@aws-sdk/client-eks 3.825.0 → 3.828.0

package/dist-cjs/index.js

@@ -1323,10 +1323,12 @@ var se_CreatePodIdentityAssociationCommand = /* @__PURE__ */ __name(async (input
   body = JSON.stringify(
     (0, import_smithy_client.take)(input, {
       clientRequestToken: [true, (_) => _ ?? (0, import_uuid.v4)()],
+      disableSessionTags: [],
       namespace: [],
       roleArn: [],
       serviceAccount: [],
-      tags: /* @__PURE__ */ __name((_) => (0, import_smithy_client._json)(_), "tags")
+      tags: /* @__PURE__ */ __name((_) => (0, import_smithy_client._json)(_), "tags"),
+      targetRoleArn: []
     })
   );
   b.m("POST").h(headers).b(body);
@@ -1972,7 +1974,9 @@ var se_UpdatePodIdentityAssociationCommand = /* @__PURE__ */ __name(async (input
   body = JSON.stringify(
     (0, import_smithy_client.take)(input, {
       clientRequestToken: [true, (_) => _ ?? (0, import_uuid.v4)()],
-      roleArn: []
+      disableSessionTags: [],
+      roleArn: [],
+      targetRoleArn: []
     })
   );
   b.m("POST").h(headers).b(body);
@@ -3316,12 +3320,15 @@ var de_PodIdentityAssociation = /* @__PURE__ */ __name((output, context) => {
     associationId: import_smithy_client.expectString,
     clusterName: import_smithy_client.expectString,
     createdAt: /* @__PURE__ */ __name((_) => (0, import_smithy_client.expectNonNull)((0, import_smithy_client.parseEpochTimestamp)((0, import_smithy_client.expectNumber)(_))), "createdAt"),
+    disableSessionTags: import_smithy_client.expectBoolean,
+    externalId: import_smithy_client.expectString,
     modifiedAt: /* @__PURE__ */ __name((_) => (0, import_smithy_client.expectNonNull)((0, import_smithy_client.parseEpochTimestamp)((0, import_smithy_client.expectNumber)(_))), "modifiedAt"),
     namespace: import_smithy_client.expectString,
     ownerArn: import_smithy_client.expectString,
     roleArn: import_smithy_client.expectString,
     serviceAccount: import_smithy_client.expectString,
-    tags: import_smithy_client._json
+    tags: import_smithy_client._json,
+    targetRoleArn: import_smithy_client.expectString
   });
 }, "de_PodIdentityAssociation");
 var de_Update = /* @__PURE__ */ __name((output, context) => {

package/dist-es/protocols/Aws_restJson1.js

@@ -199,10 +199,12 @@ export const se_CreatePodIdentityAssociationCommand = async (input, context) =>
     let body;
     body = JSON.stringify(take(input, {
         clientRequestToken: [true, (_) => _ ?? generateIdempotencyToken()],
+        disableSessionTags: [],
         namespace: [],
         roleArn: [],
         serviceAccount: [],
         tags: (_) => _json(_),
+        targetRoleArn: [],
     }));
     b.m("POST").h(headers).b(body);
     return b.build();
@@ -822,7 +824,9 @@ export const se_UpdatePodIdentityAssociationCommand = async (input, context) =>
     let body;
     body = JSON.stringify(take(input, {
         clientRequestToken: [true, (_) => _ ?? generateIdempotencyToken()],
+        disableSessionTags: [],
         roleArn: [],
+        targetRoleArn: [],
     }));
     b.m("POST").h(headers).b(body);
     return b.build();
@@ -2177,12 +2181,15 @@ const de_PodIdentityAssociation = (output, context) => {
         associationId: __expectString,
         clusterName: __expectString,
         createdAt: (_) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
+        disableSessionTags: __expectBoolean,
+        externalId: __expectString,
         modifiedAt: (_) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
         namespace: __expectString,
         ownerArn: __expectString,
         roleArn: __expectString,
         serviceAccount: __expectString,
         tags: _json,
+        targetRoleArn: __expectString,
     });
 };
 const de_Update = (output, context) => {

package/dist-types/commands/CreateClusterCommand.d.ts

@@ -44,7 +44,9 @@ declare const CreateClusterCommand_base: {
  *          <p>You can use the <code>endpointPublicAccess</code> and
  *                 <code>endpointPrivateAccess</code> parameters to enable or disable public and
  *             private access to your cluster's Kubernetes API server endpoint. By default, public access is
- *             enabled, and private access is disabled. For more information, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html">Amazon EKS Cluster
+ *             enabled, and private access is disabled. The
+ *             endpoint domain name and IP address family depends on the value of the
+ *             <code>ipFamily</code> for the cluster. For more information, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html">Amazon EKS Cluster
  *                 Endpoint Access Control</a> in the <i>
  *                <i>Amazon EKS User Guide</i>
  *             </i>. </p>

