagLong flagDescription
-a--account=STRINGThe username or organization to use for authentication. The default uses the authenticated user from up login.
--domain=<URL>The managed control plane domain to connect to. The default is https://upbound.io
--insecure-skip-tls-verifyUnsafe - Don’t validate the SSL certificate offered by the remote server. This command isn’t recommended.
--profile=<path>Use a custom Up CLI profile at located at the provided path. The default is ~/.up/config.json

configuration list

List the configurations in your Upbound account up configuration list --configuration-name=STRING <name>.

Examples

  • List the configurations associated with an account in Upbound.
up cfg list
NAME                          TEMPLATE ID                      PROVIDER   REPO                          BRANCH   CREATED AT                      SYNCED AT
gcp-control-plane-api         upbound/configuration-cloudsql   github     gcp-control-plane-api         main     2023-03-27 13:48:12 +0000 UTC   2023-03-29 21:09:13.503641 +0000 UTC
internal-cloud-platform-api   upbound/configuration-aws-icp    github     internal-cloud-platform-api   main     2023-03-28 12:52:24 +0000 UTC   2023-04-03 12:35:56.650919 +0000 UTC
my-platform-api               upbound/configuration-eks        github     my-platform-api               main     2023-04-03 13:12:11 +0000 UTC   2023-04-03 13:12:28.722019 +0000 UTC

configuration create

Create a Git-synced configuration in Upbound up configuration create --context=STRING --template-id=STRING <name>.

You can find a list of available templates by up configuration template list.

Short flagLong flagDescription
--context=STRINGName of the GitHub account/org
--template-id=STRINGName of the configuration template
--privateCreate the GitHub repository as private. (Default: false)

Examples

  • Create a configuration in Upbound synced from a public repository from scratch
up cfg create --context=upbound --template-id=upbound/configuration-scratch my-platform-apis
No need to authorize Upbound Github App: already authorized
  • Create a configuration in Upbound synced from a private repository from configuration-eks
up cfg create --context=upbound --template-id=upbound/configuration-eks my-platform-apis-2 --private
No need to authorize Upbound Github App: already authorized
Tip
Replace context with the name of your org/account in GitHub.

configuration get

Get a Git-synced configuration in Upbound up configuration get <name>.

You can find a list of available configurations by up configuration list.

Examples

  • Get a reference to a Git-synced configuration in Upbound called my-platform-apis
up cfg get my-platform-apis
NAME               TEMPLATE ID                     PROVIDER   REPO               BRANCH   CREATED AT                      SYNCED AT
my-platform-apis   upbound/configuration-scratch   github     my-platform-apis   main     2023-04-03 18:25:28 +0000 UTC   2023-04-03 18:25:43.964217 +0000 UTC

configuration delete

Delete a Git-synced configuration in Upbound. This command requires confirmation unless using the --force option. up configuration create --context=STRING --template-id=STRING <name>.

You can find a list of available configurations by up configuration list.

Short flagLong flagDescription
--forceForce deletion of the configuration.

Examples

  • Delete a configuration in Upbound called my-platform-apis
up cfg delete my-platform-apis
Are you sure you want to delete this configuration? [y/n]: y
Deleting configuration my-platform-apis. This cannot be undone,
my-platform-apis deleted
  • Force-delete a configuration in Upbound called my-platform-apis-2
up cfg delete my-platform-apis-2 --force
my-platform-apis-2 deleted

configuration template list

List the available Crossplane configurations that are available to create a new Git-synced configuration from up configuration template list.

Examples

  • List the configuration templates available to create a new Git-synced configuration from
up cfg template list
ID                               DESCRIPTION                   REPO
upbound/configuration-rds        RDS as a Service              github.com/upbound/configuration-rds
upbound/configuration-eks        EKS as a Service              github.com/upbound/configuration-eks
upbound/configuration-aws-icp    AWS Internal Cloud Platform   github.com/upbound/configuration-aws-icp
upbound/configuration-cloudsql   CloudSQL as a Service         github.com/upbound/configuration-cloudsql
upbound/configuration-scratch    Scratch                       github.com/upbound/configuration-scratch

controlplane

The up controlplane command provides management operations for managed control planes on Upbound. It also has commands for installing providers or configurations on Crossplane control planes generically.

The up CLI relies on a kubeconfig file to connect to the target Kubernetes cluster.

Tip
up ctp is an alias for up controlplane.

All up controlplane commands support the following options:

Short flagLong flagDescription
-a--account=STRINGThe username or organization to use for authentication. The default uses the authenticated user from up login.
--domain=<URL>The managed control plane domain to connect to. The default is https://upbound.io
--kubeconfig=<path>Use a custom kubeconfig file located at the given path. The default uses the active kubeconfig.
--insecure-skip-tls-verifyUnsafe - Don’t validate the SSL certificate offered by the remote server. This command isn’t recommended.
--profile=<path>Use a custom Up CLI profile at located at the provided path. The default is ~/.up/config.json

controlplane list

List the managed control planes in your Upbound account up controlplane list.

Examples

  • List the managed control planes associated with an account.
up ctp list
NAME                           ID                                     STATUS   DEPLOYED CONFIGURATION        CONFIGURATION STATUS
first-control-plane            b93baazd-a426-4a9b-8c85-c402bb67ba05   ready    first-configuration           ready
second-control-plane           cb1sb6aa-3b22-4c69-a5a8-ae3dd5b5eb80   ready    first-configuration           ready
third-control-plane            f2h88eb1-59e0-4211-96af-f92428a4561f   ready    second-configuration          ready

controlplane create

Create a managed control plane in Upbound and install referenced configuration on it up controlplane create --configuration-name=STRING <name>.

View available configurations to install on the managed control plane with up configuration list.

Short flagLong flagDescription
-d--description=STRINGProvide a text description for the managed control plane

Examples

  • Create a managed control plane and install a configuration called my-control-plane-api on it.
up ctp create --configuration-name=my-control-plane-api my-control-plane
my-control-plane created
Tip
The configuration my-control-plane-api must first exist and have already been created in your account for this command to succeed.

controlplane delete

Delete a managed control plane in Upbound up controlplane delete --configuration-name=STRING <name>.

