From a345e1ea9fce66a6664b4e4f84113f12420ca96d Mon Sep 17 00:00:00 2001 From: Binh Nguyen <37973609+leondkr@users.noreply.github.com> Date: Fri, 2 Aug 2024 11:35:23 +0700 Subject: [PATCH] add-limitation-of-eks-addon --- docs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/README.md b/docs/README.md index f41d1bca2..6fc633e9e 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -186,7 +186,7 @@ A Pod running on AWS Fargate automatically mounts an Amazon EFS file system, wit #### Set up driver permission The driver requires IAM permission to talk to Amazon EFS to manage the volume on user's behalf. There are several methods to grant driver IAM permission: -* Using the EKS Pod Identity Add-on - [Install the EKS Pod Identity add-on to your EKS cluster](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html). This doesn't need the efs-csi-driver to be installed through EKS add-on, it can be used no matter the method of installation of the efs-csi-driver. If this installation method is used, the **AWS managed policy** ```AmazonEFSCSIDriverPolicy``` has to be added to the IAM role which will be associated with the **k8s service account** of the driver over ```--set controller.serviceAccount.name```. This [Pod Identity's IAM role trust relationship](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-association.html) is described as follows: +* Using the EKS Pod Identity Add-on - [Install the EKS Pod Identity add-on to your EKS cluster](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html). This requires the driver to be installed not through EKS add-on due to [limitation](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) of the add-ons that require IAM credentials, it can only be used with self-installation method such as via [HELM chart](https://kubernetes-sigs.github.io/aws-efs-csi-driver/). If the self-installation method is used, the **AWS managed policy** ```AmazonEFSCSIDriverPolicy``` has to be added to the IAM role which will be associated with the **k8s service account** of the driver over ```--set controller.serviceAccount.name```. This [Pod Identity's IAM role trust relationship](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-association.html) is described as follows: ```json { "Version": "2012-10-17",
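Review bot: The replacement sentence in the "Using the EKS Pod Identity Add-on" bullet reverses the previous guidance (from "it can be used no matter the method of installation" to self-installation only) without saying what the limitation actually is. The link text "limitation" points at the general pod-identities page, so a reader deciding how to grant the driver IAM permission has to search that page for the relevant restriction. Please state the restriction in one clause next to the link. The wording also needs a pass: "to be installed not through EKS add-on ..., it can only be used with self-installation method" is a comma splice and hard to parse. Something like "Pod Identity cannot be used when the driver is installed as an EKS add-on; install the driver yourself, for example with the Helm chart" would be clearer, and "HELM" should be written "Helm". Because this flips an earlier statement, it is also worth checking that no other section of docs/README.md still describes the EKS add-on installation combined with Pod Identity, and expanding the commit subject "add-limitation-of-eks-addon" into a sentence that explains why the guidance changed.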