π― Use Case
Say you have
- π¦ EKS cluster in Account A
- π¦ S3 bucket or DynamoDB table in Account B
Now, your pods in Account A can automatically access resources in Account B, securely and transparently.
βοΈ How It Works
Two IAM roles are involved
- PodIdentityRole in Account A (used by EKS)
- TargetResourceRole in Account B (with access to S3/DynamoDB)
Use the new create-pod-identity-association API to link them
aws eks create-pod-identity-association \
--cluster-name my-cluster \
--namespace finance \
--service-account report-generator \
--role-arn arn:aws:iam::<AccountA>:role/PodIdentityRole \
--target-role-arn arn:aws:iam::<AccountB>:role/TargetResourceRole
π EKS handles IAM role chaining behind the scenes
Your application running inside the pod:
- Gets credentials automatically from the identity service
- Doesnβt need to know about role assumptions or accounts
- Keeps running as usual β securely accessing remote AWS services
π§ Why Itβs Cool
- β No code changes in your app
- π Secure cross-account access via IAM
- π Native support for role chaining
- π οΈ Works with Cloud-native patterns
- πΌ Ideal for multi-account enterprise setups
π§ Real-World Benefit
Letβs say your app in EKS reads daily data from an S3 bucket in another business unit.
Now, with a single Pod Identity association, your pod gets credentials to access that bucket β securely and automatically.
π TL;DR
Amazon EKS Pod Identity now supports cross-account resource access using IAM role chaining β with just one API call and no app rewrites. π―
π¬ Are you running EKS in a multi-account setup?
How do you handle cross-account permissions today?
Top comments (1)
Some comments may only be visible to logged-in visitors. Sign in to view all comments.