// Code generated by software.amazon.smithy.rust.codegen.smithy-rs. DO NOT EDIT.
pub use crate::operation::update_pod_identity_association::_update_pod_identity_association_input::UpdatePodIdentityAssociationInputBuilder;
pub use crate::operation::update_pod_identity_association::_update_pod_identity_association_output::UpdatePodIdentityAssociationOutputBuilder;
impl crate::operation::update_pod_identity_association::builders::UpdatePodIdentityAssociationInputBuilder {
/// Sends a request with this input using the given client.
pub async fn send_with(
self,
client: &crate::Client,
) -> ::std::result::Result<
crate::operation::update_pod_identity_association::UpdatePodIdentityAssociationOutput,
::aws_smithy_runtime_api::client::result::SdkError<
crate::operation::update_pod_identity_association::UpdatePodIdentityAssociationError,
::aws_smithy_runtime_api::client::orchestrator::HttpResponse,
>,
> {
let mut fluent_builder = client.update_pod_identity_association();
fluent_builder.inner = self;
fluent_builder.send().await
}
}
/// Fluent builder constructing a request to `UpdatePodIdentityAssociation`.
///
/// <p>Updates a EKS Pod Identity association. In an update, you can change the IAM role, the target IAM role, or <code>disableSessionTags</code>. You must change at least one of these in an update. An association can't be moved between clusters, namespaces, or service accounts. If you need to edit the namespace or service account, you need to delete the association and then create a new association with your desired settings.</p>
/// <p>Similar to Amazon Web Services IAM behavior, EKS Pod Identity associations are eventually consistent, and may take several seconds to be effective after the initial API call returns successfully. You must design your applications to account for these potential delays. We recommend that you don’t include association create/updates in the critical, high-availability code paths of your application. Instead, make changes in a separate initialization or setup routine that you run less frequently.</p>
/// <p>You can set a <i>target IAM role</i> in the same or a different account for advanced scenarios. With a target role, EKS Pod Identity automatically performs two role assumptions in sequence: first assuming the role in the association that is in this account, then using those credentials to assume the target IAM role. This process provides your Pod with temporary credentials that have the permissions defined in the target role, allowing secure access to resources in another Amazon Web Services account.</p>
#[derive(::std::clone::Clone, ::std::fmt::Debug)]
pub struct UpdatePodIdentityAssociationFluentBuilder {
handle: ::std::sync::Arc<crate::client::Handle>,
inner: crate::operation::update_pod_identity_association::builders::UpdatePodIdentityAssociationInputBuilder,
config_override: ::std::option::Option<crate::config::Builder>,
}
impl
crate::client::customize::internal::CustomizableSend<
crate::operation::update_pod_identity_association::UpdatePodIdentityAssociationOutput,
crate::operation::update_pod_identity_association::UpdatePodIdentityAssociationError,
> for UpdatePodIdentityAssociationFluentBuilder
{
fn send(
self,
config_override: crate::config::Builder,
) -> crate::client::customize::internal::BoxFuture<
crate::client::customize::internal::SendResult<
crate::operation::update_pod_identity_association::UpdatePodIdentityAssociationOutput,
crate::operation::update_pod_identity_association::UpdatePodIdentityAssociationError,
>,
> {
::std::boxed::Box::pin(async move { self.config_override(config_override).send().await })
}
}
impl UpdatePodIdentityAssociationFluentBuilder {
/// Creates a new `UpdatePodIdentityAssociationFluentBuilder`.
pub(crate) fn new(handle: ::std::sync::Arc<crate::client::Handle>) -> Self {
Self {
handle,
inner: ::std::default::Default::default(),
config_override: ::std::option::Option::None,
}
}
/// Access the UpdatePodIdentityAssociation as a reference.
pub fn as_input(&self) -> &crate::operation::update_pod_identity_association::builders::UpdatePodIdentityAssociationInputBuilder {
&self.inner
}
/// Sends the request and returns the response.
///
/// If an error occurs, an `SdkError` will be returned with additional details that
/// can be matched against.
