Forgive me if this is a naive question, but it appears to me that a Pulumi stack can interact with only one AWS account at a time. Is that true? The use case I'm thinking about for accessing multiple accounts is: all of our Route 53 domains are in a "utils" account, but I wish to deploy a CloudFront Distribution to a "dev" account and then create a CNAME record for it in the "utils" account. Do I need to create two separate Pulumi projects for this?

Yes, unfortunately. My understanding is that is a restriction imposed by Terraform.

A combination of how Terraform providers work and how we instantiate them. Today we can only configure one "instance" of the AWS provider, and things like credentials, region, and account are properties of the provider. We've had early discussions on how to expose multiple instances of providers without ruining the "magic" of being able to program simply against a default instance. We hope to have to more to share on that in the coming weeks.

To reiterate a couple of those point: (1) this is indeed a current restriction in Pulumi (2) we fully intend to support this in the very near future - https://github.com/pulumi/pulumi/issues/1221 (3) you can in the meantime manage these using two Pulumi programs - though we certainly understand that that is not the ideal solution.

Thanks everyone. Good info.

Is it also worth folding in a discussion about authentication methods there? For example, it’s common to assume a role in account B using base credentials in account A, and that likely wants representing somehow in the provider configuration?