From 7a7c7ffef3cc8ad68f799d77b3f4f4ca2be89514 Mon Sep 17 00:00:00 2001
From: Tibi <110664232+TiberiuGC@users.noreply.github.com>
Date: Mon, 20 Nov 2023 11:51:12 +0200
Subject: [PATCH 1/9] Add documentation for pod identity associations

---
 examples/39-pod-identity-association.yaml     |  47 +++++
 userdocs/src/getting-started.md               |   2 +
 .../src/usage/pod-identity-associations.md    | 167 ++++++++++++++++++
 userdocs/theme/home.html                      |   1 +
 4 files changed, 217 insertions(+)
 create mode 100644 examples/39-pod-identity-association.yaml
 create mode 100644 userdocs/src/usage/pod-identity-associations.md

diff --git a/examples/39-pod-identity-association.yaml b/examples/39-pod-identity-association.yaml
new file mode 100644
index 0000000000..22523a750e
--- /dev/null
+++ b/examples/39-pod-identity-association.yaml
@@ -0,0 +1,47 @@
+# An example config for creating pod identity associations.
+---
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+
+metadata:
+  name: cluster-39
+  region: us-west-2
+
+managedNodeGroups:
+  - name: mng1
+
+iam:  
+  podIdentityAssociations: 
+  # roleARN is given, eksctl will only create the pod identity association 
+  - namespace: default
+    serviceAccountName: s3-reader
+    roleARN: arn:aws:iam::111122223333:role/role-1 
+
+  # roleARN is not given, eksctl will first create an IAM role with given roleName using:
+  # permissionPolicyARNs, wellKnownPolicies and permissionsBoundaryARN 
+  - namespace: dev
+    serviceAccountName: app-cache-access
+    roleName: pod-identity-role-app-cache
+    permissionPolicyARNs: ["arn:aws:iam::111122223333:policy/permission-policy-1", "arn:aws:iam::111122223333:policy/permission-policy-2"]
+    wellKnownPolicies:
+      autoScaler: true
+      externalDNS: true
+    permissionsBoundaryARN: arn:aws:iam::111122223333:policy/permission-boundary
+
+  # roleARN is not given, eksctl will first create an IAM role with automatically generated roleName,
+  # using the permissionPolicy inline document
+  - namespace: dev
+    serviceAccountName: nginx
+    permissionPolicy:
+      Version: "2012-10-17"
+      Statement:
+      - Effect: Allow
+        Action:
+        - "autoscaling:DescribeAutoScalingGroups"
+        - "autoscaling:DescribeAutoScalingInstances"
+        - "autoscaling:DescribeLaunchConfigurations"
+        - "autoscaling:DescribeTags"
+        - "autoscaling:SetDesiredCapacity"
+        - "autoscaling:TerminateInstanceInAutoScalingGroup"
+        - "ec2:DescribeLaunchTemplateVersions"
+        Resource: '*'
\ No newline at end of file
diff --git a/userdocs/src/getting-started.md b/userdocs/src/getting-started.md
index fefb363dfa..00966b5ce0 100644
--- a/userdocs/src/getting-started.md
+++ b/userdocs/src/getting-started.md
@@ -1,6 +1,8 @@
 # Getting started
 
 !!! tip "New for 2023"
+    `eksctl` now supportes configuring fine-grained permissions to EKS-running apps via [EKS Pod Identity Associations](/usage/pod-identity-as sociations)
+
     `eksctl` now supports [updating the subnets and security groups](/usage/cluster-subnets-security-groups) associated with the EKS control plane.
     
