Crossplane ProviderConfig "cannot get credentials" in CI
A ProviderConfig tells a provider how to authenticate to a cloud. "cannot get credentials" means the provider could not load the referenced secret, or the InjectedIdentity (IRSA/OIDC) path is not wired up, so no managed resource can reconcile.
What this error means
Managed resources stay SYNCED False and their events show "cannot get credentials" or "cannot get referenced secret" tied to the ProviderConfig.
cannot get referenced ProviderConfig: cannot get credentials:
cannot get credentials secret: Secret "aws-creds" not found in namespace
"crossplane-system"Common causes
The referenced credentials secret is missing
The ProviderConfig source: Secret references a secret name/namespace/key that does not exist in the cluster.
InjectedIdentity (IRSA/OIDC) is not configured
The ProviderConfig uses source: InjectedIdentity, but the provider service account has no IRSA/OIDC role annotation to assume.
How to fix it
Create the secret the ProviderConfig references
- Create the credentials secret in the namespace and key the ProviderConfig expects.
- Confirm the ProviderConfig
secretRefmatches name, namespace, and key. - Reconcile the resources again.
kubectl -n crossplane-system create secret generic aws-creds \
--from-file=creds=./aws-credentials.txtWire up InjectedIdentity for IRSA/OIDC
For keyless auth, annotate the provider service account with the role to assume and set the ProviderConfig source to InjectedIdentity.
apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
name: default
spec:
credentials:
source: InjectedIdentityHow to prevent it
- Create credential secrets before applying ProviderConfigs.
- Prefer IRSA/OIDC over long-lived secrets where the platform allows it.
- Keep the ProviderConfig secretRef name/namespace/key in sync with the secret.