This repository has been archived by the owner on Apr 19, 2021. It is now read-only.

Discussion: Allow resource management in multiple accounts #64

Open
ankon opened this issue Dec 12, 2019 · 1 comment

Comments


ankon commented Dec 12, 2019

Right now the service will use the credentials (from wherever) and manage resources through these. If one wants to manage resources for multiple accounts, one needs to bring up multiple services, and provide them with suitable credentials.

Theoretically one can also see a world where the resource "somehow" specifies an account (possibly through a role reference), and the service would then use sts:AssumeRole (or ChainableTemporaryCredentials) for accessing this specific resource.
The upside here would be that one needs fewer service instances (which mostly do nothing) to manage a diverse set of resources. On the downside the issue is that it deviates considerably from the current "basically cloudformation as an operator" approach, and as such we would likely be hitting "interesting" problems.


ankon commented Dec 12, 2019

Quick idea: The account/role reference should be an annotation, not a field in the resource spec. This at least gives us a bit of flexibility with the API.

Given that one needs a role ARN for the credentials/sts:AssumeRole API we definitely should use that, and not try to specify an "account", "region", and "role name" separately.
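
A sketch of the annotation-based role lookup discussed in this thread, added here as an example and not code from the thread or the project. The annotation key `example.com/assume-role-arn`, the account allowlist, and the function names are assumptions; the returned object has the `RoleArn`/`RoleSessionName` shape that sts:AssumeRole and the `params` option of `ChainableTemporaryCredentials` accept.

```javascript
// Added example; the annotation key and allowlist are hypothetical, not project API.
const ROLE_ANNOTATION = 'example.com/assume-role-arn';

// arn:<partition>:iam::<12-digit account>:role/<optional path/><role name>
// (conservative: path segments are limited to the role-name character set)
const ROLE_ARN_RE =
  /^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role\/((?:[\w+=,.@-]+\/)*)([\w+=,.@-]{1,64})$/;

function parseRoleArn(arn) {
  const m = ROLE_ARN_RE.exec(arn);
  if (!m) throw new Error(`not an IAM role ARN: ${JSON.stringify(arn)}`);
  return { partition: m[1], accountId: m[2], path: '/' + m[3], roleName: m[4] };
}

// Returns null when the resource carries no annotation (keep using the
// service's own credentials), otherwise the parameters for sts:AssumeRole.
function assumeRoleParamsFor(resource, allowedAccounts) {
  const meta = resource.metadata || {};
  const arn = (meta.annotations || {})[ROLE_ANNOTATION];
  if (arn === undefined) return null;

  const { accountId } = parseRoleArn(arn);
  // Whoever can create the resource chooses the role, so the operator
  // only accepts accounts it was explicitly configured for.
  if (!allowedAccounts.has(accountId)) {
    throw new Error(`account ${accountId} not allowed for ${meta.namespace}/${meta.name}`);
  }

  // RoleSessionName allows [\w+=,.@-], at most 64 characters; deriving it from
  // the resource lets CloudTrail entries be traced back to that resource.
  const session = `${meta.namespace}-${meta.name}`
    .replace(/[^\w+=,.@-]/g, '-')
    .slice(0, 64);
  return { RoleArn: arn, RoleSessionName: session };
}

// Constructed sample resource, not taken from the project.
const sample = {
  metadata: {
    namespace: 'team-a',
    name: 'orders-queue',
    annotations: { [ROLE_ANNOTATION]: 'arn:aws:iam::111122223333:role/ops/operator' },
  },
};
console.log(assumeRoleParamsFor(sample, new Set(['111122223333'])));
```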