     `eksctl` now supports creating fully private clusters on [AWS Outposts](/usage/outposts).
diff --git a/userdocs/src/usage/pod-identity-associations.md b/userdocs/src/usage/pod-identity-associations.md
new file mode 100644
index 0000000000..c509b20b8a
--- /dev/null
+++ b/userdocs/src/usage/pod-identity-associations.md
@@ -0,0 +1,167 @@
+# EKS Pod Identity Associations
+
+## Introduction
+
+AWS EKS has introduced an enhanced mechanism for cluster administrators to configure Kubernetes applications to receive IAM permissions required to connect with AWS services outside of the cluster. As before, this mechanism, called Pod Identity Association, leverages IRSA, however, it makes it configurable directly through EKS API, eliminating the need for using IAM API altogether. 
+
+As a result, IAM roles no longer need to reference an [OIDC provider](/usage/iamserviceaccounts/#how-it-works) and hence won't be tied to a single cluster anymore. This means, IAM roles can now be used across multiple EKS clusters without the need to update the role trust policy each time a new cluster is created. This in turn, eliminates the need for role duplication and simplifies the process of automating IRSA altogether.
+
+## Prerequisites
+
+Creating pod identity associations requires the `eks-pod-identity-agent` addon pre-installed on the cluster. This addon can [be created using `eksctl`](/usage/addons/#creating-addons) in the same fashion it is used for creating any other supported addon.
+
+Additionally, if using a pre-existing IAM role when creating a pod identity association, the user must configure the role to trust the newly introduced EKS service principal (`eks-pods.amazonaws.com`). An example IAM trust policy can be found below:
+
+```
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+  			"Effect": "Allow",
+			"Action": [
+				"sts:AssumeRole",
+				"sts:TagSession"
+			],
+			"Principal": {
+	    		"Service": [
+	      			"eks-pods.amazonaws.com"
+				]
+	  		},
+		}
+	]
+}
+```
+
+If instead the user does not provide the ARN of an existing role to the create command, `eksctl` will create one behind the scenes and configure the above trust policy.
+
+## Creating Pod Identity Associations
+
+For manipulating pod identity associations, `eksctl` has added a new field under `iam.podIdentityAssociations`, e.g.
+
+```yaml
+iam:  
+  podIdentityAssociations: 
+  - namespace: <string> #required
+    serviceAccountName: <string> #required
+    roleARN: <string> #required if none of permissionPolicyARNs, permissionPolicy and wellKnownPolicies is specified. Also, cannot be used together with any of the three other referenced fields.
+    roleName: <string> #optional, generated automatically if not provided, ignored if roleARN is provided
+    permissionPolicy: {} #optional
+    permissionPolicyARNs: [] #optional
+    wellKnownPolicies: {} #optional
+    permissionsBoundaryARN: <string> #optional
+    tags: {} #optional
+```
+
+For a complete example, refer to [pod-identity-associations.yaml](https://github.com/eksctl-io/eksctl/blob/main/examples/38-cluster-subnets-sgs.yaml).
+
+???+ note
+    Apart from `permissionPolicy` which is used as an inline policy document, all other fields have a CLI flag counterpart.
+
+Creating pod identity associations can be achieved in the following ways. During cluster creation, by specifying the desired pod identity associations as part of the config file and running:
+
+```
+eksctl create cluster -f config.yaml
+```
+
+Post cluster creation, using either a config file e.g.
+
+```
+eksctl create podidentityassociation -f config.yaml
+```
+
+OR using CLI flags e.g.
+
+```
+eksctl create podidentityassociation \
+    --cluster my-cluster \
+    --namespace default \
+    --service-account-name s3-reader \
+    --permission-policy-arns="arn:aws:iam::111122223333:policy/permission-policy-1, arn:aws:iam::111122223333:policy/permission-policy-2"
+    --well-known-policies="autoScaler,externalDNS" \
+    --permissions-boundary-arn arn:aws:iam::111122223333:policy/boundary-policy
+``` 
+```
+
+
+
+???+ note
+    Only a single IAM role can be associated to a service account at a time. Therefore, trying to create a second pod identity associations for the same service account will result in an error.
+
+## Fetching Pod Identity Associations
+
+The user can retrieve all pod identity associations for a certain cluster by running one of the following:
+
+```
+eksctl get podidentityassociation -f config.yaml
+```
+
+OR
+
+```
+eksctl get podidentityassociation --cluster my-cluster
+```
+
+Additionaly, to retrieve only the pod identity associations withing a given namespace, use the `--namespace` flag, e.g.
+
+```
+eksctl get podidentityassociation --cluster my-cluster --namespace default
+```
+
+And finally, to retrieve a single association, corresponding to a certain K8s service account, also include the `--service-account-name` to the command above, i.e.
+
+```
+eksctl get podidentityassociation --cluster my-cluster --namespace default --service-account-name s3-reader
+```
+
+## Updating Pod Identity Associations
+
+To update the IAM role of one or more pod identity associations, either pass the new `roleARN(s)` to the config file e.g.
+
+```yaml
+podIdentityAssociations:
+    - namespace: default
+      serviceAccountName: s3-reader
+      roleARN: new-role-arn-1
+    - namespace: dev
+      serviceAccountName: app-cache-access
+      roleARN: new-role-arn-2
+```
+
+and run:
+
+```
+eksctl update podidentityassociation -f config.yaml
+```
+
+OR (to update a single association) pass the new `--role-arn` via CLI flags:
+
+```
+eksctl update podidentityassociation --cluster my-cluster --namespace default --service-account-name s3-reader --role-arn new-role-arn
+```
+
+## Deleting Pod Identity Associations
+
+To delete one or more pod identity associations, either pass `namespace(s)` and `serviceAccountName(s)` to the config file e.g.
+
+```yaml
+podIdentityAssociations:
+    - namespace: default
+      serviceAccountName: s3-reader
+    - namespace: dev
+      serviceAccountName: app-cache-access
+```
+
+and run:
+
+```
+eksctl delete podidentityassociation -f config.yaml
+```
+
+OR (to delete a single association) pass the `--namespace` and `--service-account-name` via CLI flags:
+
+```
+eksctl delete podidentityassociation --cluster my-cluster --namespace default --service-account-name s3-reader 
+```
+
+## Further references
+
diff --git a/userdocs/theme/home.html b/userdocs/theme/home.html
index c7e990f079..920ad86b06 100644
--- a/userdocs/theme/home.html
+++ b/userdocs/theme/home.html
@@ -541,6 +541,7 @@ <h2><code>eksctl create cluster</code></h2>
                         <a href="/usage/outposts" tabindex="-1" title="Usage Outposts"><img src="assets/images/outposts.png" alt="Usage Outposts" loading="lazy"></a>
                         <figcaption class="md-typeset">
                             <h2>New for {{ build_date_utc.strftime('%Y') }}</h2>
+                            <p>Configuring fine-grained permissions to EKS-running apps via <a href="/usage/pod-identity-association">EKS Pod Identity Associations</a>.</p>
                             <p>Creating fully private clusters on <a href="/usage/outposts">AWS Outposts</a>.</p> 
                             <p>Supported Regions - Zurich (<code>eu-central-2</code>), 
                                     Spain (<code>eu-south-2</code>), 

