PodIdentityAssociation
eks.services.k8s.aws/v1alpha1
| Type | Link |
|---|---|
| GoDoc | eks-controller/apis/v1alpha1#PodIdentityAssociation |
Metadata
| Property | Value |
|---|---|
| Scope | Namespaced |
| Kind | PodIdentityAssociation |
| ListKind | PodIdentityAssociationList |
| Plural | podidentityassociations |
| Singular | podidentityassociation |
Amazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances.
Spec
clientRequestToken: string
clusterName: string
clusterRef:
from:
name: string
namespace: string
disableSessionTags: boolean
namespace: string
roleARN: string
roleRef:
from:
name: string
namespace: string
serviceAccount: string
tags: {}
targetRoleARN: string
| Field | Description |
|---|---|
| clientRequestToken Optional | string A unique, case-sensitive identifier that you provide to ensurethe idempotency of the request. |
| clusterName Optional | string The name of the cluster to create the EKS Pod Identity association in. |
| clusterRef Optional | object AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference type to provide more user friendly syntax for references using ‘from’ field Ex: APIIDRef: from: name: my-api |
| clusterRef.from Optional | object AWSResourceReference provides all the values necessary to reference another k8s resource for finding the identifier(Id/ARN/Name) |
| clusterRef.from.name Optional | string |
| clusterRef.from.namespace Optional | string |
| disableSessionTags Optional | boolean Disable the automatic sessions tags that are appended by EKS Pod Identity. EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to Amazon Web Services resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. For the list of tags added by EKS Pod Identity, see List of session tags added by EKS Pod Identity (https://docs.aws.amazon.com/eks/latest/userguide/pod-id-abac.html#pod-id-abac-tags) in the Amazon EKS User Guide. Amazon Web Services compresses inline session policies, managed policy ARNs, and session tags into a packed binary format that has a separate limit. If you receive a PackedPolicyTooLarge error indicating the packed binary format has exceeded the size limit, you can attempt to reduce the size by disabling the session tags added by EKS Pod Identity. |
| namespace Required | string The name of the Kubernetes namespace inside the cluster to create the EKS Pod Identity association in. The service account and the Pods that use the service account must be in this namespace. |
| roleARN Optional | string The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the Pods that use this service account. |
| roleRef Optional | object AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference type to provide more user friendly syntax for references using ‘from’ field Ex: APIIDRef: from: name: my-api |
| roleRef.from Optional | object AWSResourceReference provides all the values necessary to reference another k8s resource for finding the identifier(Id/ARN/Name) |
| roleRef.from.name Optional | string |
| roleRef.from.namespace Optional | string |
| serviceAccount Required | string The name of the Kubernetes service account inside the cluster to associate the IAM credentials with. |
| tags Optional | object Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don’t propagate to any other cluster or Amazon Web Services resources. The following basic restrictions apply to tags: * Maximum number of tags per resource – 50 * For each resource, each tag key must be unique, and each tag key can have only one value. * Maximum key length – 128 Unicode characters in UTF-8 * Maximum value length – 256 Unicode characters in UTF-8 * If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @. * Tag keys and values are case-sensitive. * Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for Amazon Web Services use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit. |
| targetRoleARN Optional | string The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This role is assumed by using the EKS Pod Identity association role, then the credentials for this role are injected into the Pod. When you run applications on Amazon EKS, your application might need to access Amazon Web Services resources from a different role that exists in the same or different Amazon Web Services account. For example, your application running in “Account A” might need to access resources, such as Amazon S3 buckets in “Account B” or within “Account A” itself. You can create a association to access Amazon Web Services resources in “Account B” by creating two IAM roles: a role in “Account A” and a role in “Account B” (which can be the same or different account), each with the necessary trust and permission policies. After you provide these roles in the IAM role and Target IAM role fields, EKS will perform role chaining to ensure your application gets the required permissions. This means Role A will assume Role B, allowing your Pods to securely access resources like S3 buckets in the target account. |
Status
ackResourceMetadata:
arn: string
ownerAccountID: string
region: string
associationARN: string
associationID: string
conditions:
- lastTransitionTime: string
message: string
reason: string
status: string
type: string
createdAt: string
externalID: string
modifiedAt: string
ownerARN: string
| Field | Description |
|---|---|
| ackResourceMetadata Optional | object All CRs managed by ACK have a common Status.ACKResourceMetadata memberthat is used to contain resource sync state, account ownership, constructed ARN for the resource |
| ackResourceMetadata.arn Optional | string ARN is the Amazon Resource Name for the resource. This is a globally-unique identifier and is set only by the ACK service controller once the controller has orchestrated the creation of the resource OR when it has verified that an “adopted” resource (a resource where the ARN annotation was set by the Kubernetes user on the CR) exists and matches the supplied CR’s Spec field values. https://github.com/aws/aws-controllers-k8s/issues/270 |
| ackResourceMetadata.ownerAccountID Required | string OwnerAccountID is the AWS Account ID of the account that owns the backend AWS service API resource. |
| ackResourceMetadata.region Required | string Region is the AWS region in which the resource exists or will exist. |
| associationARN Optional | string The Amazon Resource Name (ARN) of the association. |
| associationID Optional | string The ID of the association. |
| conditions Optional | array All CRs managed by ACK have a common Status.Conditions member thatcontains a collection of ackv1alpha1.Condition objects that describethe various terminal states of the CR and its backend AWS service API resource |
| conditions.[] Required | object Condition is the common struct used by all CRDs managed by ACK service |
| controllers to indicate terminal states of the CR and its backend AWS | |
| service API resource | |
| conditions.[].message Optional | string A human readable message indicating details about the transition. |
| conditions.[].reason Optional | string The reason for the condition’s last transition. |
| conditions.[].status Optional | string Status of the condition, one of True, False, Unknown. |
| conditions.[].type Optional | string Type is the type of the Condition |
| createdAt Optional | string The timestamp that the association was created at. |
| externalID Optional | string The unique identifier for this EKS Pod Identity association for a target IAM role. You put this value in the trust policy of the target role, in a Condition to match the sts.ExternalId. This ensures that the target role can only be assumed by this association. This prevents the confused deputy problem. For more information about the confused deputy problem, see The confused deputy problem (https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) in the IAM User Guide. If you want to use the same target role with multiple associations or other roles, use independent statements in the trust policy to allow sts:AssumeRole access from each role. |
| modifiedAt Optional | string The most recent timestamp that the association was modified at. |
| ownerARN Optional | string If defined, the EKS Pod Identity association is owned by an Amazon EKS add-on. |