add support to policy for pod-identity-association create and update (#8674)

kprahulraj · web-flow · commit e4907291f6a9 · 2026-02-13T11:08:55.000-08:00
diff --git a/go.mod b/go.mod
@@ -10,19 +10,19 @@ require (
 	github.com/aws/aws-sdk-go-v2 v1.41.1
 	github.com/aws/aws-sdk-go-v2/config v1.32.7
 	github.com/aws/aws-sdk-go-v2/credentials v1.19.7
-	github.com/aws/aws-sdk-go-v2/service/autoscaling v1.62.1
-	github.com/aws/aws-sdk-go-v2/service/cloudformation v1.71.1
-	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.55.1
-	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.61.1
+	github.com/aws/aws-sdk-go-v2/service/autoscaling v1.64.0
+	github.com/aws/aws-sdk-go-v2/service/cloudformation v1.71.5
+	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.55.5
+	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.63.1
 	github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.57.7
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.275.0
-	github.com/aws/aws-sdk-go-v2/service/eks v1.77.0
-	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.15
-	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.2
-	github.com/aws/aws-sdk-go-v2/service/iam v1.52.2
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.286.0
+	github.com/aws/aws-sdk-go-v2/service/eks v1.79.0
+	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.19
+	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.6
+	github.com/aws/aws-sdk-go-v2/service/iam v1.53.2
 	github.com/aws/aws-sdk-go-v2/service/kms v1.47.1
-	github.com/aws/aws-sdk-go-v2/service/outposts v1.57.8
-	github.com/aws/aws-sdk-go-v2/service/ssm v1.67.4
+	github.com/aws/aws-sdk-go-v2/service/outposts v1.57.11
+	github.com/aws/aws-sdk-go-v2/service/ssm v1.67.8
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.6
 	github.com/aws/smithy-go v1.24.0
 	github.com/awslabs/amazon-eks-ami/nodeadm v0.0.0-20251001043626-89ce6578d960
@@ -133,7 +133,7 @@ require (
 	github.com/ashanbrown/forbidigo/v2 v2.3.0 // indirect
 	github.com/ashanbrown/makezero/v2 v2.1.0 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 // indirect
diff --git a/go.sum b/go.sum
@@ -110,8 +110,8 @@ github.com/aws/amazon-ec2-instance-selector/v3 v3.1.2 h1:F8GBspJo+RmR4rYyw75XywE
 github.com/aws/amazon-ec2-instance-selector/v3 v3.1.2/go.mod h1:wdlMRtz9G4IO6H1yZPsqfGBxR8E6B/bdxHlGkls4kGQ=
 github.com/aws/aws-sdk-go-v2 v1.41.1 h1:ABlyEARCDLN034NhxlRUSZr4l71mh+T5KAeGh6cerhU=
 github.com/aws/aws-sdk-go-v2 v1.41.1/go.mod h1:MayyLB8y+buD9hZqkCW3kX1AKq07Y5pXxtgB+rRFhz0=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3 h1:DHctwEM8P8iTXFxC/QK0MRjwEpWQeM9yzidCRjldUz0=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3/go.mod h1:xdCzcZEtnSTKVDOmUZs4l/j3pSV6rpo1WXl5ugNsL8Y=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 h1:489krEF9xIGkOaaX3CE/Be2uWjiXrkCH6gUX+bZA/BU=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4/go.mod h1:IOAPF6oT9KCsceNTvvYMNHy0+kMF8akOjeDvPENWxp4=
 github.com/aws/aws-sdk-go-v2/config v1.32.7 h1:vxUyWGUwmkQ2g19n7JY/9YL8MfAIl7bTesIUykECXmY=
 github.com/aws/aws-sdk-go-v2/config v1.32.7/go.mod h1:2/Qm5vKUU/r7Y+zUk/Ptt2MDAEKAfUtKc1+3U1Mo3oY=
 github.com/aws/aws-sdk-go-v2/credentials v1.19.7 h1:tHK47VqqtJxOymRrNtUXN5SP/zUTvZKeLx4tH6PGQc8=
@@ -126,28 +126,28 @@ github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEG
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.14 h1:ITi7qiDSv/mSGDSWNpZ4k4Ve0DQR6Ug2SJQ8zEHoDXg=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.14/go.mod h1:k1xtME53H1b6YpZt74YmwlONMWf4ecM+lut1WQLAF/U=
-github.com/aws/aws-sdk-go-v2/service/autoscaling v1.62.1 h1:CsZyADhNxJU6AbqmieFia8ez9tO3HAPZKWMNZEvvdVM=