From 78023db00202e5009d7477391c0d722ac246424f Mon Sep 17 00:00:00 2001
From: Tibi <110664232+TiberiuGC@users.noreply.github.com>
Date: Mon, 20 Nov 2023 15:51:21 +0200
Subject: [PATCH 2/9] add more details to how pod identity agent addon works

---
 examples/39-pod-identity-association.yaml       | 3 +++
 userdocs/src/usage/pod-identity-associations.md | 8 ++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/examples/39-pod-identity-association.yaml b/examples/39-pod-identity-association.yaml
index 22523a750e..e5d5d36634 100644
--- a/examples/39-pod-identity-association.yaml
+++ b/examples/39-pod-identity-association.yaml
@@ -10,6 +10,9 @@ metadata:
 managedNodeGroups:
   - name: mng1
 
+addons:
+  name: eks-pod-identity-agent
+
 iam:  
   podIdentityAssociations: 
   # roleARN is given, eksctl will only create the pod identity association 
diff --git a/userdocs/src/usage/pod-identity-associations.md b/userdocs/src/usage/pod-identity-associations.md
index c509b20b8a..daa32bdb5a 100644
--- a/userdocs/src/usage/pod-identity-associations.md
+++ b/userdocs/src/usage/pod-identity-associations.md
@@ -8,7 +8,11 @@ As a result, IAM roles no longer need to reference an [OIDC provider](/usage/iam
 