package/dist-types/commands/CreatePodIdentityAssociationCommand.d.ts

@@ -29,15 +29,27 @@ declare const CreatePodIdentityAssociationCommand_base: {
 /**
  * <p>Creates an EKS Pod Identity association between a service account in an Amazon EKS cluster and an IAM role
  *             with <i>EKS Pod Identity</i>. Use EKS Pod Identity to give temporary IAM credentials to
- *             pods and the credentials are rotated automatically.</p>
+ *             Pods and the credentials are rotated automatically.</p>
  *          <p>Amazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances.</p>
- *          <p>If a pod uses a service account that has an association, Amazon EKS sets environment variables
- *             in the containers of the pod. The environment variables configure the Amazon Web Services SDKs,
+ *          <p>If a Pod uses a service account that has an association, Amazon EKS sets environment variables
+ *             in the containers of the Pod. The environment variables configure the Amazon Web Services SDKs,
  *             including the Command Line Interface, to use the EKS Pod Identity credentials.</p>
- *          <p>Pod Identity is a simpler method than <i>IAM roles for service
+ *          <p>EKS Pod Identity is a simpler method than <i>IAM roles for service
  *                 accounts</i>, as this method doesn't use OIDC identity providers.
- *             Additionally, you can configure a role for Pod Identity once, and reuse it across
+ *             Additionally, you can configure a role for EKS Pod Identity once, and reuse it across
  *             clusters.</p>
+ *          <p>Similar to Amazon Web Services IAM behavior, EKS Pod Identity associations are eventually consistent,
+ *             and may take several seconds to be effective after the initial API call returns
+ *             successfully. You must design your applications to account for these potential delays.
+ *             We recommend that you don’t include association create/updates in the
+ *             critical, high-availability code paths of your application. Instead, make changes in a
+ *             separate initialization or setup routine that you run less frequently.</p>
+ *          <p>You can set a <i>target IAM role</i> in the same or a different
+ *             account for advanced scenarios. With a target role, EKS Pod Identity automatically performs two
+ *             role assumptions in sequence: first assuming the role in the association that is in this
+ *             account, then using those credentials to assume the target IAM role. This process
+ *             provides your Pod with temporary credentials that have the permissions defined in the
+ *             target role, allowing secure access to resources in another Amazon Web Services account.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -53,6 +65,8 @@ declare const CreatePodIdentityAssociationCommand_base: {
  *   tags: { // TagMap
  *     "<keys>": "STRING_VALUE",
  *   },
+ *   disableSessionTags: true || false,
+ *   targetRoleArn: "STRING_VALUE",
  * };
  * const command = new CreatePodIdentityAssociationCommand(input);
  * const response = await client.send(command);
@@ -70,6 +84,9 @@ declare const CreatePodIdentityAssociationCommand_base: {
  * //     createdAt: new Date("TIMESTAMP"),
  * //     modifiedAt: new Date("TIMESTAMP"),
  * //     ownerArn: "STRING_VALUE",
+ * //     disableSessionTags: true || false,
+ * //     targetRoleArn: "STRING_VALUE",
+ * //     externalId: "STRING_VALUE",
  * //   },
  * // };
  *

package/dist-types/commands/DeletePodIdentityAssociationCommand.d.ts

@@ -55,6 +55,9 @@ declare const DeletePodIdentityAssociationCommand_base: {
  * //     createdAt: new Date("TIMESTAMP"),
  * //     modifiedAt: new Date("TIMESTAMP"),
  * //     ownerArn: "STRING_VALUE",
+ * //     disableSessionTags: true || false,
+ * //     targetRoleArn: "STRING_VALUE",
+ * //     externalId: "STRING_VALUE",
  * //   },
  * // };
  *

package/dist-types/commands/DescribePodIdentityAssociationCommand.d.ts

@@ -58,6 +58,9 @@ declare const DescribePodIdentityAssociationCommand_base: {
  * //     createdAt: new Date("TIMESTAMP"),
  * //     modifiedAt: new Date("TIMESTAMP"),
  * //     ownerArn: "STRING_VALUE",
+ * //     disableSessionTags: true || false,
+ * //     targetRoleArn: "STRING_VALUE",
+ * //     externalId: "STRING_VALUE",
  * //   },
  * // };
  *

package/dist-types/commands/UpdateClusterConfigCommand.d.ts

@@ -47,8 +47,8 @@ declare const UpdateClusterConfigCommand_base: {
  *             <li>
  *                <p>You can also use this API operation to enable or disable public and private
  *                     access to your cluster's Kubernetes API server endpoint. By default, public access is
- *                     enabled, and private access is disabled. For more information, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html">Amazon EKS
- *                         cluster endpoint access control</a> in the
+ *                     enabled, and private access is disabled. For more information, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html">
+ *                         Cluster API server endpoint</a> in the
  *                         <i>
  *                      <i>Amazon EKS User Guide</i>
  *                   </i>.</p>