-github.com/aws/aws-sdk-go-v2/service/autoscaling v1.62.1/go.mod h1:6q/I1pH386VpPfB6FE62X/MOs6NW/oCsY9FXU33YXOU=
-github.com/aws/aws-sdk-go-v2/service/cloudformation v1.71.1 h1:YA9axGdmN8mAnG3uxredzWXFN/x1IiCbseFqU30ZXog=
-github.com/aws/aws-sdk-go-v2/service/cloudformation v1.71.1/go.mod h1:AIfiLeQfCO8suB3zxZp155Sv9KfiDhPyF+SSIRLEUYk=
-github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.55.1 h1:fRFvc/mgSPujB9JrKuPt+HGnJE9I+nDwXMhEAwHI/GM=
-github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.55.1/go.mod h1:XSNDmicqamWtX6yg5lisFAiFaf56PErQo/cMQvUQWX0=
-github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.61.1 h1:1Ci283hJE+S3XC4n5b2peV/wlcAo5rTVDb6j6JJ1aTo=
-github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.61.1/go.mod h1:WXcA3mYRgWVIzjD+kxzap0axltmt4zBVDZaRX0S86gk=
+github.com/aws/aws-sdk-go-v2/service/autoscaling v1.64.0 h1:s92jPptCu97RNwU1yF3jD4ahLZrQ0QkUIvrn464rQ2A=
+github.com/aws/aws-sdk-go-v2/service/autoscaling v1.64.0/go.mod h1:8O5Pj92iNpfw/Fa7WdHbn6YiEjDoVdutz+9PGRNoP3Y=
+github.com/aws/aws-sdk-go-v2/service/cloudformation v1.71.5 h1:UNllAzfiRvz9il9s0yHJkySMJbxWqEVDfyLdDblnuT4=
+github.com/aws/aws-sdk-go-v2/service/cloudformation v1.71.5/go.mod h1:d6XSvIZM3pSKyXNbezwYT3nAcJeUzsJIXtZMNuQ9K2k=
+github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.55.5 h1:sSgqtZi6Kp4Pc1V4turyaux7xUXxC1JwbEF6MzTQ9oE=
+github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.55.5/go.mod h1:zweZsRPub5YhgUjoMGOeRWuXOOORt6YFiA51hpmNB4c=
+github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.63.1 h1:l65dmgr7tO26EcHe6WMdseRnFLoJ2nqdkPz1nJdXfaw=
+github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.63.1/go.mod h1:wvnXh1w1pGS2UpEvPTKSjXYuxiXhuvob/IMaK2AWvek=
 github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.57.7 h1:1LPBlVrceFenrbWOZBGu8KTmX8TTMpZfRxX0HCnSjz0=
 github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.57.7/go.mod h1:l8KDrD4EZQwTuM69YK3LFZ4c9VbNHrzaQJjJsoIFqfo=
-github.com/aws/aws-sdk-go-v2/service/ec2 v1.275.0 h1:ymusjrsOjrcVBQNQXYFIQEHJIJ17/m+VoDSmWIMjGe0=
-github.com/aws/aws-sdk-go-v2/service/ec2 v1.275.0/go.mod h1:QrV+/GjhSrJh6MRRuTO6ZEg4M2I0nwPakf0lZHSrE1o=
-github.com/aws/aws-sdk-go-v2/service/eks v1.77.0 h1:Z5mTpmbJKU7jEM7xoXI5tO4Nm0JUZSgVSFkpYuu6Ic0=
-github.com/aws/aws-sdk-go-v2/service/eks v1.77.0/go.mod h1:Qg678m+87sCuJhcsZojenz8mblYG+Tq86V4m3hjVz0s=
-github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.15 h1:dJtNm4/eMx8nczyN3P4iAARXMj2rAvOJnj608zCqCmw=
-github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.15/go.mod h1:QEbuU4eh8HGdv4uvld0Jth+KW8L0lOSYlyPcW6+JJo8=
-github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.2 h1:xJkfrBzq4b4JxnxwNNzjUKmbQj1hPa4uUikSeXQFBYk=
-github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.2/go.mod h1:DpGMmFhQwV/HH9zugLT5Ovf9HMKdQ+6ejfJybqEC9i4=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.286.0 h1:GgLc+o2oD2sXxlEwGUCCWz/1v3Wa8dN9RRebcIFXeOo=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.286.0/go.mod h1:Uy+C+Sc58jozdoL1McQr8bDsEvNFx+/nBY+vpO1HVUY=
+github.com/aws/aws-sdk-go-v2/service/eks v1.79.0 h1:NJv9h+Fmg1bmAAnoH2cWsywcX3gNyn2sbhsn6VvgHNk=
+github.com/aws/aws-sdk-go-v2/service/eks v1.79.0/go.mod h1:Qg678m+87sCuJhcsZojenz8mblYG+Tq86V4m3hjVz0s=
+github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.19 h1:ybEda2mkkX2o8NadXZBtcO9tgmW9cTQgeVSjypNsAy0=
+github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.19/go.mod h1:RiMytGvN4azx4yLM0Kn3bX/XO9dLxj+eG72Smy+vNzI=
+github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.6 h1:fQR1aeZKaiPkNPya0JMy2nhsoqoSgIWc3/QTiTiL1K0=
+github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.6/go.mod h1:oJRLDix51wqBDlP9dv+blFkvvf7HESolQz5cdhdmV4A=