 ## Prerequisites
 
-Creating pod identity associations requires the `eks-pod-identity-agent` addon pre-installed on the cluster. This addon can [be created using `eksctl`](/usage/addons/#creating-addons) in the same fashion it is used for creating any other supported addon.
+Behind the scenes, the implementation of pod identity associations is running an agent as a daemonset on the worker nodes. To run the pre-requisite agent on the cluster, EKS provides a new add-on called EKS Pod Identity Agent. Therefore, creating pod identity associations (with `eksctl`) requires the `eks-pod-identity-agent` addon pre-installed on the cluster. This addon can be [created using `eksctl`](/usage/addons/#creating-addons) in the same fashion any other supported addon is, e.g.
+
+```
+eksctl create addon --cluster my-cluster --name eks-pod-identity-agent
+```
 
 Additionally, if using a pre-existing IAM role when creating a pod identity association, the user must configure the role to trust the newly introduced EKS service principal (`eks-pods.amazonaws.com`). An example IAM trust policy can be found below:
 
@@ -78,7 +82,7 @@ eksctl create podidentityassociation \
     --service-account-name s3-reader \
     --permission-policy-arns="arn:aws:iam::111122223333:policy/permission-policy-1, arn:aws:iam::111122223333:policy/permission-policy-2"
     --well-known-policies="autoScaler,externalDNS" \
-    --permissions-boundary-arn arn:aws:iam::111122223333:policy/boundary-policy
+    --permissions-boundary-arn arn:aws:iam::111122223333:policy/permissions-boundary
 ``` 
 ```
 

From c5f90b88d754d066e8a3402125fc5a904c7c9663 Mon Sep 17 00:00:00 2001
From: Tibi <110664232+TiberiuGC@users.noreply.github.com>
Date: Mon, 20 Nov 2023 15:58:09 +0200
Subject: [PATCH 3/9] remove unnecessary empty lines

---
 userdocs/src/usage/pod-identity-associations.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/userdocs/src/usage/pod-identity-associations.md b/userdocs/src/usage/pod-identity-associations.md
index daa32bdb5a..ace91c19d1 100644
--- a/userdocs/src/usage/pod-identity-associations.md
+++ b/userdocs/src/usage/pod-identity-associations.md
@@ -86,8 +86,6 @@ eksctl create podidentityassociation \
 ``` 
 ```
 
-
-
 ???+ note
     Only a single IAM role can be associated to a service account at a time. Therefore, trying to create a second pod identity associations for the same service account will result in an error.
 
@@ -169,3 +167,4 @@ eksctl delete podidentityassociation --cluster my-cluster --namespace default --
 
 ## Further references
 
+TBD AWS Official Docs
\ No newline at end of file

From 6b1a7361f7b4ad694db4c980a33ef2026d3ac0b0 Mon Sep 17 00:00:00 2001
From: Tibi <110664232+TiberiuGC@users.noreply.github.com>
Date: Fri, 24 Nov 2023 11:18:45 +0200
Subject: [PATCH 4/9] refactor as per PR suggestions

---
 examples/39-pod-identity-association.yaml     |  4 +-
 userdocs/src/getting-started.md               |  2 +-
 .../src/usage/pod-identity-associations.md    | 53 +++++++++----------
 userdocs/theme/home.html                      |  2 +-
 4 files changed, 31 insertions(+), 30 deletions(-)

diff --git a/examples/39-pod-identity-association.yaml b/examples/39-pod-identity-association.yaml
index e5d5d36634..65bbceca3d 100644
--- a/examples/39-pod-identity-association.yaml
+++ b/examples/39-pod-identity-association.yaml
@@ -11,7 +11,9 @@ managedNodeGroups:
   - name: mng1
 
 addons:
-  name: eks-pod-identity-agent
+  - name: eks-pod-identity-agent # required for `iam.podIdentityAssociations`
+    tags:
+      team: eks
 
 iam:  
   podIdentityAssociations: 
diff --git a/userdocs/src/getting-started.md b/userdocs/src/getting-started.md
index 00966b5ce0..b6eb765939 100644
--- a/userdocs/src/getting-started.md
+++ b/userdocs/src/getting-started.md
@@ -1,7 +1,7 @@
 # Getting started
 
 !!! tip "New for 2023"
-    `eksctl` now supportes configuring fine-grained permissions to EKS-running apps via [EKS Pod Identity Associations](/usage/pod-identity-as sociations)
+    `eksctl` now supports configuring fine-grained permissions to EKS running apps via [EKS Pod Identity Associations](/usage/pod-identity-associations)
 