View available managed control planes to delete with up controlplane list.

Examples

  • Delete a managed control plane.
up ctp delete my-control-plane
my-control-plane deleted

controlplane get

Get a managed control plane in Upbound up controlplane get <name>.

View available managed control planes with up controlplane list.

Examples

  • Get a managed control plane called my-control-plane.
up ctp get my-control-plane
NAME                ID                                     STATUS   DEPLOYED CONFIGURATION        CONFIGURATION STATUS
my-control-plane    2012c379-5743-4f65-a473-30037861ef6e   ready    my-configuration              ready

controlplane connect

Set the current context of your kubeconfig to a managed control plane up controlplane connect <name> --token=STRING.

Providing a token is only required when connecting to a control plane in Upbound’s SaaS environment. The token is an API token. This flag gets ignored when used in the context of an Upbound Space.

Examples

  • Connect to a managed control plane called my-control-plane in an Upbound Space.
up ctp connect my-control-plane
  • Connect to a managed control plane called second-control-plane in Upbound’s SaaS environment.
up ctp connect second-control-plane --token=<redacted>

controlplane connector

The up controlplane connector commands connect or disconnect a Kubernetes app cluster from a managed control plane in Upbound.

All up controlplane connector commands support the following options:

Short flagLong flagDescription
-a--account=STRINGThe username or organization to use for authentication. The default uses the authenticated user from up login.
--domain=<URL>The managed control plane domain to connect to. The default is https://upbound.io
--insecure-skip-tls-verifyUnsafe - Don’t validate the SSL certificate offered by the remote server. This command isn’t recommended.
--profile=<path>Use a custom Up CLI profile at located at the provided path. The default is ~/.up/config.json

controlplane connector install

Connect a Kubernetes app cluster outside of Upbound to a managed control plane in Upbound. This command creates an APIService resource in the Kubernetes app cluster for every claim API in the managed control plane. As a result, the claim APIs are available in the Kubernetes app cluster just like all native Kubernetes API. up controlplane connector install <control-plane-name> <namespace-to-sync-to>.

Important
Your kubeconfig should be pointing at your Kubernetes app cluster in order for this command to succeed.
Short flagLong flagDescription
--token=STRINGAPI token used to authenticate. Creates a new robot and a token if a token isn’t provided.
--cluster-name=STRINGName of the cluster connecting to the control plane. Uses the namespace argument if a cluster-name isn’t provided.
--kubeconfig=STRINGOverride the default kubeconfig path.
-n--installation-namespace="kube-system"Kubernetes namespace for the Managed Control Plane Connector. Default is kube-system ($MCP_CONNECTOR_NAMESPACE).
--control-plane-secret=STRINGName of the secret that contains the kubeconfig for a control plane.
--set=KEY=VALUE;...Set parameters.
-f--file=FILEParameters file.
--bundle=BUNDLELocal bundle path.

Examples

  • Connect an app cluster to a managed control plane called my-control-plane and connected to a namespace my-app-ns-1 in the control plane.
up ctp connect my-control-plane my-app-ns-1
<install MCP Connector>

controlplane connector uninstall

Disconnect an Kubernetes app cluster from a managed control plane in Upbound up controlplane connector uninstall <namespace.

The command uninstalls the MCP connector helm chart and moves any claims in the app cluster into the managed control plane at the specified namespace.

Short flagLong flagDescription
--cluster-name=STRINGName of the cluster connecting to the control plane. Uses the namespace argument if a cluster-name isn’t provided.
--kubeconfig=STRINGOverride the default kubeconfig path.
-n--installation-namespace="kube-system"Kubernetes namespace for the Managed Control Plane Connector. Default is kube-system ($MCP_CONNECTOR_NAMESPACE).

Examples

  • Disconnect an app cluster from a managed control plane called my-control-plane and move the claims to the default namespace in the managed control plane.
up ctp connector uninstall default
<uninstall MCP Connector>

controlplane configuration install

Warning
Do not use this command to install a configuration on a managed control plane in Upbound. Instead, use the built-in support for Git-synced configurations.

Install a Crossplane configuration packages into a Kubernetes cluster with up controlplane configuration install <package>.

View packages installed by up controlplane configuration install with kubectl get configuration.

Short flagLong flagDescription
--name=<name>Manually define a name to apply to the configuration. By default Upbound uses the package name.
--package-pull-secrets=<secret>,<secret>...One or more Kubernetes secrets to use to download the configuration package. Comma-seperate more than one secret.
-w-w --wait=<number><unit>The amount of time to wait for a package to install and report HEALTHY. If a package isn’t healthy when the wait expires the command returns an error. Go’s ParseDuration defines valid time units.
Warning
When using --wait, packages that aren’t HEALTHY when the wait time expires aren’t removed and continue to install in the background.

Examples

up ctp configuration install xpkg.upbound.io/upbound/platform-ref-aws
upbound-platform-ref-aws installed
  • Install a package and name it my-package in Kubernetes.
up ctp configuration install xpkg.upbound.io/upbound/platform-ref-aws --name my-package
my-package installed

controlplane disconnect

Reset the current context of your kubeconfig to the previous value before connecting to a managed control plane up controlplane disconnect.

Examples

  • Disconnect from a managed control plane you connected to prior.
up ctp disconnect

controlplane provider install

Warning
Do not use this command to install a provider on a managed control plane in Upbound. Instead, use the built-in support for Git-synced configurations and declare a provider dependency in the git repo for whichever configuration is installed on your desired managed control plane.

Install a Crossplane provider packages into a Kubernetes cluster with up controlplane provider install <package>.

View packages installed by up controlplane provider install with kubectl get configurations and kubectl get providers.