package/dist-types/commands/UpdatePodIdentityAssociationCommand.d.ts

@@ -27,10 +27,23 @@ declare const UpdatePodIdentityAssociationCommand_base: {
     getEndpointParameterInstructions(): import("@smithy/middleware-endpoint").EndpointParameterInstructions;
 };
 /**
- * <p>Updates a EKS Pod Identity association. Only the IAM role can be changed; an association can't be moved
+ * <p>Updates a EKS Pod Identity association. In an update, you can change the IAM role, the target IAM role, or <code>disableSessionTags</code>.
+ *             You must change at least one of these in an update. An association can't be moved
  *             between clusters, namespaces, or service accounts. If you need to edit the namespace
  *             or service account, you need to delete the association and then create a new
  *             association with your desired settings.</p>
+ *          <p>Similar to Amazon Web Services IAM behavior, EKS Pod Identity associations are eventually consistent,
+ *             and may take several seconds to be effective after the initial API call returns
+ *             successfully. You must design your applications to account for these potential delays.
+ *             We recommend that you don’t include association create/updates in the
+ *             critical, high-availability code paths of your application. Instead, make changes in a
+ *             separate initialization or setup routine that you run less frequently.</p>
+ *          <p>You can set a <i>target IAM role</i> in the same or a different
+ *             account for advanced scenarios. With a target role, EKS Pod Identity automatically performs two
+ *             role assumptions in sequence: first assuming the role in the association that is in this
+ *             account, then using those credentials to assume the target IAM role. This process
+ *             provides your Pod with temporary credentials that have the permissions defined in the
+ *             target role, allowing secure access to resources in another Amazon Web Services account.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -42,6 +55,8 @@ declare const UpdatePodIdentityAssociationCommand_base: {
  *   associationId: "STRING_VALUE", // required
  *   roleArn: "STRING_VALUE",
  *   clientRequestToken: "STRING_VALUE",
+ *   disableSessionTags: true || false,
+ *   targetRoleArn: "STRING_VALUE",
  * };
  * const command = new UpdatePodIdentityAssociationCommand(input);
  * const response = await client.send(command);
@@ -59,6 +74,9 @@ declare const UpdatePodIdentityAssociationCommand_base: {
  * //     createdAt: new Date("TIMESTAMP"),
  * //     modifiedAt: new Date("TIMESTAMP"),
  * //     ownerArn: "STRING_VALUE",
+ * //     disableSessionTags: true || false,
+ * //     targetRoleArn: "STRING_VALUE",
+ * //     externalId: "STRING_VALUE",
  * //   },
  * // };
  *