     `eksctl` now supports [updating the subnets and security groups](/usage/cluster-subnets-security-groups) associated with the EKS control plane.
     
diff --git a/userdocs/src/usage/pod-identity-associations.md b/userdocs/src/usage/pod-identity-associations.md
index ace91c19d1..e6728ae7e0 100644
--- a/userdocs/src/usage/pod-identity-associations.md
+++ b/userdocs/src/usage/pod-identity-associations.md
@@ -14,29 +14,27 @@ Behind the scenes, the implementation of pod identity associations is running an
 eksctl create addon --cluster my-cluster --name eks-pod-identity-agent
 ```
 
-Additionally, if using a pre-existing IAM role when creating a pod identity association, the user must configure the role to trust the newly introduced EKS service principal (`eks-pods.amazonaws.com`). An example IAM trust policy can be found below:
+Additionally, if using a pre-existing IAM role when creating a pod identity association, you must configure the role to trust the newly introduced EKS service principal (`pods.eks.amazonaws.com`). An example IAM trust policy can be found below:
 
-```
+```json
 {
-	"Version": "2012-10-17",
-	"Statement": [
-		{
-  			"Effect": "Allow",
-			"Action": [
-				"sts:AssumeRole",
-				"sts:TagSession"
-			],
-			"Principal": {
-	    		"Service": [
-	      			"eks-pods.amazonaws.com"
-				]
-	  		},
-		}
-	]
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "pods.eks.amazonaws.com"
+            },
+            "Action": [
+                "sts:AssumeRole",
+                "sts:TagSession"
+            ]
+        }
+    ]
 }
 ```
 
-If instead the user does not provide the ARN of an existing role to the create command, `eksctl` will create one behind the scenes and configure the above trust policy.
+If instead you do not provide the ARN of an existing role to the create command, `eksctl` will create one behind the scenes and configure the above trust policy.
 
 ## Creating Pod Identity Associations
 
@@ -75,23 +73,22 @@ eksctl create podidentityassociation -f config.yaml
 
 OR using CLI flags e.g.
 
-```
+```bash
 eksctl create podidentityassociation \
     --cluster my-cluster \
     --namespace default \
     --service-account-name s3-reader \
-    --permission-policy-arns="arn:aws:iam::111122223333:policy/permission-policy-1, arn:aws:iam::111122223333:policy/permission-policy-2"
+    --permission-policy-arns="arn:aws:iam::111122223333:policy/permission-policy-1, arn:aws:iam::111122223333:policy/permission-policy-2" \
     --well-known-policies="autoScaler,externalDNS" \
     --permissions-boundary-arn arn:aws:iam::111122223333:policy/permissions-boundary
-``` 
 ```
 
 ???+ note
-    Only a single IAM role can be associated to a service account at a time. Therefore, trying to create a second pod identity associations for the same service account will result in an error.
+    Only a single IAM role can be associated with a service account at a time. Therefore, trying to create a second pod identity association for the same service account will result in an error.
 
 ## Fetching Pod Identity Associations
 
-The user can retrieve all pod identity associations for a certain cluster by running one of the following:
+To retrieve all pod identity associations for a certain cluster, run one of the following commands:
 
 ```
 eksctl get podidentityassociation -f config.yaml
@@ -103,13 +100,13 @@ OR
 eksctl get podidentityassociation --cluster my-cluster
 ```
 
-Additionaly, to retrieve only the pod identity associations withing a given namespace, use the `--namespace` flag, e.g.
+Additionally, to retrieve only the pod identity associations within a given namespace, use the `--namespace` flag, e.g.
 
 ```
 eksctl get podidentityassociation --cluster my-cluster --namespace default
 ```
 
-And finally, to retrieve a single association, corresponding to a certain K8s service account, also include the `--service-account-name` to the command above, i.e.
+Finally, to retrieve a single association, corresponding to a certain K8s service account, also include the `--service-account-name` to the command above, i.e.
 
