# My pod wants to access AWS resources — EKS Pod Identity association


## Pod identity association

```
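# Install the EKS Pod Identity agent addon into the cluster. This is the
# component that later serves credentials to pods on a link-local address.
eksctl create addon --cluster quick-cluster --name eks-pod-identity-agent

# Create the service account in the same namespace the association below
# targets (default). Without -n it lands in whatever namespace the current
# kubectl context points at, and the association would then match nothing.
kubectl create serviceaccount sa-buckets-man -n default

# Equivalent AWS CLI form, binding the SA to a pre-existing IAM role
# (the role's trust policy has to allow the EKS pod identity service
# principal to assume it):
# aws eks create-pod-identity-association \
#  --cluster-name quick-cluster \
#  --namespace default \
#  --service-account sa-buckets-man \
#  --role-arn arn:aws:iam::414514743156:role/pods-s3-reader
#
# currently blocked by SCP

# eksctl form: creates the IAM role for us (via CloudFormation) and the
# association in one go.
# NOTE(review): AmazonS3ReadOnlyAccess grants read on EVERY bucket in the
# account. Fine for a demo; for a real workload replace it with a
# customer-managed policy scoped to the specific buckets/prefixes needed.
eksctl create podidentityassociation \
    --cluster quick-cluster \
    --namespace default \
    --service-account-name sa-buckets-man \
    --permission-policy-arns="arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"

# while we wait go into the console and look at cloudformation and the role created

# Run a throwaway pod as that service account. Use serviceAccountName in the
# override: the bare "serviceAccount" PodSpec field is the deprecated alias.
# The "--" separates kubectl's own flags from the container command.
kubectl run -ti --rm buckets-test \
  --image=amazon/aws-cli \
  --overrides='{ "spec": { "serviceAccountName": "sa-buckets-man" } }' \
  --command -- bash

# from inside the pod container:
# first confirm WHICH identity the pod picked up (should be the pods-s3-reader
# style role eksctl created, not the node's instance role) ...
aws sts get-caller-identity
# ... then exercise the permission
aws s3api list-buckets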
```

Where does Pod Identity get its credentials from? The agent addon installed above serves them over a link-local address, authenticated with a token file that is mounted into the pod:

```
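# The pod identity agent injects AWS_CONTAINER_CREDENTIAL_FULL_URI and
# AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE into the pod; this is the same
# container-credential-provider mechanism the AWS SDKs and CLI consult, so
# the curl below reproduces what `aws` did for us above.
# The response contains the temporary credentials in the clear: anything that
# can read this pod's filesystem or exec into it gets the same credentials,
# so don't paste the output into logs, tickets or chat.
# The path expansion is quoted so an unset/odd value can't word-split.
curl -H "Authorization: $(cat "$AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE")"  http://169.254.170.23/v1/credentials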
```