///
/// By default, any retryable failures will be retried twice. Retry behavior
/// is configurable with the [RetryConfig](aws_smithy_types::retry::RetryConfig), which can be
/// set when configuring the client.
pub async fn send(
self,
) -> ::std::result::Result<
crate::operation::update_pod_identity_association::UpdatePodIdentityAssociationOutput,
::aws_smithy_runtime_api::client::result::SdkError<
crate::operation::update_pod_identity_association::UpdatePodIdentityAssociationError,
::aws_smithy_runtime_api::client::orchestrator::HttpResponse,
>,
> {
let input = self
.inner
.build()
.map_err(::aws_smithy_runtime_api::client::result::SdkError::construction_failure)?;
let runtime_plugins = crate::operation::update_pod_identity_association::UpdatePodIdentityAssociation::operation_runtime_plugins(
self.handle.runtime_plugins.clone(),
&self.handle.conf,
self.config_override,
);
crate::operation::update_pod_identity_association::UpdatePodIdentityAssociation::orchestrate(&runtime_plugins, input).await
}
/// Consumes this builder, creating a customizable operation that can be modified before being sent.
pub fn customize(
self,
) -> crate::client::customize::CustomizableOperation<
crate::operation::update_pod_identity_association::UpdatePodIdentityAssociationOutput,
crate::operation::update_pod_identity_association::UpdatePodIdentityAssociationError,
Self,
> {
crate::client::customize::CustomizableOperation::new(self)
}
pub(crate) fn config_override(mut self, config_override: impl ::std::convert::Into<crate::config::Builder>) -> Self {
self.set_config_override(::std::option::Option::Some(config_override.into()));
self
}
pub(crate) fn set_config_override(&mut self, config_override: ::std::option::Option<crate::config::Builder>) -> &mut Self {
self.config_override = config_override;
self
}
/// <p>The name of the cluster that you want to update the association in.</p>
pub fn cluster_name(mut self, input: impl ::std::convert::Into<::std::string::String>) -> Self {
self.inner = self.inner.cluster_name(input.into());
self
}
/// <p>The name of the cluster that you want to update the association in.</p>
pub fn set_cluster_name(mut self, input: ::std::option::Option<::std::string::String>) -> Self {
self.inner = self.inner.set_cluster_name(input);
self
}
/// <p>The name of the cluster that you want to update the association in.</p>
pub fn get_cluster_name(&self) -> &::std::option::Option<::std::string::String> {
self.inner.get_cluster_name()
}
/// <p>The ID of the association to be updated.</p>
pub fn association_id(mut self, input: impl ::std::convert::Into<::std::string::String>) -> Self {
self.inner = self.inner.association_id(input.into());
self
}
/// <p>The ID of the association to be updated.</p>
pub fn set_association_id(mut self, input: ::std::option::Option<::std::string::String>) -> Self {
self.inner = self.inner.set_association_id(input);
self
}
/// <p>The ID of the association to be updated.</p>
pub fn get_association_id(&self) -> &::std::option::Option<::std::string::String> {
self.inner.get_association_id()
}
/// <p>The new IAM role to change in the association.</p>
pub fn role_arn(mut self, input: impl ::std::convert::Into<::std::string::String>) -> Self {
self.inner = self.inner.role_arn(input.into());
self
}
/// <p>The new IAM role to change in the association.</p>
pub fn set_role_arn(mut self, input: ::std::option::Option<::std::string::String>) -> Self {
self.inner = self.inner.set_role_arn(input);
self
}
/// <p>The new IAM role to change in the association.</p>
pub fn get_role_arn(&self) -> &::std::option::Option<::std::string::String> {
self.inner.get_role_arn()
}
/// <p>A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.</p>
pub fn client_request_token(mut self, input: impl ::std::convert::Into<::std::string::String>) -> Self {
self.inner = self.inner.client_request_token(input.into());
self
}
/// <p>A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.</p>
pub fn set_client_request_token(mut self, input: ::std::option::Option<::std::string::String>) -> Self {
self.inner = self.inner.set_client_request_token(input);
self
}
/// <p>A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.</p>
pub fn get_client_request_token(&self) -> &::std::option::Option<::std::string::String> {
self.inner.get_client_request_token()
}
/// <p>Disable the automatic sessions tags that are appended by EKS Pod Identity.</p>
/// <p>EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to Amazon Web Services resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. For the list of tags added by EKS Pod Identity, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/pod-id-abac.html#pod-id-abac-tags">List of session tags added by EKS Pod Identity</a> in the <i>Amazon EKS User Guide</i>.</p>
