AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2025-06-13 · Documentation low

File: eks/latest/userguide/pod-id-abac.md

Summary

Restructured documentation to add 'Sample policy with tags' section, added 'Enable or disable session tags' section with instructions for disabling tags to resolve PackedPolicyTooLarge errors, and updated ABAC explanation wording.

Security assessment

The changes document security-related ABAC features and session tag management but do not address a specific security vulnerability. The PackedPolicyTooLarge mitigation is operational guidance rather than a security fix.

Diff

diff --git a/eks/latest/userguide/pod-id-abac.md b/eks/latest/userguide/pod-id-abac.md
index 6821c5b30..98e895c69 100644
--- a//eks/latest/userguide/pod-id-abac.md
+++ b//eks/latest/userguide/pod-id-abac.md
@@ -5 +5 @@
-List of session tags added by EKS Pod IdentityCross-account tagsCustom tags
+Sample policy with tagsEnable or disable session tagsCross-account tagsCustom tags
@@ -13 +13 @@ To contribute to this user guide, choose the **Edit this page on GitHub** link t
-Attribute-based access control (ABAC) grants rights to users through policies which combine attributes together. EKS Pod Identity attaches tags to the temporary credentials to each Pod with attributes such as cluster name, namespace, and service account name. These role session tags enable administrators to author a single role that can work across service accounts by allowing access to AWS resources based on matching tags. By adding support for role session tags, customers can enforce tighter security boundaries between clusters, and workloads within clusters, while reusing the same IAM roles and IAM policies.
+Attribute-based access control (ABAC) grants rights to users through policies which combine attributes together. EKS Pod Identity attaches tags to the temporary credentials to each Pod with attributes such as cluster name, namespace, and service account name. These role session tags enable administrators to author a single role that can work across service accounts by allowing access to AWS resources based on matching tags. By adding support for role session tags, you can enforce tighter security boundaries between clusters, and workloads within clusters, while reusing the same IAM roles and IAM policies.
@@ -15 +15,3 @@ Attribute-based access control (ABAC) grants rights to users through policies wh
-For example, the following policy allows the `s3:GetObject` action if the object is tagged with the name of the EKS cluster.
+## Sample policy with tags
+
+Below is an IAM policy example that grants `s3:GetObject` permissions when the corresponding object is tagged with the EKS cluster name.
@@ -44 +46,3 @@ For example, the following policy allows the `s3:GetObject` action if the object
-## List of session tags added by EKS Pod Identity
+## Enable or disable session tags
+
+EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. These session tags enable administrators to author a single role that can work across resources by allowing access to AWS resources based on matching tags.
@@ -46 +50,3 @@ For example, the following policy allows the `s3:GetObject` action if the object
-The following list contains all of the keys for tags that are added to the `AssumeRole` request made by Amazon EKS. To use these tags in policies, use `${aws:PrincipalTag/` followed by the key, for example `${aws:PrincipalTag/kubernetes-namespace}`.
+### Enable session tags
+
+Session tags are automatically enabled with EKS Pod Identity—​no action is required on your part. By default, EKS Pod Identity attaches a set of predefined tags to your session. To reference these tags in policies, use the syntax `${aws:PrincipalTag/` followed by the tag key. For example, `${aws:PrincipalTag/kubernetes-namespace}`.
@@ -62,0 +69,19 @@ The following list contains all of the keys for tags that are added to the `Assu
+### Disable session tags
+
+AWS compresses inline session policies, managed policy ARNs, and session tags into a packed binary format that has a separate limit. If you receive a `PackedPolicyTooLarge` error indicating the packed binary format has exceeded the size limit, you can attempt to reduce the size by disabling the session tags added by EKS Pod Identity. To disable these session tags, follow these steps:
+
+  1. Open the [Amazon EKS console](https://console.aws.amazon.com/eks/home#/clusters).
+
+  2. In the left navigation pane, select **Clusters** , and then select the name of the cluster that you want to modify.
+
+  3. Choose the **Access** tab.
+
+  4. In the **Pod Identity associations** , choose the association ID you would like to modify in **Association ID** , then choose **Edit**.
+
+  5. Under **Session tags** , choose **Disable session tags**.
+
+  6. Choose **Save changes**.
+
+
+
+