diff --git a/examples/pulumi/aws eks cluster/index.ts b/examples/pulumi/aws eks cluster/index.ts
index 5472dcd..2a6c9ea 100644
--- a/examples/pulumi/aws eks cluster/index.ts
+++ b/examples/pulumi/aws eks cluster/index.ts
@@ -122,7 +122,7 @@ const cluster = new aws.eks.Cluster("cluster", {
const cluster_admin_accessEntry = new aws.eks.AccessEntry("cluster-admin-accessEntry", {
clusterName: cluster.name,
- principalArn: callerIdentity.then(callerIdentity => callerIdentity.arn),
+ principalArn: callerIdentity.then(callerIdentity => callerIdentity.arn), // only users or roles, no groups
kubernetesGroups: [
// No 'system:…', 'amazon:…', 'aws:…', 'eks:…' nor 'iam:…'.
// See reference page.
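Review bot: the new trailing comment on `principalArn` ("only users or roles, no groups") states a real constraint but in a different style from the full-line comments used for `kubernetesGroups` just below; consider a full-line comment above the property, phrased as "principalArn must be an IAM user or role ARN; IAM groups are not accepted", so the excluded identity type is explicit. One caveat worth confirming while here: `callerIdentity.arn` is the STS `assumed-role` session ARN when the deployment runs under an assumed role, not the underlying IAM role ARN, so the comment could also say which ARN form the access entry expects.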
diff --git a/knowledge base/cloud computing/aws/README.md b/knowledge base/cloud computing/aws/README.md
index c8d3c05..bbf691c 100644
--- a/knowledge base/cloud computing/aws/README.md
+++ b/knowledge base/cloud computing/aws/README.md
@@ -23,18 +23,29 @@ _Namespaces_ are containers for metrics.
Metrics only exist in the region in which they are created.
-[Many AWS services][services that publish cloudwatch metrics] offer basic monitoring by publishing a default set of metrics to CloudWatch with no charge.
+[Many AWS services][services that publish cloudwatch metrics] offer basic monitoring by publishing a default set of
+metrics to CloudWatch with no charge.
This feature is automatically enabled by default when one starts using one of these services.
## Resource constraints
-| data type | component | summary | description | type | length | pattern | required |
+| Data type | Component | Summary | Description | Type | Length | Pattern | Required |
| --------- | --------- | ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -------- | --------------------------------- | -------- |
-| tag | key | Required name of the tag | The string value can be Unicode characters and cannot be prefixed with "aws:".
The string can contain only the set of Unicode letters, digits, white-space, `_`,' `.`, `/`, `=`, `+`, `-`, `:`, `@` (Java regex: `^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-]*)$`) | String | 1 to 128 | `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$` | Yes |
-| tag | value | The optional value of the tag | The string value can be Unicode characters. The string can contain only the set of Unicode letters, digits, white-space, `_`, `.`, `/`, `=`, `+`, `-`, `:`, `@` (Java regex: `^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-]*)$"`) | String | 0 to 256 | `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$` | Yes |
+| Tag | Key | Required name of the tag | The string value can be Unicode characters and cannot be prefixed with "aws:".
The string can contain only the set of Unicode letters, digits, white-space, `_`,' `.`, `/`, `=`, `+`, `-`, `:`, `@` (Java regex: `^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-]*)$`) | String | 1 to 128 | `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$` | Yes |
+| Tag | Value | The optional value of the tag | The string value can be Unicode characters. The string can contain only the set of Unicode letters, digits, white-space, `_`, `.`, `/`, `=`, `+`, `-`, `:`, `@` (Java regex: `^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-]*)$"`, `[\p{L}\p{Z}\p{N}_.:\/=+\-@]*` on AWS) | String | 0 to 256 | `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$` | Yes |
## Access control
+| Entity | Description | Notes |
+| ------ | ------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
+| User | Represents a human or a workload.
Defined by its name and credentials. | No permissions by default, need to be assigned to it |
+| Role | Defines a set of permissions for making requests to AWS services.
Defines what actions can be performed on which resources. | Can be assumed by AWS services, applications and users |
+
+To be able to assume roles:
+
+- Users, roles or services **must** have the permissions to assume the role they want to assume.
+- The role's trust relationship **should** allow the users, roles or services to assume it.
+
From [Using service-linked roles]:
> A _service role_ is an IAM role that a service assumes to perform actions on your behalf.
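Review bot: in the added "To be able to assume roles" list the requirement keywords read inverted: a role cannot be assumed at all unless its trust policy allows the principal, so the trust-relationship line is the hard requirement and should say **must**, while the caller's own `sts:AssumeRole` permission is the one that can be relaxed (a trust policy that names a same-account user or role directly is sufficient on its own). Also in the reworked tag table: the stray `'` in `` `_`,' `.` `` survives in the Key row, the Java regex quoted in both Description cells lacks the `@` that the Pattern column includes, and the Value row says "The optional value of the tag" while its Required column says "Yes"; worth fixing while the table is being touched.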
@@ -42,7 +53,8 @@ From [Using service-linked roles]:
>
> A _service-linked role_ is a type of service role that is linked to an AWS service.
> The service can assume the role to perform an action on your behalf.
-> Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles.
+> Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not
+> edit the permissions for service-linked roles.
## Further readings
@@ -54,7 +66,9 @@ From [Using service-linked roles]:
### Sources
- [Constraints for tags][constraints tag]
-- [What is cloudWatch]
+- [What is CloudWatch]
+- [Introduction to AWS IAM AssumeRole]
+- [AWS JSON policy elements: Principal]
+[aws json policy elements: principal]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
[best practices for tagging aws resources]: https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/tagging-best-practices.html
[constraints tag]: https://docs.aws.amazon.com/directoryservice/latest/devguide/API_Tag.html
[services that publish cloudwatch metrics]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/aws-services-cloudwatch-metrics.html
[using service-linked roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html
[what is cloudwatch]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html
+
+
+[introduction to aws iam assumerole]: https://aws.plainenglish.io/introduction-to-aws-iam-assumerole-fbef3ce8e90b
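Review bot: the new `[introduction to aws iam assumerole]` link definition is appended after two blank lines at the end of the file instead of in the alphabetical order the other definitions keep; move it between `[constraints tag]` and `[services that publish cloudwatch metrics]` and drop the extra blank lines (the `[aws json policy elements: principal]` definition is placed correctly). Since this entry points to a third-party blog post rather than the AWS documentation, consider citing the official AssumeRole documentation alongside it.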