Live · Laravel Cloud

Pods assume AWS roles automatically.

No static credentials. No sidecar. No eks.amazonaws.com/role-arn annotation on the service account (the IRSA pattern). Laravel Cloud now uses EKS Pod Identity with a server-side TargetRoleArn chain, so every workload pod gets temporary credentials for a customer-owned IAM role, scoped by a trust policy that admits only this specific namespace.

Your Pod
   | AWS SDK requests creds
   v
Pod Identity Agent
   | exchanges service-account token
   v
EKS Control Plane
   | chains via TargetRoleArn
   v
Customer IAM Role
   (trust policy admits this namespace only)

sts:GetCallerIdentity

Credentials resolved
Account 461958694064 (SRE Sandbox)
ARN arn:aws:sts::461958694064:assumed-role/iam-temp-creds-demo/eks-dev-use2-c-inst-a18cb-0362b144-7033-4584-b11d-793fae81c9a6
User ID AROAWXDXCISYKPTLGPAIO:eks-dev-use2-c-inst-a18cb-0362b144-7033-4584-b11d-793fae81c9a6

What just happened

  1. The AWS SDK's container credential provider reads AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE, set on the pod by the operator, and requests credentials from that URI with the projected token as its Authorization header.
  2. The Laravel Cloud operator had already created a PodIdentityAssociation for this namespace + service account, with a TargetRoleArn pointing at the customer role.
  3. The Pod Identity Agent exchanges the projected service-account token for STS credentials; EKS assumes the association role and AssumeRole-chains into the TargetRoleArn server-side, so only the final role's credentials are handed to the pod and no AssumeRole call is made from inside it.
  4. The customer role's trust policy narrows the principal to only this namespace, so no other workload in the cluster can assume it, even if an association in another namespace were pointed at the same role.
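The four steps above, modelled as an added example written for this page (not Laravel Cloud's or AWS's code): a simplified evaluator for the customer role's trust policy and the server-side chain from the association role into TargetRoleArn. The source-role ARN, the namespace value and the exact policy shape (a StringEquals condition on the kubernetes-namespace session tag that EKS Pod Identity attaches to the session) are assumptions; the customer account and role name are taken from the assumed-role ARN printed above. Real evaluation is done by IAM; this only reproduces the namespace check so the "no other workload can assume it" property can be exercised offline.

```python
import fnmatch
from dataclasses import dataclass

# Assumed identifiers (not on the page): the Laravel Cloud source role named in the
# association's RoleArn, and the tenant namespace value.
SOURCE_ROLE_ARN = "arn:aws:iam::111111111111:role/laravel-cloud-pod-identity"
TENANT_NAMESPACE = "inst-a18cb"
# Account and role name taken from the assumed-role ARN in the output above.
CUSTOMER_ROLE_ARN = "arn:aws:iam::461958694064:role/iam-temp-creds-demo"

# Illustrative trust policy for the customer role (assumed shape): trust the source
# role, but only when the session carries the kubernetes-namespace tag that EKS Pod
# Identity attaches, so an association in any other namespace cannot chain into it.
CUSTOMER_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": SOURCE_ROLE_ARN},
            "Action": ["sts:AssumeRole", "sts:TagSession"],
            "Condition": {
                "StringEquals": {"aws:PrincipalTag/kubernetes-namespace": TENANT_NAMESPACE}
            },
        }
    ],
}


@dataclass(frozen=True)
class PodIdentityAssociation:
    namespace: str
    service_account: str
    role_arn: str         # RoleArn: the role EKS assumes first
    target_role_arn: str  # TargetRoleArn: the customer role chained into server-side


@dataclass(frozen=True)
class Session:
    role_arn: str  # IAM role behind the calling session
    tags: dict     # session tags; Pod Identity sets kubernetes-namespace and others


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, tags):
    """Evaluate only the tag-based string operators this example needs."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if not key.startswith("aws:PrincipalTag/"):
                return False  # unmodelled condition key: be conservative
            actual = tags.get(key.split("/", 1)[1])
            if actual is None:
                return False  # a missing tag never satisfies a positive match
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringLike" and not any(
                fnmatch.fnmatchcase(actual, pattern) for pattern in _as_list(expected)
            ):
                return False
            if operator not in ("StringEquals", "StringLike"):
                return False
    return True


def trust_policy_admits(policy, caller, action="sts:AssumeRole"):
    """Simplified IAM logic: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        principals = _as_list(stmt["Principal"].get("AWS", []))
        if caller.role_arn not in principals or action not in _as_list(stmt["Action"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), caller.tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def chain_for_pod(assoc, pod_namespace, pod_service_account, policy=CUSTOMER_ROLE_TRUST_POLICY):
    """Model the server-side path: association lookup, AssumeRole into RoleArn with Pod
    Identity session tags, then AssumeRole into TargetRoleArn checked against the
    customer's trust policy. Returns the role the pod ends up with, or None."""
    if (assoc.namespace, assoc.service_account) != (pod_namespace, pod_service_account):
        return None  # no association for this pod: the agent has nothing to return
    source_session = Session(
        role_arn=assoc.role_arn,
        tags={
            "kubernetes-namespace": pod_namespace,
            "kubernetes-service-account": pod_service_account,
        },
    )
    if not trust_policy_admits(policy, source_session):
        return None  # AccessDenied on the chained AssumeRole: nothing reaches the pod
    return assoc.target_role_arn
```

The point the model makes: the association is Laravel Cloud's configuration, but the trust policy is the customer's, and the namespace condition holds even if an association elsewhere in the cluster names the same target role. A second check worth keeping in the real policy is that the source role also needs sts:TagSession, since the chained assume carries the Pod Identity session tags.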

Pod Environment

Hostname            inst-a18cba55-5bf7-4a75-bc83-f32ba6d6d4c0-8107-app-599cc78kqtcv
AWS_REGION          us-east-2
AWS_DEFAULT_REGION
Credentials URI     http://[fd00:ec2::23]/v1/credentials
Token file          /var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token
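How the SDK consumes the credentials URI and token file from the table, as an added example (not the AWS SDK's or Laravel Cloud's code): a re-implementation of the container credential provider's host allowlist and token handling. The HTTP call is injected as a function so the example runs offline; the agent response and the token file contents are constructed samples, and the allowlist follows the documented SDK rule for a plain-http URI (loopback, 169.254.170.2, 169.254.170.23 or fd00:ec2::23; https is accepted for any host).

```python
import ipaddress
import json
import os
import tempfile
from urllib.parse import urlsplit

# Hosts the SDKs accept for a plain-http AWS_CONTAINER_CREDENTIALS_FULL_URI besides
# loopback: the ECS agent address and the EKS Pod Identity agent addresses
# (IPv4 169.254.170.23 and IPv6 fd00:ec2::23, the one in the table above).
_ALLOWED_LINK_LOCAL = {
    ipaddress.ip_address("169.254.170.2"),
    ipaddress.ip_address("169.254.170.23"),
    ipaddress.ip_address("fd00:ec2::23"),
}


def is_permitted_credential_uri(uri: str) -> bool:
    """Apply the SDK allowlist: https anywhere, http only to loopback or the agents."""
    parts = urlsplit(uri)
    if parts.scheme == "https":
        return True
    if parts.scheme != "http" or not parts.hostname:
        return False
    try:
        host = ipaddress.ip_address(parts.hostname)  # urlsplit strips [] from IPv6 literals
    except ValueError:
        return False  # DNS names are not accepted over plain http
    return host.is_loopback or host in _ALLOWED_LINK_LOCAL


def load_container_credentials(env: dict, http_get):
    """Resolve credentials the way the container provider does.

    http_get(uri, headers) is injected so the example runs offline; in a pod this is a
    GET to the Pod Identity Agent with the projected service-account token in the
    Authorization header, and the agent answers with AccessKeyId/SecretAccessKey/
    Token/Expiration JSON.
    """
    uri = env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI")
    if not uri:
        raise LookupError("container credential provider not configured")
    if not is_permitted_credential_uri(uri):
        raise ValueError(f"refusing credential URI outside the SDK allowlist: {uri}")
    headers = {}
    token_file = env.get("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE")
    if token_file:
        with open(token_file, encoding="utf-8") as fh:
            headers["Authorization"] = fh.read().strip()
    elif env.get("AWS_CONTAINER_AUTHORIZATION_TOKEN"):
        headers["Authorization"] = env["AWS_CONTAINER_AUTHORIZATION_TOKEN"]
    body = json.loads(http_get(uri, headers))
    return {
        "access_key_id": body["AccessKeyId"],
        "secret_access_key": body["SecretAccessKey"],
        "session_token": body["Token"],
        "expiration": body["Expiration"],
    }


def demo_resolution():
    """Offline walk-through with the environment from the table above and a constructed
    agent response; returns (request details the fake agent saw, parsed credentials)."""
    seen = {}

    def fake_agent(uri, headers):
        seen.update({"uri": uri, **headers})
        # Constructed sample response in the agent's JSON shape; all values are fake.
        return json.dumps({
            "AccessKeyId": "ASIAEXAMPLE",
            "SecretAccessKey": "example-secret",
            "Token": "example-session-token",
            "Expiration": "2030-01-01T00:00:00Z",
        })

    with tempfile.NamedTemporaryFile("w", suffix="-eks-pod-identity-token", delete=False) as tok:
        tok.write("projected.sa.token\n")  # constructed stand-in for the projected JWT
        token_path = tok.name
    try:
        env = {
            "AWS_CONTAINER_CREDENTIALS_FULL_URI": "http://[fd00:ec2::23]/v1/credentials",
            "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE": token_path,
        }
        creds = load_container_credentials(env, fake_agent)
    finally:
        os.unlink(token_path)
    return seen, creds
```

The allowlist is the check worth knowing: pointing AWS_CONTAINER_CREDENTIALS_FULL_URI at an arbitrary host does not make the SDK send the projected token there. The converse also holds: any process that can read the token file and reach the agent address gets the same credentials, so inside the pod the projected token is the secret to protect.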