aws-sdk-eks 1.138.0 → 1.139.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a839b4da440cd4aff716ff553d4dc8185ad4475ccc1d2c3bd15cb1f9d8203d3d
-  data.tar.gz: b6ecfc2a337511c20c601da1066e1f4cf40d7c6b5770e452b5b9d0653dee3d62
+  metadata.gz: bfafb3c4a993afbab984bdb91bc15f1bcb95d2aa5c6014653fcdf609c9b29ece
+  data.tar.gz: 4079bd72a94979ca6da8299cb0f84ee50658ceeded917e1ebe29d5f943117102
 SHA512:
-  metadata.gz: 1e5b1f7218ff939f712867e558028f5c0af3b9b5ae3159d9f496872e92e5b51583ee34ac8e9c20e9e8d0b8ccab5f66b4375df40d3a93b00bf8aef06af9428741
-  data.tar.gz: 3b7ca320fe01ceccb78a530b9e1bc0dba074f0ab09b8bb0af42ac57a2826b0ba2d17a46e924b89c2ae6c7509ac2268e18cbbe1d797b9ec36f4467d0f6268d885
+  metadata.gz: 46bfcabcb9b0fb7087ac0b931ec1e5eeb22169a11bf3ba39ab4e4da8daf23b2339a895763149253b69cf7ab363257e38527cb3058822f64f631790d8ff0ec2b4
+  data.tar.gz: d8042d0978684917d8b55381d1f5c7da5f1ffd672ab35f4f5e6128c30669c3075b05dbeab8fa7938f038c804a6a403985d9d4e1da1b68ddcef01e03a31c4f2a7

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.139.0 (2025-06-11)
+------------------
+
+* Feature - Release for EKS Pod Identity Cross Account feature and disableSessionTags flag.
+
 1.138.0 (2025-06-02)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.138.0
+1.139.0

data/lib/aws-sdk-eks/client.rb

@@ -927,11 +927,11 @@ module Aws::EKS
     #   `DescribeAddonConfiguration`.
     #
     # @option params [Array<Types::AddonPodIdentityAssociations>] :pod_identity_associations
-    #   An array of Pod Identity Assocations to be created. Each EKS Pod
-    #   Identity association maps a Kubernetes service account to an IAM Role.
+    #   An array of EKS Pod Identity associations to be created. Each
+    #   association maps a Kubernetes service account to an IAM role.
     #
     #   For more information, see [Attach an IAM Role to an Amazon EKS add-on
-    #   using Pod Identity][1] in the *Amazon EKS User Guide*.
+    #   using EKS Pod Identity][1] in the *Amazon EKS User Guide*.
     #
     #
     #
@@ -1019,9 +1019,10 @@ module Aws::EKS
     # You can use the `endpointPublicAccess` and `endpointPrivateAccess`
     # parameters to enable or disable public and private access to your
     # cluster's Kubernetes API server endpoint. By default, public access
-    # is enabled, and private access is disabled. For more information, see
-    # [Amazon EKS Cluster Endpoint Access Control][1] in the <i> <i>Amazon
-    # EKS User Guide</i> </i>.
+    # is enabled, and private access is disabled. The endpoint domain name
+    # and IP address family depends on the value of the `ipFamily` for the
+    # cluster. For more information, see [Amazon EKS Cluster Endpoint Access
+    # Control][1] in the <i> <i>Amazon EKS User Guide</i> </i>.
     #
     # You can use the `logging` parameter to enable or disable exporting the
     # Kubernetes control plane logs for your cluster to CloudWatch Logs. By
@@ -1146,8 +1147,8 @@ module Aws::EKS
     #   If you set this value to `False` when creating a cluster, the default
     #   networking add-ons will not be installed.
     #
-    #   The default networking addons include vpc-cni, coredns, and
-    #   kube-proxy.
+    #   The default networking add-ons include `vpc-cni`, `coredns`, and
+    #   `kube-proxy`.
     #
     #   Use this option when you plan to install third-party alternative
     #   add-ons or self-manage the default networking add-ons.
@@ -1951,31 +1952,49 @@ module Aws::EKS
 
