Values.PodIdentityAssociationSourceAmazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances.
type nonrec t = {clusterName : String_.t option;The name of the cluster that the association is in.
*)namespace : String_.t option;The name of the Kubernetes namespace inside the cluster to create the association in. The service account and the Pods that use the service account must be in this namespace.
*)serviceAccount : String_.t option;The name of the Kubernetes service account inside the cluster to associate the IAM credentials with.
*)roleArn : String_.t option;The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity agent manages credentials to assume this role for applications in the containers in the Pods that use this service account.
*)associationArn : String_.t option;The Amazon Resource Name (ARN) of the association.
*)associationId : String_.t option;The ID of the association.
*)createdAt : Timestamp.t option;The timestamp that the association was created at.
*)modifiedAt : Timestamp.t option;The most recent timestamp that the association was modified at.
*)ownerArn : String_.t option;If defined, the EKS Pod Identity association is owned by an Amazon EKS add-on.
*)disableSessionTags : BoxedBoolean.t option;The state of the automatic sessions tags. The value of true disables these tags. EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to Amazon Web Services resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. For the list of tags added by EKS Pod Identity, see List of session tags added by EKS Pod Identity in the Amazon EKS User Guide.
*)targetRoleArn : String_.t option;The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This role is assumed by using the EKS Pod Identity association role, then the credentials for this role are injected into the Pod.
*)externalId : String_.t option;The unique identifier for this EKS Pod Identity association for a target IAM role. You put this value in the trust policy of the target role, in a Condition to match the sts.ExternalId. This ensures that the target role can only be assumed by this association. This prevents the confused deputy problem. For more information about the confused deputy problem, see The confused deputy problem in the IAM User Guide. If you want to use the same target role with multiple associations or other roles, use independent statements in the trust policy to allow sts:AssumeRole access from each role.
*)policy : String_.t option;An optional IAM policy in JSON format (as an escaped string) that applies additional restrictions to this pod identity association beyond the IAM policies attached to the IAM role. This policy is applied as the intersection of the role's policies and this policy, allowing you to reduce the permissions that applications in the pods can use. Use this policy to enforce least privilege access while still leveraging a shared IAM role across multiple applications.
*)}val to_value :
t ->
[> `Structure of
(string
* [> `Boolean of BoxedBoolean.t
| `Map of
([> `String of TagKey.t ] * [> `String of TagValue.t ]) list
| `String of String_.t
| `Timestamp of Timestamp.t ])
list ]