package/dist-types/models/models_0.d.ts

@@ -334,10 +334,10 @@ export interface Addon {
      */
     configurationValues?: string | undefined;
     /**
-     * <p>An array of Pod Identity Assocations owned by the Addon. Each EKS Pod Identity
-     *             association maps a role to a service account in a namespace in the cluster.</p>
+     * <p>An array of EKS Pod Identity associations owned by the add-on. Each association maps a role to a service
+     *             account in a namespace in the cluster.</p>
      *          <p>For more information, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html">Attach an IAM Role to an Amazon EKS add-on
-     *                 using Pod Identity</a> in the <i>Amazon EKS User Guide</i>.</p>
+     *                 using EKS Pod Identity</a> in the <i>Amazon EKS User Guide</i>.</p>
      * @public
      */
     podIdentityAssociations?: string[] | undefined;
@@ -396,7 +396,7 @@ export interface AddonVersionInfo {
      */
     architecture?: string[] | undefined;
     /**
-     * <p>Indicates the compute type of the addon version.</p>
+     * <p>Indicates the compute type of the add-on version.</p>
      * @public
      */
     computeTypes?: string[] | undefined;
@@ -411,7 +411,7 @@ export interface AddonVersionInfo {
      */
     requiresConfiguration?: boolean | undefined;
     /**
-     * <p>Indicates if the Addon requires IAM Permissions to operate, such as networking
+     * <p>Indicates if the add-on requires IAM Permissions to operate, such as networking
      *             permissions.</p>
      * @public
      */
@@ -455,11 +455,11 @@ export interface AddonInfo {
     marketplaceInformation?: MarketplaceInformation | undefined;
 }
 /**
- * <p>A type of Pod Identity Association owned by an Amazon EKS Add-on.</p>
- *          <p>Each EKS Pod Identity Association maps a role to a service account in a namespace in
+ * <p>A type of EKS Pod Identity association owned by an Amazon EKS add-on.</p>
+ *          <p>Each association maps a role to a service account in a namespace in
  *             the cluster.</p>
  *          <p>For more information, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html">Attach an IAM Role to an Amazon EKS add-on
- *                 using Pod Identity</a> in the <i>Amazon EKS User Guide</i>.</p>
+ *                 using EKS Pod Identity</a> in the <i>Amazon EKS User Guide</i>.</p>
  * @public
  */
 export interface AddonPodIdentityAssociations {
@@ -475,17 +475,17 @@ export interface AddonPodIdentityAssociations {
     roleArn: string | undefined;
 }
 /**
- * <p>Information about how to configure IAM for an Addon.</p>
+ * <p>Information about how to configure IAM for an add-on.</p>
  * @public
  */
 export interface AddonPodIdentityConfiguration {
     /**
-     * <p>The Kubernetes Service Account name used by the addon.</p>
+     * <p>The Kubernetes Service Account name used by the add-on.</p>
      * @public
      */
     serviceAccount?: string | undefined;
     /**
-     * <p>A suggested IAM Policy for the addon.</p>
+     * <p>A suggested IAM Policy for the add-on.</p>
      * @public
      */
     recommendedManagedPolicies?: string[] | undefined;
@@ -1467,10 +1467,10 @@ export interface CreateAddonRequest {
      */
     configurationValues?: string | undefined;
     /**
-     * <p>An array of Pod Identity Assocations to be created. Each EKS Pod Identity association
-     *             maps a Kubernetes service account to an IAM Role.</p>
+     * <p>An array of EKS Pod Identity associations to be created. Each association maps a Kubernetes service account to
+     *             an IAM role.</p>
      *          <p>For more information, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html">Attach an IAM Role to an Amazon EKS add-on
-     *                 using Pod Identity</a> in the <i>Amazon EKS User Guide</i>.</p>
+     *                 using EKS Pod Identity</a> in the <i>Amazon EKS User Guide</i>.</p>
      * @public
      */
     podIdentityAssociations?: AddonPodIdentityAssociations[] | undefined;
@@ -1725,7 +1725,7 @@ export interface OutpostConfigRequest {
  *          <ul>
  *             <li>
  *                <p>Each block must be within an <code>IPv4</code> RFC-1918 network range. Minimum
- *                     allowed size is /24, maximum allowed size is /8. Publicly-routable addresses
+ *                     allowed size is /32, maximum allowed size is /8. Publicly-routable addresses
  *                     aren't supported.</p>
  *             </li>
  *             <li>
@@ -1764,7 +1764,7 @@ export interface RemoteNodeNetwork {
      *          <ul>
      *             <li>
      *                <p>Each block must be within an <code>IPv4</code> RFC-1918 network range. Minimum
-     *                     allowed size is /24, maximum allowed size is /8. Publicly-routable addresses
+     *                     allowed size is /32, maximum allowed size is /8. Publicly-routable addresses
      *                     aren't supported.</p>
      *             </li>
      *             <li>
@@ -1805,7 +1805,7 @@ export interface RemoteNodeNetwork {
  *          <ul>
  *             <li>
  *                <p>Each block must be within an <code>IPv4</code> RFC-1918 network range. Minimum
- *                     allowed size is /24, maximum allowed size is /8. Publicly-routable addresses
+ *                     allowed size is /32, maximum allowed size is /8. Publicly-routable addresses
  *                     aren't supported.</p>
  *             </li>
  *             <li>
@@ -1827,7 +1827,7 @@ export interface RemotePodNetwork {
      *          <ul>
      *             <li>
      *                <p>Each block must be within an <code>IPv4</code> RFC-1918 network range. Minimum
-     *                     allowed size is /24, maximum allowed size is /8. Publicly-routable addresses
+     *                     allowed size is /32, maximum allowed size is /8. Publicly-routable addresses
      *                     aren't supported.</p>
      *             </li>
      *             <li>
@@ -1855,7 +1855,7 @@ export interface RemoteNetworkConfigRequest {
      *          <ul>
      *             <li>
      *                <p>Each block must be within an <code>IPv4</code> RFC-1918 network range. Minimum
-     *                     allowed size is /24, maximum allowed size is /8. Publicly-routable addresses
+     *                     allowed size is /32, maximum allowed size is /8. Publicly-routable addresses
      *                     aren't supported.</p>
      *             </li>
      *             <li>
@@ -1896,7 +1896,7 @@ export interface RemoteNetworkConfigRequest {
      *          <ul>
      *             <li>
      *                <p>Each block must be within an <code>IPv4</code> RFC-1918 network range. Minimum
-     *                     allowed size is /24, maximum allowed size is /8. Publicly-routable addresses
