GCP Quickstart

Connect Crossplane to GCP to create and manage cloud resources from Kubernetes with the Upbound GCP Provider.

This guide is in two parts:

  • Part 1 walks through installing Crossplane, configuring the provider to authenticate to GCP and creating a Managed Resource in GCP directly from your Kubernetes cluster. This shows Crossplane can communicate with GCP.
  • Part 2 shows how to build and access a custom API with Crossplane.


This quickstart requires:

  • a Kubernetes cluster with at least 2 GB of RAM
  • permissions to create pods and secrets in the Kubernetes cluster
  • Helm version v3.2.0 or later
  • a GCP account with permissions to create a storage bucket
  • GCP account keys
  • GCP Project ID

Install Crossplane

Crossplane installs into an existing Kubernetes cluster.

If you don’t have a Kubernetes cluster create one locally with Kind.

Install the Crossplane Helm chart

Helm enables Crossplane to install all its Kubernetes components through a Helm Chart.

Enable the Crossplane Helm Chart repository:

1helm repo add \
2crossplane-stable https://charts.crossplane.io/stable
3helm repo update

Run the Helm dry-run to see all the Crossplane components Helm installs.

1helm install crossplane \
2crossplane-stable/crossplane \
3--dry-run --debug \
5--create-namespace

1043Chart Name: crossplane
1044Chart Description: Crossplane is an open source Kubernetes add-on that enables platform teams to assemble infrastructure from multiple vendors, and expose higher level self-service APIs for application teams to consume.
1045Chart Version: 1.15.0
1046Chart Application Version: 1.15.0
Kube Version: v1.27.3

Install the Crossplane components using helm install.

1helm install crossplane \
2crossplane-stable/crossplane \
3--namespace crossplane-system \

Verify Crossplane installed with kubectl get pods.

1kubectl get pods -n crossplane-system
2NAME                                      READY   STATUS    RESTARTS   AGE
3crossplane-d4cd8d784-ldcgb                1/1     Running   0          54s
4crossplane-rbac-manager-84769b574-6mw6f   1/1     Running   0          54s

Installing Crossplane creates new Kubernetes API end-points.
Look at the new API end-points with kubectl api-resources | grep crossplane.

 1kubectl api-resources  | grep crossplane
 2compositeresourcedefinitions      xrd,xrds     apiextensions.crossplane.io/v1         false        CompositeResourceDefinition
 3compositionrevisions              comprev      apiextensions.crossplane.io/v1         false        CompositionRevision
 4compositions                      comp         apiextensions.crossplane.io/v1         false        Composition
 5environmentconfigs                envcfg       apiextensions.crossplane.io/v1alpha1   false        EnvironmentConfig
 6usages                                         apiextensions.crossplane.io/v1alpha1   false        Usage
 7configurationrevisions                         pkg.crossplane.io/v1                   false        ConfigurationRevision
 8configurations                                 pkg.crossplane.io/v1                   false        Configuration
 9controllerconfigs                              pkg.crossplane.io/v1alpha1             false        ControllerConfig
10deploymentruntimeconfigs                       pkg.crossplane.io/v1beta1              false        DeploymentRuntimeConfig
11functionrevisions                              pkg.crossplane.io/v1beta1              false        FunctionRevision
12functions                                      pkg.crossplane.io/v1beta1              false        Function
13locks                                          pkg.crossplane.io/v1beta1              false        Lock
14providerrevisions                              pkg.crossplane.io/v1                   false        ProviderRevision
15providers                                      pkg.crossplane.io/v1                   false        Provider
16storeconfigs                                   secrets.crossplane.io/v1alpha1         false        StoreConfig

Install the GCP provider

Install the provider into the Kubernetes cluster with a Kubernetes configuration file.

1cat <<EOF | kubectl apply -f -
2apiVersion: pkg.crossplane.io/v1
3kind: Provider
5  name: provider-gcp-storage
7  package: xpkg.upbound.io/upbound/provider-gcp-storage:v0.35.0

The Crossplane Provider installs the Kubernetes Custom Resource Definitions (CRDs) representing GCP storage services. These CRDs allow you to create GCP resources directly inside Kubernetes.