Short flagLong flagDescription
--name=<name>Manually define a name to apply to the configuration. By default Upbound uses the package name.
--package-pull-secrets=<secret>,<secret>...One or more Kubernetes secrets to use to download the configuration package. Comma-seperate more than one secret.
-w-w --wait=<number><unit>The amount of time to wait for a package to install and report HEALTHY. If a package isn’t healthy when the wait expires the command returns an error. Go’s ParseDuration defines valid time units.
Warning
When using --wait, packages that aren’t HEALTHY when the wait time expires aren’t removed and continue to install in the background.

Examples

up ctp configuration install xpkg.upbound.io/upbound/provider-aws
upbound-provider-aws installed
  • Install a package and name it my-package in Kubernetes.
up ctp configuration install xpkg.upbound.io/upbound/provider-aws --name my-provider
my-provider installed

controlplane pull-secret create

Create a new Kubernetes secret object with up controlplane pull-secret create

This command creates secrets the same as described in the Kubernetes documentation on pulling images from private registries using kubectl create secret.

View secrets created by up controlplane pull-secret create with kubectl get secrets

Short flagLong flagDescription
-f--file=<path>Path to credentials file. Uses the profile credentials if not specified.
-n--namespace=<namespace>Kubernetes namespace for pull secret ($UPBOUND_NAMESPACE).

controlplane kubeconfig get

Uses a personal access token to create an entry in the default kubeconfig file for the specified managed control plane.

The --file flag uses the supplied configuration instead.

An incorrect token or control plane name produces an error and doesn’t change the current context.

up controlplane kubeconfig get --token=STRING

Short flagLong flagDescription
-f--file=STRINGFile to merge kubeconfig.
--token=STRINGRequired token to use in the generated kubeconfig to access the specified managed control plane. Upbound manages this token.
Warning
Upbound does not currently support the use of robot tokens for scoped access to control planes. A personal access token must be used.

Examples

  • Configure your kubeconfig to connect to my-control-plane and grep APIs for Crossplane installed on it
up ctp kubeconfig get --token <my-token> -a my-org my-control-plane
Current context set to upbound-my-org-my-mcp

kubectl api-resources | grep "crossplane.io"
compositeresourcedefinitions                xrd,xrds     apiextensions.crossplane.io/v1                        false        CompositeResourceDefinition
compositionrevisions                                     apiextensions.crossplane.io/v1beta1                   false        CompositionRevision
compositions                                             apiextensions.crossplane.io/v1                        false        Composition
environmentconfigs                                       apiextensions.crossplane.io/v1alpha1                  false        EnvironmentConfig
configurationrevisions                                   pkg.crossplane.io/v1                                  false        ConfigurationRevision
configurations                                           pkg.crossplane.io/v1                                  false        Configuration
controllerconfigs                                        pkg.crossplane.io/v1alpha1                            false        ControllerConfig
locks                                                    pkg.crossplane.io/v1beta1                             false        Lock
providerrevisions                                        pkg.crossplane.io/v1                                  false        ProviderRevision
providers                                                pkg.crossplane.io/v1                                  false        Provider
storeconfigs                                             secrets.crossplane.io/v1alpha1                        false        StoreConfig

get

The up get command prints information about a given object within the current kubeconfig context.

get managed

Get all managed resources within this control plane. up get managed

get claim

Get all claims managed by this control plane. up get claim

get composite

Get all composite resources managed by this control plane. up get composite

license

The up license command prints the license of the up command-line software.

Examples

  • Print the license of the up CLI
up license
By using Up, you are accepting to comply with terms and conditions in https://licenses.upbound.io/upbound-software-license.html

login

The up login command authenticates to Upbound, generates and stores a JSON credentials file locally in ~/.up/config.json. Commands requiring authentication to Upbound services use the JSON file to authenticate (such as interacting with Upbound or the Marketplace) up login.

If run without arguments, up login asks for the username and password from the terminal. View the current authentication status with up organization list.

Short flagLong flagDescription
-u--username=STRINGThe username to authenticate. Defaults to the value of the environmental variable UP_USER
-p--password=STRINGThe password to authenticate. Defaults to the value of the environmental variable UP_PASS
-t--token=STRINGAn Upbound user token to use in place of a username and password
-a--account=STRINGAuthenticate as a member of an organization.

Examples

  • Login without arguments
up login
Username: my-name
Password:
my-name logged in
  • Login with a token
up login -t eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiIyYWY2NmFjMi1iY2NhLTRkOWUtODRjNy1kZDJhOTFlNzNjODEiLCJzdWIiOiJ1c2VyfDE0NjMifQ.EEk1Ukei$fkhKKx2yQKeq0pIs3dnjkbOvvjD22_osdKXntGE39G8CsrORO0XT7w300Apw1HW8f21GyGAeO0ilxW6B8efKAqILd0V4-9eAL-VnCK6iLU6wHVt_vP6JwRLyEJrnn7ldYbaz1i4LONZhd5UfsRe4bOztnohkWNsUeIEOnRj_PBntGA5o1VQEyv4kwOS5vp5aVNF9zYWyW7RFKjpmgPdDqLQ_SSKrqmUQPXW4X886lfNWsgtdcTthoo3NEiKPDfrpSh1ZW-4jurGvrgdhfOO2kMRkk-5lZQ0usPYZ62gqTnayjxYP4TCKA7HCKhjoZlX5MS2WlObeTIgA
2af6a653-abcd-4d9e-84c7-dd3a91e73c81 logged in
  • Login to an organization
up organization list
NAME           ROLE
my_org        owner

If not logged in, the command returns an error.

up org list
up: error: permission denied: {"message":"Unauthorized"}

logout

Log out of Upbound services by invalidating the current login token.

Examples

  • Log out of Upbound
up logout
my-name logged out

organization

The up organization commands create and manage organizations on Upbound.

Tip
up org is an alias for up organization.