+     *                     allowed size is /32, maximum allowed size is /8. Publicly-routable addresses
      *                     aren't supported.</p>
      *             </li>
      *             <li>
@@ -1936,9 +1936,10 @@ export interface VpcConfigRequest {
      * <p>Set this value to <code>false</code> to disable public access to your cluster's Kubernetes
      *             API server endpoint. If you disable public access, your cluster's Kubernetes API server can
      *             only receive requests from within the cluster VPC. The default value for this parameter
-     *             is <code>true</code>, which enables public access for your Kubernetes API server. For more
-     *             information, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html">Amazon EKS cluster endpoint access control</a> in the
-     *                 <i>
+     *             is <code>true</code>, which enables public access for your Kubernetes API server. The
+     *             endpoint domain name and IP address family depends on the value of the
+     *                 <code>ipFamily</code> for the cluster. For more information, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html">Cluster API
+     *                 server endpoint</a> in the <i>
      *                <i>Amazon EKS User Guide</i>
      *             </i>.</p>
      * @public
@@ -1951,8 +1952,8 @@ export interface VpcConfigRequest {
      *                 <code>false</code>, which disables private access for your Kubernetes API server. If you
      *             disable private access and you have nodes or Fargate pods in the cluster, then
      *             ensure that <code>publicAccessCidrs</code> includes the necessary CIDR blocks for
-     *             communication with the nodes or Fargate pods. For more information, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html">Amazon EKS cluster
-     *                 endpoint access control</a> in the <i>
+     *             communication with the nodes or Fargate pods. For more information, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html">Cluster
+     *                 API server endpoint</a> in the <i>
      *                <i>Amazon EKS User Guide</i>
      *             </i>.</p>
      * @public
@@ -1961,12 +1962,17 @@ export interface VpcConfigRequest {
     /**
      * <p>The CIDR blocks that are allowed access to your cluster's public Kubernetes API server
      *             endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that
-     *             you specify is denied. The default value is <code>0.0.0.0/0</code>. If you've disabled
-     *             private endpoint access, make sure that you specify the necessary CIDR blocks for every
-     *             node and Fargate <code>Pod</code> in the cluster. For more information, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html">Amazon EKS cluster
-     *                 endpoint access control</a> in the <i>
+     *             you specify is denied. The default value is <code>0.0.0.0/0</code> and additionally
+     *                 <code>::/0</code> for dual-stack `IPv6` clusters. If you've disabled private
+     *             endpoint access, make sure that you specify the necessary CIDR blocks for every node and
+     *             Fargate <code>Pod</code> in the cluster. For more information, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html">Cluster
+     *                 API server endpoint</a> in the <i>
      *                <i>Amazon EKS User Guide</i>
      *             </i>.</p>
+     *          <p>Note that the public endpoints are dual-stack for only <code>IPv6</code> clusters that
+     *             are made after October 2024. You can't add <code>IPv6</code> CIDR blocks to
+     *                 <code>IPv4</code> clusters or <code>IPv6</code> clusters that were made before
+     *             October 2024.</p>
      * @public
      */
     publicAccessCidrs?: string[] | undefined;
@@ -2140,7 +2146,8 @@ export interface CreateClusterRequest {
     /**
      * <p>If you set this value to <code>False</code> when creating a cluster, the default
      *             networking add-ons will not be installed.</p>
-     *          <p>The default networking addons include vpc-cni, coredns, and kube-proxy.</p>
+     *          <p>The default networking add-ons include <code>vpc-cni</code>, <code>coredns</code>, and
+     *                 <code>kube-proxy</code>.</p>
      *          <p>Use this option when you plan to install third-party alternative add-ons or
      *             self-manage the default networking add-ons.</p>
      * @public
@@ -2489,9 +2496,8 @@ export interface VpcConfigResponse {
      *             internet. If this value is disabled and you have nodes or Fargate pods in the
      *             cluster, then ensure that <code>publicAccessCidrs</code> includes the necessary CIDR
      *             blocks for communication with the nodes or Fargate pods. For more information, see
-     *                 <a href="https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html">Amazon EKS
-     *                 cluster endpoint access control</a> in the
-     *             <i>
+     *                 <a href="https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html">Cluster
+     *                 API server endpoint</a> in the <i>
      *                <i>Amazon EKS User Guide</i>
      *             </i>.</p>
      * @public
@@ -2499,7 +2505,18 @@ export interface VpcConfigResponse {
     endpointPrivateAccess?: boolean | undefined;
     /**
      * <p>The CIDR blocks that are allowed access to your cluster's public Kubernetes API server
-     *             endpoint.</p>
+     *             endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that
+     *             you specify is denied. The default value is <code>0.0.0.0/0</code> and additionally
+     *             <code>::/0</code> for dual-stack `IPv6` clusters. If you've disabled private
+     *             endpoint access, make sure that you specify the necessary CIDR blocks for every node and
+     *             Fargate <code>Pod</code> in the cluster. For more information, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html">Cluster
+     *                 API server endpoint</a> in the <i>
+     *                <i>Amazon EKS User Guide</i>
+     *             </i>.</p>
+     *          <p>Note that the public endpoints are dual-stack for only <code>IPv6</code> clusters that
+     *             are made after October 2024. You can't add <code>IPv6</code> CIDR blocks to
+     *             <code>IPv4</code> clusters or <code>IPv6</code> clusters that were made before
+     *             October 2024.</p>
      * @public
      */
     publicAccessCidrs?: string[] | undefined;
@@ -3960,13 +3977,13 @@ export interface CreateNodegroupResponse {
  */
 export interface CreatePodIdentityAssociationRequest {
