Authentication

Pulling private packages or pushing packages to an Upbound Marketplace private repository requires authentication to Upbound.

Installing private Kubernetes resources requires an image pull secret.

Important
Authenticating to the Upbound Marketplace for private packages requires an Upbound account.

Prerequisites

Install the Up command-line to generate Kubernetes secrets and to use Upbound Marketplace private resources.

Note
Upbound Marketplace requires Up command-line version v0.13.0 or later.

Log in with the Up command-line

Use up login to authenticate a user to the Upbound Marketplace.

up login
username: my-user
password:
my-user logged in

Configure Docker to use the up credential helper

If you use Docker or any other OCI client, you can configure it to use Upbound credentials to interact with the Marketplace. If you plan to push packages to the Upbound Marketplace, you can use the credentials acquired via up login.

Install the docker-credential-up credential helper:

curl -sL "https://cli.upbound.io" | BIN=docker-credential-up sh
Tip
Read the up CLI configuration documentation for more installation options.

In the case of Docker, add up to your Docker config.json. This allows your client to use Upbound credentials to interact with the Marketplace:

{
	"credHelpers": {
		"xpkg.upbound.io": "up"
	}
}

Kubernetes image pull secrets

Packages in private repositories require a Kubernetes image pull secret. The image pull secret authenticates Kubernetes to the Upbound Marketplace, allowing Kubernetes to download and install packages.

Generating an image pull secret requires either a user account token.

Important
A user account token uses your current up login profile. Logging out with up logout deactivates the token.

Use the command up controlplane pull-secret create to generate a token and Kubernetes Secret in the upbound-system namespace.

up ctp pull-secret create
WARNING: Using temporary user credentials that will expire within 30 days.
upbound-system/package-pull-secret created

Verify the secret with kubectl describe secret -n upbound-system package-pull-secret

kubectl describe secret -n upbound-system package-pull-secret
Name:         package-pull-secret
Namespace:    upbound-system
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson:  1201 bytes

Use an image pull secret

Use an image pull secret by providing a spec.packagePullSecrets in a Configuration or Provider manifest.

This example installs a private Configuration named secret-configuration from the Upbound image repository using image pull secret named package-pull-secret .

apiVersion: pkg.crossplane.io/v1
kind: Configuration
metadata:
  name: platform-ref-aws
spec:
  package: xpkg.upbound.io/secret-org/secret-configuration:v1.2.3
  packagePullSecrets:
    - name: package-pull-secret
Upbound
Crafted with love from our globally distributed team.
© 2025 Upbound, Inc.
Product
Upbound
Universal Crossplane
Marketplace
Request Demo
Partner Program
Learn
Documentation
FAQs
Company
About Us
Careers
Blog
Contact Us
More
Terms & Conditions
Privacy Policy