AWS has shipped a significant enhancement to Amazon EKS Pod Identity with the introduction of session policies, enabling teams to apply dynamic, inline IAM permission scoping to Kubernetes workloads without creating additional IAM roles. Announced on March 24, 2026, this feature addresses one of the most common operational pain points in multi-tenant EKS clusters where workload permission requirements vary significantly.
The IAM Role Proliferation Problem
Before session policies, organizations running multi-tenant or multi-environment workloads on EKS faced a difficult architectural choice. To achieve different permission levels for pods running similar applications, teams either had to create separate IAM roles for each variation or grant overly broad permissions to shared roles. The first approach risks hitting the 5,000 IAM roles per account limit; the second violates the principle of least privilege.
Common scenarios exacerbating this problem included SaaS platforms where each tenant requires isolated access to specific resources, data processing workloads needing different S3 bucket or DynamoDB table permissions based on their function, and teams running multiple environments in the same cluster where pods need environment-scoped access without separate role proliferation.
How Session Policies Work
Session policies allow administrators to specify an inline IAM policy when creating or updating a Pod Identity association. These policies create an intersection with the IAM role’s permissions, restricting effective access to only what’s explicitly allowed in both policies. Organizations can maintain a smaller set of broader IAM roles while dynamically scoping permissions at the individual pod or namespace level.
For example, a pod associated with an IAM role having broad S3 permissions can be further restricted by a session policy allowing access only to specific bucket prefixes or objects matching tenant-specific patterns. This enables sophisticated access patterns like row-level security equivalents for object storage or environment-scoped DynamoDB access without managing dozens of nearly-identical IAM roles.
API Changes and Implementation
The enhancement introduces new optional parameters to the CreatePodIdentityAssociation and UpdatePodIdentityAssociation APIs. The policy parameter accepts an inline IAM policy document in JSON format, up to 2,048 characters. EKS validates the policy at API time, providing immediate feedback on formatting or syntax errors.
When using session policies with cross-account access patterns involving target roles, the session policy applies when assuming the target role through IAM role chaining. The source role only needs standard AssumeRole permission while the actual permission restrictions happen at the target role assumption point.
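To make the intersection semantics described above concrete, here is an added Python example (not AWS code) that builds a tenant-scoped session policy, enforces the 2,048-character limit on the inline document, and evaluates sample S3 requests against both the role policy and the session policy. The policy documents and the simplified Allow/Deny evaluator are constructed for illustration and cover only Action/Resource wildcard matching, not conditions, principals or the real STS evaluation chain.

```python
import fnmatch
import json

ROLE_POLICY = {  # constructed example: one broad role shared by every tenant's pods
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::shared-data", "arn:aws:s3:::shared-data/*"],
    }],
}

def tenant_session_policy(tenant: str) -> dict:
    """Session policy that narrows the shared role to one tenant's object prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::shared-data/tenants/{tenant}/*",
        }],
    }

def policy_document(policy: dict) -> str:
    """Serialise compactly and enforce the 2,048-character limit on the inline policy."""
    doc = json.dumps(policy, separators=(",", ":"))
    if len(doc) > 2048:
        raise ValueError(f"session policy is {len(doc)} characters; the limit is 2048")
    return doc

def _matches(patterns, value: str) -> bool:
    # IAM wildcards '*' and '?' map onto fnmatch; ARNs carry no '[' so no escaping is needed.
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policy: dict, action: str, resource: str) -> str:
    """Simplified IAM logic: an explicit Deny wins, then Allow, otherwise implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def effective_allow(role_policy: dict, session_policy: dict, action: str, resource: str) -> bool:
    """A request succeeds only if BOTH the role policy and the session policy allow it."""
    return (evaluate(role_policy, action, resource) == "Allow"
            and evaluate(session_policy, action, resource) == "Allow")
```

Note that the session policy can only narrow the role: a tenant's GetObject on its own prefix passes both checks, while ListBucket (allowed by the role, absent from the session policy) and any access to another tenant's prefix are refused.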
Important Constraints and Considerations
Session policies cannot be combined with session tags due to AWS STS policy size limits. When specifying a session policy, you must disable session tags using the disable-session-tags parameter. This tradeoff is usually acceptable for workloads where dynamic permission scoping matters more than tag-based access control.
Permission changes take effect after credential cache expiry, typically within 10-30 seconds. During this propagation window, pods continue to receive credentials with previous permissions, so plan updates accordingly and monitor CloudTrail for unauthorized access attempts during transitions.
Availability and Getting Started
Session policies for EKS Pod Identity are available in all AWS Commercial, GovCloud (US), and China Regions where EKS operates. The feature works with all supported Kubernetes versions. Existing Pod Identity associations can be updated in place to add session policies without application downtime.
Support is available through AWS CloudFormation, eksctl, AWS CLI, and the Amazon EKS API. Terraform AWS provider support is expected in the next minor release. This enhancement reinforces AWS’s commitment to practical, scalable authorization for multi-tenant Kubernetes environments.
