/AWS1/CL_EKSPODIDASSOCIATION¶
Amazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances.
CONSTRUCTOR¶
IMPORTING¶
Optional arguments:¶
iv_clustername TYPE /AWS1/EKSSTRING /AWS1/EKSSTRING¶
The name of the cluster that the association is in.
iv_namespace TYPE /AWS1/EKSSTRING /AWS1/EKSSTRING¶
The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the Pods that use the service account must be in this namespace.
iv_serviceaccount TYPE /AWS1/EKSSTRING /AWS1/EKSSTRING¶
The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.
iv_rolearn TYPE /AWS1/EKSSTRING /AWS1/EKSSTRING¶
The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the Pods that use this service account.
iv_associationarn TYPE /AWS1/EKSSTRING /AWS1/EKSSTRING¶
The Amazon Resource Name (ARN) of the association.
iv_associationid TYPE /AWS1/EKSSTRING /AWS1/EKSSTRING¶
The ID of the association.
it_tags TYPE /AWS1/CL_EKSTAGMAP_W=>TT_TAGMAP TT_TAGMAP¶
Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
The following basic restrictions apply to tags:
Maximum number of tags per resource – 50
For each resource, each tag key must be unique, and each tag key can have only one value.
Maximum key length – 128 Unicode characters in UTF-8
Maximum value length – 256 Unicode characters in UTF-8
If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.
Tag keys and values are case-sensitive.
Do not use
aws:,AWS:, or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for Amazon Web Services use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.
iv_createdat TYPE /AWS1/EKSTIMESTAMP /AWS1/EKSTIMESTAMP¶
The timestamp that the association was created at.
iv_modifiedat TYPE /AWS1/EKSTIMESTAMP /AWS1/EKSTIMESTAMP¶
The most recent timestamp that the association was modified at.
iv_ownerarn TYPE /AWS1/EKSSTRING /AWS1/EKSSTRING¶
If defined, the EKS Pod Identity association is owned by an Amazon EKS add-on.
iv_disablesessiontags TYPE /AWS1/EKSBOXEDBOOLEAN /AWS1/EKSBOXEDBOOLEAN¶
The state of the automatic sessions tags. The value of true disables these tags.
EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to Amazon Web Services resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. For the list of tags added by EKS Pod Identity, see List of session tags added by EKS Pod Identity in the Amazon EKS User Guide.
iv_targetrolearn TYPE /AWS1/EKSSTRING /AWS1/EKSSTRING¶
The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This role is assumed by using the EKS Pod Identity association role, then the credentials for this role are injected into the Pod.
iv_externalid TYPE /AWS1/EKSSTRING /AWS1/EKSSTRING¶
The unique identifier for this EKS Pod Identity association for a target IAM role. You put this value in the trust policy of the target role, in a
Conditionto match thests.ExternalId. This ensures that the target role can only be assumed by this association. This prevents the confused deputy problem. For more information about the confused deputy problem, see The confused deputy problem in the IAM User Guide.If you want to use the same target role with multiple associations or other roles, use independent statements in the trust policy to allow
sts:AssumeRoleaccess from each role.
Queryable Attributes¶
clusterName¶
The name of the cluster that the association is in.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_CLUSTERNAME() |
Getter for CLUSTERNAME, with configurable default |
ASK_CLUSTERNAME() |
Getter for CLUSTERNAME w/ exceptions if field has no value |
HAS_CLUSTERNAME() |
Determine if CLUSTERNAME has a value |
namespace¶
The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the Pods that use the service account must be in this namespace.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_NAMESPACE() |
Getter for NAMESPACE, with configurable default |
ASK_NAMESPACE() |
Getter for NAMESPACE w/ exceptions if field has no value |
HAS_NAMESPACE() |
Determine if NAMESPACE has a value |
serviceAccount¶
The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_SERVICEACCOUNT() |
Getter for SERVICEACCOUNT, with configurable default |
ASK_SERVICEACCOUNT() |
Getter for SERVICEACCOUNT w/ exceptions if field has no valu |
HAS_SERVICEACCOUNT() |
Determine if SERVICEACCOUNT has a value |
roleArn¶
The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the Pods that use this service account.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_ROLEARN() |
Getter for ROLEARN, with configurable default |
ASK_ROLEARN() |
Getter for ROLEARN w/ exceptions if field has no value |
HAS_ROLEARN() |
Determine if ROLEARN has a value |
associationArn¶
The Amazon Resource Name (ARN) of the association.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_ASSOCIATIONARN() |
Getter for ASSOCIATIONARN, with configurable default |
ASK_ASSOCIATIONARN() |
Getter for ASSOCIATIONARN w/ exceptions if field has no valu |
HAS_ASSOCIATIONARN() |
Determine if ASSOCIATIONARN has a value |
associationId¶
The ID of the association.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_ASSOCIATIONID() |
Getter for ASSOCIATIONID, with configurable default |
ASK_ASSOCIATIONID() |
Getter for ASSOCIATIONID w/ exceptions if field has no value |
HAS_ASSOCIATIONID() |
Determine if ASSOCIATIONID has a value |
tags¶
Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
The following basic restrictions apply to tags:
Maximum number of tags per resource – 50
For each resource, each tag key must be unique, and each tag key can have only one value.
