From 9b1e2da910985695f68614d6257f5853802bea87 Mon Sep 17 00:00:00 2001
From: Michele Cereda
Date: Fri, 6 Jun 2025 22:38:22 +0200
Subject: [PATCH] chore(eks): expand pod identity example
---
 knowledge base/cloud computing/aws/eks.md | 57 +++++++++++++++++++++--
 1 file changed, 54 insertions(+), 3 deletions(-)
diff --git a/knowledge base/cloud computing/aws/eks.md b/knowledge base/cloud computing/aws/eks.md
index a30d861..13bc7a3 100644
--- a/knowledge base/cloud computing/aws/eks.md
+++ b/knowledge base/cloud computing/aws/eks.md
@@ -1049,11 +1049,15 @@ Requirements:
 - An existing EKS cluster (_duh!_).
 - An existing IAM [OIDC provider][oidc providers] for the cluster.
- Alternatively, [Pod Identity] must be installed in the cluster and the role in the next step must be configured to
- use it.
+ Alternatively, one can use [Pod Identity] as long as (**_and_**)
+
+ - The add-on is installed in the cluster.
+ - The role in the next step is correctly configured for it.
+ - A Pod Identity Association is correctly configured for the Kubernetes service account.
+ - A dedicated IAM role for the load balancer controller.
-
+
 Pulumi (OIDC)
 ```ts
@@ -1092,6 +1096,53 @@ Requirements:
+
+
+ Pulumi (Pod Identity)
+
+ ```ts
+ const loadBalancerController_serviceRole = new aws.iam.Role(
+ "loadBalancerControllerRole",
+ {
+ name: "EKSLoadBalancerControllerRole",
+ description: "Allows EKS' load balancer controller component to control ELBs on behalf of the user",
+
+ assumeRolePolicy: JSON.stringify({
+ Version: "2012-10-17",
+ Statement: [{
+ Effect: "Allow",
+ Principal: {
+ Service: "pods.eks.amazonaws.com",
+ },
+ Action: [
+ "sts:AssumeRole",
+ "sts:TagSession",
+ ],
+ }],
+ }),
+ },
+ );
+ new aws.iam.RolePolicy(
+ "loadBalancerControllerRole-allowRoleFunctions",
+ {
+ role: loadBalancerController_serviceRole,
+ name: "AllowRoleFunctions",
+ policy: fs.readFileSync("./elb-controller.policy.json", "utf8"),
+ },
+ );
+
+ new aws.eks.PodIdentityAssociation(
+ "loadBalancerControllerRole-to-k8s-aws-load-balancer-controller",
+ {
+ clusterName: cluster.name,
+ roleArn: loadBalancerController_serviceRole.arn,
+ serviceAccount: "aws-load-balancer-controller",
+ namespace: "kube-system",
+ },
+ );
+ ```
+
+
+
 - Subnets **must** be configured _properly_.
Refer [Route application and HTTP traffic with Application Load Balancers].