All up configuration commands support the following options:

Short flagLong flagDescription
-a--account=STRINGThe username or organization to use for authentication. The default uses the authenticated user from up login.
--domain=<URL>The managed control plane domain to connect to. The default is https://upbound.io
--insecure-skip-tls-verifyUnsafe - Don’t validate the SSL certificate offered by the remote server. This command isn’t recommended.
--profile=<path>Use a custom Up CLI profile at located at the provided path. The default is ~/.up/config.json

organization create

Create an organization in Upbound up organization create <name>.

Examples

  • Create an organization called my-org in Upbound
up org create my-org
my-org created
Tip
Individuals are allowed to belong to as many organizations as they wish, but they are only allowed to create 1 additional org. Attempts to create more than 1 additional org will result in an error being returned.

organization delete

Delete an organization in Upbound up organization delete <name>.

Short flagLong flagDescription
--forceForce deletion of the organization.
Warning
Deleting an organization removes all users from the organization, deletes all robots, robot tokens, teams, and repositories. This can not be undone.

Examples

  • Delete an organization called my-org in Upbound
up org delete my-org
Are you sure you want to delete this organization? [y/n]: y
Deleting organization my-org. This cannot be undone.
my-org deleted

organization list

List the organizations belonged to by the account currently logged in up organization list.

Examples

  • List all organizations belonged to by the user
up org list
ID    NAME      ROLE
433   my-org    owner

organization get

Get an organization in Upbound up organization get <name>.

Examples

  • Get an organization called my-org
up org get my-org
ID    NAME      ROLE
433   my-org    owner

organization user

The up organization user commands create and manage users in an organization on Upbound.

All up organization user commands support the following options:

Short flagLong flagDescription
-a--account=STRINGThe username or organization to use for authentication. The default uses the authenticated user from up login.
--domain=<URL>The managed control plane domain to connect to. The default is https://upbound.io
--insecure-skip-tls-verifyUnsafe - Don’t validate the SSL certificate offered by the remote server. This command isn’t recommended.
--profile=<path>Use a custom Up CLI profile at located at the provided path. The default is ~/.up/config.json

organization user invite

Invite a user to an organization on Upbound up organization user invite <org-name> <email>.

Short flagLong flagDescription
-p--permission="member"Role of the user to invite (owner or member).

Examples

  • Invite a user into AcmeCo org on Upbound
up org user invite acmeco idontexist@acmeco.org
idontexist@acmeco.org invited

organization user delete-invite

Delete an invite for a user to an organization on Upbound up organization user delete-invite <org-name> <email>.

Short flagLong flagDescription
--forceForce deletion of the invite.

Examples

  • Delete an invite for a user to the AcmeCo org on Upbound
up org user delete-invite acmeco idontexist@acmeco.org
Are you sure you want to delete this invite? [y/n]: y
Deleting invite idontexist@acmeco.org. This cannot be undone.
Invitation 517 deleted

organization user list-invite

List the pending invites for an organization on Upbound up organization user list-invites <org-name>.

Examples

  • List the invites for AcmeCo org on Upbound
up org user list-invites acmeco
ID    EMAIL                   PERMISSION
517   idontexist@acmeco.org

organization user list-members

List the members of an organization on Upbound up organization user list-members <org-name>.

Examples

  • List the members of AcmeCo org on Upbound
up org user list-members acmeco
ID     NAME              PERMISSION
517    Test User         owner
518    Test User2        member

organization user remove-members

Remove a members from an organization on Upbound up organization user remove-member <org-name> <user-id>.

Short flagLong flagDescription
--forceForce deletion of the invite.

Examples

  • Remove a user from an org in Upbound
up org user remove-user acmeco 517
Are you sure you want to remove this member? [y/n]: y
Removing member 517. This cannot be undone.
User 517 removed from acmeco

profile

The up profile command lets you view and manage up command-line profiles with up profile commands.

All up profile commands support the following options:

Short flagLong flagDescription
-a--account=STRINGThe username or organization to use for authentication. The default uses the authenticated user from up login.
--domain=<URL>The managed control plane domain to connect to. The default is https://upbound.io
--kubeconfig=<path>Use a custom kubeconfig file located at the given path. The default uses the active kubeconfig.
--insecure-skip-tls-verifyUnsafe - Don’t validate the SSL certificate offered by the remote server. This command isn’t recommended.
--profile=<path>Use a custom Up CLI profile at located at the provided path. The default is ~/.up/config.json

profile current

Get the current Upbound profile up profile current.

Examples

  • Print the current Upbound profile
up profile current
{
    "default": {
        "id": "my-name",
        "type": "user",
        "session": "REDACTED",
        "account": "my-org",
        "base": {
            "color": "blue"
        }
    }
}

profile list

List all configured profiles. up profile list.

Examples

  • Print the available profiles
up profile list
CURRENT   NAME      TYPE   ACCOUNT
*         default   user   my-org

profile use

Select a profile to use for all commands in up up profile use.

Examples

  • use an Upbound profile called test
up profile use test

profile view

Prints all configured profiles for up. up profile view.

Examples

  • view all profiles for up
up profile view
{
    "default": {
        "id": "my-name",
        "type": "user",
        "session": "REDACTED",
        "account": "my-org",
        "base": {
            "color": "blue"
        }
    }
}

profile config

Settings apply to the current profile in use. Supply a JSON file of settings for bulk changes. up profile config.

Short flagLong flagDescription
-f--file = <profile JSON file>a JSON file of key-value pairs

Examples

  • set a key-value pair
up profile config set color blue
  • unset a key-value pair
up profile config unset color

query

The up query command lets you view list of objects of any kind within all the control planes in your space. Supports filtering.

To query across all control plane groups within a space.

up query -A

query managed

Get the managed resources within all control plane groups. up query managed -A

query claim

Get the claims within all control plane groups. up query claim -A

query composite

Get the composite resources within all control plane groups. up query managed -A

repository

The up repository command provides management operations for Upbound repository accounts.

Tip
up repo is an alias for up repository.