 github.com/aws/aws-sdk-go-v2/service/eventbridge v1.39.3 h1:T6L7fsONflMeXuvsT8qZ247hA8ShBB0jF9yUEhW4JqI=
 github.com/aws/aws-sdk-go-v2/service/eventbridge v1.39.3/go.mod h1:sIrUII6Z+hAVAgcpmsc2e9HvEr++m/v8aBPT7s4ZYUk=
-github.com/aws/aws-sdk-go-v2/service/iam v1.52.2 h1:li0ooCUfHIivHn8nB3LstP6HgdNefwu5gnXE4MLVz/U=
-github.com/aws/aws-sdk-go-v2/service/iam v1.52.2/go.mod h1:PuHz5kGh1jtsNpjezdYhRp7xgn6DzCNJJfQt7O7U9Aw=
+github.com/aws/aws-sdk-go-v2/service/iam v1.53.2 h1:62G6btFUwAa5uR5iPlnlNVAM0zJSLbWgDfKOfUC7oW4=
+github.com/aws/aws-sdk-go-v2/service/iam v1.53.2/go.mod h1:av9clChrbZbJ5E21msSsiT2oghl2BJHfQGhCkXmhyu8=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 h1:0ryTNEdJbzUCEWkVXEXoqlXV72J5keC1GvILMOuD00E=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4/go.mod h1:HQ4qwNZh32C3CBeO6iJLQlgtMzqeG17ziAA/3KDJFow=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.5 h1:Hjkh7kE6D81PgrHlE/m9gx+4TyyeLHuY8xJs7yXN5C4=
@@ -158,8 +158,8 @@ github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.14 h1:FzQE21lNtUor0
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.14/go.mod h1:s1ydyWG9pm3ZwmmYN21HKyG9WzAZhYVW85wMHs5FV6w=
 github.com/aws/aws-sdk-go-v2/service/kms v1.47.1 h1:6+C0RoGF4HJQALrsecOXN7cm/l5rgNHCw2xbcvFgpH4=
 github.com/aws/aws-sdk-go-v2/service/kms v1.47.1/go.mod h1:VJcNH6BLr+3VJwinRKdotLOMglHO8mIKlD3ea5c7hbw=
-github.com/aws/aws-sdk-go-v2/service/outposts v1.57.8 h1:zB9Q/dG0NkURC5E1g4qL/lsUp7aOqilfb7Ru9EOigDU=
-github.com/aws/aws-sdk-go-v2/service/outposts v1.57.8/go.mod h1:3osURGv9q/2wxP1qYnB15GWYgr6w2AbQkSxYtE6vTaY=
+github.com/aws/aws-sdk-go-v2/service/outposts v1.57.11 h1:pTBv1tqYHwSFkXSxpXrfAY83kBIec5YtVEZJaXcu7es=
+github.com/aws/aws-sdk-go-v2/service/outposts v1.57.11/go.mod h1:TcrxIboCEZ2fBS0g66qoDvJ4+MfRGf8Xnf6iDR84nAo=
 github.com/aws/aws-sdk-go-v2/service/pricing v1.34.3 h1:vAv0hi3SWcc8cotkWRP4mPkmRbp/XqWKFyPW4Nwpzv0=
 github.com/aws/aws-sdk-go-v2/service/pricing v1.34.3/go.mod h1:giTP9ufzBQJRB6bc7P30PO8s35hCp6au5uM70zkohU4=
 github.com/aws/aws-sdk-go-v2/service/route53 v1.52.2 h1:dXHWVVPx2W2fq2PTugj8QXpJ0YTRAGx0KLPKhMBmcsY=
@@ -170,8 +170,8 @@ github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 h1:VrhDvQib/i0lxvr3zqlUwLwJP4
 github.com/aws/aws-sdk-go-v2/service/signin v1.0.5/go.mod h1:k029+U8SY30/3/ras4G/Fnv/b88N4mAfliNn08Dem4M=
 github.com/aws/aws-sdk-go-v2/service/sqs v1.38.8 h1:80dpSqWMwx2dAm30Ib7J6ucz1ZHfiv5OCRwN/EnCOXQ=
 github.com/aws/aws-sdk-go-v2/service/sqs v1.38.8/go.mod h1:IzNt/udsXlETCdvBOL0nmyMe2t9cGmXmZgsdoZGYYhI=
-github.com/aws/aws-sdk-go-v2/service/ssm v1.67.4 h1:pOwUUY5FzKUsxtxGR6qsczZP7MuZMVlMbAOPQOcmJlo=
-github.com/aws/aws-sdk-go-v2/service/ssm v1.67.4/go.mod h1:+nlWvcgDPQ56mChEBzTC0puAMck+4onOFaHg5cE+Lgg=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.67.8 h1:31Llf5VfrZ78YvYs7sWcS7L2m3waikzRc6q1nYenVS4=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.67.8/go.mod h1:/jgaDlU1UImoxTxhRNxXHvBAPqPZQ8oCjcPbbkR6kac=
 github.com/aws/aws-sdk-go-v2/service/sso v1.30.9 h1:v6EiMvhEYBoHABfbGB4alOYmCIrcgyPPiBE1wZAEbqk=
 github.com/aws/aws-sdk-go-v2/service/sso v1.30.9/go.mod h1:yifAsgBxgJWn3ggx70A3urX2AN49Y5sJTD1UQFlfqBw=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13 h1:gd84Omyu9JLriJVCbGApcLzVR3XtmC4ZDPcAI6Ftvds=
diff --git a/pkg/actions/podidentityassociation/tasks.go b/pkg/actions/podidentityassociation/tasks.go
@@ -50,6 +50,7 @@ func (t *createPodIdentityAssociationTask) Do(errorCh chan error) error {
 		ServiceAccount:     &t.podIdentityAssociation.ServiceAccountName,
 		Tags:               t.podIdentityAssociation.Tags,
 		DisableSessionTags: t.podIdentityAssociation.DisableSessionTags,
+		Policy:             t.podIdentityAssociation.Policy,
 	}
 
