Hi All,
I want to ask the same question.

I would like to know that is it possible to create buckets, databases in a different account.
So I have an EKS cluster in account A and the bucket gets created in account B.
Is it possible?
If I have multiple developer teams and every team has only one namespace will the separation remain?
I don't want to give them cluster-scoped privileges (only namespace level admin).
If I create the cross account roles can we separate the privileges?
So developer B can create resources only in account B.
Developer C only can create resources in account C.

How does the crossplane stores it's state? If I create A db and the crossplane is uninstalled will the db gone?
If not, if I create the same db ina restored k8s cluster, will the db recreated, does crossplane realize that the db is already created?
Does this behavior applies to all kind of resources?

Thank you for your answers in advance!

@SHASHANK400312 I don't follow what you're trying to do. Which provider is showing unhealthy? Did you check the ProviderRevision and Crossplane pod logs for more information?

Are you using provider-kubernetes to create the Deployment in the second cluster? Crossplane can only create native kubernetes resources directly in it's own cluster, so you will need to wrap your resources in provider-kubernetes Objects to get them to deploy in the second cluster.

ECR access from account B is controlled by the AWS policies you have applied to the ECR, Crossplane has no control over that (unless you provision the policies using Crossplane).

@gabbler97 You can definitely create resources in different accounts - you will need to have roles in the target accounts that can be assumed by the Crossplane account, and then set up ProviderConfigs with the appropriate account/roles to be assumed.

You can use RBAC to restrict access to the ProviderConfig resource so that an admin creates the ProviderConfig for the specific account in the namespace but the user cannot change it or create a different ProviderConfig for a different account.

Crossplane state is stored in the kubernetes objects. If you uninstall Crossplane and/or it's providers, the CRDs for those resources will also be deleted and the resources will cease to exist. If you set up the managed resources to be Orphaned on delete them the external resources will survive.

Whether or not Crossplane can discover an existing resource depends on the design and naming convention of the resource.

I'm not sure that this is related to the original issue, so please feel free to open a new discussion or use the Slack channel if you have more questions.

Dear @bobh66,
Thank you very much for your fast response!
Then I think I start to familiarize myself with this nice tool.
Is there any docs how to authenticate to different AWS accounts (account B) from my account (Account A) and create an S3 bucket as an example (Account B)?
I have found this which is using Access key and Secret Key but we would like to use IRSA.
https://docs.crossplane.io/latest/get-started/get-started-with-managed-resources/#save-the-providers-credentials
https://docs.upbound.io/providers/provider-aws/authentication/

All the best!