     # Creates an EKS Pod Identity association between a service account in
     # an Amazon EKS cluster and an IAM role with *EKS Pod Identity*. Use EKS
-    # Pod Identity to give temporary IAM credentials to pods and the
+    # Pod Identity to give temporary IAM credentials to Pods and the
     # credentials are rotated automatically.
     #
     # Amazon EKS Pod Identity associations provide the ability to manage
     # credentials for your applications, similar to the way that Amazon EC2
     # instance profiles provide credentials to Amazon EC2 instances.
     #
-    # If a pod uses a service account that has an association, Amazon EKS
-    # sets environment variables in the containers of the pod. The
+    # If a Pod uses a service account that has an association, Amazon EKS
+    # sets environment variables in the containers of the Pod. The
     # environment variables configure the Amazon Web Services SDKs,
     # including the Command Line Interface, to use the EKS Pod Identity
     # credentials.
     #
-    # Pod Identity is a simpler method than *IAM roles for service
+    # EKS Pod Identity is a simpler method than *IAM roles for service
     # accounts*, as this method doesn't use OIDC identity providers.
-    # Additionally, you can configure a role for Pod Identity once, and
+    # Additionally, you can configure a role for EKS Pod Identity once, and
     # reuse it across clusters.
     #
+    # Similar to Amazon Web Services IAM behavior, EKS Pod Identity
+    # associations are eventually consistent, and may take several seconds
+    # to be effective after the initial API call returns successfully. You
+    # must design your applications to account for these potential delays.
+    # We recommend that you don’t include association create/updates in the
+    # critical, high-availability code paths of your application. Instead,
+    # make changes in a separate initialization or setup routine that you
+    # run less frequently.
+    #
+    # You can set a *target IAM role* in the same or a different account for
+    # advanced scenarios. With a target role, EKS Pod Identity automatically
+    # performs two role assumptions in sequence: first assuming the role in
+    # the association that is in this account, then using those credentials
+    # to assume the target IAM role. This process provides your Pod with
+    # temporary credentials that have the permissions defined in the target
+    # role, allowing secure access to resources in another Amazon Web
+    # Services account.
+    #
     # @option params [required, String] :cluster_name
-    #   The name of the cluster to create the association in.
+    #   The name of the cluster to create the EKS Pod Identity association in.
     #
     # @option params [required, String] :namespace
     #   The name of the Kubernetes namespace inside the cluster to create the
-    #   association in. The service account and the pods that use the service
-    #   account must be in this namespace.
+    #   EKS Pod Identity association in. The service account and the Pods that
+    #   use the service account must be in this namespace.
     #
     # @option params [required, String] :service_account
     #   The name of the Kubernetes service account inside the cluster to
@@ -1984,7 +2003,7 @@ module Aws::EKS
     # @option params [required, String] :role_arn
     #   The Amazon Resource Name (ARN) of the IAM role to associate with the
     #   service account. The EKS Pod Identity agent manages credentials to
-    #   assume this role for applications in the containers in the pods that
+    #   assume this role for applications in the containers in the Pods that
     #   use this service account.
     #
     # @option params [String] :client_request_token
@@ -2024,6 +2043,51 @@ module Aws::EKS
     #     values with this prefix. Tags with this prefix do not count against
     #     your tags per resource limit.
     #
+    # @option params [Boolean] :disable_session_tags
+    #   Disable the automatic sessions tags that are appended by EKS Pod
+    #   Identity.
+    #
+    #   EKS Pod Identity adds a pre-defined set of session tags when it
+    #   assumes the role. You can use these tags to author a single role that
+    #   can work across resources by allowing access to Amazon Web Services
+    #   resources based on matching tags. By default, EKS Pod Identity
+    #   attaches six tags, including tags for cluster name, namespace, and
+    #   service account name. For the list of tags added by EKS Pod Identity,
+    #   see [List of session tags added by EKS Pod Identity][1] in the *Amazon
+    #   EKS User Guide*.
+    #
+    #   Amazon Web Services compresses inline session policies, managed policy
+    #   ARNs, and session tags into a packed binary format that has a separate
+    #   limit. If you receive a `PackedPolicyTooLarge` error indicating the
+    #   packed binary format has exceeded the size limit, you can attempt to
+    #   reduce the size by disabling the session tags added by EKS Pod
+    #   Identity.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/eks/latest/userguide/pod-id-abac.html#pod-id-abac-tags
+    #
+    # @option params [String] :target_role_arn
+    #   The Amazon Resource Name (ARN) of the target IAM role to associate
+    #   with the service account. This role is assumed by using the EKS Pod
+    #   Identity association role, then the credentials for this role are
+    #   injected into the Pod.
+    #
+    #   When you run applications on Amazon EKS, your application might need
+    #   to access Amazon Web Services resources from a different role that
+    #   exists in the same or different Amazon Web Services account. For
+    #   example, your application running in “Account A” might need to access
+    #   resources, such as Amazon S3 buckets in “Account B” or within “Account
+    #   A” itself. You can create a association to access Amazon Web Services
+    #   resources in “Account B” by creating two IAM roles: a role in “Account
+    #   A” and a role in “Account B” (which can be the same or different
+    #   account), each with the necessary trust and permission policies. After
+    #   you provide these roles in the *IAM role* and *Target IAM role*
+    #   fields, EKS will perform role chaining to ensure your application gets
+    #   the required permissions. This means Role A will assume Role B,
+    #   allowing your Pods to securely access resources like S3 buckets in the
+    #   target account.
+    #
     # @return [Types::CreatePodIdentityAssociationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreatePodIdentityAssociationResponse#association #association} => Types::PodIdentityAssociation
@@ -2039,6 +2103,8 @@ module Aws::EKS
     #     tags: {
     #       "TagKey" => "TagValue",
     #     },
+    #     disable_session_tags: false,
+    #     target_role_arn: "String",
     #   })
     #
     # @example Response structure
@@ -2054,6 +2120,9 @@ module Aws::EKS
     #   resp.association.created_at #=> Time
     #   resp.association.modified_at #=> Time
     #   resp.association.owner_arn #=> String
+    #   resp.association.disable_session_tags #=> Boolean
+    #   resp.association.target_role_arn #=> String
+    #   resp.association.external_id #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/CreatePodIdentityAssociation AWS API Documentation
     #
@@ -2504,6 +2573,9 @@ module Aws::EKS
     #   resp.association.created_at #=> Time
     #   resp.association.modified_at #=> Time
     #   resp.association.owner_arn #=> String
+    #   resp.association.disable_session_tags #=> Boolean
+    #   resp.association.target_role_arn #=> String
+    #   resp.association.external_id #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/DeletePodIdentityAssociation AWS API Documentation
     #
@@ -3420,6 +3492,9 @@ module Aws::EKS
     #   resp.association.created_at #=> Time
     #   resp.association.modified_at #=> Time
     #   resp.association.owner_arn #=> String
+    #   resp.association.disable_session_tags #=> Boolean
+    #   resp.association.target_role_arn #=> String
+    #   resp.association.external_id #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/DescribePodIdentityAssociation AWS API Documentation
     #
@@ -4782,13 +4857,13 @@ module Aws::EKS
     #   `DescribeAddonConfiguration`.
     #
     # @option params [Array<Types::AddonPodIdentityAssociations>] :pod_identity_associations
-    #   An array of Pod Identity Assocations to be updated. Each EKS Pod
-    #   Identity association maps a Kubernetes service account to an IAM Role.
-    #   If this value is left blank, no change. If an empty array is provided,
-    #   existing Pod Identity Assocations owned by the Addon are deleted.
+    #   An array of EKS Pod Identity associations to be updated. Each
+    #   association maps a Kubernetes service account to an IAM role. If this
+    #   value is left blank, no change. If an empty array is provided,
+    #   existing associations owned by the add-on are deleted.
     #
     #   For more information, see [Attach an IAM Role to an Amazon EKS add-on
-    #   using Pod Identity][1] in the *Amazon EKS User Guide*.
+    #   using EKS Pod Identity][1] in the *Amazon EKS User Guide*.
     #
     #
     #
@@ -4862,8 +4937,8 @@ module Aws::EKS
     # * You can also use this API operation to enable or disable public and
     #   private access to your cluster's Kubernetes API server endpoint. By
     #   default, public access is enabled, and private access is disabled.
-    #   For more information, see [Amazon EKS cluster endpoint access
-    #   control][3] in the <i> <i>Amazon EKS User Guide</i> </i>.
+    #   For more information, see [ Cluster API server endpoint][3] in the
+    #   <i> <i>Amazon EKS User Guide</i> </i>.
     #
     # * You can also use this API operation to choose different subnets and
     #   security groups for the cluster. You must specify at least two
@@ -5464,11 +5539,31 @@ module Aws::EKS
       req.send_request(options)
     end
 
