diff --git a/Makefile b/Makefile
index 225d43e21..cfd17fe17 100644
--- a/Makefile
+++ b/Makefile
@@ -25,6 +25,9 @@ endif
 ifeq ($(UNAME_M),arm64)
   VALE_ARCH := arm64
 endif
+ifeq ($(UNAME_M),aarch64)
+  VALE_ARCH := arm64
+endif
 
 VALE_BINARY := vale_$(VALE_VERSION)_$(VALE_OS)_$(VALE_ARCH).tar.gz
 VALE_INSTALL_DIR := ./bin
@@ -138,4 +141,4 @@ version: ## Show versions of tools
 		echo "Vale: $(shell $(VALE_EXEC) --version 2>/dev/null || echo 'not installed')"; \
 	else \
 		echo "Vale: not installed (run 'make install-vale')"; \
-	fi
\ No newline at end of file
+	fi
diff --git a/docs/manuals/packages/providers/authentication.md b/docs/manuals/packages/providers/authentication.md
new file mode 100644
index 000000000..4861d8d75
--- /dev/null
+++ b/docs/manuals/packages/providers/authentication.md
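Review bot: The new `aarch64` case still leaves `VALE_ARCH` empty for every machine type that matches none of the `ifeq` blocks, so `VALE_BINARY` on the line below expands to `vale_<ver>_<os>_.tar.gz` and the problem only surfaces when that tarball is fetched, unless `VALE_ARCH` is given a default above line 25, outside this hunk. Add a guard after the last `endif`: `ifeq ($(strip $(VALE_ARCH)),)` / `  $(error Unsupported architecture: $(UNAME_M))` / `endif`. The two arm blocks can also be folded into one, `ifneq ($(filter arm64 aarch64,$(UNAME_M)),)`, so the mapping lives in a single place. Because this name selects an archive that is downloaded into `VALE_INSTALL_DIR` and executed, it is worth confirming that the `install-vale` recipe (not in this diff) verifies the archive against a pinned checksum before extracting it.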
@@ -0,0 +1,1675 @@ +--- +title: Provider Authentication +sidebar_position: 2 +description: Authentication options for Upbound Official Providers +--- + +This guide covers authentication methods for Upbound Official Providers. Each provider supports multiple authentication approaches to fit different deployment scenarios and security requirements. + +## Quick reference + +| Provider | Authentication Methods | +|----------|----------------------| +| AWS | [Upbound OIDC](#aws-upbound-oidc), [Access Keys](#aws-access-keys), [WebIdentity](#aws-webidentity), [IRSA](#aws-irsa) | +| Azure | [Upbound OIDC](#azure-upbound-oidc), [Service Principal](#azure-service-principal), [Managed Identity](#azure-managed-identity) | +| GCP | [Upbound OIDC](#gcp-upbound-oidc), [Service Account Keys](#gcp-service-account-keys), [OAuth 2.0 Token](#gcp-oauth-token), [Service Account Impersonation](#gcp-service-account-impersonation), [Workload Identity](#gcp-workload-identity) | +| Kubernetes | [Upbound Identity](#kubernetes-upbound-identity), [Injected Identity](#kubernetes-injected-identity) | + +## AWS authentication + +The Upbound Official AWS Provider supports multiple authentication methods suitable for different environments. + +### AWS Upbound OIDC {#aws-upbound-oidc} + +:::note +This method is only supported in control planes running on [Upbound Cloud Spaces][upbound-cloud-spaces]. +::: + +Upbound authentication uses OpenID Connect (OIDC) to authenticate to AWS without storing credentials in Upbound. + +#### Add Upbound as an OpenID Connect provider + +1. Open the **[AWS IAM console][aws-iam-console]**. +2. Under AWS IAM services, select **[Identity Providers > Add Provider][identity-providers-add-provider]**. +3. Select **OpenID Connect** and use **https://proidc.upbound.io** as the Provider URL and **sts.amazonaws.com** as the Audience. +4. Select **Get thumbprint**. +5. Select **Add provider**. + +#### Create an AWS IAM Role for Upbound + +1. 
Create an [AWS IAM Role][aws-iam-role] with a **Custom trust policy** for the OIDC connector. + +:::tip +Provide your [AWS account ID][aws-account-id], Upbound organization and control plane names in the JSON Policy below. +::: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::YOUR_AWS_ACCOUNT_ID:oidc-provider/proidc.upbound.io" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "proidc.upbound.io:sub": "mcp:ORG_NAME/CONTROL_PLANE_NAME:provider:provider-aws", + "proidc.upbound.io:aud": "sts.amazonaws.com" + } + } + } + ] +} +``` + +2. Attach the permission policies you want for the control plane assuming this role. +3. Name and create the role. +4. View the new role and copy the role ARN. + +#### Create a ProviderConfig + +Create a ProviderConfig to set the provider authentication method to `Upbound`. + +```yaml +apiVersion: aws.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: default +spec: + credentials: + source: Upbound + upbound: + webIdentity: + roleARN: +``` + + +### AWS Access Keys {#aws-access-keys} + +Using AWS access keys requires storing the AWS keys as a Kubernetes secret. + +Create or [download your AWS access key][download-your-aws-access-key] ID and secret access key. The format of the text file is: + +```ini +[default] +aws_access_key_id = AKIAIOSFODNN7EXAMPLE +aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY +``` + +
+Authentication keys with SSO + +To generate authentication keys for SSO login, access your organization's AWS SSO portal. + +Select "Command line or programmatic access" + +![AWS SSO screen highlighting the option command line or programmatic access](/img/aws-sso-screen.png) + +Expand "Option 2" and copy the provided AWS credentials. + +![AWS screen showing Option 2 credentials](/img/aws-auth-option2.png) + +Use this as the contents of the `aws-credentials.txt` file. + +Below is an example `aws-credentials.txt` file with SSO authentication. + +```ini +[123456789_AdministratorAccess] +aws_access_key_id=ASIAZBZV2IPKEXAMPLEKEY +aws_secret_access_key=PPF/Wu9vTja98L5t/YNycbzEMEXAMPLEKEY +aws_session_token=ArrGMPb4X3zjshBuQHLa79fyNZ8tDHpi9ogiA8DX6HkKLJxMA6LXcUyMGN6MUe3tYuhRKwdCTkfwt6qCVMT8Ctab//3jMmrV9zXArrGMPb4X3zjshBuQHLa79fyNZ8tDHpi9ogiA8DX6HkKLJxMA6LXcUyMGN6MUe3tYuhRKwdCTkfwt6qCVMT8Ctab//3jMmrV9zXArrGMPb4X3zjshBuQHLa79fyNZ8tDHpi9ogiA8DX6HkKLJxMA6LXcUyMGN6MUe3tYuhRKwdCTkfwt6qCVMT8Ctab//3jMmrV9zXArrGMPb4X3zjshBuQHLa79fyNZ8tDHpi9ogiA8DX6HkKLJxMA6LXcUyMGN6MUe3tYuhRKwdCTkfwt6qCVMT8Ctab//3jMmrV9zXArrGMPb4X3zjshBuQHLa79fyNZ8tDHpi9ogiA8DX6HkKLJxMA6LXcUyMGN6MUe3tYuhRKwdCTkfwt6qCVMT8Ctab//3jMmrV9zXArrGMPb4X3zjshBuQHLa79fyNZ8tDHpi9ogiA8DX6HkKLJxMA6LXcUyMGN6MUe3tYuhRKwdCTkfwt6qCVMT8Ctab//3jMmrV9zXArrGMPb4X3zjshBuQHLa79fyNZ8tDHpi9ogiA8DX6HkKLJxMA6LXcUyMGN6MUe3tYuhRKwdCTkfwt6qCVMT8Ctab//3jMmrV9zX +``` + +:::tip +These credentials are only valid as long as your SSO session. When the credentials expire Crossplane can't monitor or change AWS resources. +::: + +
+ +#### Create a Kubernetes secret + +Create the Kubernetes secret with `kubectl create secret generic`: + +```shell +kubectl create secret generic \ +aws-secret \ +-n crossplane-system \ +--from-file=my-aws-secret=./aws-credentials.txt +``` + +To create a secret declaratively requires encoding the authentication keys as a base-64 string. + +Create a Secret object with the data containing the secret key name and the base-64 encoded keys: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: aws-secret + namespace: crossplane-system +type: Opaque +data: + my-aws-secret: W2RlZmF1bHRdCmF3c19hY2Nlc3Nfa2V5X2lkID0gQUtJQUlPU0ZPRE5ON0VYQU1QTEUKYXdzX3NlY3JldF9hY2Nlc3Nfa2V5ID0gd0phbHJYVXRuRkVNSS9LN01ERU5HL2JQeFJmaUNZRVhBTVBMRUtFWQ== +``` + +#### Create a ProviderConfig + +Create a ProviderConfig to set the provider authentication method to `Secret`: + +```yaml +apiVersion: aws.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: default +spec: + credentials: + source: Secret + secretRef: + namespace: crossplane-system + name: aws-secret + key: my-aws-secret +``` + +:::tip +To apply key based authentication by default name the ProviderConfig `default`. +::: + +To selectively apply key based authentication, name the ProviderConfig and apply it when creating managed resources. 
+ +For example, creating a ProviderConfig named `key-based-providerconfig`: + +```yaml +apiVersion: aws.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: key-based-providerconfig +spec: + credentials: + source: Secret + secretRef: + namespace: crossplane-system + name: aws-secret + key: my-aws-secret +``` + +Apply the ProviderConfig to a managed resource with a `providerConfigRef`: + +```yaml +apiVersion: s3.aws.upbound.io/v1beta1 +kind: Bucket +metadata: + name: my-s3-bucket +spec: + forProvider: + region: us-east-2 + providerConfigRef: + name: key-based-providerconfig +``` + +#### Role chaining + +To use [AWS IAM role chaining][aws-iam-role-chaining], add an `assumeRoleChain` object to the ProviderConfig. + +Inside the `assumeRoleChain`, list one or more roles to assume, in order: + +```yaml +apiVersion: aws.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: default +spec: + credentials: + source: Secret + secretRef: + namespace: crossplane-system + name: aws-secret + key: my-aws-secret + assumeRoleChain: + - roleARN: "arn:aws:iam::111122223333:role/my-custom-role" +``` + +### AWS WebIdentity {#aws-webidentity} + +When running in an Amazon managed Kubernetes cluster (EKS), the Provider may use [AssumeRoleWithWebIdentity][assumerolewithwebidentity] for authentication. + +WebIdentity uses an OpenID Connect ID token to authenticate and use a specific AWS IAM role. + +:::tip +WebIdentity is only supported with Crossplane running in Amazon managed Kubernetes clusters (EKS). +::: + +Configuring WebIdentity with the AWS Provider requires: +* An AWS [IAM OIDC Provider][iam-oidc-provider] +* An AWS IAM Role with an editable [trust policy][trust-policy] +* A ProviderConfig to enable WebIdentity authentication + +#### Create an IAM OIDC provider + +WebIdentity relies on the EKS cluster OIDC provider. + +Follow the [AWS instructions][aws-instructions] to create an IAM OIDC provider with your EKS OIDC provider URL. 
+ +#### Edit the IAM role + +Supporting WebIdentity requires matching the EKS OIDC information to the specific role through a role trust policy. + +:::tip +Read the [AWS trust policies blog][aws-trust-policies-blog] for more information on trust policies. +::: + +The trust policy references the OIDC provider ARN and the provider AWS service account. + +In the policy `Principal` enter `"Federated": ""`. + +Add a `Condition` to restrict access to the role to only the Provider's service account. + +The `Condition` uses `StringLike` to generically match the Provider's service account. + +
+Why use a generic match? + +The token used for authentication includes the full name of the AWS Provider's Kubernetes service account. + +The Provider's service account name ends in a hash. If the hash changes the `Condition` doesn't match. + +
+ +Enter the string (with quotation marks) `":sub": "system:serviceaccount:upbound-system:provider-aws-*"`. + +:::tip +Be sure to include `:sub` after the OIDC provider ARN. + +The `system:serviceaccount:` matches the namespace where the Provider pod runs. + +By default UXP uses `upbound-system` and Crossplane uses `crossplane-system`. +::: + +The following is a full example trust policy: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-2.amazonaws.com/id/5C64F628ACFB6A892CC25AF3B67124C5" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringLike": { + "oidc.eks.us-east-2.amazonaws.com/id/5C64F628ACFB6A892CC25AF3B67124C5:sub": "system:serviceaccount:crossplane-system:provider-aws-*" + } + } + } + ] +} +``` + +#### Create a ProviderConfig + +Create a ProviderConfig to set the provider authentication method to `WebIdentity`: + +```yaml +apiVersion: aws.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: default +spec: + credentials: + source: WebIdentity + webIdentity: + roleARN: "arn:aws:iam::111122223333:role/my-custom-role" +``` + +:::tip +To apply WebIdentity authentication by default name the ProviderConfig `default`. +::: + +To selectively apply WebIdentity authentication, name the ProviderConfig and apply it when creating managed resources. 
+ +For example, creating a ProviderConfig named `webid-providerconfig`: + +```yaml +apiVersion: aws.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: webid-providerconfig +spec: + credentials: + source: WebIdentity + webIdentity: + roleARN: "arn:aws:iam::111122223333:role/my-custom-role" +``` + +Apply the ProviderConfig to a managed resource with a `providerConfigRef`: + +```yaml +apiVersion: s3.aws.upbound.io/v1beta1 +kind: Bucket +metadata: + name: my-s3-bucket +spec: + forProvider: + region: us-east-2 + providerConfigRef: + name: webid-providerconfig +``` + +#### Role chaining + +To use [AWS IAM role chaining][aws-iam-role-chaining], add an `assumeRoleChain` object to the ProviderConfig. + +Inside the `assumeRoleChain`, list one or more roles to assume, in order: + +```yaml +apiVersion: aws.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: webid-providerconfig +spec: + credentials: + source: WebIdentity + webIdentity: + roleARN: "arn:aws:iam::111122223333:role/my-custom-role" + assumeRoleChain: + - roleARN: "arn:aws:iam::111122223333:role/my-assumed-role" +``` + +### AWS IRSA {#aws-irsa} + + +When running in Amazon EKS, the Provider may use [IAM roles for service accounts][aws-iam-roles-for-service-accounts] (IRSA) for authentication. + +IRSA works by using an annotation on a Kubernetes ServiceAccount used by a Pod requesting AWS resources. The annotation matches an AWS IAM Role ARN configured with the desired permissions. + +Configuring IRSA with the AWS Provider requires: +* An AWS [IAM OIDC Provider][iam-oidc-provider] +* An AWS IAM Role with an editable [trust policy][trust-policy] +* A DeploymentRuntimeConfig to add an annotation on the AWS Provider service account +* A ProviderConfig to enable IRSA authentication + +#### Create an IAM OIDC provider + +IRSA relies on the EKS cluster OIDC provider. + +Follow the [AWS instructions][aws-instructions] to create an IAM OIDC provider with your EKS OIDC provider URL. 
+ +#### Edit the IAM role + +Supporting IRSA requires matching the EKS OIDC information to the specific role through a role trust policy. + +:::tip +Read the [AWS trust policies blog][aws-trust-policies-blog] for more information on trust policies. +::: + +The trust policy references the OIDC provider ARN and the provider AWS service account. + +In the policy `Principal` enter `"Federated": ""`. + +Add a `Condition` to restrict access to the role to only the Provider's service account. + +The `Condition` uses `StringLike` to generically match the Provider's service account. + +
+Why use a generic match? + +The token used for authentication includes the full name of the AWS Provider's Kubernetes service account. + +The Provider's service account name ends in a hash. If the hash changes the `Condition` doesn't match. + +
+ +Enter the string (with quotation marks) `":sub": "system:serviceaccount:upbound-system:provider-aws-*"`. + +:::tip +Be sure to include `:sub` after the OIDC provider ARN. + +The `system:serviceaccount:` matches the namespace where the Provider pod runs. + +By default UXP uses `upbound-system` and Crossplane uses `crossplane-system`. +::: + +The following is a full example trust policy: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::622346257358:oidc-provider/oidc.eks.us-east-2.amazonaws.com/id/5C64F628ACFB6A892CC25AF3B67124C5" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringLike": { + "oidc.eks.us-east-2.amazonaws.com/id/5C64F628ACFB6A892CC25AF3B67124C5:sub": "system:serviceaccount:crossplane-system:provider-aws-*" + } + } + } + ] +} +``` + +#### Create a DeploymentRuntimeConfig + +IRSA relies on an annotation on the service account attached to a pod to identify the IAM role to use. + +Crossplane uses a DeploymentRuntimeConfig to apply settings to the provider, including the provider service account. + +Create a DeploymentRuntimeConfig object to apply a custom annotation to the provider service account: + +```yaml +apiVersion: pkg.crossplane.io/v1beta1 +kind: DeploymentRuntimeConfig +metadata: + name: irsa-runtimeconfig +spec: + serviceAccountTemplate: + metadata: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::622346257358:role/my-custom-role +``` + +#### Apply the DeploymentRuntimeConfig + +Install or update the provider with a `runtimeConfigRef`: + +```yaml +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: provider-aws-s3 +spec: + package: xpkg.upbound.io/upbound/provider-aws-s3:v2.1.1 + runtimeConfigRef: + name: irsa-runtimeconfig +``` + +After the provider finishes installing, verify Crossplane applied the annotation on the service account from the DeploymentRuntimeConfig. 
+ +:::tip + +Kubernetes applies a unique hash to the end of the service account name. Find the specific service account name with `kubectl get sa -n crossplane-system` for Crossplane or `kubectl get sa -n upbound-system` for UXP. + +::: + +```shell +kubectl describe sa -n crossplane-system provider-aws-s3-dbc7f981d81f +Name: provider-aws-s3-dbc7f981d81f +Namespace: crossplane-system +Labels: +Annotations: eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/my-custom-role +# Removed for brevity +``` + +Apply the `runtimeConfig` to each family provider using the same IAM role. + +#### Create a ProviderConfig + +Create a ProviderConfig to set the provider authentication method to `IRSA`: + +```yaml +apiVersion: aws.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: default +spec: + credentials: + source: IRSA +``` + +:::tip +To apply IRSA authentication by default name the ProviderConfig `default`. +::: + +To selectively apply IRSA authentication, name the ProviderConfig and apply it when creating managed resources. + +For example, creating a ProviderConfig named `irsa-providerconfig`: + +```yaml +apiVersion: aws.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: irsa-providerconfig +spec: + credentials: + source: IRSA +``` + +Apply the ProviderConfig to a managed resource with a `providerConfigRef`: + +```yaml +apiVersion: s3.aws.upbound.io/v1beta1 +kind: Bucket +metadata: + name: my-s3-bucket +spec: + forProvider: + region: us-east-2 + providerConfigRef: + name: irsa-providerconfig +``` + +#### Role chaining + +To use [AWS IAM role chaining][aws-iam-role-chaining], add an `assumeRoleChain` object to the ProviderConfig. 
+ +Inside the `assumeRoleChain`, list one or more roles to assume, in order: + +```yaml +apiVersion: aws.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: irsa-providerconfig +spec: + credentials: + source: IRSA + assumeRoleChain: + - roleARN: "arn:aws:iam::111122223333:role/my-assumed-role" +``` + +## Azure authentication + +The Upbound Official Azure Provider supports multiple authentication methods. + +### Azure Upbound OIDC {#azure-upbound-oidc} + +:::note +This method is only supported in control planes running on [Upbound Cloud Spaces][upbound-cloud-spaces]. +::: + +#### Create an identity pool + +1. Open the **[Azure portal][azure-portal]**. +2. Select **[Microsoft Entra ID][microsoft-entra-id]**. +3. Select **App registrations**. +4. Select **New registration**. +5. Name the pool **upbound-oidc-provider**. +6. In _Supported account types_ select **Accounts in this organizational directory only**. +7. Leave _Redirect URI_ blank. +8. Select **Register**. + +#### Create a federated credential + +1. Select **Certificates and secrets** in the left navigation. +2. Select **Federated credentials** tab. +3. Select **Add credential**. +4. In _Federated credential scenario_ select **Other Issuer**. +5. In _Issuer_ enter **https://proidc.upbound.io**. +6. In _Subject identifier_ enter: `mcp:/:provider:provider-azure` +7. In _Audience_ leave **api://AzureADTokenExchange**. +8. In _Name_ enter a name for the credential, like: `upbound---provider-azure` +9. In _Description_ optionally enter a description, like: `Upbound MCP / Provider provider-azure` +10. Select **Add**. + +#### Grant permissions to the service principal + +For your control plane to be able to perform actions required by this configuration, you need to grant permissions to the Application Service Principal. Assign a role to the Application Service Principal by following these instructions: + +1. Open the **[Azure portal][azure-portal]** +2. Select **[Subscriptions][subscriptions]**. +3. 
Select your subscription. +4. Select **Access control (IAM)** in the left navigation. +5. Select **Add** and select **Add role assignment**. +6. Find and select the **Contributor** role on the **Privileged administrator roles** tab. +7. Select **Next**. +8. In _Assign access to_ select **User, group, or service principal**. +9. Select **Select members**. +10. Find your application by entering **upbound-oidc-provider** in the search field. +11. Select **Select**. +12. Select **Review + assign**. +13. Make sure everything is correct and press **Review + assign** again. + +#### Create a ProviderConfig + +```yaml +apiVersion: azure.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: default +spec: + credentials: + source: Upbound + clientID: + tenantID: + subscriptionID: +``` + +### Azure Service Principal {#azure-service-principal} + +A service principal passes `client_id`, `client_secret`, and `tenant_id` authentication tokens to create and manage Azure resources. + +#### Create a service principal using Azure CLI + +Find your Subscription ID: + +```shell +az account list +``` + +Create a service principal with Owner role: + +```shell +az ad sp create-for-rbac --sdk-auth --role Owner --scopes /subscriptions/ \ + > azure.json +``` + +#### Create a Kubernetes secret + +```shell +kubectl create secret generic azure-secret -n upbound-system --from-file=creds=./azure.json +``` + +The `azure.json` file contains the client ID, secret, and tenant ID of your subscription. + +#### Create a ProviderConfig + +```yaml +apiVersion: azure.upbound.io/v1beta1 +metadata: + name: default +kind: ProviderConfig +spec: + credentials: + source: Secret + secretRef: + namespace: upbound-system + name: azure-secret + key: creds +``` + +Your credential `source` must be `Secret` and you must specify the namespace, name, and key if you used different values. 
+ +#### Service principal with client certificate credentials + +You can create Azure service principals with a client certificate instead of a client secret as credentials. When creating the service principal, Azure CLI provides the options to generate a client certificate automatically or set your own custom certificate. + +##### Create a service principal with a generated client certificate + +The following command creates a service principal with an automatically generated certificate: + +```shell +# set your subscription ID +AZ_SUBSCRIPTION_ID="11111111-1111-1111-1111-1111111111111" +az ad sp create-for-rbac --sdk-auth \ + --role Owner \ + --scopes /subscriptions/"${AZ_SUBSCRIPTION_ID}" \ + --create-cert > azure_credentials.json +``` + +The `azure_credentials.json` file contains: +- The client ID +- The path of the generated client certificate file in your local machine +- Tenant ID of your subscription + +It looks like the following: + +```json +{ + "clientId": "1111111-2222-3333-4444-555555555555", + "clientCertificate": "/path/to/generatedcert.pem", + "subscriptionId": "22222222-3333-4444-5555-666666666666", + "tenantId": "33333333-4444-5555-6666-777777777777", + "activeDirectoryEndpointUrl": "https://login.microsoftonline.com", + "resourceManagerEndpointUrl": "https://management.azure.com/", + "activeDirectoryGraphResourceId": "https://graph.windows.net/", + "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/", + "galleryEndpointUrl": "https://gallery.azure.com/", + "managementEndpointUrl": "https://management.core.windows.net/" +} +``` + +The generated certificate looks like the following: + +``` +-----BEGIN PRIVATE KEY----- +... +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +... +-----END CERTIFICATE----- +``` + +To use this configuration with the Upbound Azure Provider, you should replace the `clientCertificate` field with the certificate content. 
First convert the certificate to `PKCS12` format, then encode it with `base64`: + +```shell +# extract the path of the generated PEM certificate +AZ_CLIENT_CERT_PEM_PATH="$(jq -r '.clientCertificate' azure_credentials.json)" + +# convert PEM to PKCS12 using openssl tool +openssl pkcs12 -export \ + -out azure_sp_cert.pkcs12 \ + -in "${AZ_CLIENT_CERT_PEM_PATH}" \ + -inkey "${AZ_CLIENT_CERT_PEM_PATH}" \ + -passout pass: + +# encode the certificate +base64 -i azure_sp_cert.pkcs12 | tr -d '\n' > azure_sp_cert_pkcs12_base64encoded + +# replace clientCertificate field in azure_credentials.json with base64-encoded certificate content +jq --rawfile certcontent azure_sp_cert_pkcs12_base64encoded \ + '.clientCertificate=$certcontent' azure_credentials.json > azure_credentials_withcert.json +``` + +The preceding command snippet should generate the file `azure_credentials_withcert.json` that looks like the following: + +```json +{ + "clientId": "1111111-2222-3333-4444-555555555555", + "clientCertificate": "XXXXX......XXX", + "subscriptionId": "22222222-3333-4444-5555-666666666666", + "tenantId": "33333333-4444-5555-6666-777777777777", + "activeDirectoryEndpointUrl": "https://login.microsoftonline.com", + "resourceManagerEndpointUrl": "https://management.azure.com/", + "activeDirectoryGraphResourceId": "https://graph.windows.net/", + "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/", + "galleryEndpointUrl": "https://gallery.azure.com/", + "managementEndpointUrl": "https://management.core.windows.net/" +} +``` + +Next, use `kubectl` to associate your Azure credentials file with a generic Kubernetes secret: + +```shell +kubectl create secret generic azure-secret -n upbound-system --from-file=creds=./azure_credentials_withcert.json +``` + +##### Create a service principal with your own client certificate + +Azure service principals accept custom certificates in an `ASCII` format such as `PEM`, `CER`, or `DER`. 
When using a certificate with `PEM` format, the certificate file should include both the certificate and private key appended. See [Microsoft Azure Service Principal Documentation][microsoft-azure-service-principal-documentation] for reference. + +The following command creates a service principal with your custom certificate. You can choose one of the options: + +```shell +# option 1 - load cert from file +az ad sp create-for-rbac --sdk-auth \ + --role Owner \ + --scopes /subscriptions/"${AZ_SUBSCRIPTION_ID}" \ + --cert @/path/to/yourcert.pem > azure_credentials.json + +# option 2 - set cert directly from string +az ad sp create-for-rbac --sdk-auth \ + --role Owner \ + --scopes /subscriptions/"${AZ_SUBSCRIPTION_ID}" \ + --cert "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----" > azure_credentials.json +``` + +The preceding command generates the `azure_credentials.json` file. Since you used a custom certificate, note that `clientCertificate` is `null` in the output: + +```json +{ + "clientId": "1111111-2222-3333-4444-555555555555", + "clientCertificate": null, + "subscriptionId": "22222222-3333-4444-5555-666666666666", + "tenantID": "33333333-4444-5555-6666-777777777777", + "activeDirectoryEndpointUrl": "https://login.microsoftonline.com", + "resourceManagerEndpointUrl": "https://management.azure.com/", + "activeDirectoryGraphResourceId": "https://graph.windows.net/", + "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/", + "galleryEndpointUrl": "https://gallery.azure.com/", + "managementEndpointUrl": "https://management.core.windows.net/" +} +``` + +Upbound Azure Provider accepts certificates in base64-encoded `PKCS12` format. Convert your certificate to `PKCS12` format, then encode it with `base64`. Add the resulting string to the `clientCertificate` field of `azure_credentials.json`. + +In the snippet below, you can find example commands for `PEM` certificate to `PKCS12` conversion using `openssl`. 
If your certificate is in other formats than `PEM`, you can convert it to PEM, then use the following commands for `PKCS12` conversion. If you already have your certificate in `PKCS12` format, you can skip the conversion and move to the `base64` encode step: + +```shell +# convert PEM to PKCS12 using openssl tool +openssl pkcs12 -export \ + -out azure_sp_cert.pkcs12 \ + -in "/path/to/your/cert.pem" \ + -inkey "/path/to/your/key.pem" \ + -passout pass: + +# encode +base64 -i azure_sp_cert.pkcs12 | tr -d '\n' > azure_sp_cert_pkcs12_base64encoded + +# replace clientCertificate field in azure_credentials.json with base64-encoded certificate content +jq --rawfile certcontent azure_sp_cert_pkcs12_base64encoded \ + '.clientCertificate=$certcontent' azure_credentials.json > azure_credentials_withcert.json +``` + +If you have a password-protected PKCS12 certificate, you should also set the `clientCertificatePassword` field in the `azure_credentials_withcert.json`: + +```json +{ + "clientId": "1111111-2222-3333-4444-555555555555", + "clientCertificate": "XXXXX......XXX", + "clientCertificatePassword": "YourClientCertificatePassword", + "subscriptionId": "22222222-3333-4444-5555-666666666666", + "tenantId": "33333333-4444-5555-6666-777777777777", + "activeDirectoryEndpointUrl": "https://login.microsoftonline.com", + "resourceManagerEndpointUrl": "https://management.azure.com/", + "activeDirectoryGraphResourceId": "https://graph.windows.net/", + "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/", + "galleryEndpointUrl": "https://gallery.azure.com/", + "managementEndpointUrl": "https://management.core.windows.net/" +} +``` + +Use `kubectl` to associate your Azure credentials file with a generic Kubernetes secret: + +```shell +kubectl create secret generic azure-secret -n upbound-system --from-file=creds=./azure_credentials_withcert.json +``` + +### Azure Managed Identity {#azure-managed-identity} + +The system-assigned managed identity allows you to 
associate the provider with your Azure Kubernetes Service (AKS) cluster automatically without manually managing credentials. + +#### System-assigned managed identity + +A system-assigned managed identity is automatically created when you create an AKS cluster. This section covers creating a new identity in a new cluster. + +Create a resource group: + +```shell +az group create --name myResourceGroup --location westus2 +``` + +Create an AKS cluster with the `--enable-managed-identity` flag: + +```shell +az aks create -g myResourceGroup -n myManagedCluster --enable-managed-identity +``` + +Use the `aks get-credentials` command to generate the kubeconfig file for your AKS cluster. This file contains the authentication and connection information for your cluster: + +```shell +az aks get-credentials --resource-group myResourceGroup --name myManagedCluster +``` + +To switch from a service principal to a system-assigned managed identity, use the `aks update` command: + +```shell +az aks update -g myResourceGroup -n myManagedCluster --enable-managed-identity +``` + +#### Configure your provider + +In your provider configuration, update the `source`, `subscriptionID`, and `tenantID` in the `credentials` field: + +```yaml +apiVersion: azure.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: default +spec: + credentials: + source: SystemAssignedManagedIdentity + subscriptionID: + tenantID: +``` + +#### User-assigned managed identity + +Create user-assigned managed identities: + +```shell +az identity create --name --resource-group +az identity create --name --resource-group +``` + +Create an AKS cluster with the identities: + +```shell +az aks create \ + --resource-group \ + --name \ + --enable-managed-identity \ + --assign-identity \ + --assign-kubelet-identity +``` + +Create a ProviderConfig: + +```yaml +apiVersion: azure.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: default +spec: + credentials: + source: UserAssignedManagedIdentity + clientID: + 
subscriptionID: + tenantID: +``` + +## GCP authentication + +The Upbound Official GCP Provider supports multiple authentication methods. + +### GCP Upbound OIDC {#gcp-upbound-oidc} + +:::note +This method is only supported in control planes running on [Upbound Cloud Spaces][upbound-cloud-spaces]. +::: + +#### Create an identity pool + +1. Open the **[GCP IAM Admin console][gcp-iam-admin-console]**. +2. Select **[Workload Identity Federation][workload-identity-federation]**. +3. Select **Create Pool**. +4. Name the pool **upbound-oidc-pool**. +5. **Enable** the pool. +6. Select **Continue**. + +#### Add Upbound to the pool + +- _Provider Name_: **upbound-oidc-provider** +- _Issuer (URL)_: **https://proidc.upbound.io** +- _Audience 1_: **sts.googleapis.com** + +The provider attributes restrict which remote entities you allow access to your resources. When Upbound authenticates to GCP it provides an OIDC subject (`sub`) in the form: + +`mcp:/:provider:` + +Configure the _google.subject_ attribute as **assertion.sub**. + +Under _Attribute Conditions_ select **Add Condition**. + +To authenticate any control plane in your organization, in the _Conditional CEL_ input box enter: + +```console +google.subject.contains("mcp:ORGANIZATION_NAME") +``` + +:::warning +Not providing a CEL condition allows any control plane to access your GCP account if they know the project ID and service account name. +::: + + +Select **Save**. + +#### Create a GCP Service Account + +1. Open the **[GCP IAM Admin console][gcp-iam-admin-console]**. +2. Select **[Service Accounts][service-accounts]**. +3. Select **Create Service Account**. +4. Grant appropriate roles (for example, **Cloud SQL Admin**, **Workload Identity User**). + +#### Add the service account to the identity pool + +1. Return to **[Workload Identity Federation][workload-identity-federation]**. +2. Select **Grant Access**. +3. Select your service account. +4. Use **All identities in the pool**. 
+ +#### Create a ProviderConfig + +```yaml +apiVersion: gcp.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: default +spec: + projectID: + credentials: + source: Upbound + upbound: + federation: + providerID: projects//locations/global/workloadIdentityPools//providers/ + serviceAccount: @.iam.gserviceaccount.com +``` + +### GCP Service Account Keys {#gcp-service-account-keys} + +Using GCP service account keys requires storing the GCP account keys JSON file as a Kubernetes secret. + +To create the Kubernetes secret, create or [download your GCP service account key][download-your-gcp-service-account-key] JSON file. + +#### Create a Kubernetes secret + +Create the Kubernetes secret with `kubectl create secret generic`: + +```shell +kubectl create secret generic \ +gcp-secret \ +-n crossplane-system \ +--from-file=my-gcp-secret=./gcp-credentials.json +``` + +To create a secret declaratively requires encoding the authentication keys as a base-64 string. + +Create a Secret object with the data containing the secret key name and the base-64 encoded keys: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: gcp-secret + namespace: crossplane-system +type: Opaque +data: + my-gcp-secret: ewogICJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIsCiAgInByb2plY3RfaWQiOiAiZG9jcyIsCiAgInByaXZhdGVfa2V5X2lkIjogIjEyMzRhYmNkIiwKICAicHJpdmF0ZV9rZXkiOiAiLS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tXG5cbi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS1cbiIsCiAgImNsaWVudF9lbWFpbCI6ICJkb2NzQHVwYm91bmQuaWFtLmdzZXJ2aWNlYWNjb3VudC5jb20iLAogICJjbGllbnRfaWQiOiAiMTIzNDUiLAogICJhdXRoX3VyaSI6ICJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20vby9vYXV0aDIvYXV0aCIsCiAgInRva2VuX3VyaSI6ICJodHRwczovL29hdXRoMi5nb29nbGVhcGlzLmNvbS90b2tlbiIsCiAgImF1dGhfcHJvdmlkZXJfeDUwOV9jZXJ0X3VybCI6ICJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9vYXV0aDIvdjEvY2VydHMiLAogICJjbGllbnRfeDUwOV9jZXJ0X3VybCI6ICJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9yb2JvdC92MS9tZXRhZGF0YS94NTA5L2RvY3MuaWFtLmdzZXJ2aWNlYWNjb3VudC5jb20iLAogICJ1bml2ZXJzZV9kb21haW4iOiAiZ29vZ2xlYXBpcy5jb20iCn0= 
+``` + +#### Create a ProviderConfig + +Create a ProviderConfig to set the provider authentication method to `Secret`: + +```yaml +apiVersion: gcp.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: default +spec: + projectID: + credentials: + source: Secret + secretRef: + namespace: crossplane-system + name: gcp-secret + key: my-gcp-secret +``` + +:::tip +To apply key based authentication by default name the ProviderConfig `default`. +::: + +To selectively apply key based authentication, name the ProviderConfig and apply it when creating managed resources. + +For example, creating a ProviderConfig named `key-based-providerconfig`: + +```yaml +apiVersion: gcp.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: key-based-providerconfig +spec: + projectID: + credentials: + source: Secret + secretRef: + namespace: crossplane-system + name: gcp-secret + key: my-gcp-secret +``` + +Apply the ProviderConfig to a managed resource with a `providerConfigRef`: + +```yaml +apiVersion: storage.gcp.upbound.io/v1beta1 +kind: Bucket +metadata: + name: my-gcp-bucket +spec: + forProvider: + location: US + providerConfigRef: + name: key-based-providerconfig +``` + +### GCP OAuth 2.0 Access Token {#gcp-oauth-token} + +Using GCP access tokens requires storing the GCP account keys JSON file as a Kubernetes secret. + +Create a GCP access [token for a service account][token-for-a-service-account] or with the [`gcloud` CLI][gcloud-cli]. + +:::warning +GCP access tokens are valid for 1 hour by default. When the token expires Crossplane can't create or delete resources. + +The [provider-gcp GitHub repository][provider-gcp-github-repository] contains an example `cron` job that automatically refreshes access tokens. 
+::: + +#### Create a Kubernetes secret + +Create the Kubernetes secret with `kubectl create secret generic`: + +```shell +kubectl create secret generic \ +gcp-secret \ +-n crossplane-system \ +--from-file=my-gcp-secret=./gcp-token.json +``` + +To create a secret declaratively requires encoding the access token as a base-64 string. + +Create a Secret object with the data containing the secret key name and the base-64 encoded token: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: gcp-secret + namespace: crossplane-system +type: Opaque +data: + my-gcp-secret: eWEyOS5hMEFmQl9ieURVVEpSSWt3RDk1c1cxTGE0d3dlLS0xTHpOZkxJeFFYbnIza25VVG9jYV9xY2xsSG1ZUzVycjJwYmNzZnVuR3M5blR6SnVIb2lYb3VmRnBEbGZicGV5bTBJU1lfUmdxWGNCMTdDY3RXZWZOd2hJcVVUblJ2UVdmcHpsODVvbklzUXZaN0F5MEJjUy1ZMGxXYXJXODVJQ2Z5R0RhZEtvYUNnWUtBWXdTQVJFU0ZRSHN2WWxzUnU1Q0w4UVY0OThRc1pvbmxGVXJXQTAxNzE= +``` + +#### Create a ProviderConfig + +Create a ProviderConfig to set the provider authentication method to `AccessToken`: + +```yaml +apiVersion: gcp.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: default +spec: + projectID: + credentials: + source: AccessToken + secretRef: + namespace: crossplane-system + name: gcp-secret + key: my-gcp-secret +``` + +To selectively apply token based authentication, name the ProviderConfig and apply it when creating managed resources. 
+ +For example, creating a ProviderConfig named `token-based-providerconfig`: + +```yaml +apiVersion: gcp.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: token-based-providerconfig +spec: + projectID: + credentials: + source: AccessToken + secretRef: + namespace: crossplane-system + name: gcp-secret + key: my-gcp-secret +``` + +Apply the ProviderConfig to a managed resource with a `providerConfigRef`: + +```yaml +apiVersion: storage.gcp.upbound.io/v1beta1 +kind: Bucket +metadata: + name: my-gcp-bucket +spec: + forProvider: + location: US + providerConfigRef: + name: token-based-providerconfig +``` + +### GCP Service Account Impersonation {#gcp-service-account-impersonation} + +When running the GCP Provider in Google managed Kubernetes cluster (GKE), the Provider may use [service account impersonation][service-account-impersonation] for authentication. + +Account impersonation allows the Provider to authenticate to GCP APIs using one service account and request escalated privileges through a second account. + +:::important +Service account impersonation is only supported with Crossplane running in Google managed Kubernetes clusters (GKE). +::: + +Configuring service account impersonation with the GCP Provider requires: +* A lower privileged [GCP service account][gcp-service-account] +* An elevated privileged [GCP service account][gcp-service-account] +* A DeploymentRuntimeConfig to reference the lower-privileged GCP service account +* A ProviderConfig to reference the elevated privileged GCP service account + +#### Configure the GCP service accounts + +You may use existing service accounts or follow the [GCP documentation to create new service accounts][gcp-documentation-to-create-a-new-service-account]. 
+ +The lower privilege role requires a [GCP IAM policy binding][gcp-iam-policy-binding] role for the project which includes `iam.serviceAccountTokenCreator`: + +```shell +gcloud projects add-iam-policy-binding \ + --member "serviceAccount:@.iam.gserviceaccount.com" \ + --role roles/iam.serviceAccountTokenCreator \ + --project +``` + +For example, to create a role-binding for project `upbound` and account `docs-unprivileged`: + +```shell +gcloud projects add-iam-policy-binding upbound \ + --member "serviceAccount:docs-unprivileged@upbound.iam.gserviceaccount.com" \ + --role roles/iam.serviceAccountTokenCreator \ + --project upbound +``` + +The lower privileged service account requires a [GCP IAM service account policy binding][gcp-iam-service-account-policy-binding] between the unprivileged account and the Kubernetes provider service account: + +```shell +gcloud iam service-accounts add-iam-policy-binding @.iam.gserviceaccount.com \ + --role roles/iam.workloadIdentityUser \ + --member "serviceAccount:.svc.id.goog[/]" +``` + +For example, to create a policy binding for project `upbound`, account `docs-unprivileged`, namespace `crossplane-system`, and Provider service account name `gcp-provider-sa`: + +```shell +gcloud iam service-accounts add-iam-policy-binding docs-unprivileged@upbound.iam.gserviceaccount.com \ + --role roles/iam.workloadIdentityUser \ + --member "serviceAccount:upbound.svc.id.goog[crossplane-system/gcp-provider-sa]" +``` + +:::tip +For more information on the account requirements for account impersonation, read the [GCP service account impersonation documentation][gcp-service-account-impersonation-documentation]. +::: + +#### Create a DeploymentRuntimeConfig + +The DeploymentRuntimeConfig creates a custom Provider service account and applies an annotation to the Provider's pod. + +Create a DeploymentRuntimeConfig object. 
Add an annotation mapping the key `iam.gke.io/gcp-service-account` to the email address of the lower-privileged GCP IAM service account. + +Add a `serviceAccountName` to the spec to create the Provider's service account. This must match the name used in the GCP IAM binding: + +```yaml +apiVersion: pkg.crossplane.io/v1beta1 +kind: DeploymentRuntimeConfig +metadata: + name: impersonation-runtimeconfig +spec: + serviceAccountTemplate: + metadata: + annotations: + iam.gke.io/gcp-service-account: @.iam.gserviceaccount.com + name: +``` + +For example, to use a GCP service account named `docs-unprivileged` and a service account name `gcp-provider-sa`: + +:::important +The `serviceAccountName` must match the service account referenced in the GCP IAM policy binding. +::: + +```yaml +apiVersion: pkg.crossplane.io/v1beta1 +kind: DeploymentRuntimeConfig +metadata: + name: impersonation-runtimeconfig +spec: + serviceAccountTemplate: + metadata: + annotations: + iam.gke.io/gcp-service-account: docs-unprivileged@upbound.iam.gserviceaccount.com + name: gcp-provider-sa +``` + +#### Apply the DeploymentRuntimeConfig + +Install or update the provider with a `runtimeConfigRef`: + +```yaml +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: provider-gcp-storage +spec: + package: xpkg.upbound.io/upbound/provider-gcp-storage:v2.1.0 + runtimeConfigRef: + name: impersonation-runtimeconfig +``` + +#### Create a ProviderConfig + +Create a ProviderConfig to set the provider authentication method to `ImpersonateServiceAccount`. Add the `impersonateServiceAccount` object and provide the name of the _privileged_ account to impersonate. 
Include the `projectID` to use: + +```yaml +apiVersion: gcp.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: default +spec: + projectID: + credentials: + source: ImpersonateServiceAccount + impersonateServiceAccount: + name: @.iam.gserviceaccount.com +``` + +For example, to create a ProviderConfig with service account named `docs-privileged` and project named `upbound`: + +```yaml +apiVersion: gcp.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: default +spec: + projectID: upbound + credentials: + source: ImpersonateServiceAccount + impersonateServiceAccount: + name: docs-privileged@upbound.iam.gserviceaccount.com +``` + +To selectively apply impersonation based authentication, name the ProviderConfig and apply it when creating managed resources. + +For example, creating a ProviderConfig named `impersonation-providerconfig`: + +```yaml +apiVersion: gcp.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: impersonation-providerconfig +spec: + projectID: + credentials: + source: ImpersonateServiceAccount + impersonateServiceAccount: + name: @.iam.gserviceaccount.com +``` + +Apply the ProviderConfig to a managed resource with a `providerConfigRef`: + +```yaml +apiVersion: storage.gcp.upbound.io/v1beta1 +kind: Bucket +metadata: + name: my-gcp-bucket +spec: + forProvider: + location: US + providerConfigRef: + name: impersonation-providerconfig +``` + +### GCP Workload Identity {#gcp-workload-identity} + +When running in Google Kubernetes Engine (GKE), the Provider may use [workload identity][workload-identity] for authentication. + +:::tip +Workload identity is only supported with Crossplane running in GKE. 
+::: + +#### Configure the GCP service account + +Enable workload identity and link the GCP IAM service account: + +```shell +gcloud iam service-accounts add-iam-policy-binding \ + \ +--role roles/iam.workloadIdentityUser \ +--member "serviceAccount:.svc.id.goog[crossplane-system/]" \ +--project +``` + +#### Create a DeploymentRuntimeConfig + +```yaml +apiVersion: pkg.crossplane.io/v1beta1 +kind: DeploymentRuntimeConfig +metadata: + name: workload-identity-runtimeconfig +spec: + serviceAccountTemplate: + metadata: + annotations: + iam.gke.io/gcp-service-account: + name: +``` + +#### Apply the DeploymentRuntimeConfig + +```yaml +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: provider-gcp-storage +spec: + package: xpkg.upbound.io/upbound/provider-gcp-storage:v2.1.0 + runtimeConfigRef: + name: workload-identity-runtimeconfig +``` + +#### Create a ProviderConfig + +```yaml +apiVersion: gcp.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: default +spec: + projectID: + credentials: + source: InjectedIdentity +``` + +## Kubernetes authentication + +The Upbound Official Kubernetes Provider supports multiple authentication methods. + +### Kubernetes Upbound Identity {#kubernetes-upbound-identity} + +:::note +This method is only supported in control planes running on [Upbound Cloud Spaces][upbound-cloud-spaces]. +::: + +Use this method to interact with [Upbound APIs][upbound-apis] using +provider-kubernetes. Upbound Identity supports the following authentication +methods with Upbound: + +- A user's personal access token (PAT) +- A token generated from a robot + +#### Create an access token + + + + +This method creates a Robot, the Upbound-equivalent of a service account, and uses its identity to authenticate and perform actions. + +1. Login to Upbound: + +```shell +up login +``` + +2. Create a robot: + +```shell +up robot create "provider-kubernetes" --description="Robot used for authenticating to Upbound by provider-kubernetes" +``` + +3. 
Create and store an access token for this robot as an environment variable: + +```shell +export UPBOUND_TOKEN=$(up robot token create "provider-kubernetes" "provider-kubernetes-token" --file - | jq -r '.token') +``` + +:::note +Follow the [`jq` installation guide][jq-install] if your machine doesn't include it by default. +::: + +4. Assign the robot [to a team][to-a-team] and use Upbound RBAC to [grant the team a role][grant-the-team-a-role] for permissions. + + + + + +Create a personal access token and store it as an environment variable: + +```shell +export UPBOUND_TOKEN="YOUR_API_TOKEN" +``` + + + + +#### Generate a kubeconfig for Upbound APIs + +Upbound APIs are Kubernetes-compatible. Generate a kubeconfig for the context you want to interact with: + +- [Generate a kubeconfig for a Space][generate-a-kubeconfig-for-a-space] +- [Generate a kubeconfig for a control plane in a Space][generate-a-kubeconfig-for-a-control-plane-in-a-space] + +Set the desired context path below depending on your use case. Generate a kubeconfig according to the token method you followed in the prior section. + + + + +1. Login to Upbound with the robot access token: + +```shell +up login -t $UPBOUND_TOKEN +``` + +2. Set your Upbound context: + +```shell +up ctx org/space/group/control-plane +up ctx . -f - > upbound-context.yaml +``` + + + + + +1. Login to Upbound: + +```shell +up login +``` + +2. Set your Upbound context: + +```shell +up ctx org/space/group/control-plane +up ctx . 
-f - > upbound-context.yaml +``` + + + + +Store the generated context as an environment variable: + +```shell +export CONTROLPLANE_CONFIG=upbound-context.yaml +``` + +#### Create secrets + +In the control plane where you've installed provider-kubernetes, store the tokens created in the earlier step as secrets: + +```shell +kubectl -n crossplane-system create secret generic cluster-config --from-file=kubeconfig=$CONTROLPLANE_CONFIG +kubectl -n crossplane-system create secret generic upbound-credentials --from-literal=token=$UPBOUND_TOKEN +``` + +#### Create a ProviderConfig + +```yaml +apiVersion: kubernetes.crossplane.io/v1alpha1 +kind: ProviderConfig +metadata: + name: default +spec: + credentials: + secretRef: + key: kubeconfig + name: cluster-config + namespace: crossplane-system + source: Secret + identity: + secretRef: + key: token + name: upbound-credentials + namespace: crossplane-system + source: Secret + type: UpboundTokens +``` + +### Kubernetes Injected Identity {#kubernetes-injected-identity} + +Use this method for a control plane to manage resources in itself using a `cluster-admin` role. 
+
+#### Create a ProviderConfig
+
+
+```yaml
+apiVersion: kubernetes.crossplane.io/v1alpha1
+kind: ProviderConfig
+metadata:
+ name: default
+spec:
+ credentials:
+ source: InjectedIdentity
+```
+
+#### Create a DeploymentRuntimeConfig
+
+```yaml
+apiVersion: pkg.crossplane.io/v1beta1
+kind: DeploymentRuntimeConfig
+metadata:
+ name: provider-kubernetes
+spec:
+ serviceAccountTemplate:
+ metadata:
+ name: provider-kubernetes
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: provider-kubernetes-cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: provider-kubernetes
+ namespace: crossplane-system
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+ apiGroup: rbac.authorization.k8s.io
+```
+
+Reference this DeploymentRuntimeConfig in the Provider:
+
+```yaml
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+ name: provider-kubernetes
+spec:
+ package: xpkg.upbound.io/upbound/provider-kubernetes:v0.16.0
+ runtimeConfigRef:
+ apiVersion: pkg.crossplane.io/v1beta1
+ kind: DeploymentRuntimeConfig
+ name: provider-kubernetes
+```
+
+[upbound-cloud-spaces]: /manuals/spaces/overview
+[aws-iam-console]: https://console.aws.amazon.com/iam
+[identity-providers-add-provider]: https://console.aws.amazon.com/iamv2/home#/identity_providers/create
+[aws-iam-role]: https://console.aws.amazon.com/iamv2/home#/roles
+[aws-account-id]: https://docs.aws.amazon.com/signin/latest/userguide/console_account-alias.html
+[download-your-aws-access-key]: https://aws.github.io/aws-sdk-go-v2/docs/getting-started/#get-your-aws-access-keys
+[aws-iam-role-chaining]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining
+[assumerolewithwebidentity]: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
+[iam-oidc-provider]: https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
+[trust-policy]:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#term_trust-policy
+[aws-instructions]: https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
+[aws-trust-policies-blog]: https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/
+[aws-iam-roles-for-service-accounts]: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
+[azure-portal]: https://portal.azure.com/
+[microsoft-entra-id]: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview
+[subscriptions]: https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade
+[microsoft-azure-service-principal-documentation]: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
+[gcp-iam-admin-console]: https://console.cloud.google.com/iam-admin/iam
+[workload-identity-federation]: https://console.cloud.google.com/iam-admin/workload-identity-pools
+[service-accounts]: https://console.cloud.google.com/iam-admin/serviceaccounts
+[download-your-gcp-service-account-key]: https://cloud.google.com/iam/docs/keys-create-delete#creating
+[token-for-a-service-account]: https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-oauth
+[gcloud-cli]: https://cloud.google.com/sdk/gcloud/reference/auth/print-access-token
+[provider-gcp-github-repository]: https://github.com/crossplane-contrib/provider-upjet-gcp/tree/main/examples/providerconfig
+[service-account-impersonation]: https://cloud.google.com/iam/docs/service-account-overview#impersonation
+[gcp-service-account]: https://cloud.google.com/iam/docs/service-account-overview
+[gcp-documentation-to-create-a-new-service-account]: https://cloud.google.com/iam/docs/service-accounts-create
+[gcp-iam-policy-binding]: https://cloud.google.com/sdk/gcloud/reference/projects/add-iam-policy-binding
+[gcp-iam-service-account-policy-binding]:
https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/add-iam-policy-binding
+[gcp-service-account-impersonation-documentation]: https://cloud.google.com/iam/docs/service-account-impersonation
+[workload-identity]: https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity
+[upbound-apis]: /manuals/spaces/howtos/self-hosted/gitops/#gitops-for-upbound-resources
+[jq-install]: https://jqlang.github.io/jq/download/
+[to-a-team]: /manuals/platform/concepts/identity-management/robots/#assign-a-robot-to-a-team
+[grant-the-team-a-role]: /manuals/platform/concepts/identity-management/teams/
+[generate-a-kubeconfig-for-a-space]: /manuals/spaces/howtos/self-hosted/gitops/#generate-a-kubeconfig-for-a-space
+[generate-a-kubeconfig-for-a-control-plane-in-a-space]: /manuals/spaces/howtos/self-hosted/gitops/#generate-a-kubeconfig-for-a-control-plane-in-a-space
diff --git a/docs/manuals/packages/providers/index.md b/docs/manuals/packages/providers/index.md
index 8360106bb..d44d86c3a 100644
--- a/docs/manuals/packages/providers/index.md
+++ b/docs/manuals/packages/providers/index.md
@@ -28,11 +28,44 @@ Upbound's Official Providers integrate with the Upbound platform to provide the
Upbound is continually adding new providers to the ever growing list of Official Providers. For a complete list of available Official providers, use [this query][this-query] in the Marketplace.
+### Major cloud providers
+
+| Provider | Marketplace Link | Description |
+|----------|------------------|-------------|
+| AWS | [marketplace.upbound.io/providers/upbound/provider-family-aws][marketplace-aws] | Official provider for Amazon Web Services with 1000+ managed resources across 60+ family providers |
+| Azure | [marketplace.upbound.io/providers/upbound/provider-family-azure][marketplace-azure] | Official provider for Microsoft Azure with 900+ managed resources across 40+ family providers |
+| GCP | [marketplace.upbound.io/providers/upbound/provider-family-gcp][marketplace-gcp] | Official provider for Google Cloud Platform with 500+ managed resources across 30+ family providers |
+
+### Platform providers
+
+| Provider | Marketplace Link | Description |
+|----------|------------------|-------------|
+| Kubernetes | [marketplace.upbound.io/providers/upbound/provider-kubernetes][marketplace-k8s] | Manage Kubernetes resources from Crossplane |
+| Helm | [marketplace.upbound.io/providers/upbound/provider-helm][marketplace-helm] | Deploy and manage Helm charts from Crossplane |
+| Terraform | [marketplace.upbound.io/providers/upbound/provider-terraform][marketplace-terraform] | Execute Terraform modules from Crossplane. See [migration guides][migration-guides-tf] for details. |
+
+## Release notes
+
+Release notes for all Official Providers are published on their respective [Upbound Marketplace][upbound-marketplace] listings.
Each provider listing includes:
+
+- Current and historical release notes
+- Version-specific changelogs
+- Installation instructions
+- API documentation
+
+## Authentication
+
+All Official Providers support multiple authentication methods to accommodate different deployment scenarios and security requirements.
+
+For detailed authentication configuration for each provider, see the [Provider
+Authentication guide][authentication-guide].
+
+## Access
+
+The latest versions of the Upbound Official Providers are available for use by anyone in the Crossplane community. For full access and use details, read the [policies page][policies-page] on access, support and more.
-
+[migration-guides-tf]: /manuals/packages/providers/provider-terraform/migrate-provider-tf/
+[authentication-guide]: /manuals/packages/providers/authentication/
[kcl]: /manuals/cli/howtos/compositions/kcl/
[python]: /manuals/cli/howtos/compositions/python/
[go]: /manuals/cli/howtos/compositions/go/
@@ -40,9 +73,13 @@ The latest versions of the Upbound Official Providers are available for use by a
[signed-by-upbound]: /manuals/packages/providers/signature-verification
[pull-an-official-provider]: /manuals/packages/policies
[policies-page]: /manuals/packages/policies
-
-
[upbound-marketplace]: https://marketplace.upbound.io/providers?tier=official
[provider-family-aws]: https://github.com/crossplane-contrib/provider-upjet-aws
[account-on-upbound]: https://www.upbound.io/register/?utm_source=docs&utm_medium=cta&utm_campaign=docs_providers
[this-query]: https://marketplace.upbound.io/providers?tier=official
+[marketplace-aws]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/latest
+[marketplace-azure]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/latest
+[marketplace-gcp]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/latest
+[marketplace-k8s]: https://marketplace.upbound.io/providers/upbound/provider-kubernetes/latest
+[marketplace-helm]: https://marketplace.upbound.io/providers/upbound/provider-helm/latest
+[marketplace-terraform]: https://marketplace.upbound.io/providers/upbound/provider-terraform/latest
diff --git a/docs/manuals/packages/providers/provider-aws/authentication.md b/docs/manuals/packages/providers/provider-aws/authentication.md
deleted file mode 100644
index dbec30a55..000000000
--- a/docs/manuals/packages/providers/provider-aws/authentication.md
+++ /dev/null
@@ -1,766 +0,0 @@ ---- -title: Authentication -sidebar_position: 1 -description: Authentication options with the Upbound AWS official provider ---- - -The Upbound Official AWS Provider supports multiple authentication methods. - -* [Upbound auth (OIDC)][upbound-auth-oidc] -* [AWS Access keys][aws-access-keys] -* [Assume role with web identity][assume-role-with-web-identity] -* [IAM roles for service accounts][iam-roles-for-service-accounts] with AWS managed Kubernetes. - -## Upbound auth (OIDC) -:::note -This method of authentication is only supported in control planes running on [Upbound Cloud Spaces][upbound-cloud-spaces] -::: - -When your control plane runs in an Upbound Cloud Space, you can use this authentication method. Upbound authentication uses OpenID Connect (OIDC) to authenticate to AWS without requiring you to store credentials in Upbound. - -### Add Upbound as an OpenID Connect provider - -1. Open the **[AWS IAM console][aws-iam-console]**. -2. Under the AWS IAM services, select **[Identity Providers > Add Provider][identity-providers-add-provider]**. -3. Select **OpenID Connect** and use - **https://proidc.upbound.io** as the Provider URL and - **sts.amazonaws.com** as the Audience. - Select **Get thumbprint**. - Select **Add provider**. - - -### Create an AWS IAM Role for Upbound - - -1. Create an [AWS IAM Role][aws-iam-role] with a **Custom trust policy** for the OIDC connector. -:::tip -Provide your [AWS account ID][aws-account-id], Upbound organization and control plane names in the JSON Policy below. - -You can find your AWS account ID by selecting the account dropdown in the upper right corner of the AWS console. 
-::: -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Federated": "arn:aws:iam::YOUR_AWS_ACCOUNT_ID:oidc-provider/proidc.upbound.io" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringEquals": { - "proidc.upbound.io:sub": "mcp:ORG_NAME/CONTROL_PLANE_NAME:provider:provider-aws", - "proidc.upbound.io:aud": "sts.amazonaws.com" - } - } - } - ] -} -``` -1. Attach the permission policies you want for the control plane assuming this role. -2. Name and create the role. -3. View the new role and copy the role ARN. - -### Create a ProviderConfig - -Create a -ProviderConfig to set the -provider authentication method to -Upbound. - -Supply the role ARN created in the previous section. -:::tip -To apply Upbound based authentication by default name the ProviderConfig -default. -::: - -
-```yaml -apiVersion: aws.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: default -spec: - credentials: - source: Upbound - upbound: - webIdentity: - roleARN: -``` -
- - -## AWS authentication keys - - -Using AWS access keys, or long-term IAM credentials, requires storing the AWS -keys as a Kubernetes secret. - -To create the Kubernetes secret create or -[download your AWS access key][download-your-aws-access-key] -ID and secret access key. - -The format of the text file is -```ini -[default] -aws_access_key_id = AKIAIOSFODNN7EXAMPLE -aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY -``` - -
- -Authentication keys with SSO - - -To generate authentication keys for SSO login, access your -organization's AWS SSO portal. - -Select "Command line or programmatic access" - -![AWS SSO screen highlighting the option command line or programmatic access](/img/aws-sso-screen.png) - -Expand "Option 2" and copy the provided AWS credentials. - -![AWS screen showing Option 2 credentials](/img/aws-auth-option2.png) - -Use this as the contents of the `aws-credentials.txt` file. - -Below is an example `aws-credentials.txt` file with SSO authentication. -```ini -[123456789_AdministratorAccess] -aws_access_key_id=ASIAZBZV2IPKEXAMPLEKEY -aws_secret_access_key=PPF/Wu9vTja98L5t/YNycbzEMEXAMPLEKEY -aws_session_token=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 -``` - - -:::tip -These credentials are only valid as long as your SSO session. When the -credentials expire Crossplane can't monitor or change AWS resources. -::: - -
- -### Create a Kubernetes secret - -Create the Kubernetes secret with -kubectl create secret generic. - - -For example, name the secret -aws-secret in the -crossplane-system namespace -and import the text file with the credentials -aws-credentials.txt and -assign them to the secret key -my-aws-secret. - - -
-```shell -kubectl create secret generic \ -aws-secret \ --n crossplane-system \ ---from-file=my-aws-secret=./aws-credentials.txt -``` -
- -To create a secret declaratively requires encoding the authentication keys as a -base-64 string. - - -Create a Secret object with -the data containing the secret -key name, my-aws-secret and the -base-64 encoded keys. - - -
-```yaml -apiVersion: v1 -kind: Secret -metadata: - name: aws-secret - namespace: crossplane-system -type: Opaque -data: - my-aws-secret: W2RlZmF1bHRdCmF3c19hY2Nlc3Nfa2V5X2lkID0gQUtJQUlPU0ZPRE5ON0VYQU1QTEUKYXdzX3NlY3JldF9hY2Nlc3Nfa2V5ID0gd0phbHJYVXRuRkVNSS9LN01ERU5HL2JQeFJmaUNZRVhBTVBMRUtFWQ== -``` -
- - -### Create a ProviderConfig - -Create a -ProviderConfig to set the -provider authentication method to -Secret. - -Create a secretRef with the -namespace, -name and -key of the secret. - -:::tip -To apply key based authentication by default name the ProviderConfig -default. -::: - -
-```yaml -apiVersion: aws.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: default -spec: - credentials: - source: Secret - secretRef: - namespace: crossplane-system - name: aws-secret - key: my-aws-secret -``` -
- -To selectively apply key based authentication name the ProviderConfig and apply -it when creating managed resources. - -For example, creating an ProviderConfig named -key-based-providerconfig. - -
-```yaml -apiVersion: aws.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: key-based-providerconfig -spec: - credentials: - source: Secret - secretRef: - namespace: crossplane-system - name: aws-secret - key: my-aws-secret -``` -
- -Apply the ProviderConfig to a -managed resource with a -providerConfigRef. - -
-```yaml -apiVersion: s3.aws.upbound.io/v1beta1 -kind: Bucket -metadata: - name: my-s3-bucket -spec: - forProvider: - region: us-east-2 - providerConfigRef: - name: key-based-providerconfig -``` -
- -### Role chaining - -To use -[AWS IAM role chaining][aws-iam-role-chaining] -add a -assumeRoleChain object to the -ProviderConfig. - -Inside the assumeRoleChain -list one or more roles to assume, in order. - -
-```yaml -apiVersion: aws.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: default -spec: - credentials: - source: Secret - secretRef: - namespace: crossplane-system - name: aws-secret - key: my-aws-secret - assumeRoleChain: - - roleARN: "arn:aws:iam::111122223333:role/my-custom-role" -``` -
- - -## WebIdentity - -When running the AWS Provider in an Amazon managed Kubernetes cluster (`EKS`) -the Provider may use -[AssumeRoleWithWebIdentity][assumerolewithwebidentity] -for authentication. - -WebIdentity uses an OpenID Connect ID token to authenticate and use a specific -AWS IAM role. - -:::tip -WebIdentity is only supported with Crossplane running in Amazon managed -Kubernetes clusters (`EKS`). -::: - -Configuring WebIdentity with the AWS Provider requires: -* an AWS -[IAM OIDC Provider][iam-oidc-provider] -* an AWS IAM Role with an editable [trust policy][trust-policy] -* a ProviderConfig to enable WebIdentity authentication - -### Create an IAM OIDC provider - -WebIdentity relies on the EKS cluster OIDC provider. - -Follow the [AWS instructions][aws-instructions] -to create an _IAM OIDC provider_ with your _EKS OIDC provider URL_. - -### Edit the IAM role - -Supporting WebIdentity requires matching the EKS OIDC information to the -specific role through a role trust policy. - -:::tip -Read the [AWS trust policies blog][aws-trust-policies-blog] -for more information on trust policies. -::: - -The trust policy references the OIDC provider ARN and the provider AWS service -account. - -In the policy Principal enter -"Federated": "<OIDC_PROVIDER_ARN>". - -Add a Condition to restrict -access to the role to only the Provider's service account. - -The Condition uses -StringLike to generically match -the Provider's service account. - - -
- -Why use a generic match? - -The token used for authentication includes the full name of the AWS Provider's -Kubernetes service account. - -The Provider's service account name ends in a hash. If the hash changes the -Condition doesn't match. - -
- -Enter the string (with quotation marks) -""<OIDC_PROVIDER_ARN>:sub": "system:serviceaccount:upbound-system:provider-aws-*". - -:::tip -Be sure to include `:sub` after the OIDC provider ARN. - -The `system:serviceaccount:` matches the namespace where the Provider pod runs. - -By default UXP uses `upbound-system` and Crossplane uses `crossplane-system`. -::: - -The following is a full example trust policy. -
-```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-2.amazonaws.com/id/5C64F628ACFB6A892CC25AF3B67124C5" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringLike": { - "oidc.eks.us-east-2.amazonaws.com/id/5C64F628ACFB6A892CC25AF3B67124C5:sub": "system:serviceaccount:crossplane-system:provider-aws-*" - } - } - } - ] -} -``` -
-
-### Create a ProviderConfig
-
-Create a
-ProviderConfig to set the
-provider authentication method to
-WebIdentity.
-
-:::tip
-To apply WebIdentity authentication by default name the ProviderConfig
-default.
-:::
-
-Apply the ARN of the role with the OIDC trust relationship as the
-roleARN field.
-
-```yaml -apiVersion: aws.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: default -spec: - credentials: - source: WebIdentity - webIdentity: - roleARN: "arn:aws:iam::111122223333:role/my-custom-role" -``` -
- -To selectively apply WebIdentity authentication name the ProviderConfig and -apply it when creating managed resources. - -For example, creating an ProviderConfig named -webid-providerconfig. - -
-```yaml -apiVersion: aws.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: webid-providerconfig -spec: - credentials: - source: WebIdentity - webIdentity: - roleARN: "arn:aws:iam::111122223333:role/my-custom-role" -``` -
- -Apply the ProviderConfig to a -managed resource with a -providerConfigRef. - -
-```yaml -apiVersion: s3.aws.upbound.io/v1beta1 -kind: Bucket -metadata: - name: my-s3-bucket -spec: - forProvider: - region: us-east-2 - providerConfigRef: - name: webid-providerconfig -``` -
- -### Role chaining - -To use -[AWS IAM role chaining][aws-iam-role-chaining-1] -add a -assumeRoleChain object to the -ProviderConfig. - -Inside the assumeRoleChain -list one or more roles to assume, in order. - -
-```yaml -apiVersion: aws.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: webid-providerconfig -spec: - credentials: - source: WebIdentity - webIdentity: - roleARN: "arn:aws:iam::111122223333:role/my-custom-role" - assumeRoleChain: - - roleARN: "arn:aws:iam::111122223333:role/my-assumed-role" -``` -
-
-## IAM roles for service accounts
-
-When running the AWS Provider in an Amazon managed Kubernetes cluster (`EKS`)
-the Provider may use
-[AWS IAM roles for service accounts][aws-iam-roles-for-service-accounts]
-(`IRSA`) for authentication.
-
-IRSA works by using an annotation on a Kubernetes ServiceAccount used by a Pod
-requesting AWS resources. The annotation matches an AWS IAM Role ARN configured
-with the desired permissions.
-
-Configuring IRSA with the AWS Provider requires:
-* an AWS
-[IAM OIDC Provider][iam-oidc-provider-2]
-* an AWS IAM Role with an editable [trust policy][trust-policy-3]
-* a DeploymentRuntimeConfig to add an annotation on the AWS Provider service account
-* a ProviderConfig to enable IRSA authentication
-
-### Create an IAM OIDC provider
-
-IRSA relies on the EKS cluster OIDC provider.
-
-Follow the [AWS instructions][aws-instructions-4]
-to create an _IAM OIDC provider_ with your _EKS OIDC provider URL_.
-
-### Edit the IAM role
-
-Supporting IRSA requires matching the EKS OIDC information to the specific role
-through a role trust policy.
-
-:::tip
-Read the [AWS trust policies blog][aws-trust-policies-blog-5]
-for more information on trust policies.
-:::
-
-The trust policy references the OIDC provider ARN and the provider AWS service
-account.
-
-In the policy Principal enter
-"Federated": "<OIDC_PROVIDER_ARN>".
-
-Add a Condition to restrict
-access to the role to only the Provider's service account.
-
-The Condition uses
-StringLike to generically match
-the Provider's service account.
-
- -Why use a generic match? - -The token used for authentication includes the full name of the AWS Provider's -Kubernetes service account. - -The Provider's service account name ends in a hash. If the hash changes the -Condition doesn't match. - -
- -Enter the string (with quotation marks) -""<OIDC_PROVIDER_ARN>:sub": "system:serviceaccount:upbound-system:provider-aws-*". - -:::tip -Be sure to include `:sub` after the OIDC provider ARN. - -The `system:serviceaccount:` matches the namespace where the Provider pod runs. - -By default UXP uses `upbound-system` and Crossplane uses `crossplane-system`. -::: - -The following is a full example trust policy. -
-```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Federated": "arn:aws:iam::622346257358:oidc-provider/oidc.eks.us-east-2.amazonaws.com/id/5C64F628ACFB6A892CC25AF3B67124C5" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringLike": { - "oidc.eks.us-east-2.amazonaws.com/id/5C64F628ACFB6A892CC25AF3B67124C5:sub": "system:serviceaccount:crossplane-system:provider-aws-*" - } - } - } - ] -} -``` -
- -### Create a DeploymentRuntimeConfig - -IRSA relies on an annotation on the service account attached to a pod to -identify the IAM role to use. - -Crossplane uses a DeploymentRuntimeConfig to apply settings to the provider, including -the provider service account. - -Create a DeploymentRuntimeConfig object to -apply a custom annotation to the provider service account. - -In the metadata create an -annotation with the key -eks.amazonaws.com/role-arn and the -value of the ARN of the AWS IAM role. - -The spec is empty. - -
-```yaml -apiVersion: pkg.crossplane.io/v1beta1 -kind: DeploymentRuntimeConfig -metadata: - name: irsa-runtimeconfig -spec: - serviceAccountTemplate: - metadata: - annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::622346257358:role/my-custom-role -``` -
- -### Apply the DeploymentRuntimeConfig - -Install or update the provider with a -runtimeConfigRef with the -name of the -DeploymentRuntimeConfig. - -
-```yaml -apiVersion: pkg.crossplane.io/v1 -kind: Provider -metadata: - name: provider-aws-s3 -spec: - package: xpkg.upbound.io/upbound/provider-aws-s3:v0.37.0 - runtimeConfigRef: - name: irsa-runtimeconfig -``` -
- -After the provider finishes installing verify Crossplane applied the -annotation -on the service account from the DeploymentRuntimeConfig. - -:::tip - -Kubernetes applies a unique hash to the end of the service account name. -Find the specific service account name with -`kubectl get sa -n crossplane-system` for Crossplane or -`kubectl get sa -n upbound-system` for UXP. - -::: - -```yaml {label="sa",copy-lines="1"} -kubectl describe sa -n crossplane-system provider-aws-s3-dbc7f981d81f -Name: provider-aws-s3-dbc7f981d81f -Namespace: crossplane-system -Labels: -Annotations: eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/my-custom-role -# Removed for brevity -``` - -Apply the `runtimeConfig` to each family provider using the same IAM role. - -### Create a ProviderConfig - -Create a -ProviderConfig to set the -provider authentication method to -IRSA. - -:::tip -To apply IRSA authentication by default name the ProviderConfig -default. -::: - -
-```yaml -apiVersion: aws.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: default -spec: - credentials: - source: IRSA -``` -
-To selectively apply IRSA authentication name the ProviderConfig and apply it -when creating managed resources. - -For example, creating an ProviderConfig named -irsa-providerconfig. - -
-```yaml -apiVersion: aws.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: irsa-providerconfig -spec: - credentials: - source: IRSA -``` -
- -Apply the ProviderConfig to a -managed resource with a -providerConfigRef. - -
-```yaml -apiVersion: s3.aws.upbound.io/v1beta1 -kind: Bucket -metadata: - name: my-s3-bucket -spec: - forProvider: - region: us-east-2 - providerConfigRef: - name: irsa-providerconfig -``` -
- -### Role chaining - -To use -[AWS IAM role chaining][aws-iam-role-chaining-6] -add a -assumeRoleChain object to the -ProviderConfig. - -Inside the assumeRoleChain -list one or more roles to assume, in order. - -
-```yaml -apiVersion: aws.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: irsa-providerconfig -spec: - credentials: - source: IRSA - assumeRoleChain: - - roleARN: "arn:aws:iam::111122223333:role/my-assumed-role" -``` -
-
-[upbound-auth-oidc]: /manuals/platform/howtos/oidc
-[upbound-cloud-spaces]: /manuals/spaces/overview
-
-
-[aws-access-keys]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
-[assume-role-with-web-identity]: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
-[iam-roles-for-service-accounts]: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
-[aws-iam-console]: https://console.aws.amazon.com/iam
-[identity-providers-add-provider]: https://console.aws.amazon.com/iamv2/home#/identity_providers/create
-[aws-iam-role]: https://console.aws.amazon.com/iamv2/home#/roles
-[aws-account-id]: https://docs.aws.amazon.com/signin/latest/userguide/console_account-alias.html
-[download-your-aws-access-key]: https://aws.github.io/aws-sdk-go-v2/docs/getting-started/#get-your-aws-access-keys
-[aws-iam-role-chaining]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining
-[assumerolewithwebidentity]: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
-[iam-oidc-provider]: https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
-[trust-policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#term_trust-policy
-[aws-instructions]: https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
-[aws-trust-policies-blog]: https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/
-[aws-iam-role-chaining-1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining
-[aws-iam-roles-for-service-accounts]: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
-[iam-oidc-provider-2]: https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
-[trust-policy-3]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#term_trust-policy
-[aws-instructions-4]: https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
-[aws-trust-policies-blog-5]: https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/
-[aws-iam-role-chaining-6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining
diff --git a/docs/manuals/packages/providers/provider-aws/index.md b/docs/manuals/packages/providers/provider-aws/index.md
deleted file mode 100644
index 2ec487b18..000000000
--- a/docs/manuals/packages/providers/provider-aws/index.md
+++ /dev/null
@@ -1,675 +0,0 @@
----
-title: Provider AWS
-sidebar_position: 1
-description: Release notes for the AWS official provider
----
-
-The below release notes are for the Upbound AWS official provider. These notes
-only contain noteworthy changes and you should refer to each release's GitHub
-release notes for full details.
-
-For more information on the release cadence and support protocol refer to the
-provider [support and maintenance][support-and-maintenance] page.
-
-
-
-:::important
- Beginning with `v1.21.0` and later, you need at least a `Team` subscription to pull a given Official Provider version. All prior versions are pullable without a subscription.
- If you're not subscribed to Upbound or have an `Individual` tier subscription, you can still always pull **the most recent provider version** using the `v1` tag.
- :::
-
-## v1.17.0
-
-_Released 2024-11-07_
-
-* Support for new resources: `JobQueue.batch.aws.upbound.io/v1beta1`
-and `ComputeEnvironment.batch.aws.upbound.io/v1beta1`
-* Upgraded the underlying Terraform provider version from `v5.68.0` to `5.73.0`
-* This release also introduces new resources, bug fixes, enhancements, and dependency updates.
-
-_Refer to the [v1.17.0 release notes][v1-17-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace]
-
-## v1.16.0
-
-_Released 2024-10-23_
-
-* This release introduces important bug fixes and dependency updates.
-
-_Refer to the [v1.16.0 release notes][v1-16-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-1]
-
-## v1.15.0
-
-_Released 2024-10-11_
-
-* Support for new resources: `Pipeline.osis.aws.upbound.io/v1beta1`
-and `Agent.bedrockagent.aws.upbound.io/v1beta1`
-* Upgraded the underlying Terraform provider version from `v5.58.0` to `v5.68.0`
-* This release also introduces new family providers, new resources, bug fixes, and dependency updates.
- -_Refer to the [v1.15.0 release notes][v1-15-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-2] - -## v1.14.0 - -_Released 2024-09-20_ - -* Support for new resources: `Region.account.aws.upbound.io/v1beta1` -and `GlobalReplicationGroup.elasticache.aws.upbound.io/v1beta1` -* This release introduces new resources, enhancements, and dependency updates. - -_Refer to the [v1.14.0 release notes][v1-14-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-3] - -## v1.13.1 - -_Released 2024-09-16_ - -* This release fixes the issue of hiding error messages. - -_Refer to the [v1.13.1 release notes][v1-13-1-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-4] - -## v1.13.0 - -_Released 2024-08-29_ - -* Support for new resources: `DirectoryBucket.s3.aws.upbound.io/v1beta1` -and `LBTrustStore.elbv2.aws.upbound.io/v1beta1` -* This release includes new resources and a bug fix. - -_Refer to the [v1.13.0 release notes][v1-13-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-5] - -## v1.12.0 - -_Released 2024-08-23_ - -* This release includes support for pod-identity, fixing pod crashes caused -by panic, some other bug fixes, enhancements, and dependency updates. - -_Refer to the [v1.12.0 release notes][v1-12-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-6] - -## v1.11.0 - -_Released 2024-08-08_ - -* Support for new resources: `AccessEntry.eks.aws.upbound.io/v1beta1`, -`AccessPolicyAssociation.eks.aws.upbound.io/v1beta1`, `ServerlessCache.elasticache.aws.upbound.io/v1beta1` -and `Fleet.ec2.aws.upbound.io/v1beta1` -* This release includes new resources, enhancements, and dependency updates. 
- -_Refer to the [v1.11.0 release notes][v1-11-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-7] - -## v1.10.0 - -_Released 2024-07-29_ - -* Update the AWS Terraform provider version to `v5.58.0` -* Support for a new resource: `Pipe.pipes.aws.upbound.io/v1beta1` -* This release includes a new resource, enhancements, and dependency updates. - -_Refer to the [v1.10.0 release notes][v1-10-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-8] - -## v1.9.1 - -_Released 2024-07-26_ - -* This release includes a bug fix. - -_Refer to the [v1.9.1 release notes][v1-9-1-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-9] - - -## v1.9.0 - -_Released 2024-07-11_ - -* Support for new resources: `Environment.mwaa.aws.upbound.io/v1beta1` and -`ResourcePolicy.dynamodb.aws.upbound.io/v1beta1` -* This release includes a new family provider `provider-aws-mwaa`, new resources, -enhancements, and dependency updates. - - -_Refer to the [v1.9.0 release notes][v1-9-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-10] - -## v1.8.0 - -_Released 2024-06-27_ - -* Support for new resources: `Domain.codeartifact.aws.upbound.io/v1beta1`, -`DomainPermissionsPolicy.codeartifact.aws.upbound.io/v1beta1`, `Repository.codeartifact.aws.upbound.io/v1beta1` -and `RepositoryPermissionsPolicy.codeartifact.aws.upbound.io/v1beta1` -* This release includes a new family provider `provider-aws-codeartifact`, new -resources, bug fixes, and dependency updates. 
- -_Refer to the [v1.8.0 release notes][v1-8-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-11] - -## v1.7.0 - -_Released 2024-06-13_ - -* This release includes converting singleton lists in the MR APIs to embedded objects, bug fixes, and dependency updates. - -_Refer to the [v1.7.0 release notes][v1-7-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-12] - -## v1.6.1 - -_Released 2024-06-13_ - -* This release includes an important bug fix, please select the release notes for more details. - -_Refer to the [v1.6.1 release notes][v1-6-1-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-13] - - -## v1.6.0 - -_Released 2024-06-07_ - -* Support for new resources: `Connector.v1beta1.transfer.aws.upbound.io`, -`ProfilingGroup.v1beta1.codeguruprofiler.aws.upbound.io` and `EndpointAccess.v1beta1.redshift.aws.upbound.io` -* This release includes a new family provider `provider-aws-codeguruprofiler`, new -resources, bug fixes, enhancements, and dependency updates. - -_Refer to the [v1.6.0 release notes][v1-6-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-14] - -## v1.5.0 - -_Released 2024-05-24_ - -* Update the AWS Terraform provider version to `v5.50.0` -* Support for new resource: `User.v1alpha1.mq.aws.upbound.io` -* This release includes a new resource, bug fixes, enhancements, and dependency updates. - -_Refer to the [v1.5.0 release notes][v1-5-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-15] - -## v1.4.0 - -_Released 2024-04-25_ - -* This release includes a new set of managed resource (MR) metrics, bug fixes, enhancements, and dependency updates. 
- -_Refer to the [v1.4.0 release notes][v1-4-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-16] - -## v1.3.1 - -_Released 2024-04-04_ - -* This release includes an important bug fix, please select the release notes for more details. - -_Refer to the [v1.3.1 release notes][v1-3-1-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-17] - -## v1.3.0 - -_Released 2024-03-28_ - -* The release introduces a new family provider `provider-aws-kafkaconnect`, new resources, bug fixes, and dependency updates. -* This release also introduces a credential cache for IRSA authentication, which reduces the number of AWS `STS` calls -the provider makes. -* Support for New Resources: `User.memorydb.aws.upbound.io/v1beta1`, `Connector.kafkaconnect.aws.upbound.io/v1beta1`, -`CustomPlugin.kafkaconnect.aws.upbound.io/v1beta1` and `WorkerConfiguration.kafkaconnect.aws.upbound.io/v1beta1` - -_Refer to the [v1.3.0 release notes][v1-3-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-18] - -## v1.2.1 - -_Released 2024-03-18_ - -* This release includes an important bug fix, please select the release notes for more details. - -_Refer to the [v1.2.1 release notes][v1-2-1-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-19] - -## v1.2.0 - -_Released 2024-03-14_ - -* Sets a default `io.Discard` logger for the controller-runtime if debug logging isn't enabled. -* Refactors AWS client configuration logic with a single path. -* This release includes some important bug fixes, and updates of dependencies, please select the release notes for more details. 
- -_Refer to the [v1.2.0 release notes][v1-2-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-20] - -## v0.47.4 - -_Released 2024-03-14_ - -* This release sets a default `io.Discard` logger for the controller-runtime if debug logging isn't enabled. - -_Refer to the [v0.47.4 release notes][v0-47-4-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-21] - -## v1.1.1 - -_Released 2024-03-07_ - -* This release includes two important bug fixes, please select the release notes for more details. - -_Refer to the [v1.1.1 release notes][v1-1-1-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-22] - -## v0.47.3 - -_Released 2024-03-07_ - -* This release includes two important bug fixes, please select the release notes for more details. - -_Refer to the [v0.47.3 release notes][v0-47-3-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-23] - -## v0.47.2 - -_Released 2024-02-16_ - -* This release includes some important bug fixes and dependency bumps, please select the release notes for more details. 
- -_Refer to the [v0.47.2 release notes][v0-47-2-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-24] - -## v1.1.0 - -_Released 2024-02-15_ - -* Support for new family provider: `provider-aws-opensearchserverless` -* Support for new resources: `StackSetInstance.cloudformation.aws.upbound.io/v1beta1`, `AccessPolicy.opensearchserverless.aws.upbound.io/v1beta1`, -`Collection.opensearchserverless.aws.upbound.io/v1beta1`, `LifecyclePolicy.opensearchserverless.aws.upbound.io/v1beta1`, -`SecurityConfig.opensearchserverless.aws.upbound.io/v1beta1`, `SecurityPolicy.opensearchserverless.aws.upbound.io/v1beta1`, -`VPCEndpoint.opensearchserverless.aws.upbound.io/v1beta1` -* The release introduces a new family provider, new resources, important bug fixes, dependency updates, and a new ProviderConfig API -for WebIdentity authentication. - -_Refer to the [v1.1.0 release notes][v1-1-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-25] - - -## v1.0.0 - -_Released 2024-02-01_ - -* Update the AWS Terraform provider version to v5.31.0 -* Support for new resource: `PodIdentityAssociation.eks.aws.upbound.io/v1beta1` -* This release brings support for generating multi-version Custom Resource Definitions (CRDs) and CRD conversion webhooks. -* The release contains some important bug fixes, support `v1beta2` for some resources, adding a new resource, and updates of dependencies. - -_Refer to the [v1.0.0 release notes][v1-0-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-26] - -## v0.47.1 - -_Released 2024-01-03_ - -* This release changes `assume_role_with_web_identity` provider configuration value from a map to a list as expected by the -corresponding Terraform provider schema and fixes some issues related to the `UserPoolClient.cognitoidp` resource. 
- -_Refer to the [v0.47.1 release notes][v0-47-1-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-27] - -## v0.46.2 - -_Released 2024-01-03_ - -* This release changes `assume_role_with_web_identity` provider configuration value from a map to a list as expected by the -corresponding Terraform provider schema and fixes some issues related to the `UserPoolClient.cognitoidp` resource. - -_Refer to the [v0.46.2 release notes][v0-46-2-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-28] - -## v0.47.0 - -_Released 2023-12-28_ - -* Support for new resource: `TopicRuleDestination.iot` and `Endpoint.sagemaker` -* The release contains some important bug fixes, adding new resources, and updates of dependencies. - -_Refer to the [v0.47.0 release notes][v0-47-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-29] - -## v0.46.1 - -_Released 2023-12-18_ - -* The release contains two important bug fixes, for more details please select the release notes. - -_Refer to the [v0.46.1 release notes][v0-46-1-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-30] - -## v0.46.0 - -_Released 2023-12-08_ - -* Support for new family provider: `provider-aws-identitystore` -* Support for new resources: `Group.identitystore`, `GroupMembership.identitystore`, `User.identitystore`, -`CustomerManagedPolicyAttachment.ssoadmin`, `InstanceAccessControlAttributes.ssoadmin` and `PermissionsBoundaryAttachment.ssoadmin` -* The release contains some bug fixes adding a new family provider, adding new resources, and updates of dependencies. 
- -_Refer to the [v0.46.0 release notes][v0-46-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-31] - -## v0.45.0 - -_Released 2023-11-30_ - -* Support for new resource: `LBListenerCertificate.elbv2` -* The release contains some bug fixes and updates of dependencies. - -_Refer to the [v0.45.0 release notes][v0-45-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-32] - -## v0.42.1 - -_Released 2023-12-30_ - -* This release backports the [PR][pr] addressing the [regression][regression] -related to IAM roles and role policy attachments introduced in version `0.40.0` - -_Refer to the [v0.42.1 release notes][v0-42-1-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-33] - -## v0.41.1 - -_Released 2023-12-30_ - -* This release backports the [PR][pr-34] addressing the [regression][regression-35] -related to IAM roles and role policy attachments introduced in version `0.40.0` - -_Refer to the [v0.41.1 release notes][v0-41-1-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-36] - -## v0.40.1 - -_Released 2023-12-30_ - -* This release backports the [PR][pr-37] addressing the [regression][regression-38] -related to IAM roles and role policy attachments introduced in version `0.40.0` - -_Refer to the [v0.40.1 release notes][v0-40-1-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-39] - -## v0.44.0 - -_Released 2023-11-16_ - -* In v0.44.0, the Upjet version upgraded to v1.0.0. This upgrade, brings a change with how interact with the underlying Terraform AWS provider. -Instead of interfacing with TF CLI, the new implementation consumes the Terraform provider's Go provider schema and invokes the CRUD functions registered -in that schema. 
-* The release contains some bug fixes and updates of dependencies. - -_Refer to the [v0.44.0 release notes][v0-44-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-40] - -## v0.43.1 - -_Released 2023-11-02_ - -* This release updates Crossplane Runtime to v1.14.1 which includes a fix in the retry mechanism while persisting the critical annotations. - -_Refer to the [v0.43.1 release notes][v0-43-1-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-41] - -## v0.43.0 - -_Released 2023-10-26_ - -* Support for new resource: `ServerlessCluster.kafka` -* The release contains some bug fixes and updates of dependencies. - -_Refer to the [v0.43.0 release notes][v0-43-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-42] - -## v0.42.0 - -_Released 2023-10-12_ - -* Support for new resources: `SecurityGroupEgressRule.ec2`, `SecurityGroupIngressRule.ec2` -* The release contains some bug fixes, updates of dependencies, and promoting granular management policies to Beta. - -_Refer to the [v0.42.0 release notes][v0-42-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-43] - -## v0.41.0 - -_Released 2023-09-29_ - -* Support for new family provider: `provider-aws-redshiftserverless` -* Support for new resources: `ScramSecretAssociation.kafka`, `JobDefinition.batch`, `EndpointAccess.redshiftserverless` -`RedshiftServerlessNamespace.redshiftserverless`, `ResourcePolicy.redshiftserverless`, -`Snapshot.redshiftserverless`, `UsageLimit.redshiftserverless` and `Workgroup.redshiftserverless` -* The release contains some bug fixes and configuring the default poll jitter for the controllers. 
- -_Refer to the [v0.41.0 release notes][v0-41-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-44] - -## v0.40.0 - -_Released 2023-08-31_ - -* Support for new resource: `RolePolicy.iam` -* The release contains the ability to define roles with `inline policy` -and `managed policy arn` in the Role.iam resource and some bug fixes. - -_Refer to the [v0.40.0 release notes][v0-40-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-45] - -## v0.39.0 - -_Released 2023-08-23_ - -* Support for new resources: `PrincipalAssociation.ram` and `ResourceShareAccepter.ram` -* The release contains some important bug fixes to the granular -management policies and a fix in the reconciliation logic of the Upjet runtime. -* Updated Terraform CLI to 1.5.5 to address CVEs in previous Terraform versions. - -_Refer to the [v0.39.0 release notes][v0-39-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-46] - -## v0.38.0 - -_Released 2023-08-01_ - -* This release adds support for the `spec.initProvider` API and for the granular management -policies alpha feature. -* Bug fixes and enhancements. - -_Refer to the [v0.38.0 release notes][v0-38-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-47] - -## v0.37.0 - -_Released 2023-06-27_ - -* ⚠️ The family providers now require Crossplane version v1.12.1 or later. -* Support for new resources: `datasync` and `route53_zone_association`. -* Bug fixes and enhancements - -_Refer to the [v0.37.0 release notes][v0-37-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-48] - -## v0.36.0 - -_Released 2023-06-13_ - -* This release introduces the new [provider families architecture][provider-families-architecture] for -the Upbound official AWS provider. 
-* Bug fixes and enhancements. - -_Refer to the [v0.36.0 release notes][v0-36-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-49] - -## v0.35.0 - -_Released 2023-05-15_ - -* Update the AWS Terraform provider version to v4.66.0 -* Adds [LocalStack][localstack] support for testing. -* Various bug fixes and enhancements. - -_Refer to the [v0.35.0 release notes][v0-35-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-50] - - - - -[support-and-maintenance]: /reference/usage/support -[provider-families-architecture]: /manuals/packages/providers/provider-families -[v1-17-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.17.0 -[upbound-marketplace]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.17.0 -[v1-16-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.16.0 -[upbound-marketplace-1]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.16.0 -[v1-15-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.15.0 -[upbound-marketplace-2]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.15.0 -[v1-14-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.14.0 -[upbound-marketplace-3]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.14.0 -[v1-13-1-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.13.1 -[upbound-marketplace-4]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.13.1 -[v1-13-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.13.0 -[upbound-marketplace-5]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.13.0 -[v1-12-0-release-notes]: 
https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.12.0 -[upbound-marketplace-6]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.12.0 -[v1-11-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.11.0 -[upbound-marketplace-7]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.11.0 -[v1-10-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.10.0 -[upbound-marketplace-8]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.10.0 -[v1-9-1-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.9.1 -[upbound-marketplace-9]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.9.1 -[v1-9-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.9.0 -[upbound-marketplace-10]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.9.0 -[v1-8-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.8.0 -[upbound-marketplace-11]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.8.0 -[v1-7-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.7.0 -[upbound-marketplace-12]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.7.0 -[v1-6-1-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.6.1 -[upbound-marketplace-13]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.6.1 -[v1-6-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.6.0 -[upbound-marketplace-14]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.6.0 -[v1-5-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.5.0 -[upbound-marketplace-15]: 
https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.5.0 -[v1-4-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.4.0 -[upbound-marketplace-16]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.4.0 -[v1-3-1-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.3.1 -[upbound-marketplace-17]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.3.1 -[v1-3-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.3.0 -[upbound-marketplace-18]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.3.0 -[v1-2-1-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.2.1 -[upbound-marketplace-19]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.2.1 -[v1-2-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.2.0 -[upbound-marketplace-20]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.2.0 -[v0-47-4-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v0.47.4 -[upbound-marketplace-21]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.47.4 -[v1-1-1-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v1.1.1 -[upbound-marketplace-22]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.1.1 -[v0-47-3-release-notes]: https://github.com/crossplane-contrib/provider-upjet-aws/releases/tag/v0.47.3 -[upbound-marketplace-23]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.47.3 -[v0-47-2-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.47.2 -[upbound-marketplace-24]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.47.2 -[v1-1-0-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v1.1.0 
-[upbound-marketplace-25]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.1.0 -[v1-0-0-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v1.0.0 -[upbound-marketplace-26]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v1.0.0 -[v0-47-1-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.47.1 -[upbound-marketplace-27]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.47.1 -[v0-46-2-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.46.2 -[upbound-marketplace-28]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.46.2 -[v0-47-0-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.47.0 -[upbound-marketplace-29]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.47.0 -[v0-46-1-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.46.1 -[upbound-marketplace-30]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.46.1 -[v0-46-0-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.46.0 -[upbound-marketplace-31]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.46.0 -[v0-45-0-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.45.0 -[upbound-marketplace-32]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.45.0 -[pr]: https://github.com/upbound/provider-aws/pull/933 -[regression]: https://github.com/upbound/provider-aws/issues/929 -[v0-42-1-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.42.1 -[upbound-marketplace-33]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.42.1 -[pr-34]: https://github.com/upbound/provider-aws/pull/933 -[regression-35]: https://github.com/upbound/provider-aws/issues/929 -[v0-41-1-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.41.1 -[upbound-marketplace-36]: 
https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.41.1 -[pr-37]: https://github.com/upbound/provider-aws/pull/933 -[regression-38]: https://github.com/upbound/provider-aws/issues/929 -[v0-40-1-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.40.1 -[upbound-marketplace-39]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.40.1 -[v0-44-0-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.44.0 -[upbound-marketplace-40]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.44.0 -[v0-43-1-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.43.1 -[upbound-marketplace-41]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.43.1 -[v0-43-0-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.43.0 -[upbound-marketplace-42]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.43.0 -[v0-42-0-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.42.0 -[upbound-marketplace-43]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.42.0 -[v0-41-0-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.41.0 -[upbound-marketplace-44]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.41.0 -[v0-40-0-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.40.0 -[upbound-marketplace-45]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.40.0 -[v0-39-0-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.39.0 -[upbound-marketplace-46]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.39.0 -[v0-38-0-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.38.0 -[upbound-marketplace-47]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.38.0 -[v0-37-0-release-notes]: 
https://github.com/upbound/provider-aws/releases/tag/v0.37.0 -[upbound-marketplace-48]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.37.0 -[v0-36-0-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.36.0 -[upbound-marketplace-49]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.36.0 -[localstack]: https://localstack.cloud/ -[v0-35-0-release-notes]: https://github.com/upbound/provider-aws/releases/tag/v0.35.0 -[upbound-marketplace-50]: https://marketplace.upbound.io/providers/upbound/provider-family-aws/v0.35.0 diff --git a/docs/manuals/packages/providers/provider-azure/authentication.md b/docs/manuals/packages/providers/provider-azure/authentication.md deleted file mode 100644 index d4d57761c..000000000 --- a/docs/manuals/packages/providers/provider-azure/authentication.md +++ /dev/null 
@@ -1,504 +0,0 @@ ---- -title: Authentication -sidebar_position: 1 -description: Authentication options with the Upbound Azure official provider ---- - -The Upbound Official Azure Provider supports multiple authentication methods. - -* [Upbound auth (OIDC)][upbound-auth-oidc] -* [Service principal with Kubernetes secret][service-principal-with-kubernetes-secret] -* [System-assigned managed identity][system-assigned-managed-identity] -* [User-assigned managed identity][user-assigned-managed-identity] - -## Upbound auth (OIDC) - -:::note -This method of authentication is only supported in control planes running on [Upbound Cloud Spaces][upbound-cloud-spaces] -::: - -When your control plane runs in an Upbound Cloud Space, you can use this authentication method. Upbound authentication uses OpenID Connect (OIDC) to authenticate to Azure without requiring you to store credentials in Upbound. - -### Create an identity pool -1. Open the **[Azure portal][azure-portal]**. -2. Select **[Microsoft Entra ID][microsoft-entra-id]**. -3. If this is your first time registering Upbound as an identity provider in Microsoft Entra ID, select **App registrations** -4. At the top of the page, select **New registration**. -5. Name the pool, like **upbound-oidc-provider**. -6. In the _Supported account types_ section select **Accounts in this organizational directory only**. -7. In the _Redirect URI_ section select **Web** and leave the URL field blank. -8. Select **Register**. - -### Create a federated credential - -To allow the `upbound-oidc-provider` registration created in the previous step to trust your control plane in Upbound, do the following in the resource view. - -1. Select **Certificates and secrets** in the left navigation. -2. Select **Federated credentials** tab. -3. Select **Add credential**. -4. In _Federated credential scenario_ select **Other Issuer**. -5. In _Issuer_ enter **https://proidc.upbound.io**. -6. 
In _Subject identifier_ enter: - -```yaml -mcp:/:provider:provider-azure -``` - -7. In _Credential details name_ enter: - -```yaml -upbound---provider-azure -``` - -8. In _Credential details description_ enter: - -```yaml -upbound MCP / Provider provider-azure -``` - -9. Leave _Audience_ unmodified with **api://AzureADTokenExchange**. -10. Select **Add**. - -### Grant permissions to the service principal - -For your control plane to be able to perform actions required by this configuration, you need to grant permissions to the Application Service Principal. Assign a role to the Application Service Principal by following instructions at Assign a role to the application. - -1. Open the **[Azure portal][azure-portal-1]** -2. Select **[Subscriptions][subscriptions]**. -3. Select your subscription. -4. Select **Access control (IAM)** in the left navigation. -5. Select **Add** and select **Add role assignment**. -6. Find and select the **Contributor** role on the **Privileged administrator roles** tab. -7. Select **Next**. -8. In _Assign access to_ select **User, group, or service principal**. -9. Select **Select members**. -10. Find your application by entering **upbound-oidc-provider** in the search field. -11. Select **Select**. -12. Select **Review + assign**. -13. Make sure everything is correct and press **Review + assign** again. - -### Create a ProviderConfig - -Create a ProviderConfig to set -the provider authentication method to Upbound. - - -Supply the Application (client) ID, Directory (tenant) ID, and Subscription ID found in the previous section. - -:::tip -To apply Upbound based authentication by default name the ProviderConfig -default. -::: - -
-```yaml -apiVersion: azure.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: default -spec: - credentials: - source: Upbound - clientID: - tenantID: - subscriptionID: -``` -
-## Service principal with Kubernetes secret - -A service principal is an application within the Azure Active Directory that -passes `client_id`, `client_secret`, and `tenant_id` authentication -tokens to create and manage Azure resources. As an alternative, it can also authenticate -with a `client_certificate` instead of a `client_secret` - -### Create a service principal with client secret credentials using the Azure CLI tool - -:::tip -If you don't have the Azure CLI, use the [install guide][install-guide] -::: - -First, find the Subscription ID for your Azure account. - -```shell -az account list -``` - -Note the value of the `id` in the return output. - -Next, create a service principle `Owner` role. Update the `` -with the `id` from the previous command. - -```shell -az ad sp create-for-rbac --sdk-auth --role Owner --scopes /subscriptions/ \ - > azure.json -``` - -The `azure.json` file in the preceding command contains the client ID, secret, and -tenant ID of your subscription. - - -Next, use `kubectl` to associate your Azure credentials file with a generic -Kubernetes secret. - -```shell -kubectl create secret generic azure-secret -n upbound-system --from-file=creds=./azure.json -``` - -### Create a service principal with client certificate credentials using the Azure CLI tool -You can create Azure service principals with a client certificate instead of a client secret as credentials. -When creating the service principal, Azure CLI provides the options to generate client certificate -automatically or set your own custom certificate. 
- -#### Create a service principal with a generated client certificate: -The following command creates a service principal with your custom certificate -```shell -# set your subscription ID -AZ_SUBSCRIPTION_ID="11111111-1111-1111-1111-1111111111111" -az ad sp create-for-rbac --sdk-auth \ - --role Owner \ - --scopes /subscriptions/"${AZ_SUBSCRIPTION_ID}" \ - --create-cert > azure_credentials.json -``` -The `azure_credentials.json` file in the preceding command contains: -- the client ID, -- the path of the generated client certificate file in your local machine -- tenant ID of your subscription - -It looks like the following: -```json -{ - "clientId": "1111111-2222-3333-4444-555555555555", - "clientCertificate": "/path/to/generatedcert.pem", - "subscriptionId": "22222222-3333-4444-5555-666666666666", - "tenantId": "33333333-4444-5555-6666-777777777777", - "activeDirectoryEndpointUrl": "https://login.microsoftonline.com", - "resourceManagerEndpointUrl": "https://management.azure.com/", - "activeDirectoryGraphResourceId": "https://graph.windows.net/", - "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/", - "galleryEndpointUrl": "https://gallery.azure.com/", - "managementEndpointUrl": "https://management.core.windows.net/" -} -``` -The generated certificate looks like the following: -``` ------BEGIN PRIVATE KEY----- -... ------END PRIVATE KEY----- ------BEGIN CERTIFICATE----- -... ------END CERTIFICATE----- -``` - -To use this configuration with the Upbound Azure Provider, you should replace `clientCertificate` -field with the certificate content. You should first convert the certificate to `PKCS12` format, -then encode it with `base64`. 
- -```shell -# extract the path of the generated PEM certificate -AZ_CLIENT_CERT_PEM_PATH="$(jq -r '.clientCertificate' azure_credentials.json)" - -# convert PEM to PKCS12 using openssl tool -openssl pkcs12 -export \ - -out azure_sp_cert.pkcs12 \ - -in "${AZ_CLIENT_CERT_PEM_PATH}" \ - -inkey "${AZ_CLIENT_CERT_PEM_PATH}" \ - -passout pass: - -# encode the certificate -base64 -i azure_sp_cert.pkcs12 | tr -d '\n' > azure_sp_cert_pkcs12_base64encoded - -# replace clientCertificate field in azure_credentials.json with base64-encoded certificate content -jq --rawfile certcontent azure_sp_cert_pkcs12_base64encoded \ - '.clientCertificate=$certcontent' azure_credentials.json > azure_credentials_withcert.json -``` -The preceding command snippet should generate the file `azure_credentials_withcert.json` that looks like following: -```json -{ - "clientId": "1111111-2222-3333-4444-555555555555", - "clientCertificate": "XXXXX......XXX", - "subscriptionId": "22222222-3333-4444-5555-666666666666", - "tenantId": "33333333-4444-5555-6666-777777777777", - "activeDirectoryEndpointUrl": "https://login.microsoftonline.com", - "resourceManagerEndpointUrl": "https://management.azure.com/", - "activeDirectoryGraphResourceId": "https://graph.windows.net/", - "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/", - "galleryEndpointUrl": "https://gallery.azure.com/", - "managementEndpointUrl": "https://management.core.windows.net/" -} -``` -Next, use `kubectl` to associate your Azure credentials file with a generic -Kubernetes secret. - -```shell -kubectl create secret generic azure-secret -n upbound-system --from-file=creds=./azure_credentials_withcert.json -``` - - -#### Create a service principal with your own client certificate: -Azure service principals accept custom certificates in an `ASCII` format such as `PEM`, `CER`, or `DER`. -When using a certificate with `PEM` format, the certificate file should include both the certificate and private key appended. 
-See [Microsoft Azure Service Principal Documentation][microsoft-azure-service-principal-documentation] -for reference - -The following command creates a service principal with your custom certificate. You can choose one of the options. -First option lets you specify cert from a file, the second option lets you directly specify the cert content as a string. - -```shell -# option 1 - load cert from file -az ad sp create-for-rbac --sdk-auth \ - --role Owner \ - --scopes /subscriptions/"${AZ_SUBSCRIPTION_ID}" \ - --cert @/path/to/yourcert.pem > azure_credentials.json - -# option 2 - set cert directly from string -az ad sp create-for-rbac --sdk-auth \ - --role Owner \ - --scopes /subscriptions/"${AZ_SUBSCRIPTION_ID}" \ - --cert "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----" > azure_credentials.json -``` - -The preceding command generates the `azure_credentials.json` file, which has the following content. -Since you used a custom certificate, note that `clientCertificate` is `null` in the output. - -```json -{ - "clientId": "1111111-2222-3333-4444-555555555555", - "clientCertificate": null, - "subscriptionId": "22222222-3333-4444-5555-666666666666", - "tenantId": "33333333-4444-5555-6666-777777777777", - "activeDirectoryEndpointUrl": "https://login.microsoftonline.com", - "resourceManagerEndpointUrl": "https://management.azure.com/", - "activeDirectoryGraphResourceId": "https://graph.windows.net/", - "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/", - "galleryEndpointUrl": "https://gallery.azure.com/", - "managementEndpointUrl": "https://management.core.windows.net/" -} -``` -Upbound Azure Provider accepts certificates in base64-encoded `PKCS12` format. -Convert your certificate to `PKCS12` format, then encode it with `base64` for provider usage. 
-Add the resulting string to the `clientCertificate` field of `azure_credentials.json` - -In the snippet below, you can find example commands for `PEM` certificate to `PKCS12` conversion using `openssl`. -If your certificate is in other formats than `PEM`, you can convert it to PEM, then use -following commands for `PKCS12` conversion. -Other alternative conversions are out-of-scope for this document and left to the user. -If you already have your certificate in `PKCS12` format, you can skip the conversion and move to `base64` encode step. -```shell -# convert PEM to PKCS12 using openssl tool -openssl pkcs12 -export \ - -out azure_sp_cert.pkcs12 \ - -in "/path/to/your/cert.pem" \ - -inkey "/path/to/your/key.pem" \ - -passout pass: - -# encode -base64 -i azure_sp_cert.pkcs12 | tr -d '\n' > azure_sp_cert_pkcs12_base64encoded - -# replace clientCertificate field in azure_credentials.json with base64-encoded certificate content -jq --rawfile certcontent azure_sp_cert_pkcs12_base64encoded \ - '.clientCertificate=$certcontent' azure_credentials.json > azure_credentials_withcert.json -``` - -The preceding command snippet should generate the file `azure_credentials_withcert.json` -that looks like the following: - -If you have a password-protected PKCS12 certificate, you should also set `clientCertificatePassword` -field in the `azure_credentials_withcert.json`, if not you can omit. 
-```json -{ - "clientId": "1111111-2222-3333-4444-555555555555", - "clientCertificate": "XXXXX......XXX", - "clientCertificatePassword": "YourClientCertificatePassword", - "subscriptionId": "22222222-3333-4444-5555-666666666666", - "tenantId": "33333333-4444-5555-6666-777777777777", - "activeDirectoryEndpointUrl": "https://login.microsoftonline.com", - "resourceManagerEndpointUrl": "https://management.azure.com/", - "activeDirectoryGraphResourceId": "https://graph.windows.net/", - "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/", - "galleryEndpointUrl": "https://gallery.azure.com/", - "managementEndpointUrl": "https://management.core.windows.net/" -} -``` - -Use `kubectl` to associate your Azure credentials file with a generic -Kubernetes secret. - -```shell -kubectl create secret generic azure-secret -n upbound-system --from-file=creds=./azure_credentials_withcert.json -``` - -## Configure your provider - -Apply these changes to your `ProviderConfig` file. - -```yaml {label="secretPC", copy-lines="5-11"} -apiVersion: azure.upbound.io/v1beta1 -metadata: - name: default -kind: ProviderConfig -spec: - credentials: - source: Secret - secretRef: - namespace: upbound-system - name: azure-secret - key: creds -``` - -Your credential `source` must be `Secret` and you must specify the namespace, -name, and key if you used different values. - -Apply your configuration. - -## System-assigned managed identity - -The system-assigned managed identity allows you to associate the provider with -your -Azure Kubernetes Service (`AKS`) cluster automatically without manually -managing credentials. - -### Create a system-assigned managed identity - -A system-assigned managed identity is automatically created when you create -an AKS cluster. This section covers creating a new identity in a new cluster. - -Create a resource group. 
- -```shell -az group create --name myResourceGroup --location westus2 -``` - -Create an AKS cluster with the `--enable-managed-identity` flag. - -```shell -az aks create -g myResourceGroup -n myManagedCluster --enable-managed-identity -``` - -Use the `aks get-credentials` command to generate the kubeconfig file -for your AKS cluster. This file contains the authentication and connection -information for your cluster. - -```shell -az aks get-credentials --resource-group myResourceGroup --name myManagedCluster -``` - -To switch from a service principal to a system-assigned managed identity, -use the `aks update` command. - -```shell -az aks update -g myResourceGroup -n myManagedCluster --enable-managed-identity -``` - -### Configure your provider - -In your provider configuration, update the `source`, `subscriptionID`, and -`tenantID` in the `credentials` field. - -```yaml {label="sysPC", copy-lines="7-9"} -apiVersion: azure.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: default -spec: - credentials: - source: SystemAssignedManagedIdentity - subscriptionID: - tenantID: -``` - -## User-assigned managed identity - -User-assigned managed identities exist independent of any other Azure -resource, unlike system-assigned managed identities. If your organization -needs to use a single identity across multiple resources, this option allows you to create one authentication identity with fixed permissions. - -:::note - -You must use the user-assigned managed identity as the `kubelet` identity of your -AKS cluster. -::: - -First, create a new control plane identity with the Azure CLI. Update -`` with a name for your new managed identity. 
- -```shell -az identity create --name --resource-group -``` - -Your output should return the following fields: - -```json -{ - "clientId": "", - "clientSecretUrl": "", - "id": "/subscriptions//resourcegroups/", - "location": "", - "name": "", - "principalId": "", - "resourceGroup": "", - "tags": {}, - "tenantId": "", - "type": "Microsoft.ManagedIdentity/userAssignedIdentities" -} -``` - -Capture the `id` field output as your control plane identity. - -Next, create a `kubelet` managed identity. - -```shell -az identity create --name --resource-group -``` - -Capture the `id` field output as your `kubelet` identity. - -Next, create an AKS cluster with the identities you created in the preceding -command. - -```shell -az aks create \ - --resource-group \ - --name \ - --network-plugin azure \ - --vnet-subnet-id \ - --docker-bridge-address \ - --dns-service-ip \ - --service-cidr \ - --enable-managed-identity \ - --assign-identity \ - --assign-kubelet-identity -``` - -### Configure your provider - -In your provider configuration, update the `source`, `subscriptionID`, and -`tenantID` in the `credentials` field. Update the `clientID` field with the -user-assigned managed identity you used as the `kubelet` identity. 
- -```yaml {label="userPC", copy-lines="7-10"} -apiVersion: azure.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: default -spec: - credentials: - source: UserAssignedManagedIdentity - clientID: - subscriptionID: - tenantID: -``` - -[upbound-auth-oidc]: /manuals/platform/howtos/oidc -[upbound-cloud-spaces]: /manuals/spaces/overview - - -[service-principal-with-kubernetes-secret]: https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals?tabs=browser#service-principal-object -[system-assigned-managed-identity]: https://learn.microsoft.com/en-us/azure/aks/use-managed-identity#enable-managed-identities-on-an-existing-aks-cluster -[user-assigned-managed-identity]: https://learn.microsoft.com/en-us/azure/aks/use-managed-identity#bring-your-own-managed-identity -[azure-portal]: https://portal.azure.com/ -[microsoft-entra-id]: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview -[azure-portal-1]: https://portal.azure.com/ -[subscriptions]: https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade -[install-guide]: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli -[microsoft-azure-service-principal-documentation]: https://learn.microsoft.com/en-us/cli/azure/azure-cli-sp-tutorial-3#create-a-service-principal-using-an-existing-certificate diff --git a/docs/manuals/packages/providers/provider-azure/index.md b/docs/manuals/packages/providers/provider-azure/index.md deleted file mode 100644 index 1e20999af..000000000 --- a/docs/manuals/packages/providers/provider-azure/index.md +++ /dev/null 
@@ -1,419 +0,0 @@
----
-title: Provider Azure
-sidebar_position: 1
-description: Release notes for the Azure official provider
----
-
-The below release notes are for the Upbound Azure official provider. These notes
-only contain noteworthy changes and you should refer to each release's GitHub
-release notes for full details.
-
-For more information on the release cadence and support protocol refer to the
-provider [support and maintenance][support-and-maintenance] page.
-
-:::important
-Beginning with `v1.21.0` and later, you need at least a `Team` subscription to pull a given Official Provider version. All prior versions are pullable without a subscription.
-If you're not subscribed to Upbound or have an `Individual` tier subscription, you can still always pull **the most recent provider version** using the `v1` tag.
-:::
-
-
-## v1.9.0
-
-_Released 2024-11-21_
-
-* Support for new resources: `PrivateDNSResolverOutboundEndpoint.network.azure.upbound.io/v1beta1`
-and `TrustedAccessRoleBinding.authorization.azure.upbound.io/v1beta1`
-* This release introduces new resources, bug fixes, enhancements, and dependency updates.
-
-_Refer to the [v1.9.0 release notes][v1-9-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace]
-
-## v1.8.0
-
-_Released 2024-11-07_
-
-* Support for new resources: `PrivateDNSResolverInboundEndpoint.network.azure.upbound.io/v1beta1`,
-`RedisCacheAccessPolicy.cache.azure.upbound.io/v1beta1` and `RedisCacheAccessPolicyAssignment.cache.azure.upbound.io/v1beta1`
-* Upgraded the underlying Terraform provider version from `v3.110.0` to `v3.116.0`
-* This release also introduces new resources, bug fixes, enhancements, and dependency updates.
-
-_Refer to the [v1.8.0 release notes][v1-8-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-1]
-
-## v1.7.0
-
-_Released 2024-10-04_
-
-* Support for new resources: `CustomDomain.containerapp.azure.upbound.io/v1beta1`,
-`EnvironmentCertificate.containerapp.azure.upbound.io/v1beta1`, `EnvironmentCustomDomain.containerapp.azure.upbound.io/v1beta1`,
-`EnvironmentDaprComponent.containerapp.azure.upbound.io/v1beta1`, `EnvironmentStorage.containerapp.azure.upbound.io/v1beta1`
-and `BackupInstanceKubernetesCluster.dataprotection.azure.upbound.io/v1beta1`
-* Upgraded the underlying Terraform provider version from `v3.95.0` to `v3.110.0`
-* This release also introduces new resources, enhancements, and dependency updates.
-
-_Refer to the [v1.7.0 release notes][v1-7-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-2]
-
-## v1.6.1
-
-_Released 2024-09-25_
-
-* This release introduces the fix to the issues of the StorageAccount resource.
-
-_Refer to the [v1.6.1 release notes][v1-6-1-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-3]
-
-## v1.6.0
-
-_Released 2024-09-20_
-
-* Support for new resources: `KubernetesClusterExtension.containerservice.azure.upbound.io/v1beta1`
-and `BackupPolicyKubernetesCluster.dataprotection.azure.upbound.io/v1beta1`
-* This release introduces new resources enhancements, and dependency updates.
-
-_Refer to the [v1.6.0 release notes][v1-6-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-4]
-
-## v1.5.1
-
-_Released 2024-09-16_
-
-* This release fixes the issue of hiding error messages.
-
-_Refer to the [v1.5.1 release notes][v1-5-1-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-5]
-
-## v1.5.0
-
-_Released 2024-08-23_
-
-* Support for a new resource: `StorageDefender.security.azure.upbound.io/v1beta1`
-* This release includes a new resource, bug fixes, enhancements, and dependency updates.
-
-_Refer to the [v1.5.0 release notes][v1-5-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-6]
-
-## v1.4.0
-
-_Released 2024-07-04_
-
-* Support for a new resource: `BastionHost.network.azure.upbound.io/v1beta1`
-* This release includes a new resource, bug fixes, and dependency updates.
-
-_Refer to the [v1.4.0 release notes][v1-4-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-7]
-
-## v1.3.0
-
-_Released 2024-06-13_
-
-* Support for new resources: `PimActiveRoleAssignment.authorization.azure.upbound.io/v1beta1`
-and `PimEligibleRoleAssignment.authorization.azure.upbound.io/v1beta1`
-* This release includes new resources, bug fixes, enhancements,
-and dependency updates.
-
-_Refer to the [v1.3.0 release notes][v1-3-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-8]
-
-## v1.2.0
-
-_Released 2024-05-22_
-
-* Support for new resource: `VirtualMachineRunCommand.compute`
-* This release includes converting singleton lists in the MR APIs to embedded objects
-, a new resource, bug fixes, and dependency updates.
-
-_Refer to the [v1.2.0 release notes][v1-2-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-9]
-
-## v1.1.0
-
-_Released 2024-04-25_
-
-* Support for new resource: `Deployment.cognitiveservices.azure.upbound.io/v1beta1`
-* This release includes a new set of managed resource (MR) metrics, a new resource, bug fixes, enhancements, and dependency updates.
-
-_Refer to the [v1.1.0 release notes][v1-1-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-10]
-
-## v1.0.1
-
-_Released 2024-04-04_
-
-* Sets the Azure partner tracking `GUID` to `a9cee75d-8f11-42e4-bc19-953757f4ea3c` in the requests that the provider makes.
-* Adds two words to the `UserAgent` header: the provider name/version such as `crossplane-provider-upjet-azure/v1.0.1` and the
-`CPU` architecture and operating system name the provider is running on, such as `(arm64-darwin)`
-
-_Refer to the [v1.0.1 release notes][v1-0-1-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-11]
-
-## v1.0.0
-
-_Released 2024-03-21_
-
-* Update the Azure Terraform provider version to v3.95.0
-* Support for new resource: `WorkspaceRootDbfsCustomerManagedKey.databricks.azure.upbound.io/v1beta1`
-* This release brings support for the conversion functions to be able to handle any future breaking API changes.
-* The release contains some important bug fixes, adding a new resource, and updates of dependencies.
-
-_Refer to the [v1.0.0 release notes][v1-0-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-12]
-
-## v0.42.2
-
-_Released 2024-03-21_
-
-* Sets a default `io.Discard` logger for the controller-runtime if debug logging isn't enabled.
-* Adds information logs in the monolithic provider's output that communicate the deprecation and the next steps.
-
-_Refer to the [v0.42.2 release notes][v0-42-2-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-13]
-
-## v0.42.1
-
-_Released 2024-02-22_
-
-* This release includes some important bug fixes and dependency bumps, please select the release notes for more details.
-
-_Refer to the [v0.42.1 release notes][v0-42-1-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-14]
-
-## v0.42.0
-
-_Released 2024-01-25_
-
-* Support for new resource: `CustomDomain.apimanagement.azure.upbound.io/v1beta1`
-* The release contains adding a new resource, and updates of dependencies.
-
-_Refer to the [v0.42.0 release notes][v0-42-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-15]
-
-## v0.41.0
-
-_Released 2024-01-03_
-
-* This release brings a change with how interact with the underlying Terraform Azure provider. Instead of interfacing with
-Terraform via the TF CLI, the new implementation consumes the Terraform provider's Go provider schema and invokes the CRUD
-functions registered in that schema, and no longer fork the underlying Terraform provider process.
-
-_Refer to the [v0.41.0 release notes][v0-41-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-16]
-
-## v0.40.0
-
-_Released 2023-12-28_
-
-* Support for new resources: `FrontdoorFirewallPolicy.cdn` and `FrontdoorSecurityPolicy.cdn`
-* Adds client certificate support for Azure service principal credentials.
-* The release contains some important bug fixes, adding new resources, and updates of dependencies.
-
-_Refer to the [v0.40.0 release notes][v0-40-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-17]
-
-## v0.39.0
-
-_Released 2023-11-30_
-
-* Support for new resource: `VirtualMachineDataDiskAttachment.compute`
-* The release contains some bug fixes and updates of dependencies.
-
-_Refer to the [v0.39.0 release notes][v0-39-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-18]
-
-## v0.38.2
-
-_Released 2023-11-02_
-
-* This release updates Crossplane Runtime to v1.14.1 which includes a fix in the retry mechanism while persisting the critical annotations.
-
-_Refer to the [v0.38.2 release notes][v0-38-2-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-19]
-
-## v0.38.1
-
-_Released 2023-10-30_
-
-* This release sets `async` mode true for `ResourceGroup` resource.
-
-_Refer to the [v0.38.1 release notes][v0-38-1-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-20]
-
-## v0.38.0
-
-_Released 2023-10-26_
-
-* Support for new family providers: `provider-azure-containerapp` and `provider-azure-loadtestservice`
-* Support for new resources: `ContainerApp.containerapp`, `Environment.containerapp` and `LoadTest.loadtestservice`
-* The release contains some bug fixes, updates of dependencies, and promoting granular management policies to Beta.
-
-_Refer to the [v0.38.0 release notes][v0-38-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-21]
-
-## v0.37.1
-
-_Released 2023-10-02_
-
-* The release contains fixing import of `ManagementGroupSubscriptionAssociation.management` resource.
-
-_Refer to the [v0.37.1 release notes][v0-37-1-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-22]
-
-## v0.37.0
-
-_Released 2023-09-29_
-
-* Support for new resources: `FlexibleServerActiveDirectoryAdministrator.dbforpostgresql`and `VirtualMachineExtension.compute`
-* The release contains some bug fixes and configuring the default poll jitter for the controllers.
-
-_Refer to the [v0.37.0 release notes][v0-37-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-23]
-
-## v0.36.0
-
-_Released 2023-08-23_
-
-* The release contains some important bug fixes to the granular
-management policies and a fix in the reconciliation logic of the Upjet runtime.
-* Updated Terraform CLI to 1.5.5 to address CVEs in previous Terraform versions.
-
-_Refer to the [v0.36.0 release notes][v0-36-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-24]
-
-## v0.35.0
-
-_Released 2023-08-01_
-
-* This release adds support for the `spec.initProvider` API and for the granular management
-policies alpha feature.
-* Support for new resources: `ManagementGroupSubscriptionAssociation`
-* Various bug fixes and enhancements.
-
-_Refer to the [v0.35.0 release notes][v0-35-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-25]
-
-## v0.34.0
-
-_Released 2023-06-27_
-
-* ⚠️ The family providers now declare a dependency on version v1.12.1 of
-Crossplane.
-* Various bug fixes and enhancements.
-
-_Refer to the [v0.33.0 release notes][v0-33-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-26]
-
-## v0.33.0
-
-_Released 2023-06-13_
-
-* This release introduces the new [provider families architecture][provider-families-architecture] for
-the Upbound Official Azure provider.
-* Various bug fixes and enhancements.
-
-_Refer to the [v0.33.0 release notes][v0-33-0-release-notes-27] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-28]
-
-## v0.32.0
-
-_Released 2023-05-15_
-
-* Update the Azure Terraform provider version to v3.55.0
-* Various bug fixes and enhancements.
-
-_Refer to the [v0.32.0 release notes][v0-32-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-29]
-
-
-
-[support-and-maintenance]: /reference/usage/support
-[provider-families-architecture]: /manuals/packages/providers/provider-families
-
-
-[v1-9-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azure/releases/tag/v1.9.0
-[upbound-marketplace]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v1.9.0
-[v1-8-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azure/releases/tag/v1.8.0
-[upbound-marketplace-1]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v1.8.0
-[v1-7-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azure/releases/tag/v1.7.0
-[upbound-marketplace-2]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v1.7.0
-[v1-6-1-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azure/releases/tag/v1.6.1
-[upbound-marketplace-3]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v1.6.1
-[v1-6-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azure/releases/tag/v1.6.0
-[upbound-marketplace-4]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v1.6.0
-[v1-5-1-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azure/releases/tag/v1.5.1
-[upbound-marketplace-5]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v1.5.1
-[v1-5-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azure/releases/tag/v1.5.0
-[upbound-marketplace-6]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v1.5.0
-[v1-4-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azure/releases/tag/v1.4.0
-[upbound-marketplace-7]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v1.4.0
-[v1-3-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azure/releases/tag/v1.3.0
-[upbound-marketplace-8]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v1.3.0
-[v1-2-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azure/releases/tag/v1.2.0
-[upbound-marketplace-9]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v1.2.0
-[v1-1-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azure/releases/tag/v1.1.0
-[upbound-marketplace-10]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v1.1.0
-[v1-0-1-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azure/releases/tag/v1.0.1
-[upbound-marketplace-11]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v1.0.1
-[v1-0-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azure/releases/tag/v1.0.0
-[upbound-marketplace-12]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v1.0.0
-[v0-42-2-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azure/releases/tag/v0.42.2
-[upbound-marketplace-13]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v0.42.2
-[v0-42-1-release-notes]: https://github.com/upbound/provider-azure/releases/tag/v0.42.1
-[upbound-marketplace-14]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v0.42.1
-[v0-42-0-release-notes]: https://github.com/upbound/provider-azure/releases/tag/v0.42.0
-[upbound-marketplace-15]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v0.42.0
-[v0-41-0-release-notes]: 
https://github.com/upbound/provider-azure/releases/tag/v0.41.0
-[upbound-marketplace-16]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v0.41.0
-[v0-40-0-release-notes]: https://github.com/upbound/provider-azure/releases/tag/v0.40.0
-[upbound-marketplace-17]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v0.40.0
-[v0-39-0-release-notes]: https://github.com/upbound/provider-azure/releases/tag/v0.39.0
-[upbound-marketplace-18]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v0.39.0
-[v0-38-2-release-notes]: https://github.com/upbound/provider-azure/releases/tag/v0.38.2
-[upbound-marketplace-19]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v0.38.2
-[v0-38-1-release-notes]: https://github.com/upbound/provider-azure/releases/tag/v0.38.1
-[upbound-marketplace-20]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v0.38.1
-[v0-38-0-release-notes]: https://github.com/upbound/provider-azure/releases/tag/v0.38.0
-[upbound-marketplace-21]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v0.38.0
-[v0-37-1-release-notes]: https://github.com/upbound/provider-azure/releases/tag/v0.37.1
-[upbound-marketplace-22]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v0.37.1
-[v0-37-0-release-notes]: https://github.com/upbound/provider-azure/releases/tag/v0.37.0
-[upbound-marketplace-23]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v0.37.0
-[v0-36-0-release-notes]: https://github.com/upbound/provider-azure/releases/tag/v0.36.0
-[upbound-marketplace-24]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v0.36.0
-[v0-35-0-release-notes]: https://github.com/upbound/provider-azure/releases/tag/v0.35.0
-[upbound-marketplace-25]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v0.35.0
-[v0-33-0-release-notes]: 
https://github.com/upbound/provider-azure/releases/tag/v0.34.0
-[upbound-marketplace-26]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v0.34.0
-[v0-33-0-release-notes-27]: https://github.com/upbound/provider-azure/releases/tag/v0.33.0
-[upbound-marketplace-28]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v0.33.0
-[v0-32-0-release-notes]: https://github.com/upbound/provider-azure/releases/tag/v0.32.0
-[upbound-marketplace-29]: https://marketplace.upbound.io/providers/upbound/provider-family-azure/v0.32.0
diff --git a/docs/manuals/packages/providers/provider-azuread/index.md b/docs/manuals/packages/providers/provider-azuread/index.md
deleted file mode 100644
index b5907d304..000000000
--- a/docs/manuals/packages/providers/provider-azuread/index.md
+++ /dev/null
@@ -1,278 +0,0 @@
----
-title: Provider AzureAD
-sidebar_position: 1
-description: Release notes for the AzureAD official provider
----
-
-The below release notes are for the Upbound AzureAD official provider. These notes
-only contain noteworthy changes and you should refer to each release's GitHub
-release notes for full details.
-
-For more information on the release cadence and support protocol refer to the
-provider [support and maintenance][support-and-maintenance] page.
-
-:::important
-Beginning with `v1.21.0` and later, you need at least a `Team` subscription to pull a given Official Provider version. All prior versions are pullable without a subscription.
-If you're not subscribed to Upbound or have an `Individual` tier subscription, you can still always pull **the most recent provider version** using the `v1` tag.
-:::
-
-
-## v1.6.0
-
-_Released 2024-10-05_
-
-* This release introduces the Terraform provider upgrade from `2.47.0` to `2.53.1`,
-support for Upbound authentication, bug fixes, enhancements, and dependency
-updates.
-
-_Refer to the [v1.5.0 release notes][v1-5-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace]
-
-## v1.5.0
-
-_Released 2024-09-20_
-
-* This release introduces support for `ManagedIdentity` and `OIDC` authentication
-methods, and dependency updates.
-
-_Refer to the [v1.5.0 release notes][v1-5-0-release-notes-1] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-2]
-
-## v1.4.1
-
-_Released 2024-09-16_
-
-* This release fixes the issue of hiding error messages.
-
-_Refer to the [v1.4.1 release notes][v1-4-1-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-3]
-
-## v1.4.0
-
-_Released 2024-08-29_
-
-* This release includes bug fixes, enhancements, and dependency updates.
-
-_Refer to the [v1.4.0 release notes][v1-4-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-4]
-
-
-## v1.3.0
-
-_Released 2024-06-13_
-
-* This release generates the secret references under `spec.initProvider` API trees and updates dependencies.
-
-_Refer to the [v1.3.0 release notes][v1-3-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-5]
-
-## v1.2.0
-
-_Released 2024-05-16_
-
-* This release includes converting singleton lists in the MR APIs to embedded objects, and dependency updates.
-
-_Refer to the [v1.2.0 release notes][v1-2-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-6]
-
-## v1.1.0
-
-_Released 2024-04-25_
-
-* This release includes a new set of managed resource (MR) metrics, bug fixes, and dependency updates.
-
-_Refer to the [v1.1.0 release notes][v1-1-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-7]
-
-## v1.0.0
-
-_Released 2024-03-21_
-
-* Update the Azure Terraform provider version to v2.47.0
-* The release contains some important bug fixes, and updates of dependencies.
-
-_Refer to the [v1.0.0 release notes][v1-0-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-8]
-
-## v0.15.3
-
-_Released 2024-03-21_
-
-* This release sets a default `io.Discard` logger for the controller-runtime if debug logging isn't enabled.
-
-_Refer to the [v0.15.3 release notes][v0-15-3-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-9]
-
-## v0.15.2
-
-_Released 2024-02-29_
-
-* This release includes updates to the dependencies, please select the release notes for more details.
-
-_Refer to the [v0.15.2 release notes][v0-15-2-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-10]
-
-## v0.15.1
-
-_Released 2024-02-22_
-
-* This release includes some important bug fixes and dependency bumps, please select the release notes for more details.
-
-_Refer to the [v0.15.1 release notes][v0-15-1-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-11]
-
-## v0.15.0
-
-_Released 2023-12-28_
-
-* This release generates reference fields for the `spec.initProvider` of all resources.
-
-_Refer to the [v0.15.0 release notes][v0-15-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-12]
-
-## v0.14.0
-
-_Released 2023-11-30_
-
-* This release brings a change with how interact with the underlying Terraform AzureAD provider. Instead of interfacing with
-Terraform via the TF CLI, the new implementation consumes the Terraform provider's Go provider schema and invokes the CRUD
-functions registered in that schema, and no longer fork the underlying Terraform provider process.
-
-_Refer to the [v0.14.0 release notes][v0-14-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-13]
-
-## v0.13.1
-
-_Released 2023-11-02_
-
-* This release updates Crossplane Runtime to v1.14.1 which includes a fix in the retry mechanism while persisting the critical annotations.
-
-_Refer to the [v0.13.1 release notes][v0-13-1-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-14]
-
-## v0.13.0
-
-_Released 2023-10-26_
-
-* The release contains updates of dependencies and promoting granular management policies to Beta.
-
-_Refer to the [v0.13.0 release notes][v0-13-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-15]
-
-## v0.12.0
-
-_Released 2023-09-29_
-
-* The release contains some bug fixes and configuring the default poll jitter for the controllers.
-
-_Refer to the [v0.12.0 release notes][v0-12-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-16]
-
-## v0.11.0
-
-_Released 2023-08-23_
-
-* The release contains some important bug fixes to the granular
-management policies and a fix in the reconciliation logic of the Upjet runtime.
-* Updated Terraform CLI to 1.5.5 to address CVEs in previous Terraform versions.
-* Update the AzureAD Terraform provider version v2.41.0
-
-_Refer to the [v0.11.0 release notes][v0-11-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-17]
-
-
-## v0.10.0
-
-_Released 2023-08-01_
-
-* This release adds support for the spec.initProvider API and for the granular management policies alpha feature.
-* Various bug fixes and enhancements.
-
-_Refer to the [v0.10.0 release notes][v0-10-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-18]
-
-## v0.9.0
-
-_Released 2023-06-16_
-
-* Update the AzureAD Terraform provider version v2.39.0
-* Various bug fixes and enhancements.
-
-_Refer to the [v0.9.0 release notes][v0-9-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-19]
-
-## v0.8.0
-
-_Released 2023-05-15_
-
-* Update the AzureAD Terraform provider version to v2.38.0
-* Various bug fixes and enhancements.
-
-_Refer to the [v0.8.0 release notes][v0-8-0-release-notes] for full details._
-
-Install the provider from the [Upbound Marketplace][upbound-marketplace-20]
-
-
-
-[support-and-maintenance]: /reference/usage/support
-
-[v1-5-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azuread/releases/tag/v1.5.0
-[upbound-marketplace]: https://marketplace.upbound.io/providers/upbound/provider-azuread/v1.5.0
-[v1-5-0-release-notes-1]: https://github.com/crossplane-contrib/provider-upjet-azuread/releases/tag/v1.5.0
-[upbound-marketplace-2]: https://marketplace.upbound.io/providers/upbound/provider-azuread/v1.5.0
-[v1-4-1-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azuread/releases/tag/v1.4.1
-[upbound-marketplace-3]: https://marketplace.upbound.io/providers/upbound/provider-azuread/v1.4.1
-[v1-4-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azuread/releases/tag/v1.4.0
-[upbound-marketplace-4]: https://marketplace.upbound.io/providers/upbound/provider-azuread/v1.4.0
-[v1-3-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azuread/releases/tag/v1.3.0
-[upbound-marketplace-5]: https://marketplace.upbound.io/providers/upbound/provider-azuread/v1.3.0
-[v1-2-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azuread/releases/tag/v1.2.0
-[upbound-marketplace-6]: https://marketplace.upbound.io/providers/upbound/provider-azuread/v1.2.0
-[v1-1-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azuread/releases/tag/v1.1.0
-[upbound-marketplace-7]: https://marketplace.upbound.io/providers/upbound/provider-azuread/v1.1.0
-[v1-0-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azuread/releases/tag/v1.0.0
-[upbound-marketplace-8]: https://marketplace.upbound.io/providers/upbound/provider-azuread/v1.0.0
-[v0-15-3-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azuread/releases/tag/v0.15.3
-[upbound-marketplace-9]: 
https://marketplace.upbound.io/providers/upbound/provider-azuread/v0.15.3
-[v0-15-2-release-notes]: https://github.com/crossplane-contrib/provider-upjet-azuread/releases/tag/v0.15.2
-[upbound-marketplace-10]: https://marketplace.upbound.io/providers/upbound/provider-azuread/v0.15.2
-[v0-15-1-release-notes]: https://github.com/upbound/provider-azuread/releases/tag/v0.15.1
-[upbound-marketplace-11]: https://marketplace.upbound.io/providers/upbound/provider-azuread/v0.15.1
-[v0-15-0-release-notes]: https://github.com/upbound/provider-azuread/releases/tag/v0.15.0
-[upbound-marketplace-12]: https://marketplace.upbound.io/providers/upbound/provider-azuread/v0.15.0
-[v0-14-0-release-notes]: https://github.com/upbound/provider-azuread/releases/tag/v0.14.0
-[upbound-marketplace-13]: https://marketplace.upbound.io/providers/upbound/provider-azuread/v0.14.0
-[v0-13-1-release-notes]: https://github.com/upbound/provider-azuread/releases/tag/v0.13.1
-[upbound-marketplace-14]: https://marketplace.upbound.io/providers/upbound/provider-azuread/v0.13.1
-[v0-13-0-release-notes]: https://github.com/upbound/provider-azuread/releases/tag/v0.13.0
-[upbound-marketplace-15]: https://marketplace.upbound.io/providers/upbound/provider-azuread/v0.13.0
-[v0-12-0-release-notes]: https://github.com/upbound/provider-azuread/releases/tag/v0.12.0
-[upbound-marketplace-16]: https://marketplace.upbound.io/providers/upbound/provider-azuread/v0.12.0
-[v0-11-0-release-notes]: https://github.com/upbound/provider-azuread/releases/tag/v0.11.0
-[upbound-marketplace-17]: https://marketplace.upbound.io/providers/upbound/provider-azuread/v0.11.0
-[v0-10-0-release-notes]: https://github.com/upbound/provider-azuread/releases/tag/v0.10.0
-[upbound-marketplace-18]: https://marketplace.upbound.io/providers/upbound/provider-azuread/v0.10.0
-[v0-9-0-release-notes]: https://github.com/upbound/provider-azuread/releases/tag/v0.9.0
-[upbound-marketplace-19]: 
https://marketplace.upbound.io/providers/upbound/provider-azuread/v0.9.0
-[v0-8-0-release-notes]: https://github.com/upbound/provider-azuread/releases/tag/v0.8.0
-[upbound-marketplace-20]: https://marketplace.upbound.io/providers/upbound/provider-azuread/v0.8.0
diff --git a/docs/manuals/packages/providers/provider-gcp/authentication.md b/docs/manuals/packages/providers/provider-gcp/authentication.md
deleted file mode 100644
index 075a5b453..000000000
--- a/docs/manuals/packages/providers/provider-gcp/authentication.md
+++ /dev/null
@@ -1,884 +0,0 @@ ---- -title: Authentication -sidebar_position: 1 -description: Authentication options with the Upbound GCP official provider ---- - - -The Upbound Official GCP Provider supports multiple authentication methods. - -* [Upbound auth (OIDC)][upbound-auth-oidc] -* [Service account keys][service-account-keys] -* [OAuth 2.0 access token][oauth-2-0-access-token] -* [Workload identity][workload-identity] - for Google managed Kubernetes clusters (`GKE`) -* [Service account impersonation][service-account-impersonation] - -## Upbound auth (OIDC) - -:::note -This method of authentication is only supported in control planes running on [Upbound Cloud Spaces][upbound-cloud-spaces] -::: - -When your control plane runs in an Upbound Cloud Space, you can use this authentication method. Upbound authentication uses OpenID Connect (OIDC) to authenticate to GCP without requiring you to store credentials in Upbound. - -### Create an identity pool - -1. Open the **[GCP IAM Admin console][gcp-iam-admin-console]**. -2. Select **[Workload Identity Federation][workload-identity-federation]**. -3. If this is your first Workload Identity Federation configuration select **Get Started** -4. At the top of the page, select **Create Pool**. -5. Name the pool, like **upbound-oidc-pool**. -6. Enter a description like **An identity provider for Upbound**. -7. **Enable** the pool. -8. Select **Continue** - -#### Add Upbound to the pool - -Under the _Add a provider to pool_ configuration under _Select a provider_ use **OpenID Connect (OIDC)** - -_Provider Name_: **upbound-oidc-provider** -_Provider ID_: **upbound-oidc-provider-id** -_Issuer (URL)_: **https://proidc.upbound.io** - -Select **Allowed audiences** -For _Audience 1_ enter **sts.googleapis.com** - -Select **Continue**. - -#### Configure provider attributes - -The provider attributes restrict which remote entities you allow access to your resources. 
-When Upbound authenticates to GCP it provides an OIDC subject (`sub`) in the form: - -`mcp:/:provider:` - -Configure the _google.subject_ attribute as **assertion.sub** - -Under _Attribute Conditions_ select **Add Condition**. - - -To authenticate any control plane in your organization, in the _Conditional CEL_ input box put -```console -google.subject.contains("mcp:ORGANIZATION_NAME") -``` - -:::warning -Not providing a CEL condition allows any control plane to access your GCP account if they know the project ID and service account name. -::: - - -Select **Save**. - -### Create a GCP Service Account - -GCP requires Upbound to use a [Service Account][service-account]. The required GCP _roles_ of the service account depend on the services managed by your control plane. - -1. Open the **[GCP IAM Admin console][gcp-iam-admin-console-1]**. -2. Select **[Service Accounts][service-accounts]**. -3. From the top of the page, select **Create Service Account**. - -### Service account details - - - -Under _Service account details_ enter -_Service account name_: **upbound-service-account** -_Service account ID_: **upbound-service-account-id** -_Description_: **Upbound control planes service account** - - - -Select **Create and Continue**. - -### Grant this service account access to project - -For the _CloudSQL as a service_ configuration the service account requires the roles: -**Cloud SQL Admin** -**Workload Identity User** - -Select **Done**. - -### Record the service account email address - -At the list of service accounts copy the service account **email**. -Upbound requires this to authenticate your control plane. - -### Add the service account to the identity pool - -Add the service account to the Workload Identity Federation pool to authenticate to Upbound with OIDC. -1. Return to the **[Workload Identity Federation][workload-identity-federation-2]** page and select the [**upbound-oidc-pool**][upbound-oidc-pool]. -2. Near the top of the page select **Grant Access**. 
-3. Select the new service account, **upbound-service-account**. -4. Under _Select principals_ use **All identities in the pool**. -Select **Save**. -In the _Configure your application_ window, select **Dismiss**. - -### Create a ProviderConfig - -Create a -ProviderConfig to set the -provider authentication method to -Upbound. - -Supply the projectID, providerID, and serviceAccount found in the previous section. - -:::tip -To apply Upbound based authentication by default name the ProviderConfig -default. -::: -
- -```yaml -apiVersion: gcp.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: default -spec: - projectID: crossplane-playground - credentials: - source: Upbound - upbound: - federation: - providerID: projects//locations/global/workloadIdentityPools//providers/ - serviceAccount: @.iam.gserviceaccount.com -``` -
-## Service account keys - -Using GCP service account keys requires storing the GCP account keys JSON file -as a Kubernetes secret. - -To create the Kubernetes secret create or -[download your GCP service account key][download-your-gcp-service-account-key] -JSON file. - - -### Create a Kubernetes secret -Create the Kubernetes secret with -}kubectl create secret generic}. - - - -For example, name the secret -}gcp-secret} in the -}crossplane-system} namespace -and import the text file with the credentials -}gcp-credentials.json and -assign them to the secret key -my-gcp-secret. - - - -```shell {label="kubesecret"} -kubectl create secret generic \ -gcp-secret \ --n crossplane-system \ ---from-file=my-gcp-secret=./gcp-credentials.json -``` - -To create a secret declaratively requires encoding the authentication keys as a -base-64 string. - - -Create a Secret object with -the data containing the secret -key name, my-gcp-secret and the -base-64 encoded keys. - - -
-```yaml -apiVersion: v1 -kind: Secret -metadata: - name: gcp-secret - namespace: crossplane-system -type: Opaque -data: - my-gcp-secret: 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 -``` -
- -### Create a ProviderConfig - -Create a ProviderConfig to set the -provider authentication method toSecret. - - -Create a secretRef with the -namespace, -name and -key of the secret. - -:::tip -To apply key based authentication by default name the ProviderConfig -default. -::: - -
-```yaml -apiVersion: gcp.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: default -spec: - credentials: - source: Secret - secretRef: - namespace: crossplane-system - name: gcp-secret - key: my-gcp-secret -``` -
- -To selectively apply key based authentication name the ProviderConfig and apply -it when creating managed resources. - -For example, creating an ProviderConfig named -key-based-providerconfig. -
-```yaml -apiVersion: gcp.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: key-based-providerconfig -spec: - credentials: - source: Secret - secretRef: - namespace: crossplane-system - name: gcp-secret - key: my-gcp-secret -``` -
- -Apply the ProviderConfig to a -managed resource with a -providerConfigRef. - -
- -```yaml -apiVersion: storage.gcp.upbound.io/v1beta1 -kind: Bucket -metadata: - name: my-gcp-bucket -spec: - forProvider: - location: US - providerConfigRef: - name: key-based-providerconfig -``` -
-## OAuth access tokens - -Using GCP access tokens requires storing the GCP account keys JSON file -as a Kubernetes secret. - -Create a GCP access [token for a service account][token-for-a-service-account] -or with the [`gcloud` CLI][gcloud-cli]. - -:::warning -GCP access tokens are valid for 1 hour by default. When the token expires -Crossplane can't create or delete resources. - -The [provider-gcp GitHub repository][provider-gcp-github-repository] contains an example cron job that -automatically refreshes access tokens. -::: - -### Create a Kubernetes secret -Create the Kubernetes secret with -kubectl create secret generic. - - - -For example, name the secret -gcp-secret in the -crossplane-system namespace -and import the text file with the credentials -gcp-token.json and -assign them to the secret key -my-gcp-secret. - - - -
-```shell -kubectl create secret generic \ -gcp-secret \ --n crossplane-system \ ---from-file=my-gcp-secret=./gcp-token.json -``` -
- -To create a secret declaratively requires encoding the access token as a -base-64 string. - - -Create a Secret object with -the data containing the secret -key name, my-gcp-secret and the -base-64 encoded token. - - -
-```yaml -apiVersion: v1 -kind: Secret -metadata: - name: gcp-secret - namespace: crossplane-system -type: Opaque -data: - my-gcp-secret: eWEyOS5hMEFmQl9ieURVVEpSSWt3RDk1c1cxTGE0d3dlLS0xTHpOZkxJeFFYbnIza25VVG9jYV9xY2xsSG1ZUzVycjJwYmNzZnVuR3M5blR6SnVIb2lYb3VmRnBEbGZicGV5bTBJU1lfUmdxWGNCMTdDY3RXZWZOd2hJcVVUblJ2UVdmcHpsODVvbklzUXZaN0F5MEJjUy1ZMGxXYXJXODVJQ2Z5R0RhZEtvYUNnWUtBWXdTQVJFU0ZRSHN2WWxzUnU1Q0w4UVY0OThRc1pvbmxGVXJXQTAxNzE= -``` -
- -### Create a ProviderConfig - -Create a -ProviderConfig to set the -provider authentication method to -AccessToken. - -Create a secretRef with the -namespace, -name and -key of the secret. - -:::tip -To apply key based authentication by default name the ProviderConfig -default. -::: - -
-```yaml -apiVersion: gcp.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: default -spec: - credentials: - source: AccessToken - secretRef: - namespace: crossplane-system - name: gcp-secret - key: my-gcp-secret -``` -
- -To selectively apply key based authentication name the ProviderConfig and apply -it when creating managed resources. - -For example, creating an ProviderConfig named -key-based-providerconfig. - -
-```yaml -apiVersion: gcp.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: token-based-providerconfig -spec: - credentials: - source: AccessToken - secretRef: - namespace: crossplane-system - name: gcp-secret - key: my-gcp-secret -``` -
- -Apply the ProviderConfig to a -managed resource with a -providerConfigRef. - -
-```yaml -apiVersion: storage.gcp.upbound.io/v1beta1 -kind: Bucket -metadata: - name: my-gcp-bucket -spec: - forProvider: - location: US - providerConfigRef: - name: token-based-providerconfig -``` -
- -## Workload identity - -When running the GCP Provider in an Google managed Kubernetes cluster (`GKE`) -the Provider may use -[workload identity][workload-identity-3] -for authentication. - -Workload identity allows the Provider to authenticate to GCP APIs with -permissions mapped to an IAM service account. - -:::tip -Workload identity is only supported with Crossplane running in Google managed -Kubernetes clusters (`GKE`). -::: - -Configuring workload identity with the GCP Provider requires: -* a [GCP service account][gcp-service-account] -* a Crossplane ControllerConfig to reference the GCP service account the Provider - uses -* a Crossplane ProviderConfig to apply the workload identity authentication method. - -### Configure the GCP service account - -You may use an existing service account or follow the [GCP documentation to -create a new service account][gcp-documentation-to-create-a-new-service-account]. - -Apply a [GCP IAM policy binding][gcp-iam-policy-binding] -to associate the service account with the desired GCP IAM role. - -Enable workload identity and link the GCP IAM service account to the Provider -Kubernetes service account. - -This requires defining a name for the Provider's Kubernetes service account. -The --member in the policy -includes the Crossplane namespace and the name of the Provider's Kubernetes -service account. - -:::tip -Upbound UXP uses the `upbound-system` namespace. -Crossplane uses the `crossplane-system` namespace. -::: - -
-```yaml -gcloud iam service-accounts add-iam-policy-binding \ - \ ---role roles/iam.workloadIdentityUser \ ---member "serviceAccount:.svc.id.goog[crossplane-system/]" \ ---project -``` -
- -For example with the following settings: -* service account email `docs@upbound.iam.gserviceaccount.com` -* project name `upbound` -* namespace `crossplane-system` -* Provider Kubernetes service account `my-gcp-sa` - -Creates the following command: -```console -gcloud iam service-accounts add-iam-policy-binding \ - docs@upbound.iam.gserviceaccount.com \ ---role roles/iam.workloadIdentityUser \ ---member "serviceAccount:upbound.svc.id.goog[crossplane-system/my-gcp-sa]" \ ---project upbound -``` - -### Create a ControllerConfig - -The ControllerConfig creates a custom Provider service account and applies an -annotation to the Provider's pod. - -Create a ControllerConfig -object. Add an annotation -mapping the key -iam.gke.io/gcp-service-account -to the email address of the GCP IAM service account. - -Add a -serviceAccountName to the -spec to name the Provider's -service account. This must match the name used in the GCP IAM binding. - -
-```yaml -apiVersion: pkg.crossplane.io/v1alpha1 -kind: ControllerConfig -metadata: - name: my-controller-config - annotations: - iam.gke.io/gcp-service-account: -spec: - serviceAccountName: -``` -
- - -For example, to create a -ControllerConfig with the -service account -docs@upbound.iam.gserviceaccount.com -and create a Provider service account named -my-gcp-sa. - - -
-```yaml -apiVersion: pkg.crossplane.io/v1alpha1 -kind: ControllerConfig -metadata: - name: my-controller-config - annotations: - iam.gke.io/gcp-service-account: docs@upbound.iam.gserviceaccount.com -spec: - serviceAccountName: my-gcp-sa -``` -
- -### Apply the ControllerConfig - -Apply the ControllerConfig to the GCP Provider with a -controllerConfigRef referencing -the name of the ControllerConfig. - - - -For example, to apply a ControllerConfig named -my-controller-config, reference -the ControllerConfig name in the -controllerConfigRef. - - - -:::tip -Apply the ControllerConfig to each family provider using workload identity. -::: - -
-```yaml -apiVersion: pkg.crossplane.io/v1 -kind: Provider -metadata: - name: provider-gcp-storage -spec: - package: xpkg.upbound.io/upbound/provider-gcp-storage:v0.35.0 - controllerConfigRef: - name: my-controller-config -``` -
- -### Create a ProviderConfig - -Create a -ProviderConfig to set the -provider authentication method to -InjectedIdentity and add the -projectID to use. - -:::tip -To apply key based authentication by default name the ProviderConfig -default. -::: - -
-```yaml -apiVersion: gcp.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: default -spec: - credentials: - source: InjectedIdentity - projectID: -``` -
- -To selectively apply key based authentication name the ProviderConfig and apply -it when creating managed resources. - -For example, creating an ProviderConfig named -workload-id-providerconfig. - -
-```yaml {label="workloadPC2"} -apiVersion: gcp.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: workload-id-providerconfig -spec: - credentials: - source: InjectedIdentity - projectID: upbound -``` -
- -Apply the ProviderConfig to a -managed resource with a -providerConfigRef. - -
-```yaml -apiVersion: storage.gcp.upbound.io/v1beta1 -kind: Bucket -metadata: - name: my-gcp-bucket -spec: - forProvider: - location: US - providerConfigRef: - name: workload-id-providerconfig -``` -
- -## Service account impersonation - -When running the GCP Provider in an Google managed Kubernetes cluster (`GKE`) -the Provider may use -[service account impersonation][service-account-impersonation-4] -for authentication. - -Account impersonation allows the Provider to authenticate to GCP APIs with -using one service account and request escalated privileges through a second -account. - -:::important -Service account impersonation is only supported with Crossplane running in -Google managed Kubernetes clusters (`GKE`). -::: - -Configuring workload identity with the GCP Provider requires: -* a lower privileged [GCP service account][gcp-service-account-5]. -* an elevated privileged [GCP service account][gcp-service-account-6] -* a Crossplane ControllerConfig to reference the lower-privileged GCP service account. -* a Crossplane ProviderConfig to reference the elevated privileged GCP service account. - -### Configure the GCP service accounts - -You may use an existing service accounts or follow the [GCP documentation to -create a new service accounts][gcp-documentation-to-create-a-new-service-accounts]. - -The lower privilege role requires a -[GCP IAM policy binding][gcp-iam-policy-binding-7] -role for the project which includes -iam.serviceAccountTokenCreator. - -
-```shell -gcloud projects add-iam-policy-binding \ - --member "serviceAccount:@.iam.gserviceaccount.com" \ - --role roles/iam.serviceAccountTokenCreator \ - --project -``` -
- -For example, to create a role-binding for: - * project `upbound` - * account `docs-unprivileged` - -
-```shell -gcloud projects add-iam-policy-binding upbound \ - --member "serviceAccount:docs-unprivileged@upbound.iam.gserviceaccount.com" \ - --role roles/iam.serviceAccountTokenCreator \ - --project upbound -``` -
- -The lower privileged service account requires a -[GCP IAM service account policy binding][gcp-iam-service-account-policy-binding] -between the unprivileged account and the Kubernetes provider service account. - - -
-```shell -gcloud iam service-accounts add-iam-policy-binding @.iam.gserviceaccount.com \ - --role roles/iam.workloadIdentityUser \ - --member "serviceAccount:.svc.id.goog[/]" -``` -
- -For example, to create a policy binding for: - * project `upbound` - * account `docs-unprivileged` - * namespace `crossplane-system` - * Provider service account name `gcp-provider-sa` - -
-```shell -gcloud iam service-accounts add-iam-policy-binding docs-unprivileged@upbound.iam.gserviceaccount.com \ - --role roles/iam.workloadIdentityUser \ - --member "serviceAccount:upbound.svc.id.goog[crossplane-system/gcp-provider-sa]" -``` -
- -:::tip -For more information on the account requirements for account impersonation -read the [GCP service account impersonation -documentation][gcp-service-account-impersonation-documentation] -::: - -### Create a ControllerConfig - -The ControllerConfig creates a custom Provider service account and applies an -annotation to the Provider's pod. - -Create a ControllerConfig -object. Add an annotation -mapping the key -iam.gke.io/gcp-service-account -to the email address of the GCP IAM service account. - -Add a -serviceAccountName to the -spec to create the Provider's -service account. This must match the name used in the GCP IAM binding. - -
-```yaml -apiVersion: pkg.crossplane.io/v1alpha1 -kind: ControllerConfig -metadata: - name: my-controller-config - annotations: - iam.gke.io/gcp-service-account: @.iam.gserviceaccount.com -spec: - serviceAccountName: -``` -
- -For example, to use a GCP service account named -docs-unprivileged and a -service account name -gcp-provider-sa: - -:::important -The `serviceAccountName` must match the -service account referenced in the GCP IAM policy binding. -::: - -
-```yaml -apiVersion: pkg.crossplane.io/v1alpha1 -kind: ControllerConfig -metadata: - name: my-controller-config - annotations: - iam.gke.io/gcp-service-account: docs@upbound.iam.gserviceaccount.com -spec: - serviceAccountName: my-gcp-sa -``` -
- -### Create a ProviderConfig - -Create a -ProviderConfig to set the -provider authentication method to -ImpersonateServiceAccount. Add the -impersonateServiceAccount object -and provide the -name of the _privileged_ account -to impersonate. -Include the -projectID to use. - -:::tip -To apply key based authentication by default name the ProviderConfig -default. -::: - -
-```yaml -apiVersion: gcp.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: default -spec: - credentials: - source: ImpersonateServiceAccount - impersonateServiceAccount: - name: }@.iam.gserviceaccount.com - projectID: -``` -
- -For example to create a -ProviderConfig with: - * service account named docs-privileged - * project named upbound - -
-```yaml -apiVersion: gcp.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: default -spec: - credentials: - source: ImpersonateServiceAccount - impersonateServiceAccount: - name: docs-privileged@upbound.iam.gserviceaccount.com - projectID: upbound -``` -
- -To selectively apply key based authentication name the ProviderConfig and apply -it when creating managed resources. - -For example, creating an ProviderConfig named -workload-id-providerconfig. - -
-```yaml -apiVersion: gcp.upbound.io/v1beta1 -kind: ProviderConfig -metadata: - name: impersonation-providerconfig -spec: - credentials: - source: ImpersonateServiceAccount - impersonateServiceAccount: - name: }@.iam.gserviceaccount.com - projectID: -``` -
- -Apply the ProviderConfig to a -managed resource with a -providerConfigRef. - -
-```yaml -apiVersion: storage.gcp.upbound.io/v1beta1 -kind: Bucket -metadata: - name: my-gcp-bucket -spec: - forProvider: - location: US - providerConfigRef: - name: impersonation-providerconfig -``` -
-
-[upbound-auth-oidc]: /manuals/platform/howtos/oidc
-[upbound-cloud-spaces]: /manuals/spaces/overview
-
-
-[service-account-keys]: https://cloud.google.com/iam/docs/keys-create-delete
-[oauth-2-0-access-token]: https://developers.google.com/identity/protocols/oauth2
-[workload-identity]: https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity
-[service-account-impersonation]: https://cloud.google.com/iam/docs/service-account-overview#impersonation
-[gcp-iam-admin-console]: https://console.cloud.google.com/iam-admin/iam
-[workload-identity-federation]: https://console.cloud.google.com/iam-admin/workload-identity-pools
-[service-account]: https://cloud.google.com/iam/docs/service-account-overview
-[gcp-iam-admin-console-1]: https://console.cloud.google.com/iam-admin/iam
-[service-accounts]: https://console.cloud.google.com/iam-admin/serviceaccounts
-[workload-identity-federation-2]: https://console.cloud.google.com/iam-admin/workload-identity-pools
-[upbound-oidc-pool]: https://console.cloud.google.com/iam-admin/workload-identity-pools/pool/upbound-oidc-pool
-[download-your-gcp-service-account-key]: https://cloud.google.com/iam/docs/keys-create-delete#creating
-[token-for-a-service-account]: https://developers.google.com/identity/protocols/oauth2#serviceaccount
-[gcloud-cli]: https://cloud.google.com/sdk/gcloud/reference/auth/print-access-token
-[provider-gcp-github-repository]: https://github.com/upbound/provider-gcp/blob/main/docs/Configuration.md#3-create-resources-to-generate-an-access-token
-[workload-identity-3]: https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity
-[gcp-service-account]: https://cloud.google.com/iam/docs/service-account-overview
-[gcp-documentation-to-create-a-new-service-account]: https://cloud.google.com/iam/docs/service-accounts-create
-[gcp-iam-policy-binding]: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/add-iam-policy-binding
-[service-account-impersonation-4]: 
https://cloud.google.com/iam/docs/service-account-overview#impersonation
-[gcp-service-account-5]: https://cloud.google.com/iam/docs/service-account-overview
-[gcp-service-account-6]: https://cloud.google.com/iam/docs/service-account-overview
-[gcp-documentation-to-create-a-new-service-accounts]: https://cloud.google.com/iam/docs/service-accounts-create
-[gcp-iam-policy-binding-7]: https://cloud.google.com/sdk/gcloud/reference/projects/add-iam-policy-binding
-[gcp-iam-service-account-policy-binding]: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/add-iam-policy-binding
-[gcp-service-account-impersonation-documentation]: https://cloud.google.com/iam/docs/service-account-overview#impersonation
diff --git a/docs/manuals/packages/providers/provider-gcp/index.md b/docs/manuals/packages/providers/provider-gcp/index.md
deleted file mode 100644
index 2b09f8f4a..000000000
--- a/docs/manuals/packages/providers/provider-gcp/index.md
+++ /dev/null
@@ -1,423 +0,0 @@ ---- -title: Provider GCP -sidebar_position: 1 -description: Release notes for the GCP official provider ---- - -The below release notes are for the Upbound GCP official provider. These notes -only contain noteworthy changes and you should refer to each release's GitHub -release notes for full details. - -For more information on the release cadence and support protocol refer to the -provider [support and maintenance][support-and-maintenance] page. - -:::important -Beginning with `v1.21.0` and later, you need at least a `Team` subscription to pull a given Official Provider version. All prior versions are pullable without a subscription. -If you're not subscribed to Upbound or have an `Individual` tier subscription, you can still always pull **the most recent provider version** using the `v1` tag. -::: - -## v1.10.0 - -_Released 2024-11-21_ - -* This release introduces new resources: `ResponsePolicy.dns.gcp.upbound.io/v1beta1`, -`ResponsePolicyRule.dns.gcp.upbound.io/v1beta1` and `TrustConfig.certificatemanager.gcp.upbound.io/v1beta1` - -_Refer to the [v1.10.0 release notes][v1-10-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace] - -## v1.9.0 - -_Released 2024-11-07_ - -* Support for new resources: `ServiceConnectionPolicy.networkconnectivity.gcp.upbound.io/v1beta1`, -`Cluster.redis.gcp.upbound.io/v1beta1`, `PolicyTag.datacatalog.gcp.upbound.io/v1beta1` -and `Taxonomy.datacatalog.gcp.upbound.io/v1beta1` -* Upgraded the underlying Terraform provider version from `5.39.0` to `5.44.2` -* This release also introduces new resources, bug fixes, enhancements, and dependency updates. - -_Refer to the [v1.9.0 release notes][v1-9-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-1] - -## v1.8.3 - -_Released 2024-09-20_ - -* The release cleaned `uptest` specific codes/placeholders from the examples in the marketplace. 
- -_Refer to the [v1.8.3 release notes][v1-8-3-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-2] - -## v1.8.2 - -_Released 2024-09-16_ - -* The release fixes the issue of hiding error messages. - -_Refer to the [v1.8.2 release notes][v1-8-2-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-3] - -## v1.8.1 - -_Released 2024-09-09_ - -* The release is reverting the commit `0927b1f`, which caused a regression. - -_Refer to the [v1.8.1 release notes][v1-8-1-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-4] - -## v1.8.0 - -_Released 2024-08-23_ - -* The release contains bug fixes, enhancements, and dependency updates. - -_Refer to the [v1.8.0 release notes][v1-8-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-5] - -## v1.7.0 - -_Released 2024-08-06_ - -* Update the GCP Terraform provider from `5.28.0` to `5.39.0` - -_Refer to the [v1.7.0 release notes][v1-7-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-6] - -## v1.6.0 - -_Released 2024-07-26_ - -* Support for new family providers: `provider-gcp-orgpolicy` and `provider-gcp-tags` -* Support for new resources: `EnvgroupAttachment.apigee.gcp.upbound.io/v1beta1`, `EnvgroupAttachment.apigee.gcp.upbound.io/v1beta1`, -`EndpointAttachment.apigee.gcp.upbound.io/v1beta1`, `InstanceAttachment.apigee.gcp.upbound.io/v1beta1`, -`AddonsConfig.apigee.gcp.upbound.io/v1beta1`, `SyncAuthorization.apigee.gcp.upbound.io/v1beta1`, -`Policy.orgpolicy.gcp.upbound.io/v1beta1`, `TagBinding.tags.gcp.upbound.io/v1beta1`, -`TagKey.tags.gcp.upbound.io/v1beta1` and `TagValue.tags.gcp.upbound.io/v1beta1` -* The release contains new family providers, new resources, an important bug fix, -enhancements, and dependency updates. 
- -_Refer to the [v1.6.0 release notes][v1-6-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-7] - -## v1.5.0 - -_Released 2024-07-04_ - -* Update the GCP Terraform provider from `5.19.0` to `5.28.0` - -_Refer to the [v1.5.0 release notes][v1-5-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-8] - -## v1.4.0 - -_Released 2024-06-27_ - -* Support for a new resources: `HMACKey.storage.gcp.upbound.io/v1beta1` -* This release includes a new resource, enhancements, and dependency updates. - -_Refer to the [v1.4.0 release notes][v1-4-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-9] - -## v1.3.0 - -_Released 2024-06-13_ - -* This release includes bug fixes, documentation updates, and dependency updates. - -_Refer to the [v1.3.0 release notes][v1-3-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-10] - -## v1.2.0 - -_Released 2024-05-16_ - -* This release includes converting singleton lists in the MR APIs to embedded objects, and dependency updates. - -_Refer to the [v1.2.0 release notes][v1-2-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-11] - -## v1.1.0 - -_Released 2024-04-25_ - -* Support for new resources: `RegionNetworkEndpoint.compute.gcp.upbound.io/v1beta1` and `Cluster.containerattached.gcp.upbound.io/v1beta1` -* This release includes a new set of managed resource (MR) metrics, a new family provider `provider-gcp-containerattached`, -new resources, bug fixes, enhancements, and dependency updates. - -_Refer to the [v1.1.0 release notes][v1-1-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-12] - -## v1.0.2 - -_Released 2024-03-21_ - -* Switches to the new API for marking as required the fields. 
The new API marks the fields as required during -the generation without any native resource schema change. -* Adds information logs in the monolithic provider's output that communicate the deprecation and the next steps. -* Adds `SSA` merge strategy to container Cluster's `nodeConfig` to avoid fights over ownership. - -_Refer to the [v1.0.2 release notes][v1-0-2-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-13] - -## v0.41.4 - -_Released 2024-03-21_ - -* Adds information logs in the monolithic provider's output that communicate the deprecation and the next steps. -* Adds `SSA` merge strategy to container Cluster's `nodeConfig` to avoid fights over ownership. - -_Refer to the [v0.41.4 release notes][v0-41-4-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-14] - -## v1.0.1 - -_Released 2024-03-14_ - -* This release sets a default `io.Discard` logger for the controller-runtime if debug logging isn't enabled. - -_Refer to the [v1.0.1 release notes][v1-0-1-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-15] - -## v0.41.3 - -_Released 2024-03-14_ - -* This release sets a default `io.Discard` logger for the controller-runtime if debug logging isn't enabled. - -_Refer to the [v0.41.3 release notes][v0-41-3-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-16] - -## v1.0.0 - -_Released 2024-03-07_ - -* Update the Google Terraform provider version to v5.19.0 -* This release brings support for the conversion functions to be able to handle any future breaking API changes. -* The release contains some important bug fixes, and updates of dependencies. 
- -_Refer to the [v1.0.0 release notes][v1-0-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-17] - -## v0.41.2 - -_Released 2024-02-22_ - -* This release includes some important bug fixes and dependency bumps, please select the release notes for more details. - -_Refer to the [v0.41.2 release notes][v0-41-2-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-18] - -## v0.41.1 - -_Released 2024-01-25_ - -* The release contains updates of dependencies. - -_Refer to the [v0.41.1 release notes][v0-41-1-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-19] - -## v0.41.0 - -_Released 2023-12-28_ - -* Support for new resource: `RegionTargetTCPProxy.compute` -* The release contains some important bug fixes, adding a new resource, and updates of dependencies. - -_Refer to the [v0.41.0 release notes][v0-41-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-20] - -## v0.40.0 - -_Released 2023-12-13_ - -* This release brings a change with how interact with the underlying Terraform GCP provider. Instead of interfacing with -Terraform via the TF CLI, the new implementation consumes the Terraform provider's Go provider schema and invokes the CRUD -functions registered in that schema, and no longer fork the underlying Terraform provider process. - -_Refer to the [v0.40.0 release notes][v0-40-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-21] - -## v0.39.0 - -_Released 2023-11-30_ - -* Support for new resources: `FolderSink.logging`, `FolderExclusion.logging` and `FolderBucketConfig.logging` -* The release contains some bug fixes and updates of dependencies. 
- -_Refer to the [v0.39.0 release notes][v0-39-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-22] - - -## v0.38.1 - -_Released 2023-11-02_ - -* This release updates Crossplane Runtime to v1.14.1 which includes a fix in the retry mechanism while persisting the critical annotations. - -_Refer to the [v0.38.1 release notes][v0-38-1-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-23] - -## v0.38.0 - -_Released 2023-10-26_ - -* The release contains some bug fixes, updates of dependencies, and promoting granular management policies to Beta. - -_Refer to the [v0.38.0 release notes][v0-38-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-24] - -## v0.37.0 - -_Released 2023-09-29_ - -* Update the GCP Terraform provider to v4.77.0 -* Support for new family providers: `provider-gcp-alloydb` and `provider-gcp-vpcaccess` -* Support for new resources: `Backup.alloydb`, `Cluster.alloydb`, `Instance.alloydb` -and `Connector.vpcaccess` -* The release contains some bug fixes and configuring the default poll jitter for the controllers. - -_Refer to the [v0.37.0 release notes][v0-37-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-25] - -## v0.36.0 - -_Released 2023-08-23_ - -* The release contains some important bug fixes to the granular -management policies and a fix in the reconciliation logic of the Upjet runtime. -* Updated Terraform CLI to 1.5.5 to address CVEs in previous Terraform versions. - -_Refer to the [v0.36.0 release notes][v0-36-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-26] - -## v0.35.0 - -_Release 2023-08-01_ - -* This release adds support for the `spec.initProvider` API and for the granular management -policies alpha feature. 
-* Support for new resources: `AccessLevel`, `AccessLevelCondition`, `AccessPolicy`, `AccessPolicyIAMMember`, -`ServicePerimeter`, `ServicePerimeterResource` and `RouterPeer` -* Bug fixes and enhancements. - -_Refer to the [v0.35.0 release notes][v0-35-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-27] - -## v0.34.0 - -_Released 2023-06-27_ - -* ⚠️ The GCP family providers now require Crossplane v1.12.1 or later. -* Bug fixes and enhancements. - -_Refer to the [v0.34.0 release notes][v0-34-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-28] - -## v0.33.0 - -_Released 2023-06-13_ - -* This release introduces the new [provider families architecture][provider-families-architecture] for -the Upbound official GCP provider. -* Bug fixes and enhancements. - -_Refer to the [v0.33.0 release notes][v0-33-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-29] - - - -[support-and-maintenance]: /reference/usage/support -[provider-families-architecture]: /manuals/packages/providers/provider-families - - -[v1-10-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-gcp/releases/tag/v1.10.0 -[upbound-marketplace]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v1.10.0 -[v1-9-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-gcp/releases/tag/v1.9.0 -[upbound-marketplace-1]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v1.9.0 -[v1-8-3-release-notes]: https://github.com/crossplane-contrib/provider-upjet-gcp/releases/tag/v1.8.3 -[upbound-marketplace-2]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v1.8.3 -[v1-8-2-release-notes]: https://github.com/crossplane-contrib/provider-upjet-gcp/releases/tag/v1.8.2 -[upbound-marketplace-3]: 
https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v1.8.2
-[v1-8-1-release-notes]: https://github.com/crossplane-contrib/provider-upjet-gcp/releases/tag/v1.8.1
-[upbound-marketplace-4]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v1.8.1
-[v1-8-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-gcp/releases/tag/v1.8.0
-[upbound-marketplace-5]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v1.8.0
-[v1-7-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-gcp/releases/tag/v1.7.0
-[upbound-marketplace-6]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v1.7.0
-[v1-6-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-gcp/releases/tag/v1.6.0
-[upbound-marketplace-7]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v1.6.0
-[v1-5-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-gcp/releases/tag/v1.5.0
-[upbound-marketplace-8]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v1.5.0
-[v1-4-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-gcp/releases/tag/v1.4.0
-[upbound-marketplace-9]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v1.4.0
-[v1-3-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-gcp/releases/tag/v1.3.0
-[upbound-marketplace-10]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v1.3.0
-[v1-2-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-gcp/releases/tag/v1.2.0
-[upbound-marketplace-11]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v1.2.0
-[v1-1-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-gcp/releases/tag/v1.1.0
-[upbound-marketplace-12]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v1.1.0
-[v1-0-2-release-notes]:
https://github.com/crossplane-contrib/provider-upjet-gcp/releases/tag/v1.0.2
-[upbound-marketplace-13]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v1.0.2
-[v0-41-4-release-notes]: https://github.com/crossplane-contrib/provider-upjet-gcp/releases/tag/v0.41.4
-[upbound-marketplace-14]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v0.41.4
-[v1-0-1-release-notes]: https://github.com/crossplane-contrib/provider-upjet-gcp/releases/tag/v1.0.1
-[upbound-marketplace-15]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v1.0.1
-[v0-41-3-release-notes]: https://github.com/crossplane-contrib/provider-upjet-gcp/releases/tag/v0.41.3
-[upbound-marketplace-16]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v0.41.3
-[v1-0-0-release-notes]: https://github.com/crossplane-contrib/provider-upjet-gcp/releases/tag/v1.0.0
-[upbound-marketplace-17]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v1.0.0
-[v0-41-2-release-notes]: https://github.com/upbound/provider-gcp/releases/tag/v0.41.2
-[upbound-marketplace-18]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v0.41.2
-[v0-41-1-release-notes]: https://github.com/upbound/provider-gcp/releases/tag/v0.41.1
-[upbound-marketplace-19]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v0.41.1
-[v0-41-0-release-notes]: https://github.com/upbound/provider-gcp/releases/tag/v0.41.0
-[upbound-marketplace-20]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v0.41.0
-[v0-40-0-release-notes]: https://github.com/upbound/provider-gcp/releases/tag/v0.40.0
-[upbound-marketplace-21]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v0.40.0
-[v0-39-0-release-notes]: https://github.com/upbound/provider-gcp/releases/tag/v0.39.0
-[upbound-marketplace-22]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v0.39.0
-[v0-38-1-release-notes]:
https://github.com/upbound/provider-gcp/releases/tag/v0.38.1
-[upbound-marketplace-23]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v0.38.1
-[v0-38-0-release-notes]: https://github.com/upbound/provider-gcp/releases/tag/v0.38.0
-[upbound-marketplace-24]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v0.38.0
-[v0-37-0-release-notes]: https://github.com/upbound/provider-gcp/releases/tag/v0.37.0
-[upbound-marketplace-25]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v0.37.0
-[v0-36-0-release-notes]: https://github.com/upbound/provider-gcp/releases/tag/v0.36.0
-[upbound-marketplace-26]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v0.36.0
-[v0-35-0-release-notes]: https://github.com/upbound/provider-gcp/releases/tag/v0.35.0
-[upbound-marketplace-27]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v0.35.0
-[v0-34-0-release-notes]: https://github.com/upbound/provider-gcp/releases/tag/v0.34.0
-[upbound-marketplace-28]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v0.34.0
-[v0-33-0-release-notes]: https://github.com/upbound/provider-gcp/releases/tag/v0.33.0
-[upbound-marketplace-29]: https://marketplace.upbound.io/providers/upbound/provider-family-gcp/v0.33.0
diff --git a/docs/manuals/packages/providers/provider-helm/index.md b/docs/manuals/packages/providers/provider-helm/index.md
deleted file mode 100644
index a87b0ee91..000000000
--- a/docs/manuals/packages/providers/provider-helm/index.md
+++ /dev/null
@@ -1,48 +0,0 @@ ---- -title: Provider Helm -sidebar_position: 1 -description: Release notes for the Helm official provider ---- - -The below release notes are for the Upbound Helm official provider. These -notes only contain noteworthy changes and you should refer to each release's -GitHub release notes for full details. - -For more information on the release cadence and support protocol refer to the -provider [support and maintenance][support-and-maintenance] page. - -:::important -Beginning with `v1.21.0` and later, you need at least a `Team` subscription to pull a given Official Provider version. All prior versions are pullable without a subscription. -If you're not subscribed to Upbound or have an `Individual` tier subscription, you can still always pull **the most recent provider version** using the `v1` tag. -::: - - - -## v0.20.0 - -_Released 2024-11-07_ - -* This release introduces dependency updates and workflow updates. - -_Refer to the [v0.20.0 release notes][v0-20-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace] - -## v0.19.0 - -_Released 2024-07-04_ - -* This release introduces bug fixes, dependency updates and some improvements. - -_Refer to the [v0.19.0 release notes][v0-19-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-1] - - - -[support-and-maintenance]: /reference/usage/support - -[v0-20-0-release-notes]: https://github.com/crossplane-contrib/provider-helm/releases/tag/v0.20.0 -[upbound-marketplace]: https://marketplace.upbound.io/providers/upbound/provider-helm/v0.21.1 -[v0-19-0-release-notes]: https://github.com/crossplane-contrib/provider-helm/releases/tag/v0.19.0 -[upbound-marketplace-1]: https://marketplace.upbound.io/providers/upbound/provider-helm/v0.21.1 
diff --git a/docs/manuals/packages/providers/provider-kubernetes/authentication.md b/docs/manuals/packages/providers/provider-kubernetes/authentication.md
deleted file mode 100644
index 3c5385a8e..000000000
--- a/docs/manuals/packages/providers/provider-kubernetes/authentication.md
+++ /dev/null
@@ -1,218 +0,0 @@ ---- -title: Authentication -sidebar_position: 1 -description: Authentication options with the Upbound Kubernetes official provider ---- - - -The Upbound Official Kubernetes Provider supports many authentication methods. - -* [Upbound Identity][upbound-identity] -* Injected Identity -* Kubeconfigs -* AWS, Azure, and GCP auth mechanisms - -## Upbound Identity - -:::note -This method of authentication is only supported in control planes running on [Upbound Cloud Spaces][upbound-cloud-spaces] -::: - -Use this auth mechanism when you want to use a control plane with provider-kubernetes to interact with [Upbound APIs][upbound-apis]. Upbound Identity can be configured to use the following to authenticate with Upbound: - -- a user's personal access token (PAT) -- a token generated from a robot - - -### Create an access token - - - -This method creates a Robot, the Upbound-equivalent of a service account, and uses it's identity to authenticate and perform actions. - -1. Login to Upbound -```ini -up login -``` - -2. Create a robot -```ini -up robot create "provider-kubernetes" --description="Robot used for authenticating to Upbound by provider-kubernetes" -``` - -3. Create and store an access token for this robot as an environment variable: -```ini -export UPBOUND_TOKEN=$(up robot token create "provider-kubernetes" "provider-kubernetes-token" --file - | jq -r '.token') -``` - -:::note -Follow the [`jq` installation guide][jq-install] if your machine doesn't include -it by default. -::: - - -4. Assign the robot [to a team][to-a-team] and use Upbound RBAC to [grant the team a role][grant-the-team-a-role] for permissions. - - - -Create a personal access token and store it as an environment variable. - -```ini -export UPBOUND_TOKEN="YOUR_API_TOKEN" -``` - - - - -### Generate a kubeconfig for Upbound APIs - -Upbound APIs are Kubernetes-compatible. 
Generate a kubeconfig for the context you want to interact with: - -- [Generate a kubeconfig for a Space][generate-a-kubeconfig-for-a-space] -- [Generate a kubeconfig for a control plane in a Space][generate-a-kubeconfig-for-a-control-plane-in-a-space] - -Set the desired context path below depending on your use case. Generate a kubeconfig according to the token method you followed in the prior section. - - - - -1. Login to Upbound with the robot access token: -```ini -up login -t $UPBOUND_TOKEN -``` - -2. Set your Upbound context: -```ini -up ctx org/space/group/control-plane -up ctx . -f - > upbound-context.yaml -``` - - - - - -1. Login to Upbound: -```ini -up login -``` - -2. Set your Upbound context: -```ini -up ctx org/space/group/control-plane -up ctx . -f - > upbound-context.yaml -``` - - - - -Store the generated context as an environment variable: - -```ini -export CONTROLPLANE_CONFIG=upbound-context.yaml -``` - -### Create secrets to store configs - -In the control plane where you've installed provider-kubernetes, store the tokens created in the earlier step as secrets: - -```ini -kubectl -n crossplane-system create secret generic cluster-config --from-file=kubeconfig=$CONTROLPLANE_CONFIG -kubectl -n crossplane-system create secret generic upbound-credentials --from-literal=token=$UPBOUND_TOKEN -``` - -### Create a ProviderConfig - -Create a ProviderConfig to set the provider authentication method to UpboundTokens. - -```yaml -apiVersion: kubernetes.crossplane.io/v1alpha1 -kind: ProviderConfig -metadata: - name: default -spec: - credentials: - secretRef: - key: kubeconfig - name: cluster-config - namespace: crossplane-system - source: Secret - identity: - secretRef: - key: token - name: upbound-credentials - namespace: crossplane-system - source: Secret - type: UpboundTokens -``` - -## Injected Identity - -Use this auth mechanism when you want to configure a control plane to use provider-kubernetes to manage or interact with resources in itself. 
Injected Identity configures the provider to use a `cluster-admin` role defined in itself. - -### Create a ProviderConfig - -```yaml -apiVersion: kubernetes.crossplane.io/v1alpha1 -kind: ProviderConfig -metadata: - name: default -spec: - credentials: - source: InjectedIdentity -``` - -### Create a DeploymentRuntimeConfig - -Create a _ClusteRoleBinding_ and _DeploymentRuntimeConfig_ to allow the provider to be granted the `cluster-admin` role. - -```yaml -apiVersion: pkg.crossplane.io/v1beta1 -kind: DeploymentRuntimeConfig -metadata: - name: provider-kubernetes -spec: - serviceAccountTemplate: - metadata: - name: provider-kubernetes ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: provider-kubernetes-cluster-admin -subjects: - - kind: ServiceAccount - name: provider-kubernetes - namespace: crossplane-system -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io -``` - -Reference this _DeploymentRuntimeConfig_ to complete the configuration of the provider: - -```yaml -apiVersion: pkg.crossplane.io/v1 -kind: Provider -metadata: - name: provider-kubernetes -spec: - package: xpkg.upbound.io/upbound/provider-kubernetes:v0.16.0 - runtimeConfigRef: - apiVersion: pkg.crossplane.io/v1beta1 - kind: DeploymentRuntimeConfig - name: provider-kubernetes -``` - -## Other auth mechanisms - -Read the provider-kubernetes examples for examples of how to configure the provider with other auth mechanisms. 
-
-[jq-install]: https://jqlang.org/download/
-[upbound-identity]: /manuals/platform/howtos/oidc
-[upbound-cloud-spaces]: /manuals/spaces/overview
-[upbound-apis]: /manuals/spaces/howtos/self-hosted/gitops/#gitops-for-upbound-resources
-[to-a-team]: /manuals/platform/concepts/identity-management/robots/#assign-a-robot-to-a-team
-[grant-the-team-a-role]: /manuals/platform/concepts/authorization/upbound-rbac/#assign-group-role-permissions
-[generate-a-kubeconfig-for-a-space]: /manuals/cli/howtos/context-config/#generate-a-kubeconfig-for-a-space
-[generate-a-kubeconfig-for-a-control-plane-in-a-space]: /manuals/cli/howtos/context-config/#generate-a-kubeconfig-for-a-control-plane-in-a-group
diff --git a/docs/manuals/packages/providers/provider-kubernetes/index.md b/docs/manuals/packages/providers/provider-kubernetes/index.md
deleted file mode 100644
index 5781eaa71..000000000
--- a/docs/manuals/packages/providers/provider-kubernetes/index.md
+++ /dev/null
@@ -1,49 +0,0 @@ ---- -title: Provider Kubernetes -sidebar_position: 1 -description: Release notes for the Kubernetes official provider ---- - -The below release notes are for the Upbound Kubernetes official provider. These -notes only contain noteworthy changes and you should refer to each release's -GitHub release notes for full details. - -For more information on the release cadence and support protocol refer to the -provider [support and maintenance][support-and-maintenance] page. - -:::important -Beginning with `v1.21.0` and later, you need at least a `Team` subscription to pull a given Official Provider version. All prior versions are pullable without a subscription. -If you're not subscribed to Upbound or have an `Individual` tier subscription, you can still always pull **the most recent provider version** using the `v1` tag. -::: - - - -## v0.16.0 - -_Released 2024-11-07_ - -* This release introduces dependency updates and workflow updates. - -_Refer to the [v0.16.0 release notes][v0-16-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace] - -## v0.15.0 - -_Released 2024-09-17_ - -* This release introduces Alpha support for Server Side Apply. -Enable this feature using the `--enable-server-side-apply` flag. - -_Refer to the [v0.15.0 release notes][v0-15-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-1] - - - -[support-and-maintenance]: /reference/usage/support - -[v0-16-0-release-notes]: https://github.com/crossplane-contrib/provider-kubernetes/releases/tag/v0.16.0 -[upbound-marketplace]: https://marketplace.upbound.io/providers/upbound/provider-kubernetes/v0.16.0 -[v0-15-0-release-notes]: https://github.com/crossplane-contrib/provider-kubernetes/releases/tag/v0.15.0 -[upbound-marketplace-1]: https://marketplace.upbound.io/providers/upbound/provider-kubernetes/v0.15.0 
diff --git a/docs/manuals/packages/providers/provider-terraform/index.md b/docs/manuals/packages/providers/provider-terraform/index.md
index 91ce18b4a..a7b7638da 100644
--- a/docs/manuals/packages/providers/provider-terraform/index.md
+++ b/docs/manuals/packages/providers/provider-terraform/index.md
@@ -1,174 +1,56 @@ --- title: Provider Terraform sidebar_position: 1 -description: Release notes for the Terraform official provider +description: Execute Terraform modules from Crossplane --- -The below release notes are for the Upbound Terraform official provider. These -notes only contain noteworthy changes and you should refer to each release's -GitHub release notes for full details. +The Upbound Terraform Provider enables you to execute Terraform modules directly from Crossplane. This allows you to integrate existing Terraform configurations into your Crossplane-managed infrastructure. + +## Overview + -For more information on the release cadence and support protocol refer to the -provider [support and maintenance][support-and-maintenance] page. +Provider Terraform bridges the gap between Terraform and Crossplane, enabling you to: -:::important -Beginning with `v1.21.0` and later, you need at least a `Team` subscription to pull a given Official Provider version. All prior versions are pullable without a subscription. -If you're not subscribed to Upbound or have an `Individual` tier subscription, you can still always pull **the most recent provider version** using the `v1` tag. -::: +- Execute existing Terraform modules as Crossplane managed resources +- Leverage your team's existing Terraform expertise +- Gradually migrate infrastructure from Terraform to native Crossplane providers +- Use Terraform for resources not yet available in Crossplane providers - +## Installation -## v0.19.0 +Install the provider from the [Upbound Marketplace][upbound-marketplace]: -_Released 2024-11-05_ +```yaml +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: provider-terraform +spec: + package: xpkg.upbound.io/upbound/provider-terraform:v0.19.0 +``` -* This release introduces dependency updates and workflow updates. +## Release notes + +Release notes for provider-terraform are published on the [Upbound Marketplace listing][upbound-marketplace]. 
The marketplace includes: + -_Refer to the [v0.19.0 release notes][v0-19-0-release-notes] for full details._ +- Current and historical release notes +- Version-specific changelogs +- Installation instructions +- API documentation -Install the provider from the [Upbound Marketplace][upbound-marketplace] +## Migration guides -## v0.18.0 +If you're migrating from standalone Terraform to provider-terraform, or migrating existing provider-terraform configurations, see the following guides: -_Released 2024-08-29_ +- [Migrate Terraform configurations][migrate-hcl] - Convert `HCL` configurations to provider-terraform +- [Migrate provider-terraform configurations][migrate-provider-tf] - Update between provider-terraform versions -* This release introduces JSON format for inline module, bug fixes, and dependency updates. - -_Refer to the [v0.18.0 release notes][v0-18-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-1] - -## v0.17.0 - -_Released 2024-07-11_ - -* This release includes some important bug fixes, enhancements, and dependency updates. - -_Refer to the [v0.17.0 release notes][v0-17-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-2] - -## v0.16.0 - -_Released 2024-04-25_ - -* This release includes adding support for setting environment variables in a workspace and dependency updates. - -_Refer to the [v0.16.0 release notes][v0-16-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-3] - -## v0.15.0 - -_Released 2024-03-28_ - -* Swaps the `SYNCED` and `READY` columns in the kubectl get workspace output so that they -read left-to-right in the order that you would expect them to occur. -* The release contains bug fixes and updates of dependencies. 
- -_Refer to the [v0.15.0 release notes][v0-15-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-4] - -## v0.14.1 - -_Released 2024-02-07_ - -* The release makes the terraform harness only take the lock if the plugin cache enabled. - -_Refer to the [v0.14.1 release notes][v0-14-1-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-5] - -## v0.14.0 - -_Released 2024-01-25_ - -* The release contains adding support for defining the `backend` file content, and updates of dependencies. - -_Refer to the [v0.14.0 release notes][v0-14-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-6] - -## v0.13.0 - -_Released 2023-12-28_ - -* The release contains updates of dependencies, and promoting granular management policies to Beta. - -_Refer to the [v0.13.0 release notes][v0-13-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-7] - -## v0.12.0 - -_Released 2023-11-30_ - -* Adds example for `provider config` terraform for Azure. -* The release contains some bug fixes and updates of dependencies. - -_Refer to the [v0.12.0 release notes][v0-12-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-8] - -## v0.11.0 - -_Released 2023-10-26_ - -* This release adds support for jitter. -* Upgrade terraform binary to v1.5.5 - -_Refer to the [v0.11.0 release notes][v0-11-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-9] - -## v0.10.0 - -_Released 2023-08-17_ - -* This release adds support for nested objects in output. 
-* Upgrade alpine Docker tag to v3.18.3 - -_Refer to the [v0.10.0 release notes][v0-10-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-10] - -## v0.9.0 - -_Released 2023-08-01_ - -* This release adds example of random value generators. -* Upgrade terraform binary to v1.5.2 - -_Refer to the [v0.9.0 release notes][v0-9-0-release-notes] for full details._ - -Install the provider from the [Upbound Marketplace][upbound-marketplace-11] - +## Support +For more information on the release cadence and support protocol refer to the provider [support and maintenance][support-and-maintenance] page. +[migrate-hcl]: /manuals/packages/providers/provider-terraform/migrate-hcl/ +[migrate-provider-tf]: /manuals/packages/providers/provider-terraform/migrate-provider-tf/ +[upbound-marketplace]: https://marketplace.upbound.io/providers/upbound/provider-terraform/latest [support-and-maintenance]: /reference/usage/support - -[v0-19-0-release-notes]: https://github.com/upbound/provider-terraform/releases/tag/v0.19.0 -[upbound-marketplace]: https://marketplace.upbound.io/providers/upbound/provider-terraform/v0.19.0 -[v0-18-0-release-notes]: https://github.com/upbound/provider-terraform/releases/tag/v0.18.0 -[upbound-marketplace-1]: https://marketplace.upbound.io/providers/upbound/provider-terraform/v0.18.0 -[v0-17-0-release-notes]: https://github.com/upbound/provider-terraform/releases/tag/v0.17.0 -[upbound-marketplace-2]: https://marketplace.upbound.io/providers/upbound/provider-terraform/v0.17.0 -[v0-16-0-release-notes]: https://github.com/upbound/provider-terraform/releases/tag/v0.16.0 -[upbound-marketplace-3]: https://marketplace.upbound.io/providers/upbound/provider-terraform/v0.16.0 -[v0-15-0-release-notes]: https://github.com/upbound/provider-terraform/releases/tag/v0.15.0 -[upbound-marketplace-4]: https://marketplace.upbound.io/providers/upbound/provider-terraform/v0.15.0 -[v0-14-1-release-notes]: 
https://github.com/upbound/provider-terraform/releases/tag/v0.14.1 -[upbound-marketplace-5]: https://marketplace.upbound.io/providers/upbound/provider-terraform/v0.14.1 -[v0-14-0-release-notes]: https://github.com/upbound/provider-terraform/releases/tag/v0.14.0 -[upbound-marketplace-6]: https://marketplace.upbound.io/providers/upbound/provider-terraform/v0.14.0 -[v0-13-0-release-notes]: https://github.com/upbound/provider-terraform/releases/tag/v0.13.0 -[upbound-marketplace-7]: https://marketplace.upbound.io/providers/upbound/provider-terraform/v0.13.0 -[v0-12-0-release-notes]: https://github.com/upbound/provider-terraform/releases/tag/v0.12.0 -[upbound-marketplace-8]: https://marketplace.upbound.io/providers/upbound/provider-terraform/v0.12.0 -[v0-11-0-release-notes]: https://github.com/upbound/provider-terraform/releases/tag/v0.11.0 -[upbound-marketplace-9]: https://marketplace.upbound.io/providers/upbound/provider-terraform/v0.11.0 -[v0-10-0-release-notes]: https://github.com/upbound/provider-terraform/releases/tag/v0.10.0 -[upbound-marketplace-10]: https://marketplace.upbound.io/providers/upbound/provider-terraform/v0.10.0 -[v0-9-0-release-notes]: https://github.com/upbound/provider-terraform/releases/tag/v0.9.0 -[upbound-marketplace-11]: https://marketplace.upbound.io/providers/upbound/provider-terraform/v0.9.0 diff --git a/docs/manuals/packages/providers/provider-terraform/migrate-hcl.md b/docs/manuals/packages/providers/provider-terraform/migrate-hcl.md index ce0630a4e..57beac671 100644 --- a/docs/manuals/packages/providers/provider-terraform/migrate-hcl.md +++ b/docs/manuals/packages/providers/provider-terraform/migrate-hcl.md 
@@ -529,11 +529,11 @@ configuration. [migrating-from-terraform-to-crossplane-guide]: /manuals/packages/providers/provider-terraform/migrate-provider-tf -[authentication-keys]: /manuals/packages/manuals/packages/providers/provider-aws/authentication -[web-identity]: /manuals/packages/manuals/packages/providers/provider-aws/authentication -[service-accounts]: /manuals/packages/manuals/packages/providers/provider-aws/authentication -[provider-azure]: /manuals/packages/manuals/packages/providers/provider-azure/authentication -[provider-gcp]: /manuals/packages/manuals/packages/providers/provider-gcp/authentication +[authentication-keys]: /manuals/packages/providers/authentication#aws-access-keys +[web-identity]: /manuals/packages/providers/authentication#aws-webidentity +[service-accounts]: /manuals/packages/providers/authentication#aws-irsa +[provider-azure]: /manuals/packages/providers/authentication#azure-service-principal +[provider-gcp]: /manuals/packages/providers/authentication#gcp-service-account-keys [upbound-marketplace]: https://marketplace.upbound.io diff --git a/docs/manuals/packages/providers/provider-terraform/migrate-provider-tf.md b/docs/manuals/packages/providers/provider-terraform/migrate-provider-tf.md index a14d25682..9af796dc4 100644 --- a/docs/manuals/packages/providers/provider-terraform/migrate-provider-tf.md +++ b/docs/manuals/packages/providers/provider-terraform/migrate-provider-tf.md @@ -163,7 +163,7 @@ spec: - key: vmName value: crossplanevm ``` - + :::warning This configuration won't work if applied now. ::: 
@@ -173,18 +173,6 @@ This configuration won't work if applied now. The provider configuration handles authentication. You must create a Kubernetes secret file to authenticate with your AWS account. -The provider supports AWS authentication with: -The provider supports AWS authentication with: - - - - - -:::note -For more information on cloud provider authentication, read the - -::: - This guide uses the authentication key method. Download your AWS credentials and save them to a new file called `aws-credentials`. @@ -312,6 +300,7 @@ spec: :::warning This configuration won't work as is. Review the [example backend configuration][example-backend-configuration] and the [Terraform File documentation][terraform-file-documentation] ::: + You can apply this `ProviderConfig` and let Crossplane continuously reconcile the resources in your cloud provider and update the state file. @@ -331,11 +320,11 @@ definition, composition, and claim. -[authentication-keys]: /manuals/packages/manuals/packages/providers/provider-aws/authentication -[web-identity]: /manuals/packages/manuals/packages/providers/provider-aws/authentication -[service-accounts]: /manuals/packages/manuals/packages/providers/provider-aws/authentication -[provider-azure]: /manuals/packages/manuals/packages/providers/provider-azure/authentication -[provider-gcp]: /manuals/packages/manuals/packages/providers/provider-gcp/authentication +[authentication-keys]: /manuals/packages/providers/authentication#aws-access-keys +[web-identity]: /manuals/packages/providers/authentication#aws-webidentity +[service-accounts]: /manuals/packages/providers/authentication#aws-irsa +[provider-azure]: /manuals/packages/providers/authentication#azure-service-principal +[provider-gcp]: /manuals/packages/providers/authentication#gcp-service-account-keys [install-crossplane]: https://docs.crossplane.io/latest/get-started/install/ 
diff --git a/docs/manuals/platform/howtos/oidc.md b/docs/manuals/platform/howtos/oidc.md index 5a503c150..a7e637b79 100644 --- a/docs/manuals/platform/howtos/oidc.md +++ b/docs/manuals/platform/howtos/oidc.md @@ -54,11 +54,13 @@ spec: When a team creates resources with the control plane, reference the appropriate ProviderConfig to use from the `spec.providerConfigRef` field of any managed resource. + :::tip The example above demonstrates ProviderConfigs using static account credentials. **Don't use this auth method for production purposes.** Instead, configure your -providers to use Upbound Identity, which is based on OIDC and described below. +providers to use Upbound Identity, based on OIDC and described below. ::: + ## Use OpenID Connect with Upbound @@ -167,10 +169,10 @@ spec: name: aws-audience ``` -The provider or function pod will now contain an Upbound OIDC token with the audience set to `my-audience-name`. The token is located in `/var/run/secrets/upbound.io/provider/token` both for provider and function pods. +The provider or function pod now contains an Upbound OIDC token with the audience set to `my-audience-name`. The token in `/var/run/secrets/upbound.io/provider/token` applies to both provider and function pods. :::warning -Note that the audience gets automatically set on AWS, Azure, and GCP Official providers and can't be customized. +You can't customize the audience on AWS, Azure, and GCP Official providers because the audience is automatic. ::: ## OIDC explained 
@@ -242,11 +244,12 @@ For example, the following would be a valid _subject_ for `provider-aws` in a co ``` mcp:my-org/prod-1:provider:provider-aws ``` - + You can include an optional `group` field in the trust path as an additional security measure. This ensures the control plane has the correct name _and_ -correct group to prevent cross-group impersonation from another admin in another +correct group to prevent cross-group impersonation from another administrator in another group. + Add the following control plane annotation to include the `group` field: @@ -275,12 +278,13 @@ The claims for an identity token injected into the file system of a provider in "jti": "YL1ouQ5KJiTY2QShIRczqQ==" } ``` - + :::tip Identity tokens injected into a provider `Pod` are valid for 1 hour. These tokens automatically refresh before expiration to ensure there is no interruption in service. ::: + ## Add Upbound OIDC to a Crossplane provider @@ -290,8 +294,8 @@ View [this Pull Request][this-pull-request] for a reference implementation. [control-plane-management]: /manuals/spaces/concepts/control-planes -[provider-azure-authentication]:/manuals/packages/providers/provider-azure/authentication/#upbound-auth-oidc -[provider-gcp-authentication]:/manuals/packages/providers/provider-gcp/authentication/#upbound-auth-oidc +[provider-azure-authentication]:/manuals/packages/providers/authentication#azure-upbound-oidc +[provider-gcp-authentication]:/manuals/packages/providers/authentication#gcp-upbound-oidc [crossplane-providers]: https://docs.crossplane.io/latest/packages/providers/ [marketplace]: https://marketplace.upbound.io/providers [providerconfig]: https://docs.crossplane.io/latest/concepts/providers/#provider-configuration 
@@ -301,7 +305,7 @@ View [this Pull Request][this-pull-request] for a reference implementation.
 [workload-identity]: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
 [openid-connect-oidc]: https://openid.net/connect/
 [oauth-2-0]: https://oauth.net/2/
-[provider-aws-authentication]:/manuals/packages/providers/provider-aws/authentication/#upbound-auth-oidc
+[provider-aws-authentication]:/manuals/packages/providers/authentication#aws-upbound-oidc
 [_deploymentruntimeconfig_]: https://docs.crossplane.io/latest/concepts/providers/#runtime-configuration
 [provider-helm]: https://marketplace.upbound.io/providers/upbound/provider-helm/
 [json-web-tokens-jwts]: https://www.rfc-editor.org/rfc/rfc7519
diff --git a/docs/manuals/uxp/concepts/packages/provider-authentication.md b/docs/manuals/uxp/concepts/packages/provider-authentication.md
index 4a1e9bc8b..fe50b70a0 100644
--- a/docs/manuals/uxp/concepts/packages/provider-authentication.md
+++ b/docs/manuals/uxp/concepts/packages/provider-authentication.md
@@ -361,9 +361,9 @@ Now that you have authenticated with your provider, the next step is to [build y
 [build-your-control-plane-project]: /manuals/cli/howtos/building-pushing
-[provider-documentation]: /manuals/packages/providers/provider-aws/authentication
+[provider-documentation]: /manuals/packages/providers/authentication#aws-authentication
 [download-your-aws-access-key]: https://aws.github.io/aws-sdk-go-v2/docs/getting-started/#get-your-aws-access-keys
-[provider-documentation-1]: /manuals/packages/providers/provider-azure/authentication
+[provider-documentation-1]: /manuals/packages/providers/authentication#azure-authentication
 [install-guide]: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli
-[provider-documentation-2]: /manuals/packages/providers/provider-gcp/authentication
+[provider-documentation-2]: /manuals/packages/providers/authentication#gcp-authentication
 [download-your-gcp-service-account-key]: https://cloud.google.com/iam/docs/keys-create-delete#creating
diff --git a/package.json b/package.json
index e21dc7cb4..9cc0d72af 100644
--- a/package.json
+++ b/package.json
@@ -4,7 +4,7 @@
 "private": true,
 "scripts": {
 "docusaurus": "docusaurus",
- "start": "npm run process-crds && docusaurus start",
+ "start": "npm run process-crds && docusaurus start --host 0.0.0.0",
 "build": "npm run process-crds && docusaurus build",
 "swizzle": "docusaurus swizzle",
 "deploy": "docusaurus deploy",
diff --git a/vercel.json b/vercel.json
index fd8fafb16..d23f7a87a 100644
--- a/vercel.json
+++ b/vercel.json
@@ -237,7 +237,12 @@
 },
 {
 "source": "/providers/provider-aws/authentication(/)?",
- "destination": "/manuals/packages/providers/provider-aws/authentication",
+ "destination": "/manuals/packages/providers/authentication#aws-authentication",
+ "permanent": true
+ },
+ {
+ "source": "/manuals/packages/providers/provider-aws/authentication(/)?",
+ "destination": "/manuals/packages/providers/authentication#aws-authentication",
 "permanent": true
 },
 {
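Review bot: The `--host 0.0.0.0` added to the `start` script makes the Docusaurus dev server listen on every network interface for anyone who runs `npm start`, not only in the container or VM setup that presumably motivated it, so the unauthenticated dev server and its live-reload endpoint become reachable from other machines on the same network. Keep `start` on the default loopback binding and make the all-interfaces binding an opt-in script, e.g. `"start": "npm run process-crds && docusaurus start",` alongside `"start:docker": "npm run process-crds && docusaurus start --host 0.0.0.0",`. If the flag has to stay in `start`, a one-line note in the contributor docs saying why it is needed and what it exposes would be worth adding.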
@@ -247,7 +252,12 @@
 },
 {
 "source": "/providers/provider-azure/authentication(/)?",
- "destination": "/manuals/packages/providers/provider-azure/authentication",
+ "destination": "/manuals/packages/providers/authentication#azure-authentication",
+ "permanent": true
+ },
+ {
+ "source": "/manuals/packages/providers/provider-azure/authentication(/)?",
+ "destination": "/manuals/packages/providers/authentication#azure-authentication",
 "permanent": true
 },
 {
@@ -267,7 +277,12 @@
 },
 {
 "source": "/providers/provider-gcp/authentication(/)?",
- "destination": "/manuals/packages/providers/provider-gcp/authentication",
+ "destination": "/manuals/packages/providers/authentication#gcp-authentication",
+ "permanent": true
+ },
+ {
+ "source": "/manuals/packages/providers/provider-gcp/authentication(/)?",
+ "destination": "/manuals/packages/providers/authentication#gcp-authentication",
 "permanent": true
 },
 {
@@ -282,7 +297,12 @@
 },
 {
 "source": "/providers/provider-kubernetes/authentication(/)?",
- "destination": "/manuals/packages/providers/provider-kubernetes/authentication",
+ "destination": "/manuals/packages/providers/authentication#kubernetes-authentication",
+ "permanent": true
+ },
+ {
+ "source": "/manuals/packages/providers/provider-kubernetes/authentication(/)?",
+ "destination": "/manuals/packages/providers/authentication#kubernetes-authentication",
 "permanent": true
 },
 {