 	// Add target role ARN if specified (for cross-account access)
diff --git a/pkg/actions/podidentityassociation/updater.go b/pkg/actions/podidentityassociation/updater.go
@@ -98,9 +98,10 @@ func (u *Updater) update(ctx context.Context, updateConfig *UpdateConfig, podIde
 			return err
 		}
 
-		// If there's no change to the IAM role or pod identity association properties, return early
+		// If there's no change to the IAM role, policy or pod identity association properties, return early
 		if !hasChanged &&
 			updateConfig.PodIdentityAssociation.TargetRoleARN == nil &&
+			updateConfig.PodIdentityAssociation.Policy == nil &&
 			updateConfig.PodIdentityAssociation.DisableSessionTags == nil {
 			return nil
 		}
@@ -116,6 +117,7 @@ func (u *Updater) updatePodIdentityAssociation(ctx context.Context, roleARN stri
 		RoleArn:            aws.String(roleARN),
 		TargetRoleArn:      updateConfig.PodIdentityAssociation.TargetRoleARN,
 		DisableSessionTags: updateConfig.PodIdentityAssociation.DisableSessionTags,
+		Policy:             updateConfig.PodIdentityAssociation.Policy,
 	}); err != nil {
 		return fmt.Errorf("(associationID: %s, roleARN: %s): %w", updateConfig.AssociationID, roleARN, err)
 	}
@@ -200,10 +202,11 @@ func (r *RoleUpdateValidator) ValidateRoleUpdate(pia api.PodIdentityAssociation,
 			RoleARN:            pia.RoleARN,
 			TargetRoleARN:      pia.TargetRoleARN,
 			DisableSessionTags: pia.DisableSessionTags,
+			Policy:             pia.Policy,
 		}
 