     /**
-     * <p>The name of the cluster to create the association in.</p>
+     * <p>The name of the cluster to create the EKS Pod Identity association in.</p>
      * @public
      */
     clusterName: string | undefined;
     /**
-     * <p>The name of the Kubernetes namespace inside the cluster to create the association in. The
-     *             service account and the pods that use the service account must be in this
+     * <p>The name of the Kubernetes namespace inside the cluster to create the EKS Pod Identity association in. The
+     *             service account and the Pods that use the service account must be in this
      *             namespace.</p>
      * @public
      */
@@ -3980,7 +3997,7 @@ export interface CreatePodIdentityAssociationRequest {
     /**
      * <p>The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity
      *             agent manages credentials to assume this role for applications in the containers in the
-     *             pods that use this service account.</p>
+     *             Pods that use this service account.</p>
      * @public
      */
     roleArn: string | undefined;
@@ -4028,6 +4045,40 @@ export interface CreatePodIdentityAssociationRequest {
      * @public
      */
     tags?: Record<string, string> | undefined;
+    /**
+     * <p>Disable the automatic sessions tags that are appended by EKS Pod Identity.</p>
+     *          <p>EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You
+     *             can use these tags to author a single role that can work across resources by allowing
+     *             access to Amazon Web Services resources based on matching tags. By default, EKS Pod Identity attaches
+     *             six tags, including tags for cluster name, namespace, and service account name. For the
+     *             list of tags added by EKS Pod Identity, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/pod-id-abac.html#pod-id-abac-tags">List of session tags
+     *                 added by EKS Pod Identity</a> in the <i>Amazon EKS User Guide</i>.</p>
+     *          <p>Amazon Web Services compresses inline session policies, managed policy ARNs, and session tags into a
+     *             packed binary format that has a separate limit. If you receive a
+     *                 <code>PackedPolicyTooLarge</code> error indicating the packed binary format has
+     *             exceeded the size limit, you can attempt to reduce the size by disabling the session
+     *             tags added by EKS Pod Identity.</p>
+     * @public
+     */
+    disableSessionTags?: boolean | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This role
+     *             is assumed by using the EKS Pod Identity association role, then the credentials for this
+     *             role are injected into the Pod.</p>
+     *          <p>When you run applications on Amazon EKS, your application might need to access Amazon Web Services
+     *             resources from a different role that exists in the same or different Amazon Web Services account. For
+     *             example, your application running in “Account A” might need to access resources, such as
+     *             Amazon S3 buckets in “Account B” or within “Account A” itself. You can create a association
+     *             to access Amazon Web Services resources in “Account B” by creating two IAM roles: a role in “Account
+     *             A” and a role in “Account B” (which can be the same or different account), each with the
+     *             necessary trust and permission policies. After you provide these roles in the
+     *                 <i>IAM role</i> and <i>Target IAM role</i> fields, EKS
+     *             will perform role chaining to ensure your application gets the required permissions.
+     *             This means Role A will assume Role B, allowing your Pods to securely access resources
+     *             like S3 buckets in the target account.</p>
+     * @public
+     */
+    targetRoleArn?: string | undefined;
 }
 /**
  * <p>Amazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances.</p>
@@ -4041,7 +4092,7 @@ export interface PodIdentityAssociation {
     clusterName?: string | undefined;
     /**
      * <p>The name of the Kubernetes namespace inside the cluster to create the association in. The
-     *             service account and the pods that use the service account must be in this
+     *             service account and the Pods that use the service account must be in this
      *             namespace.</p>
      * @public
      */
@@ -4055,7 +4106,7 @@ export interface PodIdentityAssociation {
     /**
      * <p>The Amazon Resource Name (ARN) of the IAM role to associate with the service account. The EKS Pod Identity
      *             agent manages credentials to assume this role for applications in the containers in the
-     *             pods that use this service account.</p>
+     *             Pods that use this service account.</p>
      * @public
      */
     roleArn?: string | undefined;
@@ -4113,15 +4164,47 @@ export interface PodIdentityAssociation {
      */
     createdAt?: Date | undefined;
     /**
-     * <p>The most recent timestamp that the association was modified at</p>
+     * <p>The most recent timestamp that the association was modified at.</p>
      * @public
      */
     modifiedAt?: Date | undefined;
     /**
-     * <p>If defined, the Pod Identity Association is owned by an Amazon EKS Addon.</p>
+     * <p>If defined, the EKS Pod Identity association is owned by an Amazon EKS add-on.</p>
      * @public
      */
     ownerArn?: string | undefined;
+    /**
+     * <p>The state of the automatic sessions tags. The value of <i>true</i>
+     *             disables these tags.</p>
+     *          <p>EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You
+     *             can use these tags to author a single role that can work across resources by allowing
+     *             access to Amazon Web Services resources based on matching tags. By default, EKS Pod Identity attaches
+     *             six tags, including tags for cluster name, namespace, and service account name. For the
+     *             list of tags added by EKS Pod Identity, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/pod-id-abac.html#pod-id-abac-tags">List of session tags
+     *                 added by EKS Pod Identity</a> in the <i>Amazon EKS User Guide</i>.</p>
+     * @public
+     */
+    disableSessionTags?: boolean | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This
+     *             role is assumed by using the EKS Pod Identity association role, then the credentials for this
+     *             role are injected into the Pod.</p>
+     * @public
+     */
+    targetRoleArn?: string | undefined;
+    /**
+     * <p>The unique identifier for this EKS Pod Identity association for a target IAM role. You put this value
