PLEASE NOTE: This document applies to an unreleased version of Crossplane. It is strongly recommended that you only use official releases of Crossplane, as unreleased versions are subject to changes and incompatibilities that will not be supported in the official releases.

If you are using an official release version of Crossplane, you should refer to the documentation for your specific version.


Adding Amazon Web Services (AWS) to Crossplane

In this guide, we will walk through the steps necessary to configure your AWS account to be ready for integration with Crossplane. This will be done by adding an AWS Provider resource type, which enables Crossplane to communicate with an AWS account.


Prior to adding AWS to Crossplane, the following steps need to be taken.

Step 1: Configure aws CLI

Crossplane authenticates to AWS with a set of AWS security credentials, which it stores in a Kubernetes secret referenced by an AWS Provider instance. The AWS default region is also read from your configuration and used to target a specific region. Crossplane requires the aws command line tool to be installed and configured. Once configured, the credentials and the region setting reside in ~/.aws/credentials and ~/.aws/config respectively.

Step 2: Setup aws Provider

Run the setup script to read the AWS credentials and region from your aws CLI configuration and create an AWS Provider instance in Crossplane:

./cluster/examples/aws-setup-provider/ [--profile aws_profile]

The --profile switch is optional and specifies the aws named profile that was set in Step 1. If not provided, the default profile will be selected.

Once the script has executed successfully, Crossplane will use the AWS account and region of the given named profile to create subsequent AWS managed resources.

You can confirm the existence of the AWS Provider by running:

kubectl -n crossplane-system get provider/aws-provider

Optional: Setup AWS Provider Manually

An AWS user with Administrative privileges is needed to enable Crossplane to create the required resources. Once the user is provisioned, an Access Key needs to be created so the user can have API access. Keep in mind that this access key is a long-lived credential with administrative scope: it will be copied into your cluster in the next steps, so anyone who can read it there can act as that user in your AWS account.

Using the access key credentials of that user, install the aws cli and then configure it.

When the AWS cli is configured, the credentials and configuration will be in ~/.aws/credentials and ~/.aws/config respectively. These will be consumed in the next step.

When configuring the AWS cli, the user credentials could be configured under a specific AWS named profile, or under default. Without loss of generality, in this guide let’s assume that the credentials are configured under the aws_profile profile (which could also be default). We’ll use this profile to setup cloud provider in the next section.

Crossplane uses the AWS user credentials that were configured in the previous step to create resources in AWS. These credentials will be stored as a secret in Kubernetes and used by an AWS Provider instance. The default AWS region is also pulled from the cli configuration and added to the AWS Provider. Note that a Kubernetes Secret only base64-encodes its data; it does not encrypt it, so anyone who can read Secrets in the crossplane-system namespace can recover the access key.

To store the credentials as a secret, run:

# retrieve the profile's credentials, write them out under the 'default' profile
# (the name Crossplane reads), and base64 encode them on a single line.
# printf is used instead of 'echo -e' so this also works under plain sh.
BASE64ENCODED_AWS_ACCOUNT_CREDS=$(printf '[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n' "$(aws configure get aws_access_key_id --profile $aws_profile)" "$(aws configure get aws_secret_access_key --profile $aws_profile)" | base64 | tr -d "\n")
# retrieve the profile's region from config
AWS_REGION=$(aws configure get region --profile ${aws_profile})

At this point, the region and the encoded credentials are stored in respective variables. Next, we’ll need to create an instance of AWS provider:

cat > provider.yaml <<EOF
---
apiVersion: v1
kind: Secret
metadata:
  name: aws-account-creds
  namespace: crossplane-system
type: Opaque
data:
  credentials: ${BASE64ENCODED_AWS_ACCOUNT_CREDS}
---
# the API group/version must match the Crossplane release you have installed
apiVersion: aws.crossplane.io/v1alpha1
kind: Provider
metadata:
  name: aws-provider
  namespace: crossplane-system
spec:
  region: ${AWS_REGION}
  credentialsSecretRef:
    namespace: crossplane-system
    name: aws-account-creds
    key: credentials
EOF

# apply it to the cluster:
kubectl apply -f "provider.yaml"

# delete the credentials variable so the key does not linger in the shell environment
unset BASE64ENCODED_AWS_ACCOUNT_CREDS

The output will look like the following:

secret/aws-account-creds created
provider.aws.crossplane.io/aws-provider created

The aws-provider resource will be used in other resources that we will create, to provide access information to the configured AWS account.
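The following script is an added example that performs the manual setup above (and mirrors what the setup script in Step 2 does) end to end, with the checks a practitioner would want before pushing an administrative key into a cluster. It is not Crossplane's own script. It assumes the resource names used on this page (aws-account-creds, aws-provider, namespace crossplane-system), that the Provider API group is aws.crossplane.io/v1alpha1 (adjust to your installed release), and that aws and kubectl are on the PATH. The rendering helpers run offline; only setup_provider touches AWS and the cluster, and it refuses to continue if the profile is missing the access key, secret, or region.

```bash
#!/usr/bin/env bash
# Added example: build and apply the AWS Provider from a named aws CLI profile.
set -eu

# Render the INI body that the AWS SDK expects under the 'default' profile.
aws_creds_ini() {
  local access_key_id=$1 secret_access_key=$2
  printf '[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
    "$access_key_id" "$secret_access_key"
}

# Single-line base64 (tr strips the line wrapping that GNU base64 adds).
b64_oneline() {
  base64 | tr -d '\n'
}

# Render the Secret and Provider manifests for a base64 credential blob and a region.
render_manifest() {
  local b64creds=$1 region=$2
  cat <<EOF
---
apiVersion: v1
kind: Secret
metadata:
  name: aws-account-creds
  namespace: crossplane-system
type: Opaque
data:
  credentials: ${b64creds}
---
apiVersion: aws.crossplane.io/v1alpha1
kind: Provider
metadata:
  name: aws-provider
  namespace: crossplane-system
spec:
  region: ${region}
  credentialsSecretRef:
    namespace: crossplane-system
    name: aws-account-creds
    key: credentials
EOF
}

# Full procedure: read the profile, validate it, apply the manifest straight from
# a pipe (no provider.yaml with the key left on disk), then verify the Provider.
setup_provider() {
  local profile=${1:-default}
  local akid secret region b64
  akid=$(aws configure get aws_access_key_id --profile "$profile")
  secret=$(aws configure get aws_secret_access_key --profile "$profile")
  region=$(aws configure get region --profile "$profile")
  if [ -z "$akid" ] || [ -z "$secret" ] || [ -z "$region" ]; then
    echo "profile '$profile' is missing the access key, secret, or region" >&2
    return 1
  fi
  b64=$(aws_creds_ini "$akid" "$secret" | b64_oneline)
  render_manifest "$b64" "$region" | kubectl apply -f -
  unset akid secret b64   # do not leave the key in the shell environment
  kubectl -n crossplane-system get provider/aws-provider
}

# Only act when invoked explicitly, e.g.:  ./aws-provider.sh --apply aws_profile
if [ "${1:-}" = "--apply" ]; then
  setup_provider "${2:-default}"
fi
```

Because the manifest is piped into kubectl rather than written to provider.yaml, the only copies of the access key after the script finishes are ~/.aws/credentials and the Secret in the cluster, which is the exposure the caveat above describes.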