- 创建 AWS 服务的 Client
首先需要创建 AWS 服务的客户端对象，以 EC2 服务为例：
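import * as AWS from "aws-sdk";

// `AWS.EC2` is the aws-sdk (v2) service client, not a CDK construct, so it
// must come from "aws-sdk" — the same package the STS example further down
// already uses. `@aws-cdk/aws-ec2` exports constructs (Vpc, Instance, ...)
// and has no `EC2` client class.
//
// Static access keys must never be committed with the code. They are read
// here from the standard environment variables; omitting the `credentials`
// option entirely lets the SDK's default provider chain resolve them
// (environment, shared credentials file, instance/task role), which is the
// preferred setup on AWS-hosted compute.
const ec2Client = new AWS.EC2({
  region: "us-east-1",
  credentials: {
    accessKeyId: process.env.AWS_ACCESS_KEY_ID,
    secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
  },
});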
- 跨账户资源访问
如果想要调用其它 AWS 账号中的资源，需要先通过 STS (Security Token Service) 获取所需的身份凭证，再将其传递给客户端：
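import { EC2, STS } from "aws-sdk";

// Base identity that is permitted to call sts:AssumeRole on the target role.
// Keys come from the environment (or from the default provider chain if the
// `credentials` option is omitted); they must not be hard-coded in source.
const sts = new STS({
  region: "us-east-1",
  credentials: {
    accessKeyId: process.env.AWS_ACCESS_KEY_ID,
    secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
  },
});

// AssumeRole resolves to { Credentials: { AccessKeyId, SecretAccessKey,
// SessionToken, Expiration } }. A service client's `credentials` option
// expects camelCase keys and, for temporary credentials, the session token,
// so the raw response cannot be passed through unchanged — map it explicitly.
// These credentials expire (`Expiration`); a long-running process should use
// AWS.ChainableTemporaryCredentials instead, which re-assumes the role on
// expiry rather than failing with an expired token.
const assumeRoleResponse = await sts
  .assumeRole({
    RoleArn: "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME",
    RoleSessionName: "SESSION_NAME",
  })
  .promise();
const assumed = assumeRoleResponse.Credentials;
if (assumed === undefined) {
  throw new Error("sts:AssumeRole returned no Credentials");
}
const credentials = {
  accessKeyId: assumed.AccessKeyId,
  secretAccessKey: assumed.SecretAccessKey,
  sessionToken: assumed.SessionToken,
};

// Client scoped to the assumed role in the other account; the EC2 client class
// must be imported (the original snippet referenced `AWS.EC2` without importing it).
const ec2Client = new EC2({
  region: "us-east-1",
  credentials,
});
await ec2Client.describeInstances().promise();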
- 资源引用
跨账户的 Stack 需要引用其它账户的资源时，需要使用 aws-cdk-lib 库中的 Aws 类创建 Env 对象，指定所需访问的账号 ID 及区域。
import * as ec2 from "@aws-cdk/aws-ec2";
import * as s3 from "@aws-cdk/aws-s3";
import { Aws } from "aws-cdk-lib";
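// Target account/region for the cross-account stack. This object does nothing
// on its own: it has to be passed as the `env` prop when the Stack is created
// (`new Stack(app, "MyStack", { env })`) so that the constructs below are
// synthesized for that account. NOTE(review): `stack` is not defined in this
// excerpt — it is assumed to have been created earlier with this `env`.
const env = {
  account: "ACCOUNT_ID",
  region: "us-east-1",
};

// Private address space for the cross-account VPC. With no NAT gateways the
// private subnets get no outbound internet path until one is added explicitly.
const myVpc = new ec2.Vpc(stack, "MyVpc", {
  cidr: "10.100.0.0/16",
  natGateways: 0,
  maxAzs: 2,
});

// A bucket that another account will reference should not rely on library
// defaults for its exposure: block all public access, reject non-TLS requests,
// and encrypt objects at rest.
const myBucket = new s3.Bucket(stack, "MyBucket", {
  blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
  enforceSSL: true,
  encryption: s3.BucketEncryption.S3_MANAGED,
});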