 		if !reflect.DeepEqual(pia, podIDWithCrossAccountFields) {
-			return errors.New("only namespace, serviceAccountName and roleARN can be specified if the role was not created by eksctl")
+			return errors.New("only namespace, serviceAccountName, roleARN and policy can be specified if the role was not created by eksctl")
 		}
 	}
 	return nil
diff --git a/pkg/actions/podidentityassociation/updater_test.go b/pkg/actions/podidentityassociation/updater_test.go
@@ -47,6 +47,7 @@ var _ = Describe("Pod Identity Update", func() {
 		describeStackOutputs      []cfntypes.Output
 		describeStackCapabilities []cfntypes.Capability
 		makeStackName             func(podidentityassociation.Identifier) string
+		policy                    *string
 	}
 
 	mockCalls := func(stackManager *managerfakes.FakeStackManager, eksAPI *mocksv2.EKS, o mockOptions) {
@@ -74,6 +75,7 @@ var _ = Describe("Pod Identity Update", func() {
 				AssociationId: aws.String(associationID),
 				ClusterName:   aws.String(clusterName),
 				RoleArn:       aws.String(o.updateRoleARN),
+				Policy:        o.policy,
 			}
 
 			// For the cross-account access test case
@@ -262,7 +264,7 @@ var _ = Describe("Pod Identity Update", func() {
 				eksAPI.AssertExpectations(GinkgoT())
 			},
 
-			expectedErr: `error updating pod identity association "kube-system/aws-node": only namespace, serviceAccountName and roleARN can be specified if the role was not created by eksctl`,
+			expectedErr: `error updating pod identity association "kube-system/aws-node": only namespace, serviceAccountName, roleARN and policy can be specified if the role was not created by eksctl`,
 		}),
 
 		Entry("roleName specified when the pod identity association was not created with a roleName", updateEntry{
diff --git a/pkg/apis/eksctl.io/v1alpha5/assets/schema.json b/pkg/apis/eksctl.io/v1alpha5/assets/schema.json
@@ -2868,6 +2868,11 @@
         "permissionsBoundaryARN": {
           "type": "string"
         },
+        "policy": {
+          "type": "string",
+          "description": "optional policy that applies additional restrictions to this pod identity association beyond the IAM policies attached to the IAM role.",
+          "x-intellij-html-description": "optional policy that applies additional restrictions to this pod identity association beyond the IAM policies attached to the IAM role."
+        },
         "roleARN": {
           "type": "string"
         },
@@ -2905,7 +2910,8 @@
         "wellKnownPolicies",
         "tags",
         "targetRoleARN",
-        "disableSessionTags"
+        "disableSessionTags",
+        "policy"
       ],
       "additionalProperties": false
     },
diff --git a/pkg/apis/eksctl.io/v1alpha5/iam.go b/pkg/apis/eksctl.io/v1alpha5/iam.go
@@ -209,6 +209,10 @@ type PodIdentityAssociation struct {
 	// +optional
 	// DisableSessionTags disables the tags that are automatically added to role session by Amazon EKS.
 	DisableSessionTags *bool `json:"disableSessionTags,omitempty"`
+
+	// +optional
+	// Policy is the optional policy that applies additional restrictions to this pod identity association beyond the IAM policies attached to the IAM role.
+	Policy *string `json:"policy,omitempty"`
 }
 
 func (p PodIdentityAssociation) NameString() string {
diff --git a/pkg/ctl/cmdutils/cmdutils.go b/pkg/ctl/cmdutils/cmdutils.go
@@ -249,3 +249,7 @@ func ErrUnsupportedManagedFlag(flag string) error {
 func ErrUnsupportedNameArg() error {
 	return errors.New("name argument is not supported")
 }
+
+func ErrDisableSessionTagsMustBeSet() error {
+	return errors.New("--disable-session-tags must be set to true when using --policy")
+}
diff --git a/pkg/ctl/cmdutils/pod_identity_association.go b/pkg/ctl/cmdutils/pod_identity_association.go
@@ -22,6 +22,7 @@ var (
 		"create-service-account",
 		"target-role-arn",
 		"disable-session-tags",
+		"policy",
 	}
 )
 
