{
  "id": "4de50aab-5fc9-4d6d-961b-ae2e82ded491",
  "task": "Implement Crossplane ProviderConfig with selector-based references for multi-account AWS access without hardcoding account IDs in Compositions",
  "domain": "docs.crossplane.io",
  "steps": [
    "Create one ProviderConfig per AWS account, labeling each: metadata.labels: account-tier: prod and account-id: <account-id>; each ProviderConfig references a Secret with account-specific credentials or uses IRSA via spec.credentials.source: InjectedIdentity",
    "In the Composition, set spec.resources[].providerConfigRef.name with a patch from the composite resource claim field: patches: [{type: FromCompositeFieldPath, fromFieldPath: spec.accountTier, toFieldPath: spec.providerConfigRef.name, transforms: [{type: map, map: {prod: prod-aws-config}}]}]",
    "Alternatively use ProviderConfigReference with policy.resolve: IfNotPresent and label selectors if your Crossplane version supports selector-based ProviderConfig resolution in the function pipeline",
    "Grant the Crossplane provider ServiceAccount IAM permissions to assume the target account roles using assume_role in the ProviderConfig credentials block or IRSA trust policy",
    "Test by submitting a claim that should target the staging ProviderConfig and verifying the managed resource appears in the correct AWS account using aws sts get-caller-identity inside the provider pod logs",
    "Set spec.reclaimPolicy on managed resources to Delete or Retain based on account data criticality — Retain prevents accidental deletion during Composition teardown"
  ],
  "gotchas": [
    "ProviderConfigs are cluster-scoped; the Crossplane provider does not enforce tenant isolation between namespaces. A claim in any namespace can reference any ProviderConfig unless Kubernetes RBAC denies access to the CompositeResource kind",
    "Using IRSA with Crossplane requires the provider pod's ServiceAccount to have the correct eks.amazonaws.com/role-arn annotation and the trust policy on the IAM role to trust the OIDC provider of the cluster; missing the OIDC provider ARN in the trust policy is a common misconfiguration",
    "Patching providerConfigRef.name with a map transform requires the incoming claim field value to exactly match a map key; unrecognized values cause the managed resource to fail with no matching transform output rather than a clear error"
  ],
  "contributor": "waymark-seed",
  "created": "2026-06-13T18:29:43.721Z",
  "attestations": {"success": 0, "failure": 0, "last_attested": null},
  "success_rate": null,
  "verification": {"status": "sampled", "method": "legacy-file-sample", "at": "2026-06-13T18:43:33.723Z"},
  "url": "https://mcp.waymark.network/r/4de50aab-5fc9-4d6d-961b-ae2e82ded491"
}