/// <p>Amazon Web Services compresses inline session policies, managed policy ARNs, and session tags into a packed binary format that has a separate limit. If you receive a <code>PackedPolicyTooLarge</code> error indicating the packed binary format has exceeded the size limit, you can attempt to reduce the size by disabling the session tags added by EKS Pod Identity.</p>
pub fn disable_session_tags(mut self, input: bool) -> Self {
self.inner = self.inner.disable_session_tags(input);
self
}
/// <p>Disable the automatic sessions tags that are appended by EKS Pod Identity.</p>
/// <p>EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to Amazon Web Services resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. For the list of tags added by EKS Pod Identity, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/pod-id-abac.html#pod-id-abac-tags">List of session tags added by EKS Pod Identity</a> in the <i>Amazon EKS User Guide</i>.</p>
/// <p>Amazon Web Services compresses inline session policies, managed policy ARNs, and session tags into a packed binary format that has a separate limit. If you receive a <code>PackedPolicyTooLarge</code> error indicating the packed binary format has exceeded the size limit, you can attempt to reduce the size by disabling the session tags added by EKS Pod Identity.</p>
pub fn set_disable_session_tags(mut self, input: ::std::option::Option<bool>) -> Self {
self.inner = self.inner.set_disable_session_tags(input);
self
}
/// <p>Disable the automatic sessions tags that are appended by EKS Pod Identity.</p>
/// <p>EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. You can use these tags to author a single role that can work across resources by allowing access to Amazon Web Services resources based on matching tags. By default, EKS Pod Identity attaches six tags, including tags for cluster name, namespace, and service account name. For the list of tags added by EKS Pod Identity, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/pod-id-abac.html#pod-id-abac-tags">List of session tags added by EKS Pod Identity</a> in the <i>Amazon EKS User Guide</i>.</p>
/// <p>Amazon Web Services compresses inline session policies, managed policy ARNs, and session tags into a packed binary format that has a separate limit. If you receive a <code>PackedPolicyTooLarge</code> error indicating the packed binary format has exceeded the size limit, you can attempt to reduce the size by disabling the session tags added by EKS Pod Identity.</p>
pub fn get_disable_session_tags(&self) -> &::std::option::Option<bool> {
self.inner.get_disable_session_tags()
}
/// <p>The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This role is assumed by using the EKS Pod Identity association role, then the credentials for this role are injected into the Pod.</p>
/// <p>When you run applications on Amazon EKS, your application might need to access Amazon Web Services resources from a different role that exists in the same or different Amazon Web Services account. For example, your application running in “Account A” might need to access resources, such as buckets in “Account B” or within “Account A” itself. You can create a association to access Amazon Web Services resources in “Account B” by creating two IAM roles: a role in “Account A” and a role in “Account B” (which can be the same or different account), each with the necessary trust and permission policies. After you provide these roles in the <i>IAM role</i> and <i>Target IAM role</i> fields, EKS will perform role chaining to ensure your application gets the required permissions. This means Role A will assume Role B, allowing your Pods to securely access resources like S3 buckets in the target account.</p>
pub fn target_role_arn(mut self, input: impl ::std::convert::Into<::std::string::String>) -> Self {
self.inner = self.inner.target_role_arn(input.into());
self
}
/// <p>The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This role is assumed by using the EKS Pod Identity association role, then the credentials for this role are injected into the Pod.</p>
/// <p>When you run applications on Amazon EKS, your application might need to access Amazon Web Services resources from a different role that exists in the same or different Amazon Web Services account. For example, your application running in “Account A” might need to access resources, such as buckets in “Account B” or within “Account A” itself. You can create a association to access Amazon Web Services resources in “Account B” by creating two IAM roles: a role in “Account A” and a role in “Account B” (which can be the same or different account), each with the necessary trust and permission policies. After you provide these roles in the <i>IAM role</i> and <i>Target IAM role</i> fields, EKS will perform role chaining to ensure your application gets the required permissions. This means Role A will assume Role B, allowing your Pods to securely access resources like S3 buckets in the target account.</p>