All up repository commands support the following options:

Short flagLong flagDescription
-a--account=STRINGThe username or organization to use for authentication. The default uses the authenticated user from up login.
--domain=<URL>The managed control plane domain to connect to. The default is https://upbound.io
--insecure-skip-tls-verifyUnsafe - Don’t validate the SSL certificate offered by the remote server. This command isn’t recommended.
--profile=<path>Use a custom Up CLI profile at located at the provided path. The default is ~/.up/config.json

repository create

Create a repository with the given name up repository create <name>.

Examples

  • Create a repository called my-repo
up repo create my-repo
acmeco/my-repo created

repository delete

Delete a repository with the given name up repository delete <name>.

Short flagLong flagDescription
--forceForce deletion of repository.
Warning
Deleting a repository removes all packages from the repository and impacts all users in an organization. Deleting a public repository will also impact any users that attempt to pull any packages in that repository or have it declared as a dependency in their cluster. This can not be undone.

Examples

  • Delete a repository called my-repo
up repo delete my-repo
Are you sure you want to delete this repository? [y/n]: y
Deleting repository acmeco/my-repo. This cannot be undone.
acmeco/my-repo deleted

repository list

List the repositories belonging to this account up repository list.

Examples

  • List the repositories in Upbound belonging to this account
up repo list
NAME                                   TYPE            PUBLIC   UPDATED
c934895d-7271-422b-9f50-0c7553962891   configuration   false    7d6h
375e8c55-7684-4a4d-9fc4-886ca2d0630a   configuration   false    6d7h
c7fcd651-d370-4773-b688-da128338b599   configuration   false    4d21h

repository get

Get a repository in this account up repository get.

Examples

  • Get a repository called my-repo
up repo get my-repo
NAME      TYPE      PUBLIC   UPDATED
my-repo   unknown   true     n/a

robot

The up robot command provides management operations for robots in Upbound. Robots are identities used for authentication that are independent from a single user and aren’t tied to specific usernames or passwords. Robots have their own authentication credentials and configurable permissions.

All up robot commands support the following options:

Short flagLong flagDescription
-a--account=STRINGThe username or organization to use for authentication. The default uses the authenticated user from up login.
--domain=<URL>The managed control plane domain to connect to. The default is https://upbound.io
--insecure-skip-tls-verifyUnsafe - Don’t validate the SSL certificate offered by the remote server. This command isn’t recommended.
--profile=<path>Use a custom Up CLI profile at located at the provided path. The default is ~/.up/config.json

robot create

Create a robot in your account’s organization up robot create <name>.

Short flagLong flagDescription
--description=STRINGDescription of robot.

Examples

  • Create a robot called my-robot
up robot create my-robot
my-org/my-robot created

robot delete

Delete a robot from your account’s organization up robot delete <name>.

Examples

  • Delete a robot called my-robot
up robot delete my-robot
Are you sure you want to delete this robot? [y/n]: y
Deleting robot my-org/my-robot. This cannot be undone.
my-org/my-robot deleted

robot list

List the robots in your account’s organization up robot delete <name>.

Examples

  • List all robots in this account’s organization
up robot list
NAME              ID                                     DESCRIPTION   CREATED
my-robot          3f76eec5-b7e0-4f6e-aeec-8adbec2c44a6                 28m

robot get

Get a robot from your account’s organization up robot get <name>.

Examples

  • Get a robot called my-robot
up robot get
NAME              ID                                     DESCRIPTION   CREATED
my-robot          3f76eec5-b7e0-4f6e-aeec-8adbec2c44a6                 28m

robot token

Manage robot authentication tokens for existing robot accounts with up robot token.

robot token create

Create a robot authentication tokens for an robot accounts with up robot token create --output=STRING <robot-name> <token-name>.

Examples

  • Create a robot token
up robot token create my-robot my-token --output=~/my-robot-token.json
my-org/my-robot/my-token created
cat ~/my-robot-token.json
{"accessId":"a857e667-526a-8424-8dff-d29d3204adae","token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJhODU3ZTY2Ny01MjZhLTQwNDItOGRlMy1kMjlkMzIwNGFkYWUiLCJzdWIiOiJyb2JvdHwzZjc2ZWVjNS1iN2UwLTRmNmUtYWVlYy04YWRiZWMyYzQ0YTYifQ.F00nFGsINl3wrRvI6YQd4AlwevdiZZZeiJFZXi7QxZ3pYEhDjeL0pLw-ln-qyFLQXNX42jw-n0sAlmV6T1IVU9fLjQOaPIiFbhovlf4uNlPL51ih3qwswMC7kgdzCpg3e4l3HngEsHsIhnv_5ipliJXx7Pk7eRfybDQyGM7nodbd5Zk-bOI9MMRJPrwxanlRoPnt3oiUhSBcmHaJh7GbSs_8bCKq1hSK1HK6nj8nHgS2zOI3oe1Xrk1SKnNw2wC_MpPDxpoW9xitMapjzhKdzdl5T3peIrsEW9z2i-Sm1yKFpe80a6wRKNgiK1caxj7gjPVuvEoVop-uKayN9DMViQ"}

robot token delete

Delete a robot authentication tokens from a robot account with up robot token delete <robot-name> <token-name>.

Short flagLong flagDescription
--forceForce deletion of repository.

Examples

  • Delete a token called my-token from a robot called my-robot
up robot token delete my-robot my-token
Are you sure you want to delete this robot token? [y/n]: y
Deleting robot token my-org/my-robot/my-token. This cannot be undone.
my-org/my-robot/my-token deleted

robot token list

List the authentication tokens of a robot account with up robot token list <robot-name>.

Examples

  • List the tokens for a robot called my-robot
up robot token list my-robot
NAME       ID                                     CREATED
my-token   1987b8c2-b364-4787-9ce2-39493f3db6ad   3m40s

robot token get

Get an authentication tokens of a robot account with up robot token get <robot-name> <token-name>.

Examples

  • Get a token called my-token from a robot called my-robot
up robot token get my-robot my-token
NAME       ID                                     CREATED
my-token   1987b8c2-b364-4787-9ce2-39493f3db6ad   5m20s

space

The up space commands allow you to install and manage an Upbound Space on a Kubernetes cluster.