 ```
 eksctl get podidentityassociation --cluster my-cluster --namespace default --service-account-name s3-reader
@@ -120,7 +117,8 @@ eksctl get podidentityassociation --cluster my-cluster --namespace default --ser
 To update the IAM role of one or more pod identity associations, either pass the new `roleARN(s)` to the config file e.g.
 
 ```yaml
-podIdentityAssociations:
+iam:
+  podIdentityAssociations:
     - namespace: default
       serviceAccountName: s3-reader
       roleARN: new-role-arn-1
@@ -146,7 +144,8 @@ eksctl update podidentityassociation --cluster my-cluster --namespace default --
 To delete one or more pod identity associations, either pass `namespace(s)` and `serviceAccountName(s)` to the config file e.g.
 
 ```yaml
-podIdentityAssociations:
+iam:
+  podIdentityAssociations:
     - namespace: default
       serviceAccountName: s3-reader
     - namespace: dev
diff --git a/userdocs/theme/home.html b/userdocs/theme/home.html
index 920ad86b06..aa2d553503 100644
--- a/userdocs/theme/home.html
+++ b/userdocs/theme/home.html
@@ -541,7 +541,7 @@ <h2><code>eksctl create cluster</code></h2>
                         <a href="/usage/outposts" tabindex="-1" title="Usage Outposts"><img src="assets/images/outposts.png" alt="Usage Outposts" loading="lazy"></a>
                         <figcaption class="md-typeset">
                             <h2>New for {{ build_date_utc.strftime('%Y') }}</h2>
-                            <p>Configuring fine-grained permissions to EKS-running apps via <a href="/usage/pod-identity-association">EKS Pod Identity Associations</a>.</p>
+                            <p>Configuring fine-grained permissions to EKS running apps via <a href="/usage/pod-identity-association">EKS Pod Identity Associations</a>.</p>
                             <p>Creating fully private clusters on <a href="/usage/outposts">AWS Outposts</a>.</p> 
                             <p>Supported Regions - Zurich (<code>eu-central-2</code>), 
                                     Spain (<code>eu-south-2</code>), 

From 774edbaca4856fbded27f6f21184fcada5d21c43 Mon Sep 17 00:00:00 2001
From: Tibi <110664232+TiberiuGC@users.noreply.github.com>
Date: Mon, 27 Nov 2023 08:12:13 +0200
Subject: [PATCH 5/9] add references to official AWS docs

---
 userdocs/src/usage/pod-identity-associations.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/userdocs/src/usage/pod-identity-associations.md b/userdocs/src/usage/pod-identity-associations.md
index e6728ae7e0..3deb58799e 100644
--- a/userdocs/src/usage/pod-identity-associations.md
+++ b/userdocs/src/usage/pod-identity-associations.md
@@ -166,4 +166,5 @@ eksctl delete podidentityassociation --cluster my-cluster --namespace default --
 
 ## Further references
 
-TBD AWS Official Docs
\ No newline at end of file
+[Official AWS Blog Post](https://aws.amazon.com/blogs/aws/amazon-eks-pod-identity-simplifies-iam-permissions-for-applications-on-amazon-eks-clusters/)
+[Official AWS userdocs](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html)
\ No newline at end of file

From 5bdbf5d8600cc2a5b7d3e98cdd11168c0b8d95c8 Mon Sep 17 00:00:00 2001
From: Tibi <110664232+TiberiuGC@users.noreply.github.com>
Date: Mon, 27 Nov 2023 13:26:05 +0200
Subject: [PATCH 6/9] generate docs

---
 userdocs/mkdocs.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/userdocs/mkdocs.yml b/userdocs/mkdocs.yml
index 6ce84d4a44..5578b255a7 100644
--- a/userdocs/mkdocs.yml
+++ b/userdocs/mkdocs.yml
@@ -187,6 +187,7 @@ nav:
       - usage/iam-policies.md
       - usage/iam-identity-mappings.md
       - usage/iamserviceaccounts.md
+      - usage/pod-identity-associations.md
     - usage/dry-run.md
     - usage/schema.md
     - usage/eksctl-anywhere.md

From 366cc3f85a2d570fd37def0e9cc365571bdf1a54 Mon Sep 17 00:00:00 2001
From: Tibi <110664232+TiberiuGC@users.noreply.github.com>
Date: Mon, 27 Nov 2023 15:56:56 +0200
Subject: [PATCH 7/9] rephrase intro