pub fn set_target_role_arn(mut self, input: ::std::option::Option<::std::string::String>) -> Self {
self.inner = self.inner.set_target_role_arn(input);
self
}
/// <p>The Amazon Resource Name (ARN) of the target IAM role to associate with the service account. This role is assumed by using the EKS Pod Identity association role, then the credentials for this role are injected into the Pod.</p>
/// <p>When you run applications on Amazon EKS, your application might need to access Amazon Web Services resources from a different role that exists in the same or different Amazon Web Services account. For example, your application running in “Account A” might need to access resources, such as buckets in “Account B” or within “Account A” itself. You can create a association to access Amazon Web Services resources in “Account B” by creating two IAM roles: a role in “Account A” and a role in “Account B” (which can be the same or different account), each with the necessary trust and permission policies. After you provide these roles in the <i>IAM role</i> and <i>Target IAM role</i> fields, EKS will perform role chaining to ensure your application gets the required permissions. This means Role A will assume Role B, allowing your Pods to securely access resources like S3 buckets in the target account.</p>
pub fn get_target_role_arn(&self) -> &::std::option::Option<::std::string::String> {
self.inner.get_target_role_arn()
}
/// <p>An optional IAM policy in JSON format (as an escaped string) that applies additional restrictions to this pod identity association beyond the IAM policies attached to the IAM role. This policy is applied as the intersection of the role's policies and this policy, allowing you to reduce the permissions that applications in the pods can use. Use this policy to enforce least privilege access while still leveraging a shared IAM role across multiple applications.</p>
/// <p><b>Important considerations</b></p>
/// <ul>
/// <li>
/// <p><b>Session tags:</b> When using this policy, <code>disableSessionTags</code> must be set to <code>true</code>.</p></li>
/// <li>
/// <p><b>Target role permissions:</b> If you specify both a <code>TargetRoleArn</code> and a policy, the policy restrictions apply only to the target role's permissions, not to the initial role used for assuming the target role.</p></li>
/// </ul>
pub fn policy(mut self, input: impl ::std::convert::Into<::std::string::String>) -> Self {
self.inner = self.inner.policy(input.into());
self
}
/// <p>An optional IAM policy in JSON format (as an escaped string) that applies additional restrictions to this pod identity association beyond the IAM policies attached to the IAM role. This policy is applied as the intersection of the role's policies and this policy, allowing you to reduce the permissions that applications in the pods can use. Use this policy to enforce least privilege access while still leveraging a shared IAM role across multiple applications.</p>
/// <p><b>Important considerations</b></p>
/// <ul>
/// <li>
/// <p><b>Session tags:</b> When using this policy, <code>disableSessionTags</code> must be set to <code>true</code>.</p></li>
/// <li>
/// <p><b>Target role permissions:</b> If you specify both a <code>TargetRoleArn</code> and a policy, the policy restrictions apply only to the target role's permissions, not to the initial role used for assuming the target role.</p></li>
/// </ul>
pub fn set_policy(mut self, input: ::std::option::Option<::std::string::String>) -> Self {
self.inner = self.inner.set_policy(input);
self
}
/// <p>An optional IAM policy in JSON format (as an escaped string) that applies additional restrictions to this pod identity association beyond the IAM policies attached to the IAM role. This policy is applied as the intersection of the role's policies and this policy, allowing you to reduce the permissions that applications in the pods can use. Use this policy to enforce least privilege access while still leveraging a shared IAM role across multiple applications.</p>
/// <p><b>Important considerations</b></p>
/// <ul>
/// <li>
/// <p><b>Session tags:</b> When using this policy, <code>disableSessionTags</code> must be set to <code>true</code>.</p></li>
/// <li>
/// <p><b>Target role permissions:</b> If you specify both a <code>TargetRoleArn</code> and a policy, the policy restrictions apply only to the target role's permissions, not to the initial role used for assuming the target role.</p></li>
/// </ul>
pub fn get_policy(&self) -> &::std::option::Option<::std::string::String> {
self.inner.get_policy()
}
}