All up space commands support the following options:

Short flagLong flagDescription
-a--account=STRINGThe username or organization to use for authentication. The default uses the authenticated user from up login.
--domain=<URL>The managed control plane domain to connect to. The default is https://upbound.io
--insecure-skip-tls-verifyUnsafe - Don’t validate the SSL certificate offered by the remote server. This command isn’t recommended.
--profile=<path>Use a custom Up CLI profile at located at the provided path. The default is ~/.up/config.json

space init

Initialize an Upbound Spaces deployment up space init [<version>] --token-file=TOKEN-FILE.

You must provide the desired version of Spaces to install. You can find a list of available versions in Product Lifecycle. You must provide a token (given to you by Upbound) for the install to proceed.

Short flagLong flagDescription
--token-file=TOKEN-FILEFile containing authentication token.
--yesAnswer yes to all questions during the install process.
--public-ingressFor AKS, EKS, and GKE, expose ingress publicly
--kubeconfig=STRINGOverride default kubeconfig path.
--set=KEY=VALUE;...Set parameters.
-f--file=FILEParameters file.
--bundle=BUNDLELocal bundle path.

Examples

  • Install v1.0.1 of Spaces
up space init "v1.0.1"
  • Install v1.0.1 of Spaces and expose public ingress
up space init "v1.0.1" --public-ingress=true

space destroy

Remove the Upbound Spaces deployment up space destroy.

Short flagLong flagDescription
--kubeconfig=STRINGOverride default kubeconfig path.
--set=KEY=VALUE;...Set parameters.
-f--file=FILEParameters file.
--bundle=BUNDLELocal bundle path.

Examples

  • Remove an installation of an Upbound Space in a Kubernetes cluster
up space destroy
Tip
This command operates based on the current context in your kubeconfig. Make sure your kubeconfig is pointed at the desired Kubernetes cluster.

space upgrade

Upgrade an Upbound Spaces deployment up space upgrade [<version>] --token-file=TOKEN-FILE.

You must provide the desired version of Spaces to upgrade to. You can find a list of available versions in Product Lifecycle. You must provide a token (given to you by Upbound) for the install to proceed.

Short flagLong flagDescription
--token-file=TOKEN-FILEFile containing authentication token.
--rollbackRollback to the previous installed version on failed upgrade.
--kubeconfig=STRINGOverride default kubeconfig path.
--set=KEY=VALUE;...Set parameters.
-f--file=FILEParameters file.
--bundle=BUNDLELocal bundle path.

Examples

  • Upgrade from a release candidate to v1.0.1
up space upgrade v1.0.1 --token-file=./token.json

space billing

The up space billing commands manages configuration and fetching of billing data in an Upbound Space.

All up space billing commands support the following options:

Short flagLong flagDescription
-a--account=STRINGThe username or organization to use for authentication. The default uses the authenticated user from up login.
--domain=<URL>The managed control plane domain to connect to. The default is https://upbound.io
--insecure-skip-tls-verifyUnsafe - Don’t validate the SSL certificate offered by the remote server. This command isn’t recommended.
--profile=<path>Use a custom Up CLI profile at located at the provided path. The default is ~/.up/config.json

space billing get

Get a billing report for submission to Upbound up space billing get --provider=PROVIDER --bucket=STRING --account=STRING --billing-month=TIME.

Supply the storage location for the billing data used to create the report using the optional --provider, --bucket, and --endpoint flags. If these flags are missing, it retrieves values from the Spaces cluster from your kubeconfig. Set --endpoint="" to use the storage provider’s default endpoint without checking your Spaces cluster for a custom endpoint.

Supply the credentials other storage provider configuration according to the instructions for each provider below.

AWS S3

Supply configuration by setting these environment variables: AWS_REGION, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY. For more options, see the documentation at https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html.

GCP Cloud Storage

Supply credentials by setting the environment variable GOOGLE_APPLICATION_CREDENTIALS with the location of a credential JSON file. For more options, see the documentation at https://cloud.google.com/docs/authentication/application-default-credentials.

Azure Blob Storage

Supply configuration by setting these environment variables: AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET. For more options, see the documentation at https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication.

Short flagLong flagDescription
--provider=PROVIDERStorage provider. Must be one of: aws, gcp, azure ($UP_BILLING_PROVIDER).
--bucket=STRINGStorage bucket ($UP_BILLING_BUCKET).
--endpoint=STRINGCustom storage endpoint ($UP_BILLING_ENDPOINT).
--account=STRINGName of the Upbound account whose billing report is collected ($UP_BILLING_ACCOUNT).
--azure-storage-account=STRINGName of the Azure storage account. Required for –provider=azure ($UP_AZURE_STORAGE_ACCOUNT).
--billing-month=TIMEGet a report for a billing period of one calendar month. Format: 2006-01 ($UP_BILLING_MONTH).
--billing-custom=BILLING-CUSTOMGet a report for a custom billing period. Date range is inclusive. Format: 2006-01-02/2006-01-02 ($UP_BILLING_CUSTOM).
--force-incompleteGet a report for an incomplete billing period ($UP_BILLING_FORCE_INCOMPLETE).
-o--out="upbound_billing_report.tgz"Name of the output file ($UP_BILLING_OUT).
--token-file=TOKEN-FILEFile containing authentication token.
--rollbackRollback to the previous installed version on failed upgrade.
--kubeconfig=STRINGOverride default kubeconfig path.
--set=KEY=VALUE;...Set parameters.
-f--file=FILEParameters file.
--bundle=BUNDLELocal bundle path.

Examples

  • Get the billing data from an AWS bucket for 09/2023.
up space billing get --provider=aws --bucket=my-bucket --account=acmeco --billing-month=2023-09

uxp

The up uxp commands allow you to install and manage Upbound Universal Crossplane (UXP) on a Kubernetes cluster.

