Skip to content

Update pod-id-role.adoc #1047

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: mainline
Choose a base branch
from
Open

Update pod-id-role.adoc #1047

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 43 additions & 3 deletions latest/ug/manage-access/aws-access/pod-id-role.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,47 @@ EKS Pod Identity uses `AssumeRole` to assume the IAM role before passing the tem

*`sts:TagSession`*::
EKS Pod Identity uses `TagSession` to include _session tags_ in the requests to {aws} STS.

*Setting Conditions*::
You can use these tags in the _condition keys_ in the trust policy to restrict which service accounts, namespaces, and clusters can use this role. When the Pod Identity IAM Role is assumed, it sends the following Request Tags:

* `eks-cluster-arn`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a copy of this list

amazon-eks-user-guide/latest/ug/manage-access/aws-access/pod-id-abac.adoc

Line 57 in af33993

* `eks-cluster-arn`

Its a little easier for us to only have one copy of a list, but if its relevant to the example, that's OK.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@antmatts do you think having it in the linked location is sufficient? or worth duplicating here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@geoffcline I think it's okay having it use the linked location so the list is maintained in one spot; but leave the example so users know how to use them in the Trust Policy.

Copy link
Contributor Author

@antmatts antmatts Jul 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Side question, I don't see the referenced Pod ID ABAC doc showing in the public documentation. Is this doc supposed to be live already?

* `eks-cluster-name`
* `kubernetes-namespace`
* `kubernetes-service-account`
* `kubernetes-pod-name`
* `kubernetes-pod-uid`
+
You can use these tags in the _condition keys_ in the trust policy to restrict which service accounts, namespaces, and clusters can use this role.
+
For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"].
For example, to restrict a Pod Identity IAM Role to a specific `ServiceAccount` and `Namespace`, the following Trust Policy with the added `Condition` policies can further restrict what can assume the role:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The double preposition is a tad awkward: For example, To restrict ...,

Writing around the second one, maybe more like:

For example, you can restrict which pods can assume the role a Pod Identity IAM Role to a specific ServiceAccount and Namespace with the following Trust Policy with the added Condition:

[source,json,subs="verbatim,attributes"]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
"Effect": "Allow",
"Principal": {
"Service": "pods.eks.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/kubernetes-namespace": [
"<Namespace>"
],
"aws:RequestTag/kubernetes-service-account": [
"<ServiceAccount>"
]
}
}
}
]
}
----

For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"].