Verify the provider installed with kubectl get providers.

1kubectl get providers
2NAME                          INSTALLED   HEALTHY   PACKAGE                                                AGE
3provider-gcp-storage          True        True      xpkg.upbound.io/upbound/provider-gcp-storage:v0.35.0   14m
4upbound-provider-family-gcp   True        True      xpkg.upbound.io/upbound/provider-family-gcp:v0.35.0    14m

The Storage Provider installs a second Provider, the upbound-provider-family-gcp provider.
The family provider manages authentication to GCP across all GCP family Providers.

You can view the new CRDs with kubectl get crds.
Every CRD maps to a unique GCP service Crossplane can provision and manage.

See details about all the supported CRDs in the Upbound Marketplace.

Create a Kubernetes secret for GCP

The provider requires credentials to create and manage GCP resources. Providers use a Kubernetes Secret to connect the credentials to the provider.

First generate a Kubernetes Secret from a Google Cloud service account JSON file and then configure the Provider to use it.

Generate a GCP service account JSON file

For basic user authentication, use a Google Cloud service account JSON file.

The GCP documentation provides information on how to generate a service account JSON file.

Save this JSON file as gcp-credentials.json

Create a Kubernetes secret with the GCP credentials

A Kubernetes generic secret has a name and contents. Use kubectl create secret to generate the secret object named gcp-secret in the crossplane-system namespace.
Use the --from-file= argument to set the value to the contents of the gcp-credentials.json file.

1kubectl create secret \
2generic gcp-secret \
3-n crossplane-system \

View the secret with kubectl describe secret

The file size may be a different depending on the contents.
 1kubectl describe secret gcp-secret -n crossplane-system
 2Name:         gcp-secret
 3Namespace:    crossplane-system
 4Labels:       <none>
 5Annotations:  <none>
 7Type:  Opaque
11creds:  2330 bytes

Create a ProviderConfig

A ProviderConfig customizes the settings of the GCP Provider.

Include your GCP project ID in the ProviderConfig settings.

Find your GCP project ID from the project_id field of the gcp-credentials.json file.

Apply the ProviderConfig with the command:

 1cat <<EOF | kubectl apply -f -
 2apiVersion: gcp.upbound.io/v1beta1
 3kind: ProviderConfig
 5  name: default
 7  projectID: 
 8  credentials:
 9    source: Secret
10    secretRef:
11      namespace: crossplane-system
12      name: gcp-secret
13      key: creds

This attaches the GCP credentials, saved as a Kubernetes secret, as a secretRef.

The spec.credentials.secretRef.name value is the name of the Kubernetes secret containing the GCP credentials in the spec.credentials.secretRef.namespace.

Create a managed resource

A managed resource is anything Crossplane creates and manages outside of the Kubernetes cluster. This example creates a GCP storage bucket with Crossplane.
The storage bucket is a managed resource.

To generate a unique name use generateName instead of name.

Create the Bucket with the following command:

 1cat <<EOF | kubectl create -f -
 2apiVersion: storage.gcp.upbound.io/v1beta1
 3kind: Bucket
 5  generateName: crossplane-bucket-
 6  labels:
 7    docs.crossplane.io/example: provider-gcp
 9  forProvider:
10    location: US
11  providerConfigRef:
12    name: default

The apiVersion and kind are from the provider’s CRDs.

The spec.forProvider.location tells GCP which GCP region to use when deploying resources.
For a bucket the region can be any GCP multi-region location

Use kubectl get bucket to verify Crossplane created the bucket.

Crossplane created the bucket when the values READY and SYNCED are True.
This may take up to 5 minutes.
1kubectl get bucket
2NAME                      READY   SYNCED   EXTERNAL-NAME             AGE
3crossplane-bucket-8b7gw   True    True     crossplane-bucket-8b7gw   2m2s

Delete the managed resource

Before shutting down your Kubernetes cluster, delete the GCP bucket just created.

Use kubectl delete bucket to remove the bucket.

Use the --selector flag to delete by label instead of by name.
1kubectl delete bucket --selector docs.crossplane.io/example=provider-gcp
2bucket.storage.gcp.upbound.io "crossplane-bucket-8b7gw" deleted

Next steps