Configure Crossplane ProviderConfig for multi-account AWS access using IAM role assumption per composite resource with selector-based config references
Create multiple ProviderConfig objects, each specifying a distinct IAM role ARN to assume, and label them with identifying metadata such as account ID or environment
In the Composition, use a providerConfigRef patch that reads a field from the composite resource spec and maps it to the appropriate ProviderConfig name using a conversion or string transform
Alternatively, configure a ProviderConfig selector in the Composition using matchLabels to dynamically resolve the correct ProviderConfig based on labels present on the composite resource
Validate the IRSA or OIDC trust policy on each target IAM role to ensure the Crossplane provider's service account identity is allowed to assume it
Apply a test composite resource targeting each account and confirm that managed resources are created in the correct AWS account by inspecting the resource ARNs in their status
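The ProviderConfig, the Composition patch, and the status-ARN check described above as one worked example. This is added here and is not the page's or Crossplane's own code; it assumes Upbound provider-aws (aws.upbound.io/v1beta1), IRSA as the source credential, a hypothetical composite type XBucket whose XRD declares spec.parameters.environment and status.bucketArn, and placeholder account IDs and role names.

```yaml
# Added example (not from the page or Crossplane docs). Assumes Upbound
# provider-aws, IRSA source credentials, and placeholder account IDs/roles.
apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: account-prod
  labels:                       # identifying metadata for selection
    aws-account-id: "111111111111"   # placeholder account ID
    environment: prod
spec:
  credentials:
    source: IRSA                # the pod's service-account role is the source role
  assumeRoleChain:              # target role; its trust policy must name the source role
    - roleARN: arn:aws:iam::111111111111:role/crossplane-target   # placeholder
---
# Repeat the ProviderConfig above per account (e.g. name: account-staging).
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: xbuckets.example.org
spec:
  compositeTypeRef:
    apiVersion: example.org/v1alpha1   # hypothetical composite type
    kind: XBucket
  resources:
    - name: bucket
      base:
        apiVersion: s3.aws.upbound.io/v1beta1
        kind: Bucket
        spec:
          forProvider:
            region: us-east-1
      patches:
        # Map the composite's environment field to a ProviderConfig name.
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.environment
          toFieldPath: spec.providerConfigRef.name
          transforms:
            - type: map
              map:
                prod: account-prod
                staging: account-staging
          policy:
            fromFieldPath: Required   # missing field fails the patch instead of silently using ProviderConfig "default"
        # Surface the bucket ARN so the target account can be verified on the composite.
        - type: ToCompositeFieldPath
          fromFieldPath: status.atProvider.arn
          toFieldPath: status.bucketArn
```

With the Required policy, a composite that omits the environment field is reported as failing to patch rather than quietly landing its resources in whatever account the "default" ProviderConfig points at.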
Known gotchas
Crossplane provider pods assume the source role first and then chain to the target role; if the trust policy on the target role does not include the source role ARN, assumption silently fails and the managed resource stays in a creating state indefinitely
ProviderConfig objects are cluster-scoped; a single misconfigured ProviderConfig can affect all Compositions that resolve to it, so label selectors must be precise to avoid accidental cross-account resource creation
When using selector-based ProviderConfig resolution, the selector is evaluated at reconciliation time; changing labels on a composite resource mid-lifecycle can cause the provider config to switch and trigger unexpected drift