Create one ProviderConfig per AWS account and label each one (metadata.labels: account-tier: prod and account-id: <account-id>); each ProviderConfig either references a Secret holding that account's credentials or uses IRSA via spec.credentials.source: InjectedIdentity
In the Composition, set spec.resources[].providerConfigRef.name with a patch from the composite resource claim field: patches: [{type: FromCompositeFieldPath, fromFieldPath: spec.accountTier, toFieldPath: spec.providerConfigRef.name, transforms: [{type: map, map: {prod: prod-aws-config}}]}]
Alternatively, use a ProviderConfigReference with policy.resolve: IfNotPresent and label selectors, if your Crossplane version supports selector-based ProviderConfig resolution in the function pipeline
Grant the Crossplane provider's ServiceAccount IAM permission to assume the target-account roles, using assume_role in the ProviderConfig credentials block or the IRSA role's trust policy
Test by submitting a claim that should target the staging ProviderConfig and verifying that the managed resource appears in the correct AWS account, using aws sts get-caller-identity and the provider pod logs
Set spec.reclaimPolicy on managed resources to Delete or Retain according to how critical the account's data is; Retain prevents accidental deletion during Composition teardown
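The steps above wired together, as an added example that is not from the original page or from the Crossplane project: two labelled ProviderConfigs for the community provider-aws (aws.crossplane.io) using InjectedIdentity plus a cross-account assume-role hop, a Composition whose composed S3 Bucket is routed to the ProviderConfig chosen by the claim's spec.accountTier, and a claim that targets the staging account. The ProviderConfig names, the example.org XBucket/Bucket XRD (assumed to exist, with a string field spec.accountTier), the account IDs and the role names are placeholders; the assumeRoleARN field name is the one I know from crossplane-contrib provider-aws, so check it against your installed provider's ProviderConfig CRD. Managed resources in the provider versions I know use spec.deletionPolicy (Orphan keeps the AWS resource when the composed resource is deleted), which is the knob that does what the Retain step above describes.

```yaml
# Added example, not from the original page. All names, account IDs and
# role ARNs are placeholders; an XRD for XBucket/Bucket with spec.accountTier
# is assumed to be installed already.
---
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: prod-aws-config
  labels:
    account-tier: prod
    account-id: "111111111111"        # placeholder account id
spec:
  credentials:
    source: InjectedIdentity          # IRSA: the provider pod's SA carries the role annotation
  # Cross-account hop: the IRSA role in the management account assumes this
  # role inside the prod account. Field name as in crossplane-contrib
  # provider-aws; verify against your provider's ProviderConfig CRD.
  assumeRoleARN: arn:aws:iam::111111111111:role/crossplane-provider
---
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: staging-aws-config
  labels:
    account-tier: staging
    account-id: "222222222222"        # placeholder account id
spec:
  credentials:
    source: InjectedIdentity
  assumeRoleARN: arn:aws:iam::222222222222:role/crossplane-provider
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: xbuckets.example.org
spec:
  compositeTypeRef:
    apiVersion: example.org/v1alpha1
    kind: XBucket
  resources:
    - name: bucket
      base:
        apiVersion: s3.aws.crossplane.io/v1beta1
        kind: Bucket
        spec:
          deletionPolicy: Orphan      # keep the S3 bucket if the composite is torn down
          forProvider:
            locationConstraint: eu-west-1
      patches:
        # Route this composed resource to the account named by the claim.
        - type: FromCompositeFieldPath
          fromFieldPath: spec.accountTier
          toFieldPath: spec.providerConfigRef.name
          policy:
            fromFieldPath: Required   # a claim without accountTier fails instead of silently using "default"
          transforms:
            - type: map
              map:
                prod: prod-aws-config
                staging: staging-aws-config
---
apiVersion: example.org/v1alpha1
kind: Bucket                          # claim kind defined by the assumed XRD
metadata:
  name: team-a-logs
  namespace: team-a
spec:
  accountTier: staging                # must match a map key above
  compositionRef:
    name: xbuckets.example.org
```

After applying the claim, the quickest check that the routing worked is to read the composed resource's resolved reference, for example `kubectl get bucket.s3.aws.crossplane.io -o jsonpath='{.items[*].spec.providerConfigRef.name}'`, and confirm it says staging-aws-config before checking the AWS side; the `policy.fromFieldPath: Required` setting matters because a composed resource with no providerConfigRef falls back to the ProviderConfig named `default`, which is the wrong account by definition in a multi-account setup.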
Known gotchas
ProviderConfigs are cluster-scoped, and the Crossplane provider does not enforce tenant isolation between namespaces. A claim in any namespace can reference any ProviderConfig unless Kubernetes RBAC denies that namespace access to the CompositeResource kind
Using IRSA with Crossplane requires the provider pod's ServiceAccount to carry the correct eks.amazonaws.com/role-arn annotation and the IAM role's trust policy to trust the cluster's OIDC provider; leaving the OIDC provider ARN out of the trust policy is a common misconfiguration
Patching providerConfigRef.name with a map transform requires the incoming claim field value to match a map key exactly; an unrecognized value makes the managed resource fail with "no matching transform output" rather than a clear error
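Two layers of defence against the unrecognized-value gotcha above, as an added example that is not from the original page or from the Crossplane project. First, the XRD schema restricts spec.accountTier to an enum, so the API server rejects a bad claim at admission with a readable validation error before the Composition runs at all. Second, the patch uses Crossplane's match transform with an explicit fallback instead of a bare map transform, so a value that slips through still lands on a deliberately non-existent ProviderConfig name (visible in the managed resource's status as a missing ProviderConfig) and can never fall back to the ProviderConfig named `default`. The names (example.org, XBucket/Bucket, prod-aws-config, staging-aws-config, unknown-tier-DENY) are placeholders, the patch entry is a drop-in replacement for the patches list of a Composition's resources[] entry, and the match transform needs a Crossplane version that ships it.

```yaml
# Added example, not from the original page. Names are placeholders.
---
apiVersion: apiextensions.crossplane.io/v1
kind: CompositeResourceDefinition
metadata:
  name: xbuckets.example.org
spec:
  group: example.org
  names:
    kind: XBucket
    plural: xbuckets
  claimNames:
    kind: Bucket
    plural: buckets
  versions:
    - name: v1alpha1
      served: true
      referenceable: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              required: [accountTier]
              properties:
                accountTier:
                  type: string
                  enum: [prod, staging]   # any other value is rejected at admission time
---
# Drop-in replacement for the patches list under resources[].patches in the
# Composition: same source and target fields, but a match transform with a
# fallback instead of a map transform without one.
patches:
  - type: FromCompositeFieldPath
    fromFieldPath: spec.accountTier
    toFieldPath: spec.providerConfigRef.name
    policy:
      fromFieldPath: Required             # missing field is an error, not a silent "default"
    transforms:
      - type: match
        match:
          patterns:
            - type: literal
              literal: prod
              result: prod-aws-config
            - type: literal
              literal: staging
              result: staging-aws-config
          fallbackTo: Value
          fallbackValue: unknown-tier-DENY  # no ProviderConfig has this name, so the MR cannot reconcile
```

The enum is the layer that actually produces a clear error for the person who wrote the claim; the fallback is belt-and-braces for anything that reaches the Composition through another path (for example a composite created directly rather than through a claim) and guarantees the failure mode is "ProviderConfig not found" on the managed resource rather than a resource created in whichever account `default` points at.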