EKS Pod Identities

Least privilege – You can scope IAM permissions to a service account, and only Pods that use that service account have access to those permissions. This feature also eliminates the need for third-party solutions such as kiam or kube2iam.

Credential isolation – A Pod's containers can only retrieve credentials for the IAM role that's associated with the service account that the container uses. A container never has access to credentials that are used by other containers in other Pods. When using Pod Identities, the Pod's containers also have the permissions assigned to the Amazon EKS node IAM role, unless you block Pod access to the Amazon EC2 Instance Metadata Service (IMDS). For more information, see Restrict access to the instance profile assigned to the worker node.

Auditability – Access and event logging is available through Amazon CloudTrail to help facilitate retrospective auditing.

Independent operations – In many organizations, creating OIDC identity providers is a responsibility of different teams than administering the Kubernetes clusters. EKS Pod Identity has clean separation of duties, where all configuration of EKS Pod Identity associations is done in Amazon EKS and all configuration of the IAM permissions is done in IAM.

Reusability – EKS Pod Identity uses a single IAM principal instead of the separate principals for each cluster that IAM roles for service accounts use. Your IAM administrator adds the following principal to the trust policy of any role to make it usable by EKS Pod Identities.

            "Principal": {
                "Service": "pods.eks.amazonaws.com"
            }

Scalability – Each set of temporary credentials are assumed by the EKS Auth service in EKS Pod Identity, instead of each Amazon SDK that you run in each pod. Then, the Amazon EKS Pod Identity Agent that runs on each node issues the credentials to the SDKs. Thus the load is reduced to once for each node and isn't duplicated in each pod. For more details of the process, see How EKS Pod Identity works.

You can associate one IAM role to each Kubernetes service account in each cluster. You can change which role is mapped to the service account by editing the EKS Pod Identity association.

You can only associate roles that are in the same Amazon Web Services account as the cluster. You can delegate access from another account to the role in this account that you configure for EKS Pod Identities to use. For a tutorial about delegating access and AssumeRole, see Delegate access across Amazon accounts using IAM roles in the IAM User Guide.

The EKS Pod Identity Agent is required. It runs as a Kubernetes DaemonSet on your nodes and only provides credentials to pods on the node that it runs on. For more information about EKS Pod Identity Agent compatibility, see the following section EKS Pod Identity restrictions.

The EKS Pod Identity Agent uses the hostNetwork of the node and it uses port 80 and port 2703 on a link-local address on the node. This address is 169.254.170.23 for IPv4 and [fd00:ec2::23] for IPv6 clusters.

Amazon VPC CNI plugin for Kubernetes 1.15.5-eksbuild.1 or later

Amazon Load Balancer Controller 2.7.0 or later. Note that the Amazon Load Balancer Controller isn't available as an EKS Add-on, but it is available as a self-managed add-on.

Amazon EKS cluster versions listed in the previous topic EKS Pod Identity cluster versions.

Worker nodes in the cluster that are Linux Amazon EC2 instances.

China Regions.

Amazon GovCloud (US).

Amazon Outposts.

Amazon EKS Anywhere.

Kubernetes clusters that you create and run on Amazon EC2. The EKS Pod Identity components are only available on Amazon EKS.

Pods that run anywhere except Linux Amazon EC2 instances. Linux and Windows pods that run on Amazon Fargate (Fargate) aren't supported. Pods that run on Windows Amazon EC2 instances aren't supported.

Amazon EKS add-ons that need IAM credentials. The EKS add-ons can only use IAM roles for service accounts instead. The list of EKS add-ons that use IAM credentials include: