import { Command as $Command } from "@smithy/smithy-client"; import type { MetadataBearer as __MetadataBearer } from "@smithy/types"; import type { EKSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../EKSClient"; import type { UpdatePodIdentityAssociationRequest, UpdatePodIdentityAssociationResponse } from "../models/models_0"; /** * @public */ export type { __MetadataBearer }; export { $Command }; /** * @public * * The input for {@link UpdatePodIdentityAssociationCommand}. */ export interface UpdatePodIdentityAssociationCommandInput extends UpdatePodIdentityAssociationRequest { } /** * @public * * The output of {@link UpdatePodIdentityAssociationCommand}. */ export interface UpdatePodIdentityAssociationCommandOutput extends UpdatePodIdentityAssociationResponse, __MetadataBearer { } declare const UpdatePodIdentityAssociationCommand_base: { new (input: UpdatePodIdentityAssociationCommandInput): import("@smithy/smithy-client").CommandImpl; new (input: UpdatePodIdentityAssociationCommandInput): import("@smithy/smithy-client").CommandImpl; getEndpointParameterInstructions(): import("@smithy/middleware-endpoint").EndpointParameterInstructions; }; /** *

Updates a EKS Pod Identity association. In an update, you can change the IAM role, the target IAM role, or disableSessionTags. * You must change at least one of these in an update. An association can't be moved * between clusters, namespaces, or service accounts. If you need to edit the namespace * or service account, you need to delete the association and then create a new * association with your desired settings.

*

Similar to Amazon Web Services IAM behavior, EKS Pod Identity associations are eventually consistent, * and may take several seconds to be effective after the initial API call returns * successfully. You must design your applications to account for these potential delays. * We recommend that you don’t include association create/updates in the * critical, high-availability code paths of your application. Instead, make changes in a * separate initialization or setup routine that you run less frequently.

*

You can set a target IAM role in the same or a different * account for advanced scenarios. With a target role, EKS Pod Identity automatically performs two * role assumptions in sequence: first assuming the role in the association that is in this * account, then using those credentials to assume the target IAM role. This process * provides your Pod with temporary credentials that have the permissions defined in the * target role, allowing secure access to resources in another Amazon Web Services account.

* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript * import { EKSClient, UpdatePodIdentityAssociationCommand } from "@aws-sdk/client-eks"; // ES Modules import * // const { EKSClient, UpdatePodIdentityAssociationCommand } = require("@aws-sdk/client-eks"); // CommonJS import * // import type { EKSClientConfig } from "@aws-sdk/client-eks"; * const config = {}; // type is EKSClientConfig * const client = new EKSClient(config); * const input = { // UpdatePodIdentityAssociationRequest * clusterName: "STRING_VALUE", // required * associationId: "STRING_VALUE", // required * roleArn: "STRING_VALUE", * clientRequestToken: "STRING_VALUE", * disableSessionTags: true || false, * targetRoleArn: "STRING_VALUE", * policy: "STRING_VALUE", * }; * const command = new UpdatePodIdentityAssociationCommand(input); * const response = await client.send(command); * // { // UpdatePodIdentityAssociationResponse * // association: { // PodIdentityAssociation * // clusterName: "STRING_VALUE", * // namespace: "STRING_VALUE", * // serviceAccount: "STRING_VALUE", * // roleArn: "STRING_VALUE", * // associationArn: "STRING_VALUE", * // associationId: "STRING_VALUE", * // tags: { // TagMap * // "": "STRING_VALUE", * // }, * // createdAt: new Date("TIMESTAMP"), * // modifiedAt: new Date("TIMESTAMP"), * // ownerArn: "STRING_VALUE", * // disableSessionTags: true || false, * // targetRoleArn: "STRING_VALUE", * // externalId: "STRING_VALUE", * // policy: "STRING_VALUE", * // }, * // }; * * ``` * * @param UpdatePodIdentityAssociationCommandInput - {@link UpdatePodIdentityAssociationCommandInput} * @returns {@link UpdatePodIdentityAssociationCommandOutput} * @see {@link UpdatePodIdentityAssociationCommandInput} for command's `input` shape. * @see {@link UpdatePodIdentityAssociationCommandOutput} for command's `response` shape. * @see {@link EKSClientResolvedConfig | config} for EKSClient's `config` shape. * * @throws {@link InvalidParameterException} (client fault) *

The specified parameter is invalid. Review the available parameters for the API * request.

* * @throws {@link InvalidRequestException} (client fault) *

The request is invalid given the state of the cluster. Check the state of the cluster * and the associated operations.

* * @throws {@link ResourceNotFoundException} (client fault) *

The specified resource could not be found. You can view your available clusters with * ListClusters. You can view your available managed node groups with * ListNodegroups. Amazon EKS clusters and node groups are Amazon Web Services Region * specific.

* * @throws {@link ServerException} (server fault) *

These errors are usually caused by a server-side issue.

* * @throws {@link EKSServiceException} *

Base exception class for all service exceptions from EKS service.

* * * @public */ export declare class UpdatePodIdentityAssociationCommand extends UpdatePodIdentityAssociationCommand_base { /** @internal type navigation helper, not in runtime. */ protected static __types: { api: { input: UpdatePodIdentityAssociationRequest; output: UpdatePodIdentityAssociationResponse; }; sdk: { input: UpdatePodIdentityAssociationCommandInput; output: UpdatePodIdentityAssociationCommandOutput; }; }; }