AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2026-01-25 · Documentation low

File: eks/latest/userguide/ack-troubleshooting.md

Summary

Updated example commands and added sts:TagSession permission requirement

Security assessment

Formatting improvements to examples and permission updates to match changes in other files. No security vulnerabilities addressed.

Diff

diff --git a/eks/latest/userguide/ack-troubleshooting.md b/eks/latest/userguide/ack-troubleshooting.md
index da25c901d..a59bd8fcb 100644
--- a//eks/latest/userguide/ack-troubleshooting.md
+++ b//eks/latest/userguide/ack-troubleshooting.md
@@ -84,2 +84,2 @@ You can view capability health and status issues in the EKS console or using the
-    aws iam list-attached-role-policies --role-name <replaceable>my-ack-capability-role</replaceable>
-    aws iam list-role-policies --role-name <replaceable>my-ack-capability-role</replaceable>
+    aws iam list-attached-role-policies --role-name my-ack-capability-role
+    aws iam list-role-policies --role-name my-ack-capability-role
@@ -88 +88,2 @@ You can view capability health and status issues in the EKS console or using the
-    aws iam get-role-policy --role-name <replaceable>my-ack-capability-role</replaceable> --policy-name <replaceable>policy-name</replaceable>
+    aws iam get-role-policy --role-name my-ack-capability-role --policy-name policy-name
+          
@@ -114 +115 @@ If resources aren’t being created in a target AWS account when using IAM Role
-    aws iam get-role --role-name <replaceable>cross-account-ack-role</replaceable> --query 'Role.AssumeRolePolicyDocument'
+    aws iam get-role --role-name cross-account-ack-role --query 'Role.AssumeRolePolicyDocument'
@@ -133 +134 @@ IAMRoleSelectors are cluster-scoped resources but target specific namespaces. En
-    kubectl get bucket <replaceable>my-cross-account-bucket</replaceable> -n <replaceable>production</replaceable>
+    kubectl get bucket my-cross-account-bucket -n production
@@ -139 +140 @@ IAMRoleSelectors are cluster-scoped resources but target specific namespaces. En
-    kubectl get iamroleselector <replaceable>my-selector</replaceable> -o jsonpath='{.spec.namespaceSelector}'
+    kubectl get iamroleselector my-selector -o jsonpath='{.spec.namespaceSelector}'
@@ -147 +148 @@ Verify that the IAMRoleSelector was successfully matched to your resource by che
-    kubectl get bucket <replaceable>my-cross-account-bucket</replaceable> -n <replaceable>production</replaceable> -o jsonpath='{.status.conditions[?(@.type=="ACK.IAMRoleSelected")]}'
+    kubectl get bucket my-cross-account-bucket -n production -o jsonpath='{.status.conditions[?(@.type=="ACK.IAMRoleSelected")]}'
@@ -153 +154 @@ If the condition is `False` or missing, the IAMRoleSelector’s namespace select
-The Capability Role needs `sts:AssumeRole` permission for the target account role:
+The Capability Role needs `sts:AssumeRole` and `sts:TagSession` permissions for the target account role:
@@ -161 +162 @@ The Capability Role needs `sts:AssumeRole` permission for the target account rol
-          "Action": "sts:AssumeRole",
+          "Action": ["sts:AssumeRole", "sts:TagSession"],