Conversation

@pahud (Contributor) commented Aug 14, 2025

Issue # (if applicable)

Closes #35219

Reason for this change

EKS Pod Identity supports a targetRoleArn parameter that enables role chaining scenarios, particularly for cross-account access patterns. This feature was missing from the CDK construct, limiting users who need to access AWS resources in different accounts or implement complex role assumption chains.

Description of changes

Core Implementation:

  • Previously, the options for a ServiceAccount were spread across multiple interface declarations, which was likely an oversight. This pull request consolidates them into a single, coherent interface and adds the new targetRole property.
  • Updated the Pod Identity association creation logic in the ServiceAccount construct to include targetRole when specified
  • The implementation extracts the role ARN from the IRole object and passes it to the AWS::EKS::PodIdentityAssociation CloudFormation resource

Design Decisions:

  • Made targetRole optional to maintain backward compatibility
  • Used iam.IRole interface for better type safety and consistency with CDK patterns
  • Allows both imported roles (via Role.fromRoleArn()) and newly created roles
  • Maintained existing behavior when targetRole is not specified

Alternatives Considered:

  • Using raw ARN string: Rejected in favor of type-safe IRole interface for better developer experience
  • Adding separate method for target role associations: Rejected to keep API simple and consistent

Describe any new or updated permissions being added

No new CDK permissions are required. The feature uses existing EKS Pod Identity functionality.

When users specify a targetRole, they need to ensure:

  • The target role trusts the service account role (configured by the user)
  • The service account role has permission to assume the target role (handled automatically by EKS)

Description of how you validated changes

Unit Tests:

  • Added comprehensive tests in service-account.test.ts covering:
    • Basic targetRole functionality with both created and imported roles
    • CloudFormation template generation with targetRole
    • Backward compatibility (no targetRole specified)
    • Integration with different identity types
    • Type safety validation

Integration Tests:

  • Created integ.eks-pod-identity-target-role.ts that:
    • Deploys an actual EKS cluster with a Pod Identity association using targetRole
    • Validates CloudFormation resource creation
    • Calls EKS API to verify targetRoleArn is correctly set and returned
    • Confirms end-to-end functionality

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

Add support for the targetRoleArn parameter in EKS Pod Identity associations,
enabling role chaining scenarios and cross-account access patterns.

- Add targetRoleArn property to ServiceAccountOptions interface
- Update Pod Identity association creation to include targetRoleArn when specified
- Add comprehensive unit tests covering targetRoleArn functionality
- Add integration test to validate targetRoleArn behavior with EKS API
- Update README with Service Account documentation and targetRoleArn usage examples

When targetRoleArn is specified, EKS creates a service account role that can
assume the target role, useful for cross-account access or role chaining
within the same account.
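The description above says the construct passes the target role's ARN to the AWS::EKS::PodIdentityAssociation resource and that the user is responsible for making the target role trust the service account role. The following is an added example, not code from the PR or from aws-cdk-lib: it works at the CloudFormation level (no CDK imports), builds the association properties with the target role emitted only when given, builds the trust policy the target role needs, and checks an existing trust policy for the two things a reviewer of such a change looks for: whether the service account role is actually trusted, and whether the trusted principal is over-broad (a wildcard or an entire account root instead of one role). The property name TargetRoleArn on the CloudFormation resource is an assumption based on the targetRoleArn parameter the PR mentions; the ARNs and cluster names are constructed sample values.

```typescript
// Added example, not code from the aws-cdk PR. Models the CloudFormation
// properties of AWS::EKS::PodIdentityAssociation with an optional target role
// (the TargetRoleArn property name is an assumption) and the trust policy the
// target role needs for the chained assumption to succeed.

interface PodIdentityAssociationProps {
  ClusterName: string;
  Namespace: string;
  ServiceAccount: string;
  RoleArn: string;
  TargetRoleArn?: string;
}

interface Statement {
  Effect: 'Allow' | 'Deny';
  Principal: { AWS?: string | string[]; Service?: string | string[] } | '*';
  Action: string | string[];
}

interface TrustPolicy { Version: '2012-10-17'; Statement: Statement[] }

// Accepts only IAM role ARNs (including partitions such as aws-us-gov / aws-cn).
const ROLE_ARN = /^arn:aws[a-z-]*:iam::\d{12}:role\/[\w+=,.@\/-]+$/;

function checkRoleArn(arn: string): void {
  if (!ROLE_ARN.test(arn)) throw new Error(`not an IAM role ARN: ${arn}`);
}

// Mirrors what the construct does: emit TargetRoleArn only when a target role is given,
// so existing templates without a target role are unchanged.
function podIdentityAssociation(
  clusterName: string, namespace: string, serviceAccount: string,
  roleArn: string, targetRoleArn?: string,
): PodIdentityAssociationProps {
  checkRoleArn(roleArn);
  const props: PodIdentityAssociationProps = {
    ClusterName: clusterName, Namespace: namespace, ServiceAccount: serviceAccount, RoleArn: roleArn,
  };
  if (targetRoleArn !== undefined) {
    checkRoleArn(targetRoleArn);
    if (targetRoleArn === roleArn) throw new Error('target role must differ from the service account role');
    props.TargetRoleArn = targetRoleArn;
  }
  return props;
}

// Trust policy for the target role: exactly one principal, the service account
// role, may assume it. This is the part the PR says the user must configure.
function targetRoleTrustPolicy(serviceAccountRoleArn: string): TrustPolicy {
  checkRoleArn(serviceAccountRoleArn);
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Principal: { AWS: serviceAccountRoleArn }, Action: 'sts:AssumeRole' }],
  };
}

const asList = (v: string | string[] | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

function allowsAssumeRole(s: Statement): boolean {
  return s.Effect === 'Allow' && asList(s.Action).some(a => a === 'sts:AssumeRole' || a === 'sts:*' || a === '*');
}

// True if the policy lets this specific role ARN assume the target role.
function trustsRole(policy: TrustPolicy, roleArn: string): boolean {
  return policy.Statement.some(s =>
    allowsAssumeRole(s) && s.Principal !== '*' && asList(s.Principal.AWS).includes(roleArn));
}

// True if an AssumeRole statement trusts a wildcard or a whole account root
// instead of a named role: the over-broad trust a reviewer should flag.
function hasBroadPrincipal(policy: TrustPolicy): boolean {
  return policy.Statement.some(s => allowsAssumeRole(s) && (
    s.Principal === '*' || asList(s.Principal.AWS).some(p => p === '*' || /:root$/.test(p))
  ));
}
```

In practice you would feed `trustsRole` and `hasBroadPrincipal` the trust policy fetched from the target account (for example the `AssumeRolePolicyDocument` returned by `iam:GetRole`) before deploying the association, since a missing trust entry fails only at runtime, when the pod first calls STS, and an account-root principal silently widens who can reach the target role beyond the one service account.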
@aws-cdk-automation aws-cdk-automation requested a review from a team August 14, 2025 00:28
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 labels Aug 14, 2025
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Aug 14, 2025
@pahud pahud marked this pull request as ready for review August 14, 2025 02:56
@aws-cdk-automation aws-cdk-automation added pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. pr/needs-maintainer-review This PR needs a review from a Core Team Member labels Oct 2, 2025
Development

Successfully merging this pull request may close these issues.

eks: Configuring target role for Pod Identity

2 participants