-    # Updates a EKS Pod Identity association. Only the IAM role can be
-    # changed; an association can't be moved between clusters, namespaces,
-    # or service accounts. If you need to edit the namespace or service
-    # account, you need to delete the association and then create a new
-    # association with your desired settings.
+    # Updates a EKS Pod Identity association. In an update, you can change
+    # the IAM role, the target IAM role, or `disableSessionTags`. You must
+    # change at least one of these in an update. An association can't be
+    # moved between clusters, namespaces, or service accounts. If you need
+    # to edit the namespace or service account, you need to delete the
+    # association and then create a new association with your desired
+    # settings.
+    #
+    # Similar to Amazon Web Services IAM behavior, EKS Pod Identity
+    # associations are eventually consistent, and may take several seconds
+    # to be effective after the initial API call returns successfully. You
+    # must design your applications to account for these potential delays.
+    # We recommend that you don’t include association create/updates in the
+    # critical, high-availability code paths of your application. Instead,
+    # make changes in a separate initialization or setup routine that you
+    # run less frequently.
+    #
+    # You can set a *target IAM role* in the same or a different account for
+    # advanced scenarios. With a target role, EKS Pod Identity automatically
+    # performs two role assumptions in sequence: first assuming the role in
+    # the association that is in this account, then using those credentials
+    # to assume the target IAM role. This process provides your Pod with
+    # temporary credentials that have the permissions defined in the target
+    # role, allowing secure access to resources in another Amazon Web
+    # Services account.
     #
     # @option params [required, String] :cluster_name
     #   The name of the cluster that you want to update the association in.
@@ -5477,7 +5572,7 @@ module Aws::EKS
     #   The ID of the association to be updated.
     #
     # @option params [String] :role_arn
-    #   The new IAM role to change the
+    #   The new IAM role to change in the association.
     #
     # @option params [String] :client_request_token
     #   A unique, case-sensitive identifier that you provide to ensure the
@@ -5486,6 +5581,51 @@ module Aws::EKS
     #   **A suitable default value is auto-generated.** You should normally
     #   not need to pass this option.**
     #
+    # @option params [Boolean] :disable_session_tags
+    #   Disable the automatic sessions tags that are appended by EKS Pod
+    #   Identity.
+    #
+    #   EKS Pod Identity adds a pre-defined set of session tags when it
+    #   assumes the role. You can use these tags to author a single role that
+    #   can work across resources by allowing access to Amazon Web Services
+    #   resources based on matching tags. By default, EKS Pod Identity
+    #   attaches six tags, including tags for cluster name, namespace, and
+    #   service account name. For the list of tags added by EKS Pod Identity,
+    #   see [List of session tags added by EKS Pod Identity][1] in the *Amazon
+    #   EKS User Guide*.
+    #
+    #   Amazon Web Services compresses inline session policies, managed policy
+    #   ARNs, and session tags into a packed binary format that has a separate
+    #   limit. If you receive a `PackedPolicyTooLarge` error indicating the
+    #   packed binary format has exceeded the size limit, you can attempt to
+    #   reduce the size by disabling the session tags added by EKS Pod
+    #   Identity.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/eks/latest/userguide/pod-id-abac.html#pod-id-abac-tags
+    #
+    # @option params [String] :target_role_arn
+    #   The Amazon Resource Name (ARN) of the target IAM role to associate
+    #   with the service account. This role is assumed by using the EKS Pod
+    #   Identity association role, then the credentials for this role are
+    #   injected into the Pod.
+    #
+    #   When you run applications on Amazon EKS, your application might need
+    #   to access Amazon Web Services resources from a different role that
+    #   exists in the same or different Amazon Web Services account. For
+    #   example, your application running in “Account A” might need to access
+    #   resources, such as buckets in “Account B” or within “Account A”
+    #   itself. You can create a association to access Amazon Web Services
+    #   resources in “Account B” by creating two IAM roles: a role in “Account
+    #   A” and a role in “Account B” (which can be the same or different
+    #   account), each with the necessary trust and permission policies. After
+    #   you provide these roles in the *IAM role* and *Target IAM role*
+    #   fields, EKS will perform role chaining to ensure your application gets
+    #   the required permissions. This means Role A will assume Role B,
+    #   allowing your Pods to securely access resources like S3 buckets in the
+    #   target account.
+    #
     # @return [Types::UpdatePodIdentityAssociationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::UpdatePodIdentityAssociationResponse#association #association} => Types::PodIdentityAssociation
@@ -5497,6 +5637,8 @@ module Aws::EKS
     #     association_id: "String", # required
     #     role_arn: "String",
     #     client_request_token: "String",
+    #     disable_session_tags: false,
+    #     target_role_arn: "String",
     #   })
     #
     # @example Response structure
@@ -5512,6 +5654,9 @@ module Aws::EKS
     #   resp.association.created_at #=> Time
     #   resp.association.modified_at #=> Time
     #   resp.association.owner_arn #=> String
+    #   resp.association.disable_session_tags #=> Boolean
+    #   resp.association.target_role_arn #=> String
+    #   resp.association.external_id #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/UpdatePodIdentityAssociation AWS API Documentation
     #
@@ -5540,7 +5685,7 @@ module Aws::EKS
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-eks'
-      context[:gem_version] = '1.138.0'
+      context[:gem_version] = '1.139.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-eks/client_api.rb