+     *             in the trust policy of the target role, in a <code>Condition</code> to match the
+     *                 <code>sts.ExternalId</code>. This ensures that the target role can only be assumed
+     *             by this association. This prevents the <i>confused deputy problem</i>. For
+     *             more information about the confused deputy problem, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html">The confused deputy
+     *             problem</a> in the <i>IAM User Guide</i>.</p>
+     *          <p>If you want to use the same target role with multiple associations or
+     *             other roles, use independent statements in the trust policy to allow
+     *             <code>sts:AssumeRole</code> access from each role.</p>
+     * @public
+     */
+    externalId?: string | undefined;
 }
 /**
  * @public
@@ -4419,8 +4502,8 @@ export interface DescribeAddonConfigurationResponse {
      */
     configurationSchema?: string | undefined;
     /**
-     * <p>The Kubernetes service account name used by the addon, and any suggested IAM policies.
-     *             Use this information to create an IAM Role for the Addon.</p>
+     * <p>The Kubernetes service account name used by the add-on, and any suggested IAM policies.
+     *             Use this information to create an IAM Role for the add-on.</p>
      * @public
      */
     podIdentityConfiguration?: AddonPodIdentityConfiguration[] | undefined;
@@ -5978,7 +6061,7 @@ export interface PodIdentityAssociationSummary {
     clusterName?: string | undefined;
     /**
      * <p>The name of the Kubernetes namespace inside the cluster to create the association in. The
-     *             service account and the pods that use the service account must be in this
+     *             service account and the Pods that use the service account must be in this
      *             namespace.</p>
      * @public
      */
@@ -6000,7 +6083,7 @@ export interface PodIdentityAssociationSummary {
      */
     associationId?: string | undefined;
     /**
-     * <p>If defined, the Pod Identity Association is owned by an Amazon EKS Addon.</p>
+     * <p>If defined, the association is owned by an Amazon EKS add-on.</p>
      * @public
      */
     ownerArn?: string | undefined;
@@ -6426,12 +6509,12 @@ export interface UpdateAddonRequest {
      */
     configurationValues?: string | undefined;
     /**
-     * <p>An array of Pod Identity Assocations to be updated. Each EKS Pod Identity association
-     *             maps a Kubernetes service account to an IAM Role. If this value is left blank, no change.
-     *             If an empty array is provided, existing Pod Identity Assocations owned by the Addon are
+     * <p>An array of EKS Pod Identity associations to be updated. Each association
+     *             maps a Kubernetes service account to an IAM role. If this value is left blank, no change.
+     *             If an empty array is provided, existing associations owned by the add-on are
      *             deleted.</p>
      *          <p>For more information, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/add-ons-iam.html">Attach an IAM Role to an Amazon EKS add-on
-     *                 using Pod Identity</a> in the <i>Amazon EKS User Guide</i>.</p>
+     *                 using EKS Pod Identity</a> in the <i>Amazon EKS User Guide</i>.</p>
      * @public
      */
     podIdentityAssociations?: AddonPodIdentityAssociations[] | undefined;
@@ -6826,7 +6909,7 @@ export interface UpdatePodIdentityAssociationRequest {
      */
     associationId: string | undefined;
     /**
-     * <p>The new IAM role to change the </p>
+     * <p>The new IAM role to change in the association.</p>
      * @public
      */
     roleArn?: string | undefined;
@@ -6836,13 +6919,45 @@ export interface UpdatePodIdentityAssociationRequest {
      * @public
      */
     clientRequestToken?: string | undefined;
+    /**
+     * <p>Disable the automatic sessions tags that are appended by EKS Pod Identity.</p>
+     *          <p>EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You
+     *             can use these tags to author a single role that can work across resources by allowing
+     *             access to Amazon Web Services resources based on matching tags. By default, EKS Pod Identity attaches
+     *             six tags, including tags for cluster name, namespace, and service account name. For the
+     *             list of tags added by EKS Pod Identity, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/pod-id-abac.html#pod-id-abac-tags">List of session tags
+     *                 added by EKS Pod Identity</a> in the <i>Amazon EKS User Guide</i>.</p>
+     *          <p>Amazon Web Services compresses inline session policies, managed policy ARNs, and session tags into a
+     *             packed binary format that has a separate limit. If you receive a <code>PackedPolicyTooLarge</code> error
+     *             indicating the packed binary format has exceeded the size limit, you can attempt to reduce
+     *             the size by disabling the session tags added by EKS Pod Identity.</p>
+     * @public
+     */
+    disableSessionTags?: boolean | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This
+     *             role is assumed by using the EKS Pod Identity association role, then the credentials for this
+     *             role are injected into the Pod.</p>
+     *          <p>When you run applications on Amazon EKS, your application might need to access Amazon Web Services
+     *             resources from a different role that exists in the same or different Amazon Web Services account. For
+     *             example, your application running in “Account A” might need to access resources, such as
+     *             buckets in “Account B” or within “Account A” itself. You can create a association to
+     *             access Amazon Web Services resources in “Account B” by creating two IAM roles: a role in “Account A”
+     *             and a role in “Account B” (which can be the same or different account), each with the
+     *             necessary trust and permission policies. After you provide these roles in the <i>IAM role</i>
+     *             and <i>Target IAM role</i> fields, EKS will perform role chaining to ensure your application
+     *             gets the required permissions. This means Role A will assume Role B, allowing your Pods
+     *             to securely access resources like S3 buckets in the target account.</p>
+     * @public
+     */
+    targetRoleArn?: string | undefined;
 }
 /**
  * @public
  */
 export interface UpdatePodIdentityAssociationResponse {
     /**
-     * <p>The full description of the EKS Pod Identity association that was updated.</p>
+     * <p>The full description of the association that was updated.</p>
      * @public
      */
     association?: PodIdentityAssociation | undefined;

