You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Adding additional guidance for how customers using Pod Identity can further restrict a Pod Identity IAM Role trust policy by clarifying what Request Tags the AssumeRole calls provide and including an example.
Copy file name to clipboardExpand all lines: latest/ug/manage-access/aws-access/pod-id-role.adoc
+43-3Lines changed: 43 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -36,7 +36,47 @@ EKS Pod Identity uses `AssumeRole` to assume the IAM role before passing the tem
36
36
37
37
*`sts:TagSession`*::
38
38
EKS Pod Identity uses `TagSession` to include _session tags_ in the requests to {aws} STS.
39
+
40
+
*Setting Conditions*::
41
+
You can use these tags in the _condition keys_ in the trust policy to restrict which service accounts, namespaces, and clusters can use this role. When the Pod Identity IAM Role is assumed, it sends the following Request Tags:
42
+
43
+
* `eks-cluster-arn`
44
+
* `eks-cluster-name`
45
+
* `kubernetes-namespace`
46
+
* `kubernetes-service-account`
47
+
* `kubernetes-pod-name`
48
+
* `kubernetes-pod-uid`
49
+
39
50
+
40
-
You can use these tags in the _condition keys_ in the trust policy to restrict which service accounts, namespaces, and clusters can use this role.
41
-
+
42
-
For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"].
51
+
For example, to restrict a Pod Identity IAM Role to a specific `ServiceAccount` and `Namespace`, the following Trust Policy with the added `Condition` policies can further restrict what can assume the role:
52
+
[source,json,subs="verbatim,attributes"]
53
+
----
54
+
{
55
+
"Version": "2012-10-17",
56
+
"Statement": [
57
+
{
58
+
"Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
59
+
"Effect": "Allow",
60
+
"Principal": {
61
+
"Service": "pods.eks.amazonaws.com"
62
+
},
63
+
"Action": [
64
+
"sts:AssumeRole",
65
+
"sts:TagSession"
66
+
],
67
+
"Condition": {
68
+
"StringEquals": {
69
+
"aws:RequestTag/kubernetes-namespace": [
70
+
"<Namespace>"
71
+
],
72
+
"aws:RequestTag/kubernetes-service-account": [
73
+
"<ServiceAccount>"
74
+
]
75
+
}
76
+
}
77
+
}
78
+
]
79
+
}
80
+
----
81
+
82
+
For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"].
0 commit comments