diff --git a/README.md b/README.md index ea6c3c2..cad9e80 100644 --- a/README.md +++ b/README.md 
@@ -1,14 +1,16 @@ -## eks-pod-identity-agent +# Amazon EKS Pod Identity agent +An agent required by the [EKS Pod Identity feature](https://aws.amazon.com/blogs/containers/amazon-eks-pod-identity-a-new-way-for-applications-on-eks-to-obtain-iam-credentials/). -In your code, you can use the AWS SDKs to access AWS services. You write code to create a client for an AWS service with an SDK, and by default the SDK searches in a chain of locations for AWS Identity and Access Management credentials to use. After valid credentials are found, the search is stopped. For more information about the default locations used, see the Credential provider chain in the AWS SDKs and Tools Reference Guide. +## Amazon EKS Pod Identity agent +[EKS Pod Identity](https://aws.amazon.com/blogs/containers/amazon-eks-pod-identity-a-new-way-for-applications-on-eks-to-obtain-iam-credentials/) is a feature of Amazon EKS that simplifies the process for cluster administrators to configure Kubernetes applications with AWS IAM permissions. A prerequisite for using the Pod Identity feature is running the Pod Identity agent on the worker nodes. -EKS Pod Identities have been added to the Container credential provider which is searched in a step in the default credential chain. If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an EKS Pod Identity association for the same workload. This way you can safely migrate from other types of credentials by creating the association first, before removing the old credentials. +You can use AWS SDKs to receive temporary IAM permissions required to access various AWS services from your applications running on the EKS cluster. All AWS SDKs have a series of places (or sources) that they check in order to find valid credentials to use to make a request to an AWS service. After valid credentials are found, the search is stopped. 
This systematic search is called the default credential provider chain. For more information about the Credential provider chain, refer to the [AWS SDKs and Tools Reference Guide](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html#credentialProviderChain). -The container credentials provider provides temporary credentials from an agent that runs on each node. In Amazon EKS, the agent is the Amazon EKS Pod Identity Agent and on Amazon Elastic Container Service the agent is the amazon-ecs-agent. The SDKs use environment variables to locate the agent to connect to. +EKS Pod Identity has been added to the Container credential provider, which is searched as a step in the default credential provider chain. If your workloads currently use credentials that are earlier in the chain, then those credentials will continue to be used even if you configure an EKS Pod Identity association for the same workload. This way, you can safely migrate from other types of credentials by creating the association first, before removing the old credentials. -In contrast, IAM roles for service accounts provides a web identity token that the AWS SDK must exchange with AWS Security Token Service by using AssumeRoleWithWebIdentity. +The container credentials provider provides temporary credentials from an agent that runs on each worker node. In Amazon EKS, the agent is the EKS Pod Identity Agent and on Amazon Elastic Container Service (ECS) the agent is the amazon-ecs-agent. AWS SDKs use environment variables to locate the agent to connect to. -checking [EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-how-it-works.html) for more information. +Visit [EKS user guide](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-how-it-works.html) to learn more about the Pod Identity feature. ## Building 
@@ -22,7 +24,7 @@ checking [EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod ### Helm Install -checking README.md in `charts` for Helm installation. +Refer [README.md in `charts`](./charts/eks-pod-identity-agent/README.md) for Helm installation. ### Kubectl Install
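Review bot: In the first hunk (README.md, `@@ -1,14 +1,16 @@`), the added sentence "You can use AWS SDKs to receive temporary IAM permissions required to access various AWS services" says permissions where the later added lines say the container credentials provider "provides temporary credentials". Suggest "temporary IAM credentials", so the README does not blur credentials (what the agent hands to the SDK) with permissions (what the IAM role grants). The hunk also adds `# Amazon EKS Pod Identity agent` and `## Amazon EKS Pod Identity agent` with identical text and links the same blog post in both the tagline and the first paragraph; one heading and one link would be enough. The removed sentence contrasting IAM roles for service accounts and `AssumeRoleWithWebIdentity` has no replacement in the added lines; it was the only sentence in this section that distinguished the two mechanisms, so either keep it or state in the commit message that dropping it is intentional. Capitalization of the agent's name is also inconsistent within the added lines ("Pod Identity agent" and "EKS Pod Identity Agent").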
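Review bot: In the second hunk (`@@ -22,7 +24,7 @@`, under "Helm Install"), the added line "Refer [README.md in `charts`](./charts/eks-pod-identity-agent/README.md) for Helm installation." is missing "to" after "Refer"; suggest "Refer to the [README.md in `charts`](./charts/eks-pod-identity-agent/README.md) for Helm installation." The link text names `charts` while the target is `./charts/eks-pod-identity-agent/README.md`; making the text match the path would tell readers which README is meant.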