@@ -181,12 +182,14 @@ type UpdatePodIdentityAssociationOptions struct {
 	// DisableSessionTags is a boolean flag to enable or disable session tags.
 	// This is used for cross-account pod identity access.
 	DisableSessionTags *bool
+	// Policy is the optional policy that applies additional restrictions to this pod identity association beyond the IAM policies attached to the IAM role.
+	Policy *string
 }
 
 // NewUpdatePodIdentityAssociationLoader will load config or use flags for `eksctl update podidentityassociation`.
 func NewUpdatePodIdentityAssociationLoader(cmd *Cmd, options UpdatePodIdentityAssociationOptions) ClusterConfigLoader {
 	l := newCommonClusterConfigLoader(cmd)
-	l.flagsIncompatibleWithConfigFile.Insert("namespace", "service-account-name", "role-arn", "target-role-arn", "disable-session-tags")
+	l.flagsIncompatibleWithConfigFile.Insert("namespace", "service-account-name", "role-arn", "target-role-arn", "disable-session-tags", "policy")
 
 	l.validateWithoutConfigFile = func() error {
 		if err := validatePodIdentityAssociation(l, options.PodIdentityAssociationOptions); err != nil {
diff --git a/pkg/ctl/create/pod_identity_association.go b/pkg/ctl/create/pod_identity_association.go
@@ -37,6 +37,12 @@ func doCreatePodIdentityAssociation(cmd *cmdutils.Cmd) error {
 	cfg := cmd.ClusterConfig
 	ctx := context.Background()
 
+	for _, pia := range cfg.IAM.PodIdentityAssociations {
+		if pia.Policy != nil && (pia.DisableSessionTags == nil || !*pia.DisableSessionTags) {
+			return cmdutils.ErrDisableSessionTagsMustBeSet()
+		}
+	}
+
 	ctl, err := cmd.NewProviderForExistingCluster(ctx)
 	if err != nil {
 		return err
@@ -74,8 +80,10 @@ func configureCreatePodIdentityAssociationCmd(cmd *cmdutils.Cmd, pia *api.PodIde
 		fs.StringVar(&pia.PermissionsBoundaryARN, "permission-boundary-arn", "", "ARN of the policy that is used to set the permission boundary for the role")
 		var targetRoleARN string
 		var disableSessionTags bool
+		var policy string
 		fs.StringVar(&targetRoleARN, "target-role-arn", "", "ARN of the target IAM role for cross-account access (default to empty string for no cross-account access)")
 		fs.BoolVar(&disableSessionTags, "disable-session-tags", false, "Disable session tags added by EKS Pod Identity (if not provided, session tags are enabled by default)")
+		fs.StringVar(&policy, "policy", "", "Optional policy that applies additional restrictions to this pod identity association beyond the IAM policies attached to the IAM role")
 
 		// Store the flag values in the struct
 		cmdutils.AddPreRun(cmd.CobraCommand, func(cobraCmd *cobra.Command, args []string) {
@@ -85,6 +93,9 @@ func configureCreatePodIdentityAssociationCmd(cmd *cmdutils.Cmd, pia *api.PodIde
 			if fs.Changed("disable-session-tags") {
 				pia.DisableSessionTags = aws.Bool(true)
 			}
+			if fs.Changed("policy") {
+				pia.Policy = &policy
+			}
 		})
 
