AWS eks documentation change
Summary
Added recommendation to use EKS Pod Identities over IRSA and clarified STS API quota usage differences
Security assessment
Promotes EKS Pod Identity as preferred method for credential management, which reduces STS API usage and potential throttling risks. While this improves operational reliability, there is no evidence of addressing a specific security vulnerability.
Diff
diff --git a/eks/latest/userguide/service-accounts.md b/eks/latest/userguide/service-accounts.md index 87e6893ee..c8d3b91d5 100644 --- a//eks/latest/userguide/service-accounts.md +++ b//eks/latest/userguide/service-accounts.md @@ -94,0 +95,4 @@ At a high level, both EKS Pod Identity and IRSA enables you to grant IAM permiss +###### Note + +AWS recommends using EKS Pod Identities to grant access to AWS resources to your pods whenever possible. For more information, see [Learn how EKS Pod Identity grants pods access to AWS services](./pod-identities.html). + @@ -99,0 +104 @@ Role scalability | EKS Pod Identity doesn’t require users to define trust rel +STS API Quota Usage | EKS Pod Identity simplifies delivery of AWS credentials to your pods, and does not require your code make calls with the AWS Security Token Service (STS) directly. The EKS service handles role assumption, and delivers credentials to applications written using the AWS SDK in your pods without your pods communicating with AWS STS or using STS API Quota. | In IRSA, applications written using the AWS SDK in your pods use tokens to call the `AssumeRoleWithWebIdentity` API on the AWS Security Token Service (STS). Depending on the logic of your code on the AWS SDK, it is possible for your code to make unneccesarry calls to AWS STS and receive throttling errors.