@@ -280,6 +280,7 @@ Temporary credentials are used with:
280280- `EC2 instance roles <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html>`_.
281281- `ECS task roles <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html>`_.
282282- `AWS Lambda environment <https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html>`_.
283+ - `IAM roles for service accounts <https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html>`_.
283284
284285The Ruby driver allows providing both regular and temporary credentials
285286explicitly as Ruby options or URI options. If credentials are not explicitly
@@ -362,6 +363,18 @@ the specified order:
362363 a variety of AWS-related libraries and tools such as the official
363364 AWS Ruby SDK and the AWS CLI. They are also defined when running in an
364365 AWS Lambda environment.
366+ - The AWS STS `AssumeRoleWithWebIdentity action
367+ <https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html>`_.
368+ This returns credentials associated with the service account token. This mechanism
369+ requires the following environment variables to be set:
370+
371+ - ``AWS_WEB_IDENTITY_TOKEN_FILE`` - path to a file containing the service
372+ account token.
373+ - ``AWS_ROLE_ARN`` - the Amazon Resource Name (ARN) of the role that the
374+ caller is assuming.
375+ - ``AWS_ROLE_SESSION_NAME`` (optional) - An identifier for the assumed role
376+ session. If omitted, a random name will be generated by the driver.
377+
365378- The AWS `ECS task metadata endpoint
366379 <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html>`_.
367380 This returns credentials associated with the ECS task role assigned to
0 commit comments