Amazon EKS Pod Identity Session Policies
EKS Pod Identity session policies are the first practical answer AWS has given to “how do I keep pod permissions narrow without creating a dozen roles?” The answer is simple: keep the role, and scope the session.
That sounds small, but it changes the maintenance model. Instead of minting one IAM role per variation, you attach a session policy to the Pod Identity association, and IAM evaluates the pod's credentials against the intersection of the role's own policies and that session policy. AWS also makes one thing very explicit: if you use a session policy, you must disable session tags on the association.
Permission Table
| Control | What it does | When to use | Gotcha |
|---|---|---|---|
| Base IAM role | Defines the starting permissions | Any Pod Identity setup | Too broad if shared across apps |
| Session policy | Narrows the role at assume time | App-specific or environment-specific access | Can restrict, not expand |
| `--disable-session-tags` | Disables the session tags Pod Identity would add; required with session policies | Whenever a session policy is attached to the association | Session tags and session policies do not mix |
| Target role | Cross-account access path | Multi-account architectures | Adds role chaining complexity |
Policy Flow
```mermaid
flowchart LR
    Pod[Kubernetes pod] --> Assoc[Pod Identity association]
    Assoc --> Role[IAM role]
    Assoc --> Session[Session policy]
    Role --> Eff[Effective permissions]
    Session --> Eff
    Eff --> AWS[AWS services]
```
Why It Matters
The advantage here is scale. A lot of teams had already accepted that Pod Identity was the right identity primitive, but then they kept creating policy variants just to stop one namespace from doing too much. Session policies let you keep the role inventory small and push the variability into the association.
The sharp edge is the intersection rule. Session policies cannot add privileges; they only remove them. That is what makes them safe, but it is also why they are not a substitute for sane base-role design: the session policy scopes one association, while the base role keeps its full permissions for any other association or principal that can assume it, so the role itself still has to be least privilege.
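To make the intersection rule concrete for both the association step above and this section, here is a small Python evaluator added for this page. It is not AWS code and not the real IAM engine: it models only identity-based Allow/Deny statements with Action and Resource, and deliberately ignores Condition keys, NotAction/NotResource, resource-based policies and permission boundaries. The base role, session policy, ARNs and function names are all constructed for illustration.

```python
"""Toy evaluator for the 'session policy = base role AND session policy' rule.

Added illustration, not AWS code. Simplifications on purpose: identity-based
Allow/Deny statements with Action/Resource only; no Condition keys, no
NotAction/NotResource, no resource-based policies, no permission boundaries.
All policies and ARNs below are constructed sample data.
"""
import fnmatch
from typing import Optional


def _as_list(value):
    """IAM lets Statement/Action/Resource be a string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character.
    Action names match case-insensitively; resource ARNs are case-sensitive."""
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Decision of ONE policy document: 'Deny', 'Allow' or 'Implicit'.

    An explicit Deny short-circuits; an Allow is remembered while scanning;
    no matching statement at all is an implicit deny.
    """
    verdict = "Implicit"
    for stmt in _as_list(policy.get("Statement", [])):
        if not _matches(_as_list(stmt.get("Action", [])), action, case_insensitive=True):
            continue
        if not _matches(_as_list(stmt.get("Resource", [])), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        if stmt.get("Effect") == "Allow":
            verdict = "Allow"
    return verdict


def effective(base_role: dict, session_policy: Optional[dict], action: str, resource: str) -> bool:
    """Effective permission of a session: base role AND session policy.

    A Deny on either side wins. Without a session policy the base role decides
    alone; with one, BOTH must allow, so a session policy can never grant more
    than the base role already does.
    """
    if evaluate(base_role, action, resource) != "Allow":
        return False
    if session_policy is None:
        return True
    return evaluate(session_policy, action, resource) == "Allow"


# Constructed sample: one base role shared by an application's pods.
BASE_ROLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-data/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-data"},
        {"Effect": "Allow", "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:111122223333:example-queue"},
    ],
}

# Constructed sample: session policy for a read-only reporting namespace.
# The over-reach on other-bucket is deliberate: it cannot take effect.
SESSION_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"]},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::other-bucket/*"},
        {"Effect": "Deny", "Action": "sqs:*", "Resource": "*"},
    ],
}

OBJ = "arn:aws:s3:::example-app-data/reports/q1.csv"
OTHER = "arn:aws:s3:::other-bucket/secret.txt"
QUEUE = "arn:aws:sqs:us-east-1:111122223333:example-queue"


def run_examples() -> dict:
    """Decisions a practitioner should expect; each key names the lesson."""
    return {
        "read_allowed_by_both": effective(BASE_ROLE, SESSION_READ_ONLY, "s3:GetObject", OBJ),
        "write_narrowed_away": effective(BASE_ROLE, SESSION_READ_ONLY, "s3:PutObject", OBJ),
        "session_cannot_expand": effective(BASE_ROLE, SESSION_READ_ONLY, "s3:GetObject", OTHER),
        "explicit_deny_wins": effective(BASE_ROLE, SESSION_READ_ONLY, "sqs:SendMessage", QUEUE),
        "no_session_policy_keeps_base": effective(BASE_ROLE, None, "s3:PutObject", OBJ),
    }


if __name__ == "__main__":
    for lesson, allowed in run_examples().items():
        print(f"{lesson:30} -> {'ALLOW' if allowed else 'DENY'}")
```

The third case is the one to keep in mind: the session policy allows `s3:*` on `other-bucket`, yet the request is denied because the base role never allowed it. The fifth case shows the flip side, which is why the base role still has to be designed as least privilege.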
Related reading
- EKS RBAC and identity boundaries
- IAM roles and policy design
- IAM Identity Center and workforce access
- Permission boundaries for least privilege