Co-authored-by: Himangini <its_himangini@yahoo.com>
---
 userdocs/src/usage/pod-identity-associations.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/userdocs/src/usage/pod-identity-associations.md b/userdocs/src/usage/pod-identity-associations.md
index 3deb58799e..1cf6ff51c1 100644
--- a/userdocs/src/usage/pod-identity-associations.md
+++ b/userdocs/src/usage/pod-identity-associations.md
@@ -2,7 +2,7 @@
 
 ## Introduction
 
-AWS EKS has introduced an enhanced mechanism for cluster administrators to configure Kubernetes applications to receive IAM permissions required to connect with AWS services outside of the cluster. As before, this mechanism, called Pod Identity Association, leverages IRSA, however, it makes it configurable directly through EKS API, eliminating the need for using IAM API altogether. 
+AWS EKS has introduced a new enhanced mechanism called Pod Identity Association for cluster administrators to configure Kubernetes applications to receive IAM permissions required to connect with AWS services outside of the cluster. Pod Identity Association leverages IRSA however, it makes it configurable directly through EKS API, eliminating the need for using IAM API altogether. 
 
 As a result, IAM roles no longer need to reference an [OIDC provider](/usage/iamserviceaccounts/#how-it-works) and hence won't be tied to a single cluster anymore. This means, IAM roles can now be used across multiple EKS clusters without the need to update the role trust policy each time a new cluster is created. This in turn, eliminates the need for role duplication and simplifies the process of automating IRSA altogether.
 

From 8a373f74bf140f6afa812299d45466926ce3f31c Mon Sep 17 00:00:00 2001
From: Tibi <110664232+TiberiuGC@users.noreply.github.com>
Date: Mon, 27 Nov 2023 15:57:07 +0200
Subject: [PATCH 8/9] rephrase news section

Co-authored-by: Himangini <its_himangini@yahoo.com>
---
 userdocs/theme/home.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/userdocs/theme/home.html b/userdocs/theme/home.html
index aa2d553503..3c8790cdfd 100644
--- a/userdocs/theme/home.html
+++ b/userdocs/theme/home.html
@@ -541,7 +541,7 @@ <h2><code>eksctl create cluster</code></h2>
                         <a href="/usage/outposts" tabindex="-1" title="Usage Outposts"><img src="assets/images/outposts.png" alt="Usage Outposts" loading="lazy"></a>
                         <figcaption class="md-typeset">
                             <h2>New for {{ build_date_utc.strftime('%Y') }}</h2>
-                            <p>Configuring fine-grained permissions to EKS running apps via <a href="/usage/pod-identity-association">EKS Pod Identity Associations</a>.</p>
+                            <p>Configuring fine-grained permissions to EKS running apps via <a href="/usage/pod-identity-associations">EKS Pod Identity Associations</a>.</p>
                             <p>Creating fully private clusters on <a href="/usage/outposts">AWS Outposts</a>.</p> 
                             <p>Supported Regions - Zurich (<code>eu-central-2</code>), 
                                     Spain (<code>eu-south-2</code>), 

From e365a89db24ed3739a5d8ac9c655576bf222926e Mon Sep 17 00:00:00 2001
From: Tibi <110664232+TiberiuGC@users.noreply.github.com>
Date: Mon, 27 Nov 2023 16:02:34 +0200
Subject: [PATCH 9/9] add newline between docs links

---
 userdocs/src/usage/pod-identity-associations.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/userdocs/src/usage/pod-identity-associations.md b/userdocs/src/usage/pod-identity-associations.md
index 1cf6ff51c1..e0ccd99423 100644
--- a/userdocs/src/usage/pod-identity-associations.md
+++ b/userdocs/src/usage/pod-identity-associations.md
@@ -167,4 +167,5 @@ eksctl delete podidentityassociation --cluster my-cluster --namespace default --
 ## Further references
 
 [Official AWS Blog Post](https://aws.amazon.com/blogs/aws/amazon-eks-pod-identity-simplifies-iam-permissions-for-applications-on-amazon-eks-clusters/)
+
 [Official AWS userdocs](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html)
\ No newline at end of file