Amazon Elastic Kubernetes Service

2025/06/11 - Amazon Elastic Kubernetes Service - 4 updated api methods

Changes  Release for EKS Pod Identity Cross Account feature and disableSessionTags flag.

CreatePodIdentityAssociation (updated) Link ¶
Changes (request, response)
Request 
{'disableSessionTags': 'boolean', 'targetRoleArn': 'string'}
Response 
{'association': {'disableSessionTags': 'boolean',
                 'externalId': 'string',
                 'targetRoleArn': 'string'}}

Creates an EKS Pod Identity association between a service account in an Amazon EKS cluster and an IAM role with EKS Pod Identity. Use EKS Pod Identity to give temporary IAM credentials to Pods and the credentials are rotated automatically.

Amazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances.

If a Pod uses a service account that has an association, Amazon EKS sets environment variables in the containers of the Pod. The environment variables configure the Amazon Web Services SDKs, including the Command Line Interface, to use the EKS Pod Identity credentials.

EKS Pod Identity is a simpler method than IAM roles for service accounts, as this method doesn't use OIDC identity providers. Additionally, you can configure a role for EKS Pod Identity once, and reuse it across clusters.

Similar to Amazon Web Services IAM behavior, EKS Pod Identity associations are eventually consistent, and may take several seconds to be effective after the initial API call returns successfully. You must design your applications to account for these potential delays. We recommend that you don’t include association create/updates in the critical, high-availability code paths of your application. Instead, make changes in a separate initialization or setup routine that you run less frequently.

You can set a target IAM role in the same or a different account for advanced scenarios. With a target role, EKS Pod Identity automatically performs two role assumptions in sequence: first assuming the role in the association that is in this account, then using those credentials to assume the target IAM role. This process provides your Pod with temporary credentials that have the permissions defined in the target role, allowing secure access to resources in another Amazon Web Services account.

See also: AWS API Documentation

Request Syntax

client.create_pod_identity_association(
    clusterName='string',
    namespace='string',
    serviceAccount='string',
    roleArn='string',
    clientRequestToken='string',
    tags={
        'string': 'string'
    },
    disableSessionTags=True|False,
    targetRoleArn='string'
)
type clusterName:

string

param clusterName:

[REQUIRED]

The name of the cluster to create the EKS Pod Identity association in.

type namespace:

string

param namespace:

[REQUIRED]

The name of the Kubernetes namespace inside the cluster to create the EKS Pod Identity association in. The service account and the Pods that use the service account must be in this namespace.

type serviceAccount:

string

param serviceAccount:

[REQUIRED]

The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.

type roleArn:

string

param roleArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the Pods that use this service account.

type clientRequestToken:

string

param clientRequestToken:

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

This field is autopopulated if not provided.

type tags:

dict

param tags:

Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.

The following basic restrictions apply to tags:

  • Maximum number of tags per resource – 50

  • For each resource, each tag key must be unique, and each tag key can have only one value.

  • Maximum key length – 128 Unicode characters in UTF-8

  • Maximum value length – 256 Unicode characters in UTF-8

  • If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

  • Tag keys and values are case-sensitive.

  • Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for Amazon Web Services use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.

  • (string) --

    One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.

    • (string) --

      The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).

type disableSessionTags:

boolean

param disableSessionTags:

Disable the automatic sessions tags that are appended by EKS Pod Identity.

EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to Amazon Web Services resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. For the list of tags added by EKS Pod Identity, see List of session tags added by EKS Pod Identity in the Amazon EKS User Guide.

Amazon Web Services compresses inline session policies, managed policy ARNs, and session tags into a packed binary format that has a separate limit. If you receive a PackedPolicyTooLarge error indicating the packed binary format has exceeded the size limit, you can attempt to reduce the size by disabling the session tags added by EKS Pod Identity.

type targetRoleArn:

string

param targetRoleArn:

The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This role is assumed by using the EKS Pod Identity association role, then the credentials for this role are injected into the Pod.

