Troubleshoot Pod Identities for EKS add-ons - Amazon EKS

Troubleshoot Pod Identities for EKS add-ons

If your add-ons are encountering errors while attempting Amazon API, SDK, or CLI operations, confirm the following:

  • The Pod Identity Agent is installed in your cluster.

  • The add-on has a valid Pod Identity association.

    • Use the Amazon CLI to retrieve the associations for the service account name used by the add-on.

      aws eks list-pod-identity-associations --cluster-name <cluster-name>

  • The IAM role has the required trust policy for Pod Identities.

    • Use the Amazon CLI to retrieve the trust policy for an add-on.

      aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument

  • The IAM role has the necessary permissions for the add-on.

    • Use Amazon CloudTrail to review AccessDenied or UnauthorizedOperation events.

  • The service account name in the pod identity association matches the service account name used by the add-on.
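
The trust policy and service account checks above can be automated against the JSON that the two CLI commands return. The following is an added example, not part of the original page or of the EKS tooling. It assumes the standard Pod Identity trust relationship (service principal pods.eks.amazonaws.com allowed sts:AssumeRole and sts:TagSession, which this page does not spell out); the function names and sample data are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Service principal and actions an EKS Pod Identity trust policy must allow.
PRINCIPAL = "pods.eks.amazonaws.com"
REQUIRED = ("sts:AssumeRole", "sts:TagSession")

def as_list(value):
    """IAM JSON allows a bare string where a list is expected."""
    return value if isinstance(value, list) else [value]

def missing_trust_actions(policy):
    """Required actions that no Allow statement grants to PRINCIPAL.
    Condition blocks are not evaluated; review them by hand."""
    patterns = []
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if PRINCIPAL in as_list(principal.get("Service", [])):
            patterns += [a.lower() for a in as_list(stmt.get("Action", []))]
    return [r for r in REQUIRED
            if not any(fnmatchcase(r.lower(), p) for p in patterns)]

def matching_associations(listing, namespace, service_account):
    """Entries from list-pod-identity-associations output for one service account."""
    return [a for a in listing.get("associations", [])
            if a.get("namespace") == namespace
            and a.get("serviceAccount") == service_account]

# Constructed sample (not real output): trust policy that lacks sts:TagSession.
SAMPLE_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"Service": "pods.eks.amazonaws.com"},
  "Action": "sts:AssumeRole"}]}""")

# Constructed sample: the association names a different service account
# ("example-addon") than the one the add-on runs as ("example-addon-sa").
SAMPLE_LISTING = json.loads("""{"associations": [{
  "clusterName": "example-cluster", "namespace": "kube-system",
  "serviceAccount": "example-addon", "associationId": "a-EXAMPLE"}]}""")

if __name__ == "__main__":
    print("missing trust actions:", missing_trust_actions(SAMPLE_TRUST))
    print("associations for kube-system/example-addon-sa:",
          matching_associations(SAMPLE_LISTING, "kube-system", "example-addon-sa"))
```

An empty list from `missing_trust_actions` means both required actions are granted to the Pod Identity principal; an empty list from `matching_associations` means no association exists for the service account the add-on actually uses.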