AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-02-13 · Documentation low

File: cli/latest/reference/eks/update-pod-identity-association.md

Summary

Added new optional '--policy' parameter to modify IAM restrictions for existing pod identity associations.

Security assessment

Documents ability to update security policies for enforcement of least privilege, but doesn't fix any identified vulnerability.

Diff

diff --git a/cli/latest/reference/eks/update-pod-identity-association.md b/cli/latest/reference/eks/update-pod-identity-association.md
index f04f09601..147e7f070 100644
--- a//cli/latest/reference/eks/update-pod-identity-association.md
+++ b//cli/latest/reference/eks/update-pod-identity-association.md
@@ -15 +15 @@
-  * [AWS CLI 2.33.18 Command Reference](../../index.html) »
+  * [AWS CLI 2.33.21 Command Reference](../../index.html) »
@@ -77,0 +78 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/eks-20
+    [--policy <value>]
@@ -131,0 +133,11 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/eks-20
+`--policy` (string)
+
+> An optional IAM policy in JSON format (as an escaped string) that applies additional restrictions to this pod identity association beyond the IAM policies attached to the IAM role. This policy is applied as the intersection of the role’s policies and this policy, allowing you to reduce the permissions that applications in the pods can use. Use this policy to enforce least privilege access while still leveraging a shared IAM role across multiple applications.
+>
+>> **Important considerations**
+> 
+>   * **Session tags:** When using this policy, `disableSessionTags` must be set to `true` .
+>   * **Target role permissions:** If you specify both a `TargetRoleArn` and a policy, the policy restrictions apply only to the target role’s permissions, not to the initial role used for assuming the target role.
+> 
+
+
@@ -371,0 +384,4 @@ association -> (structure)
+> 
+> policy -> (string)
+>
+>> An optional IAM policy in JSON format (as an escaped string) that applies additional restrictions to this pod identity association beyond the IAM policies attached to the IAM role. This policy is applied as the intersection of the role’s policies and this policy, allowing you to reduce the permissions that applications in the pods can use. Use this policy to enforce least privilege access while still leveraging a shared IAM role across multiple applications.
@@ -383 +399 @@ association -> (structure)
-  * [AWS CLI 2.33.18 Command Reference](../../index.html) »
+  * [AWS CLI 2.33.21 Command Reference](../../index.html) »