Adding Amazon Web Services (AWS) to Crossplane

This document is for an older version of Crossplane.

This document applies to Crossplane version v1.10 and not to the latest release v1.11.

In this guide, we walk through the steps needed to configure your AWS account for integration with Crossplane. This is done by creating an AWS ProviderConfig resource, which tells provider-aws which credentials to use when communicating with an AWS account.

Requirements

Prior to adding AWS to Crossplane, the following steps need to be taken:

  • Crossplane is installed in a k8s cluster
  • provider-aws is installed in the same cluster
  • kubectl is configured to communicate with the same cluster

Step 1: Configure aws CLI

Crossplane uses AWS security credentials, which are stored in a Kubernetes Secret referenced by an AWS ProviderConfig instance. The AWS default region is also read to target a specific region. This guide requires the aws command line tool to be installed and configured. Once configured, the credentials and configuration reside in ~/.aws/credentials and ~/.aws/config respectively.

Step 2: Setup aws ProviderConfig

Run setup.sh to read the aws credentials and region and create an AWS ProviderConfig in Crossplane:

curl -O https://raw.githubusercontent.com/crossplane/crossplane/release-1.10/docs/snippets/configure/aws/providerconfig.yaml
curl -O https://raw.githubusercontent.com/crossplane/crossplane/release-1.10/docs/snippets/configure/aws/setup.sh
chmod +x setup.sh
./setup.sh [--profile aws_profile]

The --profile switch is optional and specifies the aws named profile that was set in Step 1. If not provided, the default profile will be selected.

Once the script is successfully executed, Crossplane will use the specified aws account and region in the given named profile to create subsequent AWS managed resources.

You can confirm the existence of the AWS ProviderConfig by running:

kubectl get providerconfig default

Optional: Setup AWS Provider Manually

An AWS user with administrative privileges is needed to enable Crossplane to create the required resources. Once the user is provisioned, an Access Key needs to be created so the user has API access. Outside a throwaway test account, prefer an IAM policy scoped to the services Crossplane will actually manage over AdministratorAccess: the access key is long-lived and, once stored in the cluster, is readable by anyone who can read Secrets in the crossplane-system namespace.

With the access key credentials for that user, install the aws cli and then configure it.

When the AWS cli is configured, the credentials and configuration will be in ~/.aws/credentials and ~/.aws/config respectively. These will be consumed in the next step.

When configuring the AWS cli, the user credentials can be configured under a specific AWS named profile or under default. Without loss of generality, in this guide let's assume that the credentials are configured under the aws_profile profile (which could also be default). We'll use this profile to set up the ProviderConfig in the next section.

Crossplane uses the AWS user credentials configured in the previous step to create resources in AWS. These credentials are stored as a Secret in Kubernetes and referenced by an AWS ProviderConfig instance. Note that the ProviderConfig created below carries no region: provider-aws managed resources each specify their own region in spec.forProvider.region.

To store the credentials as a secret, run:

# retrieve the profile's credentials, save them under the 'default' profile, and base64 encode the result
aws_profile=default   # replace with the named profile configured in the previous step
BASE64ENCODED_AWS_ACCOUNT_CREDS=$(printf '[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
  "$(aws configure get aws_access_key_id --profile "$aws_profile")" \
  "$(aws configure get aws_secret_access_key --profile "$aws_profile")" | base64 | tr -d "\n")

Next, we’ll need to create an AWS provider configuration:

cat > provider.yaml <<EOF
---
apiVersion: v1
kind: Secret
metadata:
  name: aws-account-creds
  namespace: crossplane-system
type: Opaque
data:
  creds: ${BASE64ENCODED_AWS_ACCOUNT_CREDS}
---
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: aws-account-creds
      key: creds
EOF

# apply it to the cluster:
kubectl apply -f "provider.yaml"

# delete the credentials variable
unset BASE64ENCODED_AWS_ACCOUNT_CREDS

The output will look like the following:

secret/aws-account-creds created
providerconfig.aws.crossplane.io/default created

Managed resources use the ProviderConfig named default when no specific ProviderConfig is given in their spec.providerConfigRef, so this ProviderConfig will be the default for all AWS resources.
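The manual procedure above is easy to get subtly wrong: the profile header inside the Secret must be rewritten to [default] whatever the local profile was called, a wrapped base64 value breaks the manifest, and the secret spends time in an exported shell variable. The script below is an added example, not code from the Crossplane docs or from provider-aws; the function names are the editor's own. It builds the same credentials blob, validates it before anything is stored, lets kubectl do the encoding from a 0600 temp file, and reads the stored Secret back to confirm it still parses. It assumes the aws and kubectl CLIs are on PATH for the --apply path; the key values used in the test are AWS's documented placeholder credentials, not real ones.

```shell
#!/usr/bin/env bash
# Added example (editor's own, not Crossplane or provider-aws code).
# Builds, validates, installs and verifies the aws-account-creds Secret
# consumed by the ProviderConfig named "default".
set -eu

# Render an AWS shared-credentials file with a single [default] profile.
# provider-aws reads the "default" profile from the Secret, so the local
# profile name is deliberately discarded here.
aws_creds_ini() {
  printf '[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n' "$1" "$2"
}

# Validate a credentials blob before it is stored: exactly one [default]
# header, an access key id of 20 upper-case alphanumerics, a non-empty secret.
# Returns 1 on the first failed check.
check_creds_ini() {
  local ini="$1"
  [ "$(printf '%s\n' "$ini" | grep -c '^\[default\]$' || true)" -eq 1 ] || return 1
  printf '%s\n' "$ini" | grep -Eq '^aws_access_key_id = [A-Z0-9]{20}$' || return 1
  printf '%s\n' "$ini" | grep -Eq '^aws_secret_access_key = [^[:space:]]+$' || return 1
}

# Read a named profile with `aws configure get` (as the page does), validate
# the result, and print the blob. Usage: creds_from_profile <profile>
creds_from_profile() {
  local profile="$1" ini
  ini=$(aws_creds_ini \
    "$(aws configure get aws_access_key_id --profile "$profile")" \
    "$(aws configure get aws_secret_access_key --profile "$profile")")
  check_creds_ini "$ini" || { echo "profile $profile: malformed credentials" >&2; return 1; }
  printf '%s' "$ini"
}

# Render the Secret and ProviderConfig manifests. kubectl reads the secret
# from a 0600 temp file and base64-encodes it, so the value never appears in
# argv or the environment and cannot be line-wrapped by a local base64 tool.
render_manifests() {
  local ini="$1" tmp
  tmp=$(mktemp) && chmod 600 "$tmp"
  printf '%s' "$ini" > "$tmp"
  kubectl create secret generic aws-account-creds -n crossplane-system \
    --from-file=creds="$tmp" --dry-run=client -o yaml
  rm -f "$tmp"
  cat <<'EOF'
---
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: aws-account-creds
      key: creds
EOF
}

# Read back what the cluster stored and confirm it is still a valid blob.
verify_stored_secret() {
  check_creds_ini "$(kubectl -n crossplane-system get secret aws-account-creds \
    -o jsonpath='{.data.creds}' | base64 -d)"
}

# ./aws-providerconfig.sh --apply [profile]   (profile defaults to "default")
if [ "${1:-}" = "--apply" ]; then
  render_manifests "$(creds_from_profile "${2:-default}")" | kubectl apply -f -
  verify_stored_secret && echo "aws-account-creds verified in crossplane-system"
fi
```

Run it as `./aws-providerconfig.sh --apply aws_profile`. If the validation step rejects the blob, nothing is sent to the cluster; that is the point of checking before `kubectl apply` rather than after.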