All up uxp commands support the following options:

Short flagLong flagDescription
-a--account=STRINGThe username or organization to use for authentication. The default uses the authenticated user from up login.
--domain=<URL>The managed control plane domain to connect to. The default is https://upbound.io
--insecure-skip-tls-verifyUnsafe - Don’t validate the SSL certificate offered by the remote server. This command isn’t recommended.
--profile=<path>Use a custom Up CLI profile at located at the provided path. The default is ~/.up/config.json

uxp install

Install UXP into a target Kubernetes app cluster up uxp install.

UXP installs the latest stable release by default. The list of available UXP versions is in the charts.upbound.io/stable listing.

The UXP install guide lists all install-time settings.

Short flagLong flagDescription
--kubeconfig=STRINGOverride default kubeconfig path.
-n--namespace="upbound-system"Kubernetes namespace for UXP ($UXP_NAMESPACE).
--unstableAllow installing unstable versions.
--set=KEY=VALUE;...Set parameters.
-f--file=FILEParameters file.
--bundle=BUNDLELocal bundle path.

Examples

  • Install the latest version of UXP
up uxp install
  • Install the latest version of UXP and set the image pull policy
up uxp install --set image.pullPolicy=IfNotPresent

uxp uninstall

Uninstall UXP from a Kubernetes app cluster up uxp uninstall.

Short flagLong flagDescription
--kubeconfig=STRINGOverride default kubeconfig path.
-n--namespace="upbound-system"Kubernetes namespace for UXP ($UXP_NAMESPACE).

Examples

  • Uninstall UXP
up uxp uninstall

uxp upgrade

UXP upgrades can be from one UXP version to another or from open source Crossplane to a compatible UXP version up uxp upgrade [<version>].

Short flagLong flagDescription
--kubeconfig=STRINGOverride default kubeconfig path.
-n--namespace="upbound-system"Kubernetes namespace for UXP ($UXP_NAMESPACE).
--rollbackRollback to the last installed version on a failed upgrade.
--forceForce upgrade even if versions are incompatible.
--set=KEY=VALUE;...Set parameters.
-f--file=FILEParameters file.
--bundle=BUNDLELocal bundle path.

Examples

  • Upgrade to UXP version v1.7.0-up.1
up uxp upgrade v1.7.0-up.1
  • Upgrade Crossplane to UXP
up uxp upgrade v1.7.0-up.1 -n crossplane-system

xpkg

The up xpkg commands create and interact with Crossplane Packages. Packages are a set of YAML configuration files packaged as a single OCI container image. Read the Creating and Pushing Packages section for information on building and pushing packages to the Upbound Marketplace.

All up xpkg commands support the following options:

Short flagLong flagDescription
-a--account=STRINGThe username or organization to use for authentication. The default uses the authenticated user from up login.
--domain=<URL>The managed control plane domain to connect to. The default is https://upbound.io
--insecure-skip-tls-verifyUnsafe - Don’t validate the SSL certificate offered by the remote server. This command isn’t recommended.
--profile=<path>Use a custom Up CLI profile at located at the provided path. The default is ~/.up/config.json

xpkg build

Build an OCI-compliant image of a set of configuration files. Use this image to create a specific Crossplane control-plane or Provider. up xpkg build.

The up xpkg build command supports two different image types:

  • Configuration - Configuration images consist of Custom Resource Definitions, Compositions and package metadata which define a custom control-plane.
  • Provider - An image consisting of a provider controller and all related Custom Resource Definitions. The Crossplane crossplane-contrib repository contains the packages used for open source Crossplane Providers. For example, the image contents for provider-aws.
Short flagLong flagDescription
--name=STRING[DEPRECATED: use –output] Name of the package to build. Uses name in crossplane.yaml if not specified. Doesn’t correspond to package tag.
-o--output=STRINGPath for package output.
--controller=STRINGController image used as base for package.
-f--package-root="."Path to package directory.
-e--examples-root="./examples"Path to package examples directory.
-a--auth-ext="auth.yaml"Path to an authentication extension file.
-f--ignore=IGNORE,...Paths, specified relative to –package-root, to exclude from the package.

Examples

  • Create a Crossplane configuration package
up xpkg build -o my_control_plane.xpkg
xpkg saved to my_control_plane.xpkg
  • Create a Crossplane provider package
up xpkg build \
--controller my_controller-amd64 \
--package-root ./package \
--examples-root ./examples \
--output ./my_provider.xpkg
xpkg saved to my_provider.xpkg

xpkg init

Use a wizard to generate a crossplane.yaml file for a configuration or provider with up xpkg init.

Short flagLong flagDescription
-p--package-root="."Path to directory to write new package.
-t--type="configuration"Package type to initialize.

Examples

  • Generate a configuration package file
up xpkg init
Package name: my_configuration
What version contraints of Crossplane will this package be compatible with? [e.g. v1.0.0, >=v1.0.0-0, etc.]: >=v1.8.0-0
Add dependencies? [y/n]: y
Provider URI [e.g. crossplane/provider-aws]: xpkg.upbound.io/crossplane/provider-aws
Version constraints [e.g. 1.0.0, >=1.0.0-0, etc.]: >=v0.24.1
Done? [y/n]: y
xpkg initialized at /home/user/crossplane.yaml

# Looking at contents
cat crossplane.yaml
apiVersion: meta.pkg.crossplane.io/v1
kind: Configuration
metadata:
  name: my_configuration
spec:
  crossplane:
    version: '>=v1.8.0-0'
  dependsOn:
  - provider: xpkg.upbound.io/crossplane/provider-aws
    version: '>=v0.24.1'
  • Generate a provider package file
up xpkg init -t provider -p provider-init/
Package name: my-provider
What version contraints of Crossplane will this package be compatible with? [e.g. v1.0.0, >=v1.0.0-0, etc.]: >=1.9.0-0
Controller image: my-controller
xpkg initialized at /home/user/provider-init/crossplane.yaml

# Looking at contents
cat /home/vagrant/provider-init/crossplane.yaml
apiVersion: meta.pkg.crossplane.io/v1
kind: Provider
metadata:
  name: my-provider
spec:
  controller:
    image: my-controller
  crossplane:
    version: '>=1.9.0-0'

xpkg dep

Download the dependencies of a package for the Crossplane Language Server with up xpkg dep [<package>].