 		fs.BoolVar(&pia.CreateServiceAccount, "create-service-account", false, "instructs eksctl to create the K8s service account")
diff --git a/pkg/ctl/create/pod_identity_association_test.go b/pkg/ctl/create/pod_identity_association_test.go
@@ -77,5 +77,9 @@ var _ = Describe("create pod identity association", func() {
 			args:        []string{"--disable-session-tags", "--config-file", configFile},
 			expectedErr: "cannot use --disable-session-tags when --config-file/-f is set",
 		}),
+		Entry("setting --policy without --disable-session-tags", createPodIdentityAssociationEntry{
+			args:        append(defaultArgs, "--role-arn", "arn:aws:iam::111122223333:role/test-role", "--policy", `{"Version":"2012-10-17","Statement":[]}`),
+			expectedErr: "--disable-session-tags must be set to true when using --policy",
+		}),
 	)
 })
diff --git a/pkg/ctl/update/pod_identity_association.go b/pkg/ctl/update/pod_identity_association.go
diff --git a/pkg/ctl/update/pod_identity_association_test.go b/pkg/ctl/update/pod_identity_association_test.go

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,7 @@ func (t *createPodIdentityAssociationTask) Do(errorCh chan error) error {`
`50`	`50`	`ServiceAccount: &t.podIdentityAssociation.ServiceAccountName,`
`51`	`51`	`Tags: t.podIdentityAssociation.Tags,`
`52`	`52`	`DisableSessionTags: t.podIdentityAssociation.DisableSessionTags,`
	`53`	`+ Policy: t.podIdentityAssociation.Policy,`
`53`	`54`	`}`
`54`	`55`
`55`	`56`	`// Add target role ARN if specified (for cross-account access)`
Original file line number	Diff line number	Diff line change
`@@ -98,9 +98,10 @@ func (u Updater) update(ctx context.Context, updateConfig UpdateConfig, podIde`
`98`	`98`	`return err`
`99`	`99`	`}`
`100`	`100`
`101`		`- // If there's no change to the IAM role or pod identity association properties, return early`
	`101`	`+ // If there's no change to the IAM role, policy or pod identity association properties, return early`
`102`	`102`	`if !hasChanged &&`
`103`	`103`	`updateConfig.PodIdentityAssociation.TargetRoleARN == nil &&`
	`104`	`+ updateConfig.PodIdentityAssociation.Policy == nil &&`
`104`	`105`	`updateConfig.PodIdentityAssociation.DisableSessionTags == nil {`
`105`	`106`	`return nil`
`106`	`107`	`}`
`@@ -116,6 +117,7 @@ func (u *Updater) updatePodIdentityAssociation(ctx context.Context, roleARN stri`
`116`	`117`	`RoleArn: aws.String(roleARN),`
`117`	`118`	`TargetRoleArn: updateConfig.PodIdentityAssociation.TargetRoleARN,`
`118`	`119`	`DisableSessionTags: updateConfig.PodIdentityAssociation.DisableSessionTags,`
	`120`	`+ Policy: updateConfig.PodIdentityAssociation.Policy,`
`119`	`121`	`}); err != nil {`
`120`	`122`	`return fmt.Errorf("(associationID: %s, roleARN: %s): %w", updateConfig.AssociationID, roleARN, err)`
`121`	`123`	`}`
`@@ -200,10 +202,11 @@ func (r *RoleUpdateValidator) ValidateRoleUpdate(pia api.PodIdentityAssociation,`
`200`	`202`	`RoleARN: pia.RoleARN,`
`201`	`203`	`TargetRoleARN: pia.TargetRoleARN,`
`202`	`204`	`DisableSessionTags: pia.DisableSessionTags,`
	`205`	`+ Policy: pia.Policy,`
`203`	`206`	`}`
`204`	`207`
`205`	`208`	`if !reflect.DeepEqual(pia, podIDWithCrossAccountFields) {`
`206`		`- return errors.New("only namespace, serviceAccountName and roleARN can be specified if the role was not created by eksctl")`
	`209`	`+ return errors.New("only namespace, serviceAccountName, roleARN and policy can be specified if the role was not created by eksctl")`
`207`	`210`	`}`
`208`	`211`	`}`
`209`	`212`	`return nil`
Original file line number	Diff line number	Diff line change
`@@ -249,3 +249,7 @@ func ErrUnsupportedManagedFlag(flag string) error {`
`249`	`249`	`func ErrUnsupportedNameArg() error {`
`250`	`250`	`return errors.New("name argument is not supported")`
`251`	`251`	`}`
	`252`	`+`
	`253`	`+func ErrDisableSessionTagsMustBeSet() error {`
	`254`	`+ return errors.New("--disable-session-tags must be set to true when using --policy")`
	`255`	`+}`