When you run applications on Amazon EKS, your application might need to access Amazon Web Services resources from a different role that exists in the same or different Amazon Web Services account. For example, your application running in “Account A” might need to access resources, such as Amazon S3 buckets in “Account B” or within “Account A” itself. You can create a association to access Amazon Web Services resources in “Account B” by creating two IAM roles: a role in “Account A” and a role in “Account B” (which can be the same or different account), each with the necessary trust and permission policies. After you provide these roles in the IAM role and Target IAM role fields, EKS will perform role chaining to ensure your application gets the required permissions. This means Role A will assume Role B, allowing your Pods to securely access resources like S3 buckets in the target account.

rtype:

dict

returns:

Response Syntax

{
    'association': {
        'clusterName': 'string',
        'namespace': 'string',
        'serviceAccount': 'string',
        'roleArn': 'string',
        'associationArn': 'string',
        'associationId': 'string',
        'tags': {
            'string': 'string'
        },
        'createdAt': datetime(2015, 1, 1),
        'modifiedAt': datetime(2015, 1, 1),
        'ownerArn': 'string',
        'disableSessionTags': True|False,
        'targetRoleArn': 'string',
        'externalId': 'string'
    }
}

Response Structure

  • (dict) --

    • association (dict) --

      The full description of your new association.

      The description includes an ID for the association. Use the ID of the association in further actions to manage the association.

      • clusterName (string) --

        The name of the cluster that the association is in.

      • namespace (string) --

        The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the Pods that use the service account must be in this namespace.

      • serviceAccount (string) --

        The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.

      • roleArn (string) --

        The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the Pods that use this service account.

      • associationArn (string) --

        The Amazon Resource Name (ARN) of the association.

      • associationId (string) --

        The ID of the association.

      • tags (dict) --

        Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.

        The following basic restrictions apply to tags:

        • Maximum number of tags per resource – 50

        • For each resource, each tag key must be unique, and each tag key can have only one value.

        • Maximum key length – 128 Unicode characters in UTF-8

        • Maximum value length – 256 Unicode characters in UTF-8

        • If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

        • Tag keys and values are case-sensitive.

        • Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for Amazon Web Services use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.

        • (string) --

          One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.

          • (string) --

            The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).

      • createdAt (datetime) --

        The timestamp that the association was created at.

      • modifiedAt (datetime) --

        The most recent timestamp that the association was modified at.

      • ownerArn (string) --

        If defined, the EKS Pod Identity association is owned by an Amazon EKS add-on.

      • disableSessionTags (boolean) --

        The state of the automatic sessions tags. The value of true disables these tags.

        EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to Amazon Web Services resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. For the list of tags added by EKS Pod Identity, see List of session tags added by EKS Pod Identity in the Amazon EKS User Guide.

      • targetRoleArn (string) --

        The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This role is assumed by using the EKS Pod Identity association role, then the credentials for this role are injected into the Pod.

      • externalId (string) --

        The unique identifier for this EKS Pod Identity association for a target IAM role. You put this value in the trust policy of the target role, in a Condition to match the sts.ExternalId. This ensures that the target role can only be assumed by this association. This prevents the confused deputy problem. For more information about the confused deputy problem, see The confused deputy problem in the IAM User Guide.

        If you want to use the same target role with multiple associations or other roles, use independent statements in the trust policy to allow sts:AssumeRole access from each role.

DeletePodIdentityAssociation (updated) Link ¶
Changes (response) 
{'association': {'disableSessionTags': 'boolean',
                 'externalId': 'string',
                 'targetRoleArn': 'string'}}

Deletes a EKS Pod Identity association.

The temporary Amazon Web Services credentials from the previous IAM role session might still be valid until the session expiry. If you need to immediately revoke the temporary session credentials, then go to the role in the IAM console.

