Class: Aws::EKS::Types::UpdatePodIdentityAssociationRequest

Inherits:
Struct
  • Object
show all
Defined in:
gems/aws-sdk-eks/lib/aws-sdk-eks/types.rb

Overview

See Also:

Constant Summary collapse

SENSITIVE = 
[]

Instance Attribute Summary collapse

Instance Attribute Details

#association_idString

The ID of the association to be updated.

Returns:

  • (String) 


8436
8437
8438
8439
8440
8441
8442
8443
8444
8445
8446
 
# File 'gems/aws-sdk-eks/lib/aws-sdk-eks/types.rb', line 8436

class UpdatePodIdentityAssociationRequest < Struct.new(
  :cluster_name,
  :association_id,
  :role_arn,
  :client_request_token,
  :disable_session_tags,
  :target_role_arn,
  :policy)
  SENSITIVE = []
  include Aws::Structure
end

#client_request_tokenString

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.

A suitable default value is auto-generated. You should normally not need to pass this option.

Returns:

  • (String) 


8436
8437
8438
8439
8440
8441
8442
8443
8444
8445
8446
 
# File 'gems/aws-sdk-eks/lib/aws-sdk-eks/types.rb', line 8436

class UpdatePodIdentityAssociationRequest < Struct.new(
  :cluster_name,
  :association_id,
  :role_arn,
  :client_request_token,
  :disable_session_tags,
  :target_role_arn,
  :policy)
  SENSITIVE = []
  include Aws::Structure
end

#cluster_nameString

The name of the cluster that you want to update the association in.

Returns:

  • (String) 


8436
8437
8438
8439
8440
8441
8442
8443
8444
8445
8446
 
# File 'gems/aws-sdk-eks/lib/aws-sdk-eks/types.rb', line 8436

class UpdatePodIdentityAssociationRequest < Struct.new(
  :cluster_name,
  :association_id,
  :role_arn,
  :client_request_token,
  :disable_session_tags,
  :target_role_arn,
  :policy)
  SENSITIVE = []
  include Aws::Structure
end

#disable_session_tagsBoolean

Disable the automatic sessions tags that are appended by EKS Pod Identity.

EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to Amazon Web Services resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. For the list of tags added by EKS Pod Identity, see List of session tags added by EKS Pod Identity in the Amazon EKS User Guide.

Amazon Web Services compresses inline session policies, managed policy ARNs, and session tags into a packed binary format that has a separate limit. If you receive a PackedPolicyTooLarge error indicating the packed binary format has exceeded the size limit, you can attempt to reduce the size by disabling the session tags added by EKS Pod Identity.

Returns:

  • (Boolean) 


8436
8437
8438
8439
8440
8441
8442
8443
8444
8445
8446
 
# File 'gems/aws-sdk-eks/lib/aws-sdk-eks/types.rb', line 8436

class UpdatePodIdentityAssociationRequest < Struct.new(
  :cluster_name,
  :association_id,
  :role_arn,
  :client_request_token,
  :disable_session_tags,
  :target_role_arn,
  :policy)
  SENSITIVE = []
  include Aws::Structure
end

#policyString

An optional IAM policy in JSON format (as an escaped string) that applies additional restrictions to this pod identity association beyond the IAM policies attached to the IAM role. This policy is applied as the intersection of the role's policies and this policy, allowing you to reduce the permissions that applications in the pods can use. Use this policy to enforce least privilege access while still leveraging a shared IAM role across multiple applications.

Important considerations

  • Session tags: When using this policy, disableSessionTags must be set to true.

  • Target role permissions: If you specify both a TargetRoleArn and a policy, the policy restrictions apply only to the target role's permissions, not to the initial role used for assuming the target role.

Returns:

  • (String) 


8436
8437
8438
8439
8440
8441
8442
8443
8444
8445
8446
 
# File 'gems/aws-sdk-eks/lib/aws-sdk-eks/types.rb', line 8436

class UpdatePodIdentityAssociationRequest < Struct.new(
  :cluster_name,
  :association_id,
  :role_arn,
  :client_request_token,
  :disable_session_tags,
  :target_role_arn,
  :policy)
  SENSITIVE = []
  include Aws::Structure
end

#role_arnString

The new IAM role to change in the association.

Returns:

  • (String) 


8436
8437
8438
8439
8440
8441
8442
8443
8444
8445
8446
 
# File 'gems/aws-sdk-eks/lib/aws-sdk-eks/types.rb', line 8436

class UpdatePodIdentityAssociationRequest < Struct.new(
  :cluster_name,
  :association_id,
  :role_arn,
  :client_request_token,
  :disable_session_tags,
  :target_role_arn,
  :policy)
  SENSITIVE = []
  include Aws::Structure
end

#target_role_arnString

The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This role is assumed by using the EKS Pod Identity association role, then the credentials for this role are injected into the Pod.

When you run applications on Amazon EKS, your application might need to access Amazon Web Services resources from a different role that exists in the same or different Amazon Web Services account. For example, your application running in “Account A” might need to access resources, such as buckets in “Account B” or within “Account A” itself. You can create a association to access Amazon Web Services resources in “Account B” by creating two IAM roles: a role in “Account A” and a role in “Account B” (which can be the same or different account), each with the necessary trust and permission policies. After you provide these roles in the IAM role and Target IAM role fields, EKS will perform role chaining to ensure your application gets the required permissions. This means Role A will assume Role B, allowing your Pods to securely access resources like S3 buckets in the target account.

Returns:

  • (String) 


8436
8437
8438
8439
8440
8441
8442
8443
8444
8445
8446
 
# File 'gems/aws-sdk-eks/lib/aws-sdk-eks/types.rb', line 8436

class UpdatePodIdentityAssociationRequest < Struct.new(
  :cluster_name,
  :association_id,
  :role_arn,
  :client_request_token,
  :disable_session_tags,
  :target_role_arn,
  :policy)
  SENSITIVE = []
  include Aws::Structure
end