Maximum key length – 128 Unicode characters in UTF-8
Maximum value length – 256 Unicode characters in UTF-8
If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.
Tag keys and values are case-sensitive.
Do not use
aws:,AWS:, or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for Amazon Web Services use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_TAGS() |
Getter for TAGS, with configurable default |
ASK_TAGS() |
Getter for TAGS w/ exceptions if field has no value |
HAS_TAGS() |
Determine if TAGS has a value |
createdAt¶
The timestamp that the association was created at.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_CREATEDAT() |
Getter for CREATEDAT, with configurable default |
ASK_CREATEDAT() |
Getter for CREATEDAT w/ exceptions if field has no value |
HAS_CREATEDAT() |
Determine if CREATEDAT has a value |
modifiedAt¶
The most recent timestamp that the association was modified at.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_MODIFIEDAT() |
Getter for MODIFIEDAT, with configurable default |
ASK_MODIFIEDAT() |
Getter for MODIFIEDAT w/ exceptions if field has no value |
HAS_MODIFIEDAT() |
Determine if MODIFIEDAT has a value |
ownerArn¶
If defined, the EKS Pod Identity association is owned by an Amazon EKS add-on.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_OWNERARN() |
Getter for OWNERARN, with configurable default |
ASK_OWNERARN() |
Getter for OWNERARN w/ exceptions if field has no value |
HAS_OWNERARN() |
Determine if OWNERARN has a value |
disableSessionTags¶
The state of the automatic sessions tags. The value of true disables these tags.
EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to Amazon Web Services resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. For the list of tags added by EKS Pod Identity, see List of session tags added by EKS Pod Identity in the Amazon EKS User Guide.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_DISABLESESSIONTAGS() |
Getter for DISABLESESSIONTAGS, with configurable default |
ASK_DISABLESESSIONTAGS() |
Getter for DISABLESESSIONTAGS w/ exceptions if field has no |
HAS_DISABLESESSIONTAGS() |
Determine if DISABLESESSIONTAGS has a value |
targetRoleArn¶
The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This role is assumed by using the EKS Pod Identity association role, then the credentials for this role are injected into the Pod.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_TARGETROLEARN() |
Getter for TARGETROLEARN, with configurable default |
ASK_TARGETROLEARN() |
Getter for TARGETROLEARN w/ exceptions if field has no value |
HAS_TARGETROLEARN() |
Determine if TARGETROLEARN has a value |
externalId¶
The unique identifier for this EKS Pod Identity association for a target IAM role. You put this value in the trust policy of the target role, in a
Conditionto match thests.ExternalId. This ensures that the target role can only be assumed by this association. This prevents the confused deputy problem. For more information about the confused deputy problem, see The confused deputy problem in the IAM User Guide.If you want to use the same target role with multiple associations or other roles, use independent statements in the trust policy to allow
sts:AssumeRoleaccess from each role.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_EXTERNALID() |
Getter for EXTERNALID, with configurable default |
ASK_EXTERNALID() |
Getter for EXTERNALID w/ exceptions if field has no value |
HAS_EXTERNALID() |
Determine if EXTERNALID has a value |