See also: AWS API Documentation

Request Syntax

client.delete_pod_identity_association(
    clusterName='string',
    associationId='string'
)
type clusterName:

string

param clusterName:

[REQUIRED]

The cluster name that

type associationId:

string

param associationId:

[REQUIRED]

The ID of the association to be deleted.

rtype:

dict

returns:

Response Syntax

{
    'association': {
        'clusterName': 'string',
        'namespace': 'string',
        'serviceAccount': 'string',
        'roleArn': 'string',
        'associationArn': 'string',
        'associationId': 'string',
        'tags': {
            'string': 'string'
        },
        'createdAt': datetime(2015, 1, 1),
        'modifiedAt': datetime(2015, 1, 1),
        'ownerArn': 'string',
        'disableSessionTags': True|False,
        'targetRoleArn': 'string',
        'externalId': 'string'
    }
}

Response Structure

  • (dict) --

    • association (dict) --

      The full description of the EKS Pod Identity association that was deleted.

      • clusterName (string) --

        The name of the cluster that the association is in.

      • namespace (string) --

        The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the Pods that use the service account must be in this namespace.

      • serviceAccount (string) --

        The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.

      • roleArn (string) --

        The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the Pods that use this service account.

      • associationArn (string) --

        The Amazon Resource Name (ARN) of the association.

      • associationId (string) --

        The ID of the association.

      • tags (dict) --

        Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.

        The following basic restrictions apply to tags:

        • Maximum number of tags per resource – 50

        • For each resource, each tag key must be unique, and each tag key can have only one value.

        • Maximum key length – 128 Unicode characters in UTF-8

        • Maximum value length – 256 Unicode characters in UTF-8

        • If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

        • Tag keys and values are case-sensitive.

        • Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for Amazon Web Services use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.

        • (string) --

          One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.

          • (string) --

            The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).

      • createdAt (datetime) --

        The timestamp that the association was created at.

      • modifiedAt (datetime) --

        The most recent timestamp that the association was modified at.

      • ownerArn (string) --

        If defined, the EKS Pod Identity association is owned by an Amazon EKS add-on.

      • disableSessionTags (boolean) --

        The state of the automatic sessions tags. The value of true disables these tags.

        EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to Amazon Web Services resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. For the list of tags added by EKS Pod Identity, see List of session tags added by EKS Pod Identity in the Amazon EKS User Guide.

      • targetRoleArn (string) --

        The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This role is assumed by using the EKS Pod Identity association role, then the credentials for this role are injected into the Pod.

      • externalId (string) --

        The unique identifier for this EKS Pod Identity association for a target IAM role. You put this value in the trust policy of the target role, in a Condition to match the sts.ExternalId. This ensures that the target role can only be assumed by this association. This prevents the confused deputy problem. For more information about the confused deputy problem, see The confused deputy problem in the IAM User Guide.

        If you want to use the same target role with multiple associations or other roles, use independent statements in the trust policy to allow sts:AssumeRole access from each role.

DescribePodIdentityAssociation (updated) Link ¶
Changes (response) 
{'association': {'disableSessionTags': 'boolean',
                 'externalId': 'string',
                 'targetRoleArn': 'string'}}

Returns descriptive information about an EKS Pod Identity association.

This action requires the ID of the association. You can get the ID from the response to the CreatePodIdentityAssocation for newly created associations. Or, you can list the IDs for associations with ListPodIdentityAssociations and filter the list by namespace or service account.

See also: AWS API Documentation

Request Syntax

client.describe_pod_identity_association(
    clusterName='string',
    associationId='string'
)
type clusterName:

string

param clusterName:

[REQUIRED]

The name of the cluster that the association is in.

type associationId:

string

param associationId:

[REQUIRED]

The ID of the association that you want the description of.

rtype:

dict

returns:

Response Syntax

{
    'association': {
        'clusterName': 'string',
        'namespace': 'string',
        'serviceAccount': 'string',
        'roleArn': 'string',
        'associationArn': 'string',
        'associationId': 'string',
        'tags': {
            'string': 'string'
        },
        'createdAt': datetime(2015, 1, 1),
        'modifiedAt': datetime(2015, 1, 1),
        'ownerArn': 'string',
        'disableSessionTags': True|False,
        'targetRoleArn': 'string',
        'externalId': 'string'
    }
}

Response Structure

  • (dict) --

    • association (dict) --

      The full description of the EKS Pod Identity association.

