Retrieve IAM information about an Amazon EKS add-on - Amazon EKS

Before you create an add-on, use the AWS CLI to determine:

  • If the add-on requires IAM permissions

  • The suggested IAM policy to use

Procedure

  1. Determine the name of the add-on you want to install, and the Kubernetes version of your cluster. For more information about add-ons, see Amazon EKS add-ons.

  2. Use the AWS CLI to determine if the add-on requires IAM permissions.

    aws eks describe-addon-versions \
      --addon-name <addon-name> \
      --kubernetes-version <kubernetes-version>

    For example:

    aws eks describe-addon-versions \
      --addon-name aws-ebs-csi-driver \
      --kubernetes-version 1.30

    Review the following sample output. Note that requiresIamPermissions is true, and note which add-on version is marked defaultVersion: true. You need to specify that add-on version when retrieving the recommended IAM policy.

    {
        "addons": [
            {
                "addonName": "aws-ebs-csi-driver",
                "type": "storage",
                "addonVersions": [
                    {
                        "addonVersion": "v1.31.0-eksbuild.1",
                        "architecture": [
                            "amd64",
                            "arm64"
                        ],
                        "compatibilities": [
                            {
                                "clusterVersion": "1.30",
                                "platformVersions": [
                                    "*"
                                ],
                                "defaultVersion": true
                            }
                        ],
                        "requiresConfiguration": false,
                        "requiresIamPermissions": true
                    },
                    [...]

  3. If the add-on requires IAM permissions, use the AWS CLI to retrieve a recommended IAM policy.

    aws eks describe-addon-configuration \
      --query podIdentityConfiguration \
      --addon-name <addon-name> \
      --addon-version <addon-version>

    For example:

    aws eks describe-addon-configuration \
      --query podIdentityConfiguration \
      --addon-name aws-ebs-csi-driver \
      --addon-version v1.31.0-eksbuild.1

    Review the following output. Note the recommendedManagedPolicies listed for each service account.

    [
        {
            "serviceAccount": "ebs-csi-controller-sa",
            "recommendedManagedPolicies": [
                "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
            ]
        }
    ]

  4. Create an IAM role and attach the recommended managed policy. Alternatively, review the managed policy and scope down the permissions as appropriate. For more information, see Create a Pod Identity association (AWS Console).
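The two CLI calls in steps 2 and 3 return JSON, and the decision in step 4 (does this add-on need IAM permissions, and which managed policy is recommended for which service account) can be automated from that JSON. The following is an added example, not part of the Amazon EKS documentation or the AWS CLI: it parses the output shape shown above, picks the version marked defaultVersion for the cluster's Kubernetes version, and only then reads the Pod Identity configuration. The embedded JSON is constructed to match the sample output on this page (the second, older add-on version entry is invented for illustration); in practice you would feed it the real output of the two aws eks commands.

```python
"""Decide whether an Amazon EKS add-on needs IAM permissions and which
managed policies are recommended, from describe-addon-versions and
describe-addon-configuration output. Added example; not AWS code."""
import json

# Constructed sample modelled on `aws eks describe-addon-versions` output.
# The v1.30.0-eksbuild.1 entry is invented to show non-default selection.
DESCRIBE_ADDON_VERSIONS = json.dumps({
    "addons": [{
        "addonName": "aws-ebs-csi-driver",
        "type": "storage",
        "addonVersions": [
            {
                "addonVersion": "v1.31.0-eksbuild.1",
                "architecture": ["amd64", "arm64"],
                "compatibilities": [
                    {"clusterVersion": "1.30", "platformVersions": ["*"], "defaultVersion": True}
                ],
                "requiresConfiguration": False,
                "requiresIamPermissions": True,
            },
            {
                "addonVersion": "v1.30.0-eksbuild.1",  # constructed, not the default
                "architecture": ["amd64", "arm64"],
                "compatibilities": [
                    {"clusterVersion": "1.30", "platformVersions": ["*"], "defaultVersion": False}
                ],
                "requiresConfiguration": False,
                "requiresIamPermissions": True,
            },
        ],
    }]
})

# Constructed sample modelled on
# `aws eks describe-addon-configuration --query podIdentityConfiguration`.
POD_IDENTITY_CONFIGURATION = json.dumps([
    {"serviceAccount": "ebs-csi-controller-sa",
     "recommendedManagedPolicies": [
         "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"]}
])


def default_addon_version(describe_output: str, addon_name: str, cluster_version: str):
    """Return the addonVersions entry flagged defaultVersion for this
    cluster version, or None when no compatible default exists."""
    data = json.loads(describe_output)
    for addon in data.get("addons", []):
        if addon.get("addonName") != addon_name:
            continue
        for version in addon.get("addonVersions", []):
            for compat in version.get("compatibilities", []):
                if compat.get("clusterVersion") == cluster_version and compat.get("defaultVersion"):
                    return version
    return None


def recommended_policies(pod_identity_output: str) -> dict:
    """Map each service account to its recommended managed policy ARNs.
    The --query returns JSON null when the add-on has no Pod Identity
    configuration, which json.loads turns into None; treat that as empty."""
    entries = json.loads(pod_identity_output) or []
    return {e["serviceAccount"]: list(e.get("recommendedManagedPolicies", []))
            for e in entries}


def iam_plan(describe_output: str, pod_identity_output: str,
             addon_name: str, cluster_version: str) -> dict:
    """Combine steps 2 and 3: which version to install, whether IAM is
    needed, and which policies each service account should get."""
    version = default_addon_version(describe_output, addon_name, cluster_version)
    if version is None:
        raise ValueError(f"no default {addon_name} version for Kubernetes {cluster_version}")
    plan = {
        "addonVersion": version["addonVersion"],
        "requiresIamPermissions": bool(version.get("requiresIamPermissions")),
        "policies": {},
    }
    if plan["requiresIamPermissions"]:
        plan["policies"] = recommended_policies(pod_identity_output)
        if not any(plan["policies"].values()):
            # IAM is required but nothing is recommended: the role must be
            # scoped by hand rather than silently created with no policy.
            raise ValueError(f"{addon_name} requires IAM permissions but no "
                             "managed policy was recommended")
    return plan


if __name__ == "__main__":
    print(json.dumps(iam_plan(DESCRIBE_ADDON_VERSIONS, POD_IDENTITY_CONFIGURATION,
                              "aws-ebs-csi-driver", "1.30"), indent=2))
```

The resulting plan tells you exactly which add-on version to pass to --addon-version and which policy ARN to attach to the role for which service account; the recommended managed policy is still the starting point that step 4 says to review and scope down where appropriate.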

Pod Identity Support Reference

The following table indicates whether certain Amazon EKS add-ons support EKS Pod Identity, and the minimum add-on version that does.

  Add-on Name                              Pod Identity Support   Minimum Version Required
  Amazon EBS CSI Driver                    Yes                    v1.26.0-eksbuild.1
  Amazon VPC CNI                           Yes                    v1.15.5-eksbuild.1
  Amazon EFS CSI Driver                    Yes                    v2.0.5-eksbuild.1
  AWS Distro for OpenTelemetry             Yes                    v0.94.1-eksbuild.1
  Mountpoint for Amazon S3 CSI Driver      No                     N/A
  Amazon CloudWatch Observability agent    No                     N/A

This table was last updated on October 28, 2024.