Amazon EKS Auth

2023/11/27 - Amazon EKS Auth - 1 new api methods

Changes  This release adds support for EKS Pod Identity feature. EKS Pod Identity makes it easy for customers to obtain IAM permissions for their applications running in the EKS clusters.

AssumeRoleForPodIdentity (new) Link ΒΆ

The Amazon EKS Auth API and the AssumeRoleForPodIdentity action are only used by the EKS Pod Identity Agent.

We recommend that applications use the Amazon Web Services SDKs to connect to Amazon Web Services services; if credentials from an EKS Pod Identity association are available in the pod, the latest versions of the SDKs use them automatically.

See also: AWS API Documentation

Request Syntax

client.assume_role_for_pod_identity(
    clusterName='string',
    token='string'
)
type clusterName:

string

param clusterName:

[REQUIRED]

The name of the cluster for the request.

type token:

string

param token:

[REQUIRED]

The token of the Kubernetes service account for the pod.

rtype:

dict

returns:

Response Syntax

{
    'subject': {
        'namespace': 'string',
        'serviceAccount': 'string'
    },
    'audience': 'string',
    'podIdentityAssociation': {
        'associationArn': 'string',
        'associationId': 'string'
    },
    'assumedRoleUser': {
        'arn': 'string',
        'assumeRoleId': 'string'
    },
    'credentials': {
        'sessionToken': 'string',
        'secretAccessKey': 'string',
        'accessKeyId': 'string',
        'expiration': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • subject (dict) --

      The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.

      • namespace (string) --

        The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the pods that use the service account must be in this namespace.

      • serviceAccount (string) --

        The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.

    • audience (string) --

      The identity that is allowed to use the credentials. This value is always pods.eks.amazonaws.com.

    • podIdentityAssociation (dict) --

      The Amazon Resource Name (ARN) and ID of the EKS Pod Identity association.

      • associationArn (string) --

        The Amazon Resource Name (ARN) of the EKS Pod Identity association.

      • associationId (string) --

        The ID of the association.

    • assumedRoleUser (dict) --

      An object with the permanent IAM role identity and the temporary session name.

      The ARN of the IAM role that the temporary credentials authenticate to.

      The session name of the temporary session requested to STS. The value is a unique identifier that contains the role ID, a colon ( :), and the role session name of the role that is being assumed. The role ID is generated by IAM when the role is created. The role session name part of the value follows this format: eks-clustername-podname-random UUID

      • arn (string) --

        The ARN of the IAM role that the temporary credentials authenticate to.

      • assumeRoleId (string) --

        The session name of the temporary session requested to STS. The value is a unique identifier that contains the role ID, a colon ( :), and the role session name of the role that is being assumed. The role ID is generated by IAM when the role is created. The role session name part of the value follows this format: eks-clustername-podname-random UUID

    • credentials (dict) --

      The Amazon Web Services Signature Version 4 type of temporary credentials.

      • sessionToken (string) --

        The token that applications inside the pods must pass to any service API to use the temporary credentials.

      • secretAccessKey (string) --

        The secret access key that applications inside the pods use to sign requests.

      • accessKeyId (string) --

        The access key ID that identifies the temporary security credentials.

      • expiration (datetime) --

        The Unix epoch timestamp in seconds when the current credentials expire.