@@ -697,6 +697,8 @@ module Aws::EKS
     CreatePodIdentityAssociationRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: String, required: true, location_name: "roleArn"))
     CreatePodIdentityAssociationRequest.add_member(:client_request_token, Shapes::ShapeRef.new(shape: String, location_name: "clientRequestToken", metadata: {"idempotencyToken" => true}))
     CreatePodIdentityAssociationRequest.add_member(:tags, Shapes::ShapeRef.new(shape: TagMap, location_name: "tags"))
+    CreatePodIdentityAssociationRequest.add_member(:disable_session_tags, Shapes::ShapeRef.new(shape: BoxedBoolean, location_name: "disableSessionTags"))
+    CreatePodIdentityAssociationRequest.add_member(:target_role_arn, Shapes::ShapeRef.new(shape: String, location_name: "targetRoleArn"))
     CreatePodIdentityAssociationRequest.struct_class = Types::CreatePodIdentityAssociationRequest
 
     CreatePodIdentityAssociationResponse.add_member(:association, Shapes::ShapeRef.new(shape: PodIdentityAssociation, location_name: "association"))
@@ -1299,6 +1301,9 @@ module Aws::EKS
     PodIdentityAssociation.add_member(:created_at, Shapes::ShapeRef.new(shape: Timestamp, location_name: "createdAt"))
     PodIdentityAssociation.add_member(:modified_at, Shapes::ShapeRef.new(shape: Timestamp, location_name: "modifiedAt"))
     PodIdentityAssociation.add_member(:owner_arn, Shapes::ShapeRef.new(shape: String, location_name: "ownerArn"))
+    PodIdentityAssociation.add_member(:disable_session_tags, Shapes::ShapeRef.new(shape: BoxedBoolean, location_name: "disableSessionTags"))
+    PodIdentityAssociation.add_member(:target_role_arn, Shapes::ShapeRef.new(shape: String, location_name: "targetRoleArn"))
+    PodIdentityAssociation.add_member(:external_id, Shapes::ShapeRef.new(shape: String, location_name: "externalId"))
     PodIdentityAssociation.struct_class = Types::PodIdentityAssociation
 
     PodIdentityAssociationSummaries.member = Shapes::ShapeRef.new(shape: PodIdentityAssociationSummary)
@@ -1524,6 +1529,8 @@ module Aws::EKS
     UpdatePodIdentityAssociationRequest.add_member(:association_id, Shapes::ShapeRef.new(shape: String, required: true, location: "uri", location_name: "associationId"))
     UpdatePodIdentityAssociationRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: String, location_name: "roleArn"))
     UpdatePodIdentityAssociationRequest.add_member(:client_request_token, Shapes::ShapeRef.new(shape: String, location_name: "clientRequestToken", metadata: {"idempotencyToken" => true}))
+    UpdatePodIdentityAssociationRequest.add_member(:disable_session_tags, Shapes::ShapeRef.new(shape: BoxedBoolean, location_name: "disableSessionTags"))
+    UpdatePodIdentityAssociationRequest.add_member(:target_role_arn, Shapes::ShapeRef.new(shape: String, location_name: "targetRoleArn"))
     UpdatePodIdentityAssociationRequest.struct_class = Types::UpdatePodIdentityAssociationRequest
 
     UpdatePodIdentityAssociationResponse.add_member(:association, Shapes::ShapeRef.new(shape: PodIdentityAssociation, location_name: "association"))

data/lib/aws-sdk-eks/types.rb

@@ -252,12 +252,12 @@ module Aws::EKS
     #   @return [String]
     #
     # @!attribute [rw] pod_identity_associations
-    #   An array of Pod Identity Assocations owned by the Addon. Each EKS
-    #   Pod Identity association maps a role to a service account in a
-    #   namespace in the cluster.
+    #   An array of EKS Pod Identity associations owned by the add-on. Each
+    #   association maps a role to a service account in a namespace in the
+    #   cluster.
     #
     #   For more information, see [Attach an IAM Role to an Amazon EKS
-    #   add-on using Pod Identity][1] in the *Amazon EKS User Guide*.
+    #   add-on using EKS Pod Identity][1] in the *Amazon EKS User Guide*.
     #
     #
     #
@@ -388,13 +388,13 @@ module Aws::EKS
       include Aws::Structure
     end
 
-    # A type of Pod Identity Association owned by an Amazon EKS Add-on.
+    # A type of EKS Pod Identity association owned by an Amazon EKS add-on.
     #
-    # Each EKS Pod Identity Association maps a role to a service account in
-    # a namespace in the cluster.
+    # Each association maps a role to a service account in a namespace in
+    # the cluster.
     #
     # For more information, see [Attach an IAM Role to an Amazon EKS add-on
-    # using Pod Identity][1] in the *Amazon EKS User Guide*.
+    # using EKS Pod Identity][1] in the *Amazon EKS User Guide*.
     #
     #
     #
@@ -417,14 +417,14 @@ module Aws::EKS
       include Aws::Structure
     end
 