Tip
This cache is only for the Crossplane Language Server. This doesn’t cache files for Crossplane images.
Short flagLong flagDescription
-d--cache-dirThe location of the cache directory. Defaults to ~/.up/cache/
-c--clean-cacheRemoves all files in the cache directory.

Examples

  • Download and cache the dependency files for an example Configuration package.
up xpkg dep
Dependencies added to xpkg cache:
- crossplane/provider-aws (v0.32.0)

xpkg push

Publish images created by up xpkg build to the Upbound Marketplace with up xpkg push <tag>.

Short flagLong flagDescription
-f--package=PACKAGE,...Path to packages. Uses the current directory if not specified.
--createCreate repository on push if it doesn’t exist.

Example

  • Push a package called getting-started.xpkg to the test repository inside the upbound-docs organization. Mark it as version v0.2.
up xpkg push upbound-docs/test:v0.2 -f getting-started.xpkg
xpkg pushed to upbound-docs/test:v0.2

To push to other repositories, besides the Upbound marketplace, like Docker Hub, provide the full URL of the image registry.

For example, to push a package to index.docker.io:

up xpkg push index.docker.io/dockeruser/test:v0.2 -f getting-started.xpkg
xpkg pushed to index.docker.io/dockeruser/test:v0.2
<!-- vale Upbound.Spelling = NO -->
<!-- ignore xpls -->
## xpls


The `up xpls` starts the xpls language server.

<!-- vale Upbound.Spelling = NO -->
<!-- ignore xpls -->
### xpls serve
<!-- vale Upbound.Spelling = YES -->

run a server for Crossplane definitions using the Language Server Protocol with
`up xpls serve`.






Short flag Long flag Description
--cache="~/.up/cache" Directory path for dependency schema cache.
**Examples** <!-- vale Upbound.Spelling = NO --> <!-- ignore xpls --> * Start xpls <!-- vale Upbound.Spelling = YES --> ```shell {copy-lines="1"} up xpls serve

install-completions

Install shell completions with up install-completions. You can uninstall shell completions via up install-completions --uninstall.

alpha

Options under the up alpha command are “alpha” features and may change in the future.

Upbound uses up alpha to try out new features or test new platform behaviors.

alpha xpkg xp-extract

Extract package contents into a Crossplane cache compatible format. Fetches from a remote registry by default up alpha xpkg xp-extract

Short flagLong flagDescription
--from-daemonFetch the image from the Docker daemon.
--from-xpkgFetch the image from a local xpkg. If package isn’t specified the command uses the current directory.
-o--output="out.gz"Package output path. Extension must be .gz.

alpha xpkg migration

Migrate a control plane to an Upbound Managed Control Plane. Use the ‘migration’ command to migrate control planes seamlessly from Crossplane or Universal Crossplane (XP/UXP) environments to Upbound’s Managed Control Planes.

alpha xpkg migration export

Export the current state of a Crossplane or Universal Crossplane control plane into an archive, preparing it for migration to Upbound Managed Control Planes with up alpha migration export.

The ’export’ command exports the current state of a Crossplane or Universal Crossplane (xp/uxp) control plane into an archive file. You can then use this file for migration to Upbound Managed Control Planes.

Short flagLong flagDescription
--kubeconfig=<path>Use a custom kubeconfig file located at the given path. The default uses the active kubeconfig.
--yesWhen set to true, automatically accepts any confirmation prompts that may appear during the export process.
-o--outputSpecify the path for the exported archive. The default is ‘xp-state.tar.gz’.
--include-extra-resourcesA list of extra resource types to include in the export in “resource.group” format, along with all Crossplane resources. By default, it includes namespaces, configmaps, secrets.
--exclude-resourcesA list of resource types to exclude from the export in ‘resource.group’ format. No resources excluded by default.
--include-namespacesA list of specific namespaces to include in the export. If not specified, all namespaces included by default.
--exclude-namespacesA list of specific namespaces to exclude from the export. Defaults to ‘kube-system’, ‘kube-public’, ‘kube-node-lease’, and ’local-path-storage’.
--pause-before-exportWhen set to true, pauses all managed resources before starting the export process. This can help ensure a consistent state for the export. Defaults to ‘false’.

Examples

  • Export the control plane state to a specified file ‘xp-export.tar.gz’.

    up alpha migration export --output="xp-export.tar.gz"
    
  • Pause all managed resources first and export the control plane state.

    up migration export --pause-before-export
    
  • Export the control plane state with the extra resource specified and only using provided namespaces.

    up migration export --include-extra-resources="customresource.group" --include-namespaces="crossplane-system,team-a,team-b"
    

alpha xpkg migration import

Import an exported control plane state into an Upbound managed control plane, completing the migration process.

The ‘import’ command imports a control plane state from an archive file into an Upbound managed control plane.

By default, the command pauses all managed resources during the import process for possible manual inspection/validation. You can use the --unpause-after-import flag to configure resuming all managed resources automatically after the import process completes.

Short flagLong flagDescription
--kubeconfig=<path>Use a custom kubeconfig file located at the given path. The default uses the active kubeconfig.
--yesWhen set to true, automatically accepts any confirmation prompts that may appear during the import process.
-i--inputSpecifies the path of the archive to import. The default path is ‘xp-state.tar.gz’.
--unpause-after-importWhen set to true, automatically resumes all managed resources paused during the import process. This helps in resuming normal operations post-import. Defaults to false, requiring manually resuming of resources if needed.

alpha ctx

Select an Upbound kubeconfig context.

Short flagLong flagDescription
--context="upbound"Kubernetes context to operate on ($UP_CONTEXT).
-f--kubeconfig=<path>Kubeconfig to change when saving a new context.