aws_sdk_eks/client/create_access_entry.rs
// Code generated by software.amazon.smithy.rust.codegen.smithy-rs. DO NOT EDIT.
impl super::Client {
    /// Constructs a fluent builder for the [`CreateAccessEntry`](crate::operation::create_access_entry::builders::CreateAccessEntryFluentBuilder) operation.
    ///
    /// - The fluent builder is configurable:
    ///   - [`cluster_name(impl Into<String>)`](crate::operation::create_access_entry::builders::CreateAccessEntryFluentBuilder::cluster_name) / [`set_cluster_name(Option<String>)`](crate::operation::create_access_entry::builders::CreateAccessEntryFluentBuilder::set_cluster_name):<br>required: **true**<br><p>The name of your cluster.</p><br>
    ///   - [`principal_arn(impl Into<String>)`](crate::operation::create_access_entry::builders::CreateAccessEntryFluentBuilder::principal_arn) / [`set_principal_arn(Option<String>)`](crate::operation::create_access_entry::builders::CreateAccessEntryFluentBuilder::set_principal_arn):<br>required: **true**<br><p>The ARN of the IAM principal for the <code>AccessEntry</code>. You can specify one ARN for each access entry. You can't specify the same ARN in more than one access entry. This value can't be changed after access entry creation.</p> <p>The valid principals differ depending on the type of the access entry in the <code>type</code> field. For <code>STANDARD</code> access entries, you can use every IAM principal type. For nodes (<code>EC2</code> (for EKS Auto Mode), <code>EC2_LINUX</code>, <code>EC2_WINDOWS</code>, <code>FARGATE_LINUX</code>, and <code>HYBRID_LINUX</code>), the only valid ARN is IAM roles. You can't use the STS session principal type with access entries because this is a temporary principal for each session and not a permanent identity that can be assigned permissions.</p> <p><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp">IAM best practices</a> recommend using IAM roles with temporary credentials, rather than IAM users with long-term credentials.</p><br>
    ///   - [`kubernetes_groups(impl Into<String>)`](crate::operation::create_access_entry::builders::CreateAccessEntryFluentBuilder::kubernetes_groups) / [`set_kubernetes_groups(Option<Vec::<String>>)`](crate::operation::create_access_entry::builders::CreateAccessEntryFluentBuilder::set_kubernetes_groups):<br>required: **false**<br><p>The value for <code>name</code> that you've specified for <code>kind: Group</code> as a <code>subject</code> in a Kubernetes <code>RoleBinding</code> or <code>ClusterRoleBinding</code> object. Amazon EKS doesn't confirm that the value for <code>name</code> exists in any bindings on your cluster. You can specify one or more names.</p> <p>Kubernetes authorizes the <code>principalArn</code> of the access entry to access any cluster objects that you've specified in a Kubernetes <code>Role</code> or <code>ClusterRole</code> object that is also specified in a binding's <code>roleRef</code>. For more information about creating Kubernetes <code>RoleBinding</code>, <code>ClusterRoleBinding</code>, <code>Role</code>, or <code>ClusterRole</code> objects, see <a href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/">Using RBAC Authorization in the Kubernetes documentation</a>.</p> <p>If you want Amazon EKS to authorize the <code>principalArn</code> (instead of, or in addition to Kubernetes authorizing the <code>principalArn</code>), you can associate one or more access policies to the access entry using <code>AssociateAccessPolicy</code>. If you associate any access policies, the <code>principalARN</code> has all permissions assigned in the associated access policies and all permissions in any Kubernetes <code>Role</code> or <code>ClusterRole</code> objects that the group names are bound to.</p><br>
    ///   - [`tags(impl Into<String>, impl Into<String>)`](crate::operation::create_access_entry::builders::CreateAccessEntryFluentBuilder::tags) / [`set_tags(Option<HashMap::<String, String>>)`](crate::operation::create_access_entry::builders::CreateAccessEntryFluentBuilder::set_tags):<br>required: **false**<br><p>Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.</p><br>
    ///   - [`client_request_token(impl Into<String>)`](crate::operation::create_access_entry::builders::CreateAccessEntryFluentBuilder::client_request_token) / [`set_client_request_token(Option<String>)`](crate::operation::create_access_entry::builders::CreateAccessEntryFluentBuilder::set_client_request_token):<br>required: **false**<br><p>A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.</p><br>
    ///   - [`username(impl Into<String>)`](crate::operation::create_access_entry::builders::CreateAccessEntryFluentBuilder::username) / [`set_username(Option<String>)`](crate::operation::create_access_entry::builders::CreateAccessEntryFluentBuilder::set_username):<br>required: **false**<br><p>The username to authenticate to Kubernetes with. We recommend not specifying a username and letting Amazon EKS specify it for you. For more information about the value Amazon EKS specifies for you, or constraints before specifying your own username, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html#creating-access-entries">Creating access entries</a> in the <i>Amazon EKS User Guide</i>.</p><br>
    ///   - [`r#type(impl Into<String>)`](crate::operation::create_access_entry::builders::CreateAccessEntryFluentBuilder::type) / [`set_type(Option<String>)`](crate::operation::create_access_entry::builders::CreateAccessEntryFluentBuilder::set_type):<br>required: **false**<br><p>The type of the new access entry. Valid values are <code>STANDARD</code>, <code>FARGATE_LINUX</code>, <code>EC2_LINUX</code>, <code>EC2_WINDOWS</code>, <code>EC2</code> (for EKS Auto Mode), <code>HYBRID_LINUX</code>, and <code>HYPERPOD_LINUX</code>.</p> <p>If the <code>principalArn</code> is for an IAM role that's used for self-managed Amazon EC2 nodes, specify <code>EC2_LINUX</code> or <code>EC2_WINDOWS</code>. Amazon EKS grants the necessary permissions to the node for you. If the <code>principalArn</code> is for any other purpose, specify <code>STANDARD</code>. If you don't specify a value, Amazon EKS sets the value to <code>STANDARD</code>. If you have the access mode of the cluster set to <code>API_AND_CONFIG_MAP</code>, it's unnecessary to create access entries for IAM roles used with Fargate profiles or managed Amazon EC2 nodes, because Amazon EKS creates entries in the <code>aws-auth</code> <code>ConfigMap</code> for the roles. You can't change this value once you've created the access entry.</p> <p>If you set the value to <code>EC2_LINUX</code> or <code>EC2_WINDOWS</code>, you can't specify values for <code>kubernetesGroups</code>, or associate an <code>AccessPolicy</code> to the access entry.</p><br>
    /// - On success, responds with [`CreateAccessEntryOutput`](crate::operation::create_access_entry::CreateAccessEntryOutput) with field(s):
    ///   - [`access_entry(Option<AccessEntry>)`](crate::operation::create_access_entry::CreateAccessEntryOutput::access_entry): <p>An access entry allows an IAM principal (user or role) to access your cluster. Access entries can replace the need to maintain the <code>aws-auth</code> <code>ConfigMap</code> for authentication. For more information about access entries, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html">Access entries</a> in the <i>Amazon EKS User Guide</i>.</p>
    /// - On failure, responds with [`SdkError<CreateAccessEntryError>`](crate::operation::create_access_entry::CreateAccessEntryError)
    pub fn create_access_entry(&self) -> crate::operation::create_access_entry::builders::CreateAccessEntryFluentBuilder {
        crate::operation::create_access_entry::builders::CreateAccessEntryFluentBuilder::new(self.handle.clone())
    }
}
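
A client-side preflight for the constraints documented above (STS session principals rejected, node types limited to IAM role ARNs, no `kubernetesGroups` on `EC2_LINUX` or `EC2_WINDOWS`), written as an added example that is not part of the generated SDK. `Request`, `Violation` and `preflight` are hypothetical names, and the ARNs are constructed samples.

```rust
#[derive(Debug, PartialEq)]
pub enum Violation {
    MalformedArn, StsSessionPrincipal, NotIamPrincipal,
    UnknownType, NodeTypeRequiresRole, GroupsNotAllowed,
}

// Hypothetical mirror of the builder inputs that the documented rules touch.
pub struct Request<'a> {
    pub principal_arn: &'a str,
    pub entry_type: Option<&'a str>,
    pub kubernetes_groups: &'a [&'a str],
}

// Types for which the doc comment says the only valid ARN is an IAM role.
const ROLE_ONLY: [&str; 5] = ["EC2", "EC2_LINUX", "EC2_WINDOWS", "FARGATE_LINUX", "HYBRID_LINUX"];
// Remaining valid values of `type`; the page states no principal rule for HYPERPOD_LINUX.
const OTHER_TYPES: [&str; 2] = ["STANDARD", "HYPERPOD_LINUX"];

pub fn preflight(req: &Request) -> Vec<Violation> {
    let mut found = Vec::new();
    // ARN layout: arn:partition:service:region:account-id:resource
    let f: Vec<&str> = req.principal_arn.splitn(6, ':').collect();
    if f.len() != 6 || f[0] != "arn" || f[5].is_empty() {
        return vec![Violation::MalformedArn];
    }
    match f[2] {
        "iam" => {}
        // Temporary per-session principal, not a permanent identity.
        "sts" => found.push(Violation::StsSessionPrincipal),
        _ => found.push(Violation::NotIamPrincipal),
    }
    // An omitted type is set to STANDARD by Amazon EKS.
    let ty = req.entry_type.unwrap_or("STANDARD");
    if !ROLE_ONLY.contains(&ty) && !OTHER_TYPES.contains(&ty) {
        found.push(Violation::UnknownType);
    }
    if ROLE_ONLY.contains(&ty) && !(f[2] == "iam" && f[5].starts_with("role/")) {
        found.push(Violation::NodeTypeRequiresRole);
    }
    if (ty == "EC2_LINUX" || ty == "EC2_WINDOWS") && !req.kubernetes_groups.is_empty() {
        found.push(Violation::GroupsNotAllowed);
    }
    found
}

fn main() {
    // Constructed sample: an IAM user ARN submitted as a self-managed node entry.
    let req = Request { principal_arn: "arn:aws:iam::111122223333:user/alice", entry_type: Some("EC2_LINUX"), kubernetes_groups: &["system:nodes"] };
    println!("{:?}", preflight(&req));
}
```

The uniqueness rule (one access entry per ARN) depends on cluster state and is not covered by this local check.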