-    # Information about how to configure IAM for an Addon.
+    # Information about how to configure IAM for an add-on.
     #
     # @!attribute [rw] service_account
-    #   The Kubernetes Service Account name used by the addon.
+    #   The Kubernetes Service Account name used by the add-on.
     #   @return [String]
     #
     # @!attribute [rw] recommended_managed_policies
-    #   A suggested IAM Policy for the addon.
+    #   A suggested IAM Policy for the add-on.
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/AddonPodIdentityConfiguration AWS API Documentation
@@ -447,7 +447,7 @@ module Aws::EKS
     #   @return [Array<String>]
     #
     # @!attribute [rw] compute_types
-    #   Indicates the compute type of the addon version.
+    #   Indicates the compute type of the add-on version.
     #   @return [Array<String>]
     #
     # @!attribute [rw] compatibilities
@@ -459,7 +459,7 @@ module Aws::EKS
     #   @return [Boolean]
     #
     # @!attribute [rw] requires_iam_permissions
-    #   Indicates if the Addon requires IAM Permissions to operate, such as
+    #   Indicates if the add-on requires IAM Permissions to operate, such as
     #   networking permissions.
     #   @return [Boolean]
     #
@@ -1525,12 +1525,11 @@ module Aws::EKS
     #   @return [String]
     #
     # @!attribute [rw] pod_identity_associations
-    #   An array of Pod Identity Assocations to be created. Each EKS Pod
-    #   Identity association maps a Kubernetes service account to an IAM
-    #   Role.
+    #   An array of EKS Pod Identity associations to be created. Each
+    #   association maps a Kubernetes service account to an IAM role.
     #
     #   For more information, see [Attach an IAM Role to an Amazon EKS
-    #   add-on using Pod Identity][1] in the *Amazon EKS User Guide*.
+    #   add-on using EKS Pod Identity][1] in the *Amazon EKS User Guide*.
     #
     #
     #
@@ -1680,8 +1679,8 @@ module Aws::EKS
     #   If you set this value to `False` when creating a cluster, the
     #   default networking add-ons will not be installed.
     #
-    #   The default networking addons include vpc-cni, coredns, and
-    #   kube-proxy.
+    #   The default networking add-ons include `vpc-cni`, `coredns`, and
+    #   `kube-proxy`.
     #
     #   Use this option when you plan to install third-party alternative
     #   add-ons or self-manage the default networking add-ons.
@@ -2169,13 +2168,14 @@ module Aws::EKS
     end
 