      • clusterName (string) --

        The name of the cluster that the association is in.

      • namespace (string) --

        The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the Pods that use the service account must be in this namespace.

      • serviceAccount (string) --

        The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.

      • roleArn (string) --

        The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the Pods that use this service account.

      • associationArn (string) --

        The Amazon Resource Name (ARN) of the association.

      • associationId (string) --

        The ID of the association.

      • tags (dict) --

        Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.

        The following basic restrictions apply to tags:

        • Maximum number of tags per resource – 50

        • For each resource, each tag key must be unique, and each tag key can have only one value.

        • Maximum key length – 128 Unicode characters in UTF-8

        • Maximum value length – 256 Unicode characters in UTF-8

        • If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

        • Tag keys and values are case-sensitive.

        • Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for Amazon Web Services use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.

        • (string) --

          One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.

          • (string) --

            The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).

      • createdAt (datetime) --

        The timestamp that the association was created at.

      • modifiedAt (datetime) --

        The most recent timestamp that the association was modified at.

      • ownerArn (string) --

        If defined, the EKS Pod Identity association is owned by an Amazon EKS add-on.

      • disableSessionTags (boolean) --

        The state of the automatic sessions tags. The value of true disables these tags.

        EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to Amazon Web Services resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. For the list of tags added by EKS Pod Identity, see List of session tags added by EKS Pod Identity in the Amazon EKS User Guide.

      • targetRoleArn (string) --

        The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This role is assumed by using the EKS Pod Identity association role, then the credentials for this role are injected into the Pod.

      • externalId (string) --

        The unique identifier for this EKS Pod Identity association for a target IAM role. You put this value in the trust policy of the target role, in a Condition to match the sts.ExternalId. This ensures that the target role can only be assumed by this association. This prevents the confused deputy problem. For more information about the confused deputy problem, see The confused deputy problem in the IAM User Guide.

        If you want to use the same target role with multiple associations or other roles, use independent statements in the trust policy to allow sts:AssumeRole access from each role.

UpdatePodIdentityAssociation (updated) Link ¶
Changes (request, response)
Request 
{'disableSessionTags': 'boolean', 'targetRoleArn': 'string'}
Response 
{'association': {'disableSessionTags': 'boolean',
                 'externalId': 'string',
                 'targetRoleArn': 'string'}}

Updates a EKS Pod Identity association. In an update, you can change the IAM role, the target IAM role, or disableSessionTags. You must change at least one of these in an update. An association can't be moved between clusters, namespaces, or service accounts. If you need to edit the namespace or service account, you need to delete the association and then create a new association with your desired settings.

Similar to Amazon Web Services IAM behavior, EKS Pod Identity associations are eventually consistent, and may take several seconds to be effective after the initial API call returns successfully. You must design your applications to account for these potential delays. We recommend that you don’t include association create/updates in the critical, high-availability code paths of your application. Instead, make changes in a separate initialization or setup routine that you run less frequently.

You can set a target IAM role in the same or a different account for advanced scenarios. With a target role, EKS Pod Identity automatically performs two role assumptions in sequence: first assuming the role in the association that is in this account, then using those credentials to assume the target IAM role. This process provides your Pod with temporary credentials that have the permissions defined in the target role, allowing secure access to resources in another Amazon Web Services account.

See also: AWS API Documentation

Request Syntax

client.update_pod_identity_association(
    clusterName='string',
    associationId='string',
    roleArn='string',
    clientRequestToken='string',
    disableSessionTags=True|False,
    targetRoleArn='string'
)
type clusterName:

string

param clusterName:

[REQUIRED]

The name of the cluster that you want to update the association in.

type associationId:

string

param associationId:

[REQUIRED]

The ID of the association to be updated.

type roleArn:

string

param roleArn:

The new IAM role to change in the association.

type clientRequestToken:

string

param clientRequestToken:

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

This field is autopopulated if not provided.

type disableSessionTags:

boolean

param disableSessionTags:

Disable the automatic sessions tags that are appended by EKS Pod Identity.

EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to Amazon Web Services resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. For the list of tags added by EKS Pod Identity, see List of session tags added by EKS Pod Identity in the Amazon EKS User Guide.

Amazon Web Services compresses inline session policies, managed policy ARNs, and session tags into a packed binary format that has a separate limit. If you receive a PackedPolicyTooLarge error indicating the packed binary format has exceeded the size limit, you can attempt to reduce the size by disabling the session tags added by EKS Pod Identity.

type targetRoleArn:

string

param targetRoleArn:

The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This role is assumed by using the EKS Pod Identity association role, then the credentials for this role are injected into the Pod.

When you run applications on Amazon EKS, your application might need to access Amazon Web Services resources from a different role that exists in the same or different Amazon Web Services account. For example, your application running in “Account A” might need to access resources, such as buckets in “Account B” or within “Account A” itself. You can create a association to access Amazon Web Services resources in “Account B” by creating two IAM roles: a role in “Account A” and a role in “Account B” (which can be the same or different account), each with the necessary trust and permission policies. After you provide these roles in the IAM role and Target IAM role fields, EKS will perform role chaining to ensure your application gets the required permissions. This means Role A will assume Role B, allowing your Pods to securely access resources like S3 buckets in the target account.

rtype:

dict

returns:

Response Syntax

{
    'association': {
        'clusterName': 'string',
        'namespace': 'string',
        'serviceAccount': 'string',
        'roleArn': 'string',
        'associationArn': 'string',
        'associationId': 'string',
        'tags': {
            'string': 'string'
        },
        'createdAt': datetime(2015, 1, 1),
        'modifiedAt': datetime(2015, 1, 1),
        'ownerArn': 'string',
        'disableSessionTags': True|False,
        'targetRoleArn': 'string',
        'externalId': 'string'
    }
}

Response Structure

  • (dict) --

    • association (dict) --

      The full description of the association that was updated.

      • clusterName (string) --

        The name of the cluster that the association is in.

      • namespace (string) --

        The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the Pods that use the service account must be in this namespace.

      • serviceAccount (string) --

        The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.

      • roleArn (string) --

        The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the Pods that use this service account.

      • associationArn (string) --

        The Amazon Resource Name (ARN) of the association.

      • associationId (string) --

        The ID of the association.

      • tags (dict) --

        Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.

        The following basic restrictions apply to tags:

        • Maximum number of tags per resource – 50

        • For each resource, each tag key must be unique, and each tag key can have only one value.

        • Maximum key length – 128 Unicode characters in UTF-8

        • Maximum value length – 256 Unicode characters in UTF-8

        • If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

        • Tag keys and values are case-sensitive.

        • Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for Amazon Web Services use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.

        • (string) --

          One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.

          • (string) --

            The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).

      • createdAt (datetime) --

        The timestamp that the association was created at.

      • modifiedAt (datetime) --

        The most recent timestamp that the association was modified at.

      • ownerArn (string) --

        If defined, the EKS Pod Identity association is owned by an Amazon EKS add-on.

      • disableSessionTags (boolean) --

        The state of the automatic sessions tags. The value of true disables these tags.

        EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to Amazon Web Services resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. For the list of tags added by EKS Pod Identity, see List of session tags added by EKS Pod Identity in the Amazon EKS User Guide.

      • targetRoleArn (string) --

        The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This role is assumed by using the EKS Pod Identity association role, then the credentials for this role are injected into the Pod.

      • externalId (string) --

        The unique identifier for this EKS Pod Identity association for a target IAM role. You put this value in the trust policy of the target role, in a Condition to match the sts.ExternalId. This ensures that the target role can only be assumed by this association. This prevents the confused deputy problem. For more information about the confused deputy problem, see The confused deputy problem in the IAM User Guide.

        If you want to use the same target role with multiple associations or other roles, use independent statements in the trust policy to allow sts:AssumeRole access from each role.