diff --git a/knowledge base/cloud computing/aws/eks.md b/knowledge base/cloud computing/aws/eks.md
index a30d861..13bc7a3 100644
--- a/knowledge base/cloud computing/aws/eks.md
+++ b/knowledge base/cloud computing/aws/eks.md
@@ -1049,11 +1049,15 @@ Requirements:
- An existing EKS cluster (_duh!_).
- An existing IAM [OIDC provider][oidc providers] for the cluster.
- Alternatively, [Pod Identity] must be installed in the cluster and the role in the next step must be configured to
- use it.
+ Alternatively, one can use [Pod Identity] as long as (**_and_**)
+
+ - The add-on is installed in the cluster.
+ - The role in the next step is correctly configured for it.
+ - A Pod Identity Association is correctly configured for the Kubernetes service account.
+
- A dedicated IAM role for the load balancer controller.
-
+
Pulumi (OIDC)
```ts
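Review bot: the requirement "The role in the next step is correctly configured for it" (line `+ - The role in the next step is correctly configured for it.`) is the one line a reader will get wrong, and it does not say what "correctly configured" means; spell it out here, e.g. "its trust policy must allow the `pods.eks.amazonaws.com` service principal to perform `sts:AssumeRole` and `sts:TagSession`", since that is the only difference from the OIDC role. The lead-in "as long as (**_and_**)" also reads awkwardly; "as long as all of the following hold:" says the same thing without the parenthetical. The `-`/`+` pair that only swaps a whitespace-only line for an empty one is noise in the patch and could be dropped from the hunk.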
@@ -1092,6 +1096,53 @@ Requirements:
+
+ Pulumi (Pod Identity)
+
+ ```ts
+ const loadBalancerController_serviceRole = new aws.iam.Role(
+ "loadBalancerControllerRole",
+ {
+ name: "EKSLoadBalancerControllerRole",
+ description: "Allows EKS' load balancer controller component to control ELBs on behalf of the user",
+
+ assumeRolePolicy: JSON.stringify({
+ Version: "2012-10-17",
+ Statement: [{
+ Effect: "Allow",
+ Principal: {
+ Service: "pods.eks.amazonaws.com",
+ },
+ Action: [
+ "sts:AssumeRole",
+ "sts:TagSession",
+ ],
+ }],
+ }),
+ },
+ );
+ new aws.iam.RolePolicy(
+ "loadBalancerControllerRole-allowRoleFunctions",
+ {
+ role: loadBalancerController_serviceRole,
+ name: "AllowRoleFunctions",
+ policy: fs.readFileSync("./elb-controller.policy.json", "utf8"),
+ },
+ );
+
+ new aws.eks.PodIdentityAssociation(
+ "loadBalancerControllerRole-to-k8s-aws-load-balancer-controller",
+ {
+ clusterName: cluster.name,
+ roleArn: loadBalancerController_serviceRole.arn,
+ serviceAccount: "aws-load-balancer-controller",
+ namespace: "kube-system",
+ },
+ );
+ ```
+
+
+
- Subnets **must** be configured _properly_.
Refer [Route application and HTTP traffic with Application Load Balancers].
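Review bot: the trust policy in the new `Pulumi (Pod Identity)` block carries no `Condition`, so the `pods.eks.amazonaws.com` principal can assume `EKSLoadBalancerControllerRole` through any Pod Identity Association created in this account, not only the `kube-system/aws-load-balancer-controller` one declared below it; the `aws.eks.PodIdentityAssociation` is the only thing scoping the role, which is worth saying in a comment (and worth scoping further if the account hosts more than one cluster). The snippet also reads `./elb-controller.policy.json` and references `fs`, `aws` and `cluster` without saying where they come from or which controller version the policy file must match; a one-line comment on each would make the block usable on its own, and the inline policy name `AllowRoleFunctions` could be renamed to something that says what it grants (for example `ElbControllerPermissions`). Finally, the three blank `+` lines before `- Subnets **must** be configured _properly_.` leave a triple blank line in the rendered list; one is enough.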