     # @!attribute [rw] cluster_name
-    #   The name of the cluster to create the association in.
+    #   The name of the cluster to create the EKS Pod Identity association
+    #   in.
     #   @return [String]
     #
     # @!attribute [rw] namespace
     #   The name of the Kubernetes namespace inside the cluster to create
-    #   the association in. The service account and the pods that use the
-    #   service account must be in this namespace.
+    #   the EKS Pod Identity association in. The service account and the
+    #   Pods that use the service account must be in this namespace.
     #   @return [String]
     #
     # @!attribute [rw] service_account
@@ -2186,7 +2186,7 @@ module Aws::EKS
     # @!attribute [rw] role_arn
     #   The Amazon Resource Name (ARN) of the IAM role to associate with the
     #   service account. The EKS Pod Identity agent manages credentials to
-    #   assume this role for applications in the containers in the pods that
+    #   assume this role for applications in the containers in the Pods that
     #   use this service account.
     #   @return [String]
     #
@@ -2230,6 +2230,53 @@ module Aws::EKS
     #     against your tags per resource limit.
     #   @return [Hash<String,String>]
     #
+    # @!attribute [rw] disable_session_tags
+    #   Disable the automatic sessions tags that are appended by EKS Pod
+    #   Identity.
+    #
+    #   EKS Pod Identity adds a pre-defined set of session tags when it
+    #   assumes the role. You can use these tags to author a single role
+    #   that can work across resources by allowing access to Amazon Web
+    #   Services resources based on matching tags. By default, EKS Pod
+    #   Identity attaches six tags, including tags for cluster name,
+    #   namespace, and service account name. For the list of tags added by
+    #   EKS Pod Identity, see [List of session tags added by EKS Pod
+    #   Identity][1] in the *Amazon EKS User Guide*.
+    #
+    #   Amazon Web Services compresses inline session policies, managed
+    #   policy ARNs, and session tags into a packed binary format that has a
+    #   separate limit. If you receive a `PackedPolicyTooLarge` error
+    #   indicating the packed binary format has exceeded the size limit, you
+    #   can attempt to reduce the size by disabling the session tags added
+    #   by EKS Pod Identity.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/eks/latest/userguide/pod-id-abac.html#pod-id-abac-tags
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] target_role_arn
+    #   The Amazon Resource Name (ARN) of the target IAM role to associate
+    #   with the service account. This role is assumed by using the EKS Pod
+    #   Identity association role, then the credentials for this role are
+    #   injected into the Pod.
+    #
+    #   When you run applications on Amazon EKS, your application might need
+    #   to access Amazon Web Services resources from a different role that
+    #   exists in the same or different Amazon Web Services account. For
+    #   example, your application running in “Account A” might need to
+    #   access resources, such as Amazon S3 buckets in “Account B” or within
+    #   “Account A” itself. You can create a association to access Amazon
+    #   Web Services resources in “Account B” by creating two IAM roles: a
+    #   role in “Account A” and a role in “Account B” (which can be the same
+    #   or different account), each with the necessary trust and permission
+    #   policies. After you provide these roles in the *IAM role* and
+    #   *Target IAM role* fields, EKS will perform role chaining to ensure
+    #   your application gets the required permissions. This means Role A
+    #   will assume Role B, allowing your Pods to securely access resources
+    #   like S3 buckets in the target account.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/CreatePodIdentityAssociationRequest AWS API Documentation
     #
     class CreatePodIdentityAssociationRequest < Struct.new(
@@ -2238,7 +2285,9 @@ module Aws::EKS
       :service_account,
       :role_arn,
       :client_request_token,
-      :tags)
+      :tags,
+      :disable_session_tags,
+      :target_role_arn)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2593,9 +2642,9 @@ module Aws::EKS
     #   @return [String]
     #
     # @!attribute [rw] pod_identity_configuration
-    #   The Kubernetes service account name used by the addon, and any
+    #   The Kubernetes service account name used by the add-on, and any
     #   suggested IAM policies. Use this information to create an IAM Role
-    #   for the Addon.
+    #   for the add-on.
     #   @return [Array<Types::AddonPodIdentityConfiguration>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/DescribeAddonConfigurationResponse AWS API Documentation
@@ -5672,7 +5721,7 @@ module Aws::EKS
     #
     # @!attribute [rw] namespace
     #   The name of the Kubernetes namespace inside the cluster to create
-    #   the association in. The service account and the pods that use the
+    #   the association in. The service account and the Pods that use the
     #   service account must be in this namespace.
     #   @return [String]
     #
@@ -5684,7 +5733,7 @@ module Aws::EKS
     # @!attribute [rw] role_arn
     #   The Amazon Resource Name (ARN) of the IAM role to associate with the
     #   service account. The EKS Pod Identity agent manages credentials to
-    #   assume this role for applications in the containers in the pods that
+    #   assume this role for applications in the containers in the Pods that
     #   use this service account.
     #   @return [String]
     #
@@ -5733,12 +5782,55 @@ module Aws::EKS
     #   @return [Time]
     #
     # @!attribute [rw] modified_at
-    #   The most recent timestamp that the association was modified at
+    #   The most recent timestamp that the association was modified at.
     #   @return [Time]
     #
     # @!attribute [rw] owner_arn
-    #   If defined, the Pod Identity Association is owned by an Amazon EKS
-    #   Addon.
+    #   If defined, the EKS Pod Identity association is owned by an Amazon
+    #   EKS add-on.
+    #   @return [String]
+    #
+    # @!attribute [rw] disable_session_tags
+    #   The state of the automatic sessions tags. The value of *true*
+    #   disables these tags.
+    #
+    #   EKS Pod Identity adds a pre-defined set of session tags when it
+    #   assumes the role. You can use these tags to author a single role
+    #   that can work across resources by allowing access to Amazon Web
+    #   Services resources based on matching tags. By default, EKS Pod
+    #   Identity attaches six tags, including tags for cluster name,
+    #   namespace, and service account name. For the list of tags added by
+    #   EKS Pod Identity, see [List of session tags added by EKS Pod
+    #   Identity][1] in the *Amazon EKS User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/eks/latest/userguide/pod-id-abac.html#pod-id-abac-tags
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] target_role_arn
+    #   The Amazon Resource Name (ARN) of the target IAM role to associate
+    #   with the service account. This role is assumed by using the EKS Pod
+    #   Identity association role, then the credentials for this role are
+    #   injected into the Pod.
+    #   @return [String]
+    #
+    # @!attribute [rw] external_id
+    #   The unique identifier for this EKS Pod Identity association for a
+    #   target IAM role. You put this value in the trust policy of the
+    #   target role, in a `Condition` to match the `sts.ExternalId`. This
+    #   ensures that the target role can only be assumed by this
+    #   association. This prevents the *confused deputy problem*. For more
+    #   information about the confused deputy problem, see [The confused
+    #   deputy problem][1] in the *IAM User Guide*.
+    #
+    #   If you want to use the same target role with multiple associations
+    #   or other roles, use independent statements in the trust policy to
+    #   allow `sts:AssumeRole` access from each role.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/PodIdentityAssociation AWS API Documentation
@@ -5753,7 +5845,10 @@ module Aws::EKS
       :tags,
       :created_at,
       :modified_at,
-      :owner_arn)
+      :owner_arn,
+      :disable_session_tags,
+      :target_role_arn,
+      :external_id)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -5782,7 +5877,7 @@ module Aws::EKS
     #
     # @!attribute [rw] namespace
     #   The name of the Kubernetes namespace inside the cluster to create
-    #   the association in. The service account and the pods that use the
+    #   the association in. The service account and the Pods that use the
     #   service account must be in this namespace.
     #   @return [String]
     #
@@ -5800,8 +5895,7 @@ module Aws::EKS
     #   @return [String]
     #
     # @!attribute [rw] owner_arn
-    #   If defined, the Pod Identity Association is owned by an Amazon EKS
-    #   Addon.
+    #   If defined, the association is owned by an Amazon EKS add-on.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/PodIdentityAssociationSummary AWS API Documentation
@@ -5946,7 +6040,7 @@ module Aws::EKS
     #   It must satisfy the following requirements:
     #
     #   * Each block must be within an `IPv4` RFC-1918 network range.
-    #     Minimum allowed size is /24, maximum allowed size is /8.
+    #     Minimum allowed size is /32, maximum allowed size is /8.
     #     Publicly-routable addresses aren't supported.
     #
     #   * Each block cannot overlap with the range of the VPC CIDR blocks
@@ -5984,7 +6078,7 @@ module Aws::EKS
     #   It must satisfy the following requirements:
     #
     #   * Each block must be within an `IPv4` RFC-1918 network range.
-    #     Minimum allowed size is /24, maximum allowed size is /8.
+    #     Minimum allowed size is /32, maximum allowed size is /8.
     #     Publicly-routable addresses aren't supported.
     #
     #   * Each block cannot overlap with the range of the VPC CIDR blocks
@@ -6034,7 +6128,7 @@ module Aws::EKS
     # It must satisfy the following requirements:
     #
     # * Each block must be within an `IPv4` RFC-1918 network range. Minimum
-    #   allowed size is /24, maximum allowed size is /8. Publicly-routable
+    #   allowed size is /32, maximum allowed size is /8. Publicly-routable
     #   addresses aren't supported.
     #
     # * Each block cannot overlap with the range of the VPC CIDR blocks for
@@ -6067,7 +6161,7 @@ module Aws::EKS
     #   It must satisfy the following requirements:
     #
     #   * Each block must be within an `IPv4` RFC-1918 network range.
-    #     Minimum allowed size is /24, maximum allowed size is /8.
+    #     Minimum allowed size is /32, maximum allowed size is /8.
     #     Publicly-routable addresses aren't supported.
     #
     #   * Each block cannot overlap with the range of the VPC CIDR blocks
@@ -6112,7 +6206,7 @@ module Aws::EKS
     # It must satisfy the following requirements:
     #
     # * Each block must be within an `IPv4` RFC-1918 network range. Minimum
-    #   allowed size is /24, maximum allowed size is /8. Publicly-routable
+    #   allowed size is /32, maximum allowed size is /8. Publicly-routable
     #   addresses aren't supported.
     #
     # * Each block cannot overlap with the range of the VPC CIDR blocks for
@@ -6133,7 +6227,7 @@ module Aws::EKS
     #   It must satisfy the following requirements:
     #
     #   * Each block must be within an `IPv4` RFC-1918 network range.
-    #     Minimum allowed size is /24, maximum allowed size is /8.
+    #     Minimum allowed size is /32, maximum allowed size is /8.
     #     Publicly-routable addresses aren't supported.
     #
     #   * Each block cannot overlap with the range of the VPC CIDR blocks
@@ -6686,14 +6780,13 @@ module Aws::EKS
     #   @return [String]
     #
     # @!attribute [rw] pod_identity_associations
-    #   An array of Pod Identity Assocations to be updated. Each EKS Pod
-    #   Identity association maps a Kubernetes service account to an IAM
-    #   Role. If this value is left blank, no change. If an empty array is
-    #   provided, existing Pod Identity Assocations owned by the Addon are
-    #   deleted.
+    #   An array of EKS Pod Identity associations to be updated. Each
+    #   association maps a Kubernetes service account to an IAM role. If
+    #   this value is left blank, no change. If an empty array is provided,
+    #   existing associations owned by the add-on are deleted.
     #
     #   For more information, see [Attach an IAM Role to an Amazon EKS
-    #   add-on using Pod Identity][1] in the *Amazon EKS User Guide*.
+    #   add-on using EKS Pod Identity][1] in the *Amazon EKS User Guide*.
     #
     #
     #
@@ -7149,7 +7242,7 @@ module Aws::EKS
     #   @return [String]
     #
     # @!attribute [rw] role_arn
-    #   The new IAM role to change the
+    #   The new IAM role to change in the association.
     #   @return [String]
     #
     # @!attribute [rw] client_request_token
@@ -7160,20 +7253,68 @@ module Aws::EKS
     #   not need to pass this option.
     #   @return [String]
     #
+    # @!attribute [rw] disable_session_tags
+    #   Disable the automatic sessions tags that are appended by EKS Pod
+    #   Identity.
+    #
+    #   EKS Pod Identity adds a pre-defined set of session tags when it
+    #   assumes the role. You can use these tags to author a single role
+    #   that can work across resources by allowing access to Amazon Web
+    #   Services resources based on matching tags. By default, EKS Pod
+    #   Identity attaches six tags, including tags for cluster name,
+    #   namespace, and service account name. For the list of tags added by
+    #   EKS Pod Identity, see [List of session tags added by EKS Pod
+    #   Identity][1] in the *Amazon EKS User Guide*.
+    #
+    #   Amazon Web Services compresses inline session policies, managed
+    #   policy ARNs, and session tags into a packed binary format that has a
+    #   separate limit. If you receive a `PackedPolicyTooLarge` error
+    #   indicating the packed binary format has exceeded the size limit, you
+    #   can attempt to reduce the size by disabling the session tags added
+    #   by EKS Pod Identity.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/eks/latest/userguide/pod-id-abac.html#pod-id-abac-tags
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] target_role_arn
+    #   The Amazon Resource Name (ARN) of the target IAM role to associate
+    #   with the service account. This role is assumed by using the EKS Pod
+    #   Identity association role, then the credentials for this role are
+    #   injected into the Pod.
+    #
+    #   When you run applications on Amazon EKS, your application might need
+    #   to access Amazon Web Services resources from a different role that
+    #   exists in the same or different Amazon Web Services account. For
+    #   example, your application running in “Account A” might need to
+    #   access resources, such as buckets in “Account B” or within “Account
+    #   A” itself. You can create a association to access Amazon Web
+    #   Services resources in “Account B” by creating two IAM roles: a role
+    #   in “Account A” and a role in “Account B” (which can be the same or
+    #   different account), each with the necessary trust and permission
+    #   policies. After you provide these roles in the *IAM role* and
+    #   *Target IAM role* fields, EKS will perform role chaining to ensure
+    #   your application gets the required permissions. This means Role A
+    #   will assume Role B, allowing your Pods to securely access resources
+    #   like S3 buckets in the target account.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/UpdatePodIdentityAssociationRequest AWS API Documentation
     #
     class UpdatePodIdentityAssociationRequest < Struct.new(
       :cluster_name,
       :association_id,
       :role_arn,
-      :client_request_token)
+      :client_request_token,
+      :disable_session_tags,
+      :target_role_arn)
       SENSITIVE = []
       include Aws::Structure
     end
 
