Create IAM role with trust policy required by EKS Pod Identity
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
            "Effect": "Allow",
            "Principal": {
                "Service": "pods.eks.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession"
            ]
        }
    ]
}
- sts:AssumeRole: EKS Pod Identity uses AssumeRole to assume the IAM role before passing the temporary credentials to your pods.
- sts:TagSession: EKS Pod Identity uses TagSession to include session tags in the requests to Amazon STS.

You can use these tags in the condition keys in the trust policy to restrict which service accounts, namespaces, and clusters can use this role.
For a list of Amazon EKS condition keys, see Conditions defined by Amazon Elastic Kubernetes Service in the Service Authorization Reference. To learn which actions and resources you can use a condition key with, see Actions defined by Amazon Elastic Kubernetes Service.
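The following check is an added example, not part of the AWS guide: it audits a role trust policy for statements that trust pods.eks.amazonaws.com without pinning the session tags described above. It assumes the EKS Pod Identity session tags eks-cluster-arn, kubernetes-namespace and kubernetes-service-account, matched through aws:RequestTag; the function name, account ID, cluster, namespace and service account are constructed for illustration.

```python
import copy

POD_IDENTITY_PRINCIPAL = "pods.eks.amazonaws.com"
REQUIRED_ACTIONS = {"sts:AssumeRole", "sts:TagSession"}
# Session tags set by EKS Pod Identity that scope a role to one workload.
SCOPING_TAGS = ("eks-cluster-arn", "kubernetes-namespace", "kubernetes-service-account")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy):
    """Return findings for Allow statements that trust the Pod Identity principal."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or POD_IDENTITY_PRINCIPAL not in services:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in sorted(REQUIRED_ACTIONS - set(_as_list(stmt.get("Action", [])))):
            findings.append(f"{sid}: missing action {action}")
        # Only exact matches count as pinning; condition key names are case-insensitive.
        pinned = {key.lower() for op, keys in stmt.get("Condition", {}).items()
                  if op == "StringEquals" for key in keys}
        for tag in SCOPING_TAGS:
            if f"aws:requesttag/{tag}" not in pinned:
                findings.append(f"{sid}: not restricted by aws:RequestTag/{tag}")
    return findings

# The trust policy shown on this page: no Condition block.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowEksAuthToAssumeRoleForPodIdentity", "Effect": "Allow",
    "Principal": {"Service": "pods.eks.amazonaws.com"},
    "Action": ["sts:AssumeRole", "sts:TagSession"]}]}

# Constructed values: account ID, cluster, namespace and service account are placeholders.
SCOPED_POLICY = copy.deepcopy(PAGE_POLICY)
SCOPED_POLICY["Statement"][0]["Condition"] = {"StringEquals": {
    "aws:RequestTag/eks-cluster-arn": "arn:aws:eks:us-east-1:111122223333:cluster/example-cluster",
    "aws:RequestTag/kubernetes-namespace": "payments",
    "aws:RequestTag/kubernetes-service-account": "payments-api"}}

if __name__ == "__main__":
    for name, policy in (("page policy", PAGE_POLICY), ("scoped policy", SCOPED_POLICY)):
        findings = audit_trust_policy(policy)
        print(name, "->", findings or "no findings")
```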