AWS cli documentation change
Summary
Added new optional '--policy' parameter to enforce additional IAM restrictions for pod identity associations. Includes important considerations about session tags and target role permissions.
Security assessment
The change introduces documentation for a new security feature allowing granular permission control through policy intersection. It explicitly enables least privilege access but doesn't address any specific vulnerability.
Diff
diff --git a/cli/latest/reference/eks/create-pod-identity-association.md b/cli/latest/reference/eks/create-pod-identity-association.md index 935a4e545..fa416c906 100644 --- a//cli/latest/reference/eks/create-pod-identity-association.md +++ b//cli/latest/reference/eks/create-pod-identity-association.md @@ -15 +15 @@ - * [AWS CLI 2.33.18 Command Reference](../../index.html) » + * [AWS CLI 2.33.21 Command Reference](../../index.html) » @@ -85,0 +86 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/eks-20 + [--policy <value>] @@ -200,0 +202,11 @@ JSON Syntax: +`--policy` (string) + +> An optional IAM policy in JSON format (as an escaped string) that applies additional restrictions to this pod identity association beyond the IAM policies attached to the IAM role. This policy is applied as the intersection of the role’s policies and this policy, allowing you to reduce the permissions that applications in the pods can use. Use this policy to enforce least privilege access while still leveraging a shared IAM role across multiple applications. +> +>> **Important considerations** +> +> * **Session tags:** When using this policy, `disableSessionTags` must be set to `true` . +> * **Target role permissions:** If you specify both a `TargetRoleArn` and a policy, the policy restrictions apply only to the target role’s permissions, not to the initial role used for assuming the target role. +> + + @@ -476,0 +489,4 @@ association -> (structure) +> +> policy -> (string) +> +>> An optional IAM policy in JSON format (as an escaped string) that applies additional restrictions to this pod identity association beyond the IAM policies attached to the IAM role. This policy is applied as the intersection of the role’s policies and this policy, allowing you to reduce the permissions that applications in the pods can use. Use this policy to enforce least privilege access while still leveraging a shared IAM role across multiple applications. @@ -488 +504 @@ association -> (structure) - * [AWS CLI 2.33.18 Command Reference](../../index.html) » + * [AWS CLI 2.33.21 Command Reference](../../index.html) »