Integrating cloud services into Tanzu Application Platform

In this Services Toolkit tutorial you learn how service operators can integrate the cloud services of their choice into Tanzu Application Platform.

There are a multitude of cloud-based services available on the market for consumers today. AWS, Azure, and GCP all provide support for a wide range of fully-managed, performant and on-demand services ranging from databases, to message queues, to storage solutions and beyond. In this tutorial you will learn how to integrate any one of these services into Tanzu Application Platform, so that you can offer it for apps teams to consume in a simple and effective way.

This tutorial is written at a slightly higher level than the other tutorials in this documentation. This is because it is not feasible to write detailed, step-by-step documentation for integrating every cloud-based service into Tanzu Application Platform. Each service brings a different set of considerations and concerns.

Instead, this tutorial guides you through the general approach to integrating cloud-based services into Tanzu Application Platform. While specific configurations change between services, the overall process remains the same through a consistent set of steps. The aim is to give you enough understanding so that you can integrate any cloud-based service you want into Tanzu Application Platform.

For a more specific and low-level procedure, see Configure dynamic provisioning of AWS RDS service instances, which provides each step in detail for AWS RDS integration. It might be useful to read through that guide even if you want to integrate with one of the other cloud providers.

About this tutorial

Target user role: Service Operator
Complexity: Advanced
Estimated time: 30 minutes
Topics covered: Dynamic Provisioning, Cloud-based Services, AWS, Azure, GCP, Crossplane
Learning outcomes: An understanding of the steps involved in integrating cloud-based services into Tanzu Application Platform


The following diagram shows, at a high-level, what is required to integrate a cloud-based service into Tanzu Application Platform.

Diagram shows a high-level overview of the steps required to integrate a cloud-based service into Tanzu Application Platform.


This tutorial provides the steps required to integrate cloud services, and includes tips and references to example configurations where appropriate.

Step 1: Install a Provider

Install a suitable Crossplane Provider for your cloud of choice. Upbound provides support for the three main cloud providers:


These cloud-based Providers often install many hundreds of additional CRDs onto the cluster, which can have a negative impact on cluster performance. For more information, see Cluster performance degradation due to large number of CRDs.

Choose the Provider you want, and then follow Upbound’s official documentation to install the Provider and to create a corresponding ProviderConfig.


The official documentation for the Provider includes a step to “Install Universal Crossplane”. You can skip this step because Crossplane is already installed as part of Tanzu Application Platform.

The documentation also assumes Crossplane is installed in the upbound-system namespace. However, when working with Crossplane on Tanzu Application Platform, it is installed to the crossplane-system namespace by default. Ensure that you use the correct namespace when you create the Secret and the ProviderConfig with credentials for the Provider.

Step 2: Create a CompositeResourceDefinition

Create a CompositeResourceDefinition, which defines the shape of a new API type which is used to create the cloud-based resources.

For help creating the CompositeResourceDefinition, see the Crossplane documentation, or see Create a CompositeResourceDefinition in Configure dynamic provisioning of AWS RDS service instances.

Step 3: Create a Composition

This step is likely to be the most time-consuming. The Composition is where you define the configuration for the resources that make up the service instances for app teams to claim. Configure the necessary resources for usable service instances that users can connect to and use over the network.

To get started with creating a Composition, first read through Configuring Composition in the Upbound documentation.

You can also see the following Composition examples:

Step 4: Create a provisioner-based ClusterInstanceClass

Create a provisioner-based ClusterInstanceClass which is configured to refer to the CompositeResourceDefinition created earlier. For example:

kind: ClusterInstanceClass
  name: cloud-service-foo
    short: FooDB by cloud provider Foo!
      compositeResourceDefinition: NAME-OF-THE-COMPOSITE-RESOURCE-DEFINITION

For a real-world example, see Make the service discoverable in Configure dynamic provisioning of AWS RDS service instances.

Step 5: Configure RBAC

Create an Role-Based Access Control (RBAC) rule using the claim verb pointing to the ClusterInstanceClass you created. For example:

kind: ClusterRole
  name: app-operator-claim-foo-db
  labels: "true"
- apiGroups:
  - ""
  - clusterinstanceclasses
  - cloud-service-foo
  - claim

For a real-world example, see Configure RBAC in Configure dynamic provisioning of AWS RDS service instances.

Step 6: Verify your integration

To test your integration, create a ClassClaim that points to the ClusterInstanceClass you created. For example:

kind: ClassClaim
  name: claim-1
    name: cloud-service-foo
    key: value

Verify that the ClassClaim eventually transitions into a READY=True state. If it doesn’t, debug the ClassClaim using kubectl. For how to do this, see Troubleshoot Services Toolkit.

check-circle-line exclamation-circle-line close-line
Scroll to top icon