

# AssumeRoleForPodIdentity
<a name="API_auth_AssumeRoleForPodIdentity"></a>

The Amazon EKS Auth API and the `AssumeRoleForPodIdentity` action are only used by the EKS Pod Identity Agent.

We recommend that applications use the Amazon SDKs to connect to Amazon services; if credentials from an EKS Pod Identity association are available in the pod, the latest versions of the SDKs use them automatically.

## Request Syntax
<a name="API_auth_AssumeRoleForPodIdentity_RequestSyntax"></a>

```
POST /clusters/clusterName/assume-role-for-pod-identity HTTP/1.1
Content-type: application/json

{
   "token": "string"
}
```

## URI Request Parameters
<a name="API_auth_AssumeRoleForPodIdentity_RequestParameters"></a>

The request uses the following URI parameters.

 ** [clusterName](#API_auth_AssumeRoleForPodIdentity_RequestSyntax) **   <a name="AmazonEKS-auth_AssumeRoleForPodIdentity-request-uri-clusterName"></a>
The name of the cluster for the request.  
Length Constraints: Minimum length of 1. Maximum length of 100.  
Pattern: `[0-9A-Za-z][A-Za-z0-9\-_]*`   
Required: Yes

## Request Body
<a name="API_auth_AssumeRoleForPodIdentity_RequestBody"></a>

The request accepts the following data in JSON format.

 ** [token](#API_auth_AssumeRoleForPodIdentity_RequestSyntax) **   <a name="AmazonEKS-auth_AssumeRoleForPodIdentity-request-token"></a>
The token of the Kubernetes service account for the pod.  
Type: String  
Length Constraints: Minimum length of 1.  
Pattern: `[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+`   
Required: Yes
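
A pre-flight check for the two request inputs, as an added example that is not part of the original reference or of any Amazon SDK. The function names `validate_request` and `build_request` are hypothetical; the patterns and length limits are the ones documented above.

```python
import json
import re

# Documented patterns. fullmatch() anchors both ends, so a value with
# extra path segments or a trailing newline is rejected (a bare "$"
# would still accept a trailing newline).
CLUSTER_NAME_RE = re.compile(r"[0-9A-Za-z][A-Za-z0-9\-_]*")
TOKEN_RE = re.compile(r"[A-Za-z0-9\-_=]+\.[A-Za-z0-9\-_=]+\.[A-Za-z0-9\-_=]+")


def validate_request(cluster_name, token):
    """Return a list of problems; an empty list means both inputs fit the documented constraints."""
    problems = []
    if not isinstance(cluster_name, str) or not 1 <= len(cluster_name) <= 100:
        problems.append("clusterName: length must be 1-100")
    elif not CLUSTER_NAME_RE.fullmatch(cluster_name):
        problems.append("clusterName: does not match the documented pattern")
    if not isinstance(token, str) or len(token) < 1:
        problems.append("token: length must be at least 1")
    elif not TOKEN_RE.fullmatch(token):
        problems.append("token: expected three dot-separated segments")
    return problems


def build_request(cluster_name, token):
    """Build (path, body) for the POST, refusing inputs that fail validation."""
    problems = validate_request(cluster_name, token)
    if problems:
        raise ValueError("; ".join(problems))
    # clusterName is placed in the URI path, so it is validated before use.
    path = "/clusters/%s/assume-role-for-pod-identity" % cluster_name
    return path, json.dumps({"token": token})
```

The truncated placeholder token used in the sample request on this page (`eyJhbEXAMPLE`) has no dot-separated segments, so this check reports it as not matching the documented pattern.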

## Response Syntax
<a name="API_auth_AssumeRoleForPodIdentity_ResponseSyntax"></a>

```
HTTP/1.1 200
Content-type: application/json

{
   "assumedRoleUser": { 
      "arn": "string",
      "assumeRoleId": "string"
   },
   "audience": "string",
   "credentials": { 
      "accessKeyId": "string",
      "expiration": number,
      "secretAccessKey": "string",
      "sessionToken": "string"
   },
   "podIdentityAssociation": { 
      "associationArn": "string",
      "associationId": "string"
   },
   "subject": { 
      "namespace": "string",
      "serviceAccount": "string"
   }
}
```

## Response Elements
<a name="API_auth_AssumeRoleForPodIdentity_ResponseElements"></a>

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [assumedRoleUser](#API_auth_AssumeRoleForPodIdentity_ResponseSyntax) **   <a name="AmazonEKS-auth_AssumeRoleForPodIdentity-response-assumedRoleUser"></a>
An object with the permanent IAM role identity and the temporary session name.  
`arn`: The ARN of the IAM role that the temporary credentials authenticate to.  
`assumeRoleId`: The session name of the temporary session requested to Amazon STS. The value is a unique identifier that contains the role ID, a colon (`:`), and the role session name of the role that is being assumed. The role ID is generated by IAM when the role is created. The role session name part of the value follows this format: `eks-clustername-podname-randomUUID`  
Type: [AssumedRoleUser](API_auth_AssumedRoleUser.md) object

 ** [audience](#API_auth_AssumeRoleForPodIdentity_ResponseSyntax) **   <a name="AmazonEKS-auth_AssumeRoleForPodIdentity-response-audience"></a>
The identity that is allowed to use the credentials. This value is always `pods.eks.amazonaws.com`.  
Type: String

 ** [credentials](#API_auth_AssumeRoleForPodIdentity_ResponseSyntax) **   <a name="AmazonEKS-auth_AssumeRoleForPodIdentity-response-credentials"></a>
The *Amazon Signature Version 4* type of temporary credentials.  
Type: [Credentials](API_auth_Credentials.md) object

 ** [podIdentityAssociation](#API_auth_AssumeRoleForPodIdentity_ResponseSyntax) **   <a name="AmazonEKS-auth_AssumeRoleForPodIdentity-response-podIdentityAssociation"></a>
The Amazon Resource Name (ARN) and ID of the EKS Pod Identity association.  
Type: [PodIdentityAssociation](API_auth_PodIdentityAssociation.md) object

 ** [subject](#API_auth_AssumeRoleForPodIdentity_ResponseSyntax) **   <a name="AmazonEKS-auth_AssumeRoleForPodIdentity-response-subject"></a>
The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.  
Type: [Subject](API_auth_Subject.md) object

## Errors
<a name="API_auth_AssumeRoleForPodIdentity_Errors"></a>

For information about the errors that are common to all actions, see [Common Errors](CommonErrors.md).

 ** AccessDeniedException **   
You don't have permissions to perform the requested operation. The IAM principal making the request must have at least one IAM permissions policy attached that grants the required permissions. For more information, see [Access management](https://docs.amazonaws.cn/IAM/latest/UserGuide/access.html) in the *IAM User Guide*.   
HTTP Status Code: 400

 ** ExpiredTokenException **   
The specified Kubernetes service account token is expired.  
HTTP Status Code: 400

 ** InternalServerException **   
These errors are usually caused by a server-side issue.  
HTTP Status Code: 500

 ** InvalidParameterException **   
The specified parameter is invalid. Review the available parameters for the API request.  
HTTP Status Code: 400

 ** InvalidRequestException **   
This exception is thrown if the request contains a semantic error. The precise meaning will depend on the API, and will be documented in the error message.  
HTTP Status Code: 400

 ** InvalidTokenException **   
The specified Kubernetes service account token is invalid.  
HTTP Status Code: 400

 ** ResourceNotFoundException **   
The specified resource could not be found.  
HTTP Status Code: 404

 ** ServiceUnavailableException **   
The service is unavailable. Back off and retry the operation.  
HTTP Status Code: 503

 ** ThrottlingException **   
The request was denied because your request rate is too high. Reduce the frequency of requests.  
HTTP Status Code: 429

## Examples
<a name="API_auth_AssumeRoleForPodIdentity_Examples"></a>

In the following example, the Authorization header contents (`AUTHPARAMS`) must be replaced with an Amazon Signature Version 4 signature. For more information about creating these signatures, see [Signature Version 4 Signing Process](https://docs.amazonaws.cn/general/latest/gr/signature-version-4.html) in the *Amazon EKS General Reference*.

You need to learn how to sign HTTP requests only if you intend to manually create them. When you use the [Amazon Command Line Interface (Amazon CLI)](http://www.amazonaws.cn/cli/) or one of the [Amazon SDKs](http://www.amazonaws.cn/tools/) to make requests to Amazon, these tools automatically sign the requests for you with the access key that you specify when you configure the tools. When you use these tools, you don't need to learn how to sign requests yourself.

### Example
<a name="API_auth_AssumeRoleForPodIdentity_Example_1"></a>

The following example assumes an IAM role with the EKS Pod Identity association called `my-association` in a cluster called `my-cluster`.

#### Sample Request
<a name="API_auth_AssumeRoleForPodIdentity_Example_1_Request"></a>

```
POST /clusters/my-cluster/assume-role-for-pod-identity HTTP/1.1
Host: eks-auth.us-west-2.api.aws
Accept-Encoding: identity
User-Agent: aws-cli/1.29.81 md/Botocore#1.31.81 ua/2.0 os/macos#22.6.0 md/arch#x86_64 lang/python#3.8.0 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.31.81
X-Amz-Date: 20231121T192727Z
Authorization: AUTHPARAMS
Content-length: 1043

{
    "token": "eyJhbEXAMPLE"
}
```

#### Sample Response
<a name="API_auth_AssumeRoleForPodIdentity_Example_1_Response"></a>

```
HTTP/1.1 200 OK
Date: Fri, 22 Mar 2019 16:01:58 GMT
Content-Type: application/json
Content-Length: 682
x-amzn-RequestId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
x-amz-apigw-id: W84GUEIbPHcFW2Q=
X-Amzn-Trace-Id: Root=1-xxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxx
Connection: keep-alive

{
    "assumedRoleUser": {
        "arn": "arn:aws:sts::012345678910:assumed-role/my-role/eks-my-cluster-podname-randomUUID",
        "assumeRoleId": "AROA123456789EXAMPLE:eks-my-cluster-podname-randomUUID"
    },
    "audience": "pods.eks.amazonaws.com",
    "credentials": {
        "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
        "expiration": 1.70061547E9,
        "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "sessionToken": "EXAMPLE"
    },
    "podIdentityAssociation": {
        "associationArn": "arn:aws:eks:us-west-2:012345678910:podidentityassociation/my-association/a-abcdefghijklmnop1",
        "associationId": "a-abcdefghijklmnop1"
    },
    "subject": {
        "namespace": "my-namespace",
        "serviceAccount": "my-serviceaccount"
    }
}
```
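
A consumer-side check of a response like the one above, as an added example that is not part of the original reference or of any Amazon SDK. The function name `check_response`, the `min_ttl` margin and the reading of `expiration` as epoch seconds (inferred from the sample value) are assumptions; the embedded body is constructed from the sample response.

```python
import json
import time

EXPECTED_AUDIENCE = "pods.eks.amazonaws.com"  # documented above as always this value

# Constructed response body, modeled on the sample response on this page.
SAMPLE_BODY = json.dumps({
    "assumedRoleUser": {
        "arn": "arn:aws:sts::012345678910:assumed-role/my-role/eks-my-cluster-podname-randomUUID",
        "assumeRoleId": "AROA123456789EXAMPLE:eks-my-cluster-podname-randomUUID"},
    "audience": "pods.eks.amazonaws.com",
    "credentials": {"accessKeyId": "ASIAIOSFODNN7EXAMPLE", "expiration": 1.70061547E9,
                    "secretAccessKey": "EXAMPLE", "sessionToken": "EXAMPLE"},
    "podIdentityAssociation": {"associationId": "a-abcdefghijklmnop1"},
    "subject": {"namespace": "my-namespace", "serviceAccount": "my-serviceaccount"},
})


def check_response(body, cluster_name, now=None, min_ttl=60):
    """Validate a response body and return a summary that is safe to log."""
    doc = json.loads(body)
    now = time.time() if now is None else now
    if doc["audience"] != EXPECTED_AUDIENCE:
        raise ValueError("unexpected audience: %r" % doc["audience"])
    creds = doc["credentials"]
    ttl = float(creds["expiration"]) - now  # assumption: epoch seconds
    if ttl < min_ttl:
        raise ValueError("credentials expired or expiring within %d s" % min_ttl)
    # assumeRoleId is "<role ID>:<role session name>"; the session name
    # follows the documented eks-clustername-podname-randomUUID format.
    role_id, sep, session = doc["assumedRoleUser"]["assumeRoleId"].partition(":")
    if not sep or not session.startswith("eks-%s-" % cluster_name):
        raise ValueError("role session name does not belong to this cluster")
    # secretAccessKey and sessionToken are deliberately left out of the summary.
    return {
        "roleId": role_id,
        "sessionName": session,
        "namespace": doc["subject"]["namespace"],
        "serviceAccount": doc["subject"]["serviceAccount"],
        "associationId": doc["podIdentityAssociation"]["associationId"],
        "accessKeyId": creds["accessKeyId"],
        "ttlSeconds": int(ttl),
    }
```

The returned summary carries the identifiers needed to correlate a credential with its pod, service account and association in audit logs, without the secret key or session token.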

## See Also
<a name="API_auth_AssumeRoleForPodIdentity_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon Command Line Interface V2](https://docs.amazonaws.cn/goto/cli2/eks-auth-2023-11-26/AssumeRoleForPodIdentity) 
+  [Amazon SDK for .NET V4](https://docs.amazonaws.cn/goto/DotNetSDKV4/eks-auth-2023-11-26/AssumeRoleForPodIdentity) 
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/eks-auth-2023-11-26/AssumeRoleForPodIdentity) 
+  [Amazon SDK for Go v2](https://docs.amazonaws.cn/goto/SdkForGoV2/eks-auth-2023-11-26/AssumeRoleForPodIdentity) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/eks-auth-2023-11-26/AssumeRoleForPodIdentity) 
+  [Amazon SDK for JavaScript V3](https://docs.amazonaws.cn/goto/SdkForJavaScriptV3/eks-auth-2023-11-26/AssumeRoleForPodIdentity) 
+  [Amazon SDK for Kotlin](https://docs.amazonaws.cn/goto/SdkForKotlin/eks-auth-2023-11-26/AssumeRoleForPodIdentity) 
+  [Amazon SDK for PHP V3](https://docs.amazonaws.cn/goto/SdkForPHPV3/eks-auth-2023-11-26/AssumeRoleForPodIdentity) 
+  [Amazon SDK for Python](https://docs.amazonaws.cn/goto/boto3/eks-auth-2023-11-26/AssumeRoleForPodIdentity) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/eks-auth-2023-11-26/AssumeRoleForPodIdentity) 