package/dist-types/ts3.4/models/models_0.d.ts

@@ -931,6 +931,8 @@ export interface CreatePodIdentityAssociationRequest {
   roleArn: string | undefined;
   clientRequestToken?: string | undefined;
   tags?: Record<string, string> | undefined;
+  disableSessionTags?: boolean | undefined;
+  targetRoleArn?: string | undefined;
 }
 export interface PodIdentityAssociation {
   clusterName?: string | undefined;
@@ -943,6 +945,9 @@ export interface PodIdentityAssociation {
   createdAt?: Date | undefined;
   modifiedAt?: Date | undefined;
   ownerArn?: string | undefined;
+  disableSessionTags?: boolean | undefined;
+  targetRoleArn?: string | undefined;
+  externalId?: string | undefined;
 }
 export interface CreatePodIdentityAssociationResponse {
   association?: PodIdentityAssociation | undefined;
@@ -1542,6 +1547,8 @@ export interface UpdatePodIdentityAssociationRequest {
   associationId: string | undefined;
   roleArn?: string | undefined;
   clientRequestToken?: string | undefined;
+  disableSessionTags?: boolean | undefined;
+  targetRoleArn?: string | undefined;
 }
 export interface UpdatePodIdentityAssociationResponse {
   association?: PodIdentityAssociation | undefined;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@aws-sdk/client-eks",
   "description": "AWS SDK for JavaScript Eks Client for Node.js, Browser and React Native",
-  "version": "3.825.0",
+  "version": "3.828.0",
   "scripts": {
     "build": "concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'",
     "build:cjs": "node ../../scripts/compilation/inline client-eks",
@@ -20,38 +20,38 @@
   "dependencies": {
     "@aws-crypto/sha256-browser": "5.2.0",
     "@aws-crypto/sha256-js": "5.2.0",
-    "@aws-sdk/core": "3.825.0",
-    "@aws-sdk/credential-provider-node": "3.825.0",
+    "@aws-sdk/core": "3.826.0",
+    "@aws-sdk/credential-provider-node": "3.828.0",
     "@aws-sdk/middleware-host-header": "3.821.0",
     "@aws-sdk/middleware-logger": "3.821.0",
     "@aws-sdk/middleware-recursion-detection": "3.821.0",
-    "@aws-sdk/middleware-user-agent": "3.825.0",
+    "@aws-sdk/middleware-user-agent": "3.828.0",
     "@aws-sdk/region-config-resolver": "3.821.0",
     "@aws-sdk/types": "3.821.0",
-    "@aws-sdk/util-endpoints": "3.821.0",
+    "@aws-sdk/util-endpoints": "3.828.0",
     "@aws-sdk/util-user-agent-browser": "3.821.0",
-    "@aws-sdk/util-user-agent-node": "3.825.0",
+    "@aws-sdk/util-user-agent-node": "3.828.0",
     "@smithy/config-resolver": "^4.1.4",
-    "@smithy/core": "^3.5.2",
+    "@smithy/core": "^3.5.3",
     "@smithy/fetch-http-handler": "^5.0.4",
     "@smithy/hash-node": "^4.0.4",
     "@smithy/invalid-dependency": "^4.0.4",
     "@smithy/middleware-content-length": "^4.0.4",
-    "@smithy/middleware-endpoint": "^4.1.10",
-    "@smithy/middleware-retry": "^4.1.11",
+    "@smithy/middleware-endpoint": "^4.1.11",
+    "@smithy/middleware-retry": "^4.1.12",
     "@smithy/middleware-serde": "^4.0.8",
     "@smithy/middleware-stack": "^4.0.4",
     "@smithy/node-config-provider": "^4.1.3",
     "@smithy/node-http-handler": "^4.0.6",
     "@smithy/protocol-http": "^5.1.2",
-    "@smithy/smithy-client": "^4.4.2",
+    "@smithy/smithy-client": "^4.4.3",
     "@smithy/types": "^4.3.1",
     "@smithy/url-parser": "^4.0.4",
     "@smithy/util-base64": "^4.0.0",
     "@smithy/util-body-length-browser": "^4.0.0",
     "@smithy/util-body-length-node": "^4.0.0",
-    "@smithy/util-defaults-mode-browser": "^4.0.18",
-    "@smithy/util-defaults-mode-node": "^4.0.18",
+    "@smithy/util-defaults-mode-browser": "^4.0.19",
+    "@smithy/util-defaults-mode-node": "^4.0.19",
     "@smithy/util-endpoints": "^3.0.6",
     "@smithy/util-middleware": "^4.0.4",
     "@smithy/util-retry": "^4.0.5",