     # @!attribute [rw] association
-    #   The full description of the EKS Pod Identity association that was
-    #   updated.
+    #   The full description of the association that was updated.
     #   @return [Types::PodIdentityAssociation]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/UpdatePodIdentityAssociationResponse AWS API Documentation
@@ -7303,8 +7444,10 @@ module Aws::EKS
     #   access, your cluster's Kubernetes API server can only receive
     #   requests from within the cluster VPC. The default value for this
     #   parameter is `true`, which enables public access for your Kubernetes
-    #   API server. For more information, see [Amazon EKS cluster endpoint
-    #   access control][1] in the <i> <i>Amazon EKS User Guide</i> </i>.
+    #   API server. The endpoint domain name and IP address family depends
+    #   on the value of the `ipFamily` for the cluster. For more
+    #   information, see [Cluster API server endpoint][1] in the <i>
+    #   <i>Amazon EKS User Guide</i> </i>.
     #
     #
     #
@@ -7320,8 +7463,8 @@ module Aws::EKS
     #   server. If you disable private access and you have nodes or Fargate
     #   pods in the cluster, then ensure that `publicAccessCidrs` includes
     #   the necessary CIDR blocks for communication with the nodes or
-    #   Fargate pods. For more information, see [Amazon EKS cluster endpoint
-    #   access control][1] in the <i> <i>Amazon EKS User Guide</i> </i>.
+    #   Fargate pods. For more information, see [Cluster API server
+    #   endpoint][1] in the <i> <i>Amazon EKS User Guide</i> </i>.
     #
     #
     #
@@ -7332,11 +7475,16 @@ module Aws::EKS
     #   The CIDR blocks that are allowed access to your cluster's public
     #   Kubernetes API server endpoint. Communication to the endpoint from
     #   addresses outside of the CIDR blocks that you specify is denied. The
-    #   default value is `0.0.0.0/0`. If you've disabled private endpoint
-    #   access, make sure that you specify the necessary CIDR blocks for
-    #   every node and Fargate `Pod` in the cluster. For more information,
-    #   see [Amazon EKS cluster endpoint access control][1] in the <i>
-    #   <i>Amazon EKS User Guide</i> </i>.
+    #   default value is `0.0.0.0/0` and additionally `::/0` for dual-stack
+    #   `IPv6` clusters. If you've disabled private endpoint access, make
+    #   sure that you specify the necessary CIDR blocks for every node and
+    #   Fargate `Pod` in the cluster. For more information, see [Cluster API
+    #   server endpoint][1] in the <i> <i>Amazon EKS User Guide</i> </i>.
+    #
+    #   Note that the public endpoints are dual-stack for only `IPv6`
+    #   clusters that are made after October 2024. You can't add `IPv6`
+    #   CIDR blocks to `IPv4` clusters or `IPv6` clusters that were made
+    #   before October 2024.
     #
     #
     #
@@ -7390,9 +7538,8 @@ module Aws::EKS
     #   the internet. If this value is disabled and you have nodes or
     #   Fargate pods in the cluster, then ensure that `publicAccessCidrs`
     #   includes the necessary CIDR blocks for communication with the nodes
-    #   or Fargate pods. For more information, see [Amazon EKS cluster
-    #   endpoint access control][1] in the <i> <i>Amazon EKS User Guide</i>
-    #   </i>.
+    #   or Fargate pods. For more information, see [Cluster API server
+    #   endpoint][1] in the <i> <i>Amazon EKS User Guide</i> </i>.
     #
     #
     #
@@ -7401,7 +7548,22 @@ module Aws::EKS
     #
     # @!attribute [rw] public_access_cidrs
     #   The CIDR blocks that are allowed access to your cluster's public
-    #   Kubernetes API server endpoint.
+    #   Kubernetes API server endpoint. Communication to the endpoint from
+    #   addresses outside of the CIDR blocks that you specify is denied. The
+    #   default value is `0.0.0.0/0` and additionally `::/0` for dual-stack
+    #   `IPv6` clusters. If you've disabled private endpoint access, make
+    #   sure that you specify the necessary CIDR blocks for every node and
+    #   Fargate `Pod` in the cluster. For more information, see [Cluster API
+    #   server endpoint][1] in the <i> <i>Amazon EKS User Guide</i> </i>.
+    #
+    #   Note that the public endpoints are dual-stack for only `IPv6`
+    #   clusters that are made after October 2024. You can't add `IPv6`
+    #   CIDR blocks to `IPv4` clusters or `IPv6` clusters that were made
+    #   before October 2024.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/eks-2017-11-01/VpcConfigResponse AWS API Documentation

data/lib/aws-sdk-eks.rb

@@ -55,7 +55,7 @@ module Aws::EKS
   autoload :EndpointProvider, 'aws-sdk-eks/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-eks/endpoints'
 
-  GEM_VERSION = '1.138.0'
+  GEM_VERSION = '1.139.0'
 
 end
 

data/sig/client.rbs

@@ -362,7 +362,9 @@ module Aws
                                              service_account: ::String,
                                              role_arn: ::String,
                                              ?client_request_token: ::String,
-                                             ?tags: Hash[::String, ::String]
+                                             ?tags: Hash[::String, ::String],
+                                             ?disable_session_tags: bool,
+                                             ?target_role_arn: ::String
                                            ) -> _CreatePodIdentityAssociationResponseSuccess
                                          | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _CreatePodIdentityAssociationResponseSuccess
 
@@ -1052,7 +1054,9 @@ module Aws
                                              cluster_name: ::String,
                                              association_id: ::String,
                                              ?role_arn: ::String,
-                                             ?client_request_token: ::String
+                                             ?client_request_token: ::String,
+                                             ?disable_session_tags: bool,
+                                             ?target_role_arn: ::String
                                            ) -> _UpdatePodIdentityAssociationResponseSuccess
                                          | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _UpdatePodIdentityAssociationResponseSuccess
 

data/sig/types.rbs

@@ -433,6 +433,8 @@ module Aws::EKS
       attr_accessor role_arn: ::String
       attr_accessor client_request_token: ::String
       attr_accessor tags: ::Hash[::String, ::String]
+      attr_accessor disable_session_tags: bool
+      attr_accessor target_role_arn: ::String
       SENSITIVE: []
     end
 
@@ -1230,6 +1232,9 @@ module Aws::EKS
       attr_accessor created_at: ::Time
       attr_accessor modified_at: ::Time
       attr_accessor owner_arn: ::String
+      attr_accessor disable_session_tags: bool
+      attr_accessor target_role_arn: ::String
+      attr_accessor external_id: ::String
       SENSITIVE: []
     end
 
@@ -1524,6 +1529,8 @@ module Aws::EKS
       attr_accessor association_id: ::String
       attr_accessor role_arn: ::String
       attr_accessor client_request_token: ::String
+      attr_accessor disable_session_tags: bool
+      attr_accessor target_role_arn: ::String
       SENSITIVE: []
     end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-eks
 version: !ruby/object:Gem::Version
-  version: 1.138.0
+  version: 1.139.0
 platform: ruby
 authors:
 - Amazon Web Services