From b266cb6a81a6e49d0622f090994c426cde87d3ae Mon Sep 17 00:00:00 2001 
From: Jorge Turrado Ferrero Date: Tue, 9 Jan 2024 17:15:57 +0100 Subject: [PATCH] Add documentation about new AWS auth (#1251) Co-authored-by: Tom Kerkhove Co-authored-by: Blake Pettersson Co-authored-by: Zbynek Roubalik --- .htmltest.yml | 1 + .../2.0/authentication-providers/aws-eks.md | 2 +- .../2.0/authentication-providers/aws-kiam.md | 2 +- .../2.1/authentication-providers/aws-eks.md | 2 +- .../2.1/authentication-providers/aws-kiam.md | 2 +- .../2.10/authentication-providers/aws-eks.md | 2 +- .../2.10/authentication-providers/aws-kiam.md | 2 +- .../2.11/authentication-providers/aws-eks.md | 2 +- .../2.11/authentication-providers/aws-kiam.md | 2 +- .../2.12/authentication-providers/aws-eks.md | 2 +- .../2.12/authentication-providers/aws-kiam.md | 2 +- .../2.13/authentication-providers/aws-eks.md | 4 +- .../2.13/authentication-providers/aws-kiam.md | 4 +- .../docs/2.13/authentication-providers/aws.md | 140 ++++++++++++++++++ content/docs/2.13/scalers/aws-cloudwatch.md | 12 +- .../docs/2.13/scalers/aws-dynamodb-streams.md | 8 +- content/docs/2.13/scalers/aws-dynamodb.md | 8 +- content/docs/2.13/scalers/aws-kinesis.md | 9 +- content/docs/2.13/scalers/aws-sqs.md | 9 +- .../2.2/authentication-providers/aws-eks.md | 2 +- .../2.2/authentication-providers/aws-kiam.md | 2 +- .../2.3/authentication-providers/aws-eks.md | 2 +- .../2.3/authentication-providers/aws-kiam.md | 2 +- .../2.4/authentication-providers/aws-eks.md | 2 +- .../2.4/authentication-providers/aws-kiam.md | 2 +- .../2.5/authentication-providers/aws-eks.md | 2 +- .../2.5/authentication-providers/aws-kiam.md | 2 +- .../2.6/authentication-providers/aws-eks.md | 2 +- .../2.6/authentication-providers/aws-kiam.md | 2 +- .../2.7/authentication-providers/aws-eks.md | 2 +- .../2.7/authentication-providers/aws-kiam.md | 2 +- .../2.8/authentication-providers/aws-eks.md | 2 +- .../2.8/authentication-providers/aws-kiam.md | 2 +- .../2.9/authentication-providers/aws-eks.md | 2 +- 
.../2.9/authentication-providers/aws-kiam.md | 2 +- 35 files changed, 192 insertions(+), 55 deletions(-) create mode 100644 content/docs/2.13/authentication-providers/aws.md diff --git a/.htmltest.yml b/.htmltest.yml index fa52cc160..7d18c7a6c 100644 --- a/.htmltest.yml +++ b/.htmltest.yml @@ -4,4 +4,5 @@ CheckExternal: false IgnoreAltMissing: true IgnoreEmptyHref: true IgnoreInternalURLs: + - /docs/2.12/authentication-providers/aws/ - /docs/2.12/authentication-providers/configmap/ diff --git a/content/docs/2.0/authentication-providers/aws-eks.md b/content/docs/2.0/authentication-providers/aws-eks.md index 178119bb3..5daadfadf 100644 --- a/content/docs/2.0/authentication-providers/aws-eks.md +++ b/content/docs/2.0/authentication-providers/aws-eks.md @@ -1,5 +1,5 @@ +++ -title = "EKS Pod Identity Webhook for AWS" +title = "AWS EKS Pod Identity Webhook" +++ [**EKS Pod Identity Webhook**](https://github.com/aws/amazon-eks-pod-identity-webhook), which is described more in depth [here](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/), allows you to provide the role name using an annotation on a service account associated with your pod. diff --git a/content/docs/2.0/authentication-providers/aws-kiam.md b/content/docs/2.0/authentication-providers/aws-kiam.md index 143ffe1f4..8286484e8 100644 --- a/content/docs/2.0/authentication-providers/aws-kiam.md +++ b/content/docs/2.0/authentication-providers/aws-kiam.md @@ -1,5 +1,5 @@ +++ -title = "Kiam Pod Identity for AWS" +title = "AWS Kiam Pod Identity" +++ [**Kiam**](https://github.com/uswitch/kiam/) lets you bind an AWS IAM Role to a pod using an annotation on the pod. diff --git a/content/docs/2.1/authentication-providers/aws-eks.md b/content/docs/2.1/authentication-providers/aws-eks.md index 178119bb3..5daadfadf 100644 --- a/content/docs/2.1/authentication-providers/aws-eks.md +++ b/content/docs/2.1/authentication-providers/aws-eks.md 
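Review bot: The entry added to `IgnoreInternalURLs` in .htmltest.yml is `/docs/2.12/authentication-providers/aws/`, while the diffstat shows the page being created only under `content/docs/2.13/`. If a page does link to the 2.12 path, the link checker will now stay silent about a link that readers would find broken; which link triggers it is not visible in this patch. A comment above the two ignored entries would record why they are there and when to drop them, e.g. `# pages that exist only in the unreleased version; remove after the 2.13 release`, assuming that is the reason.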
@@ -1,5 +1,5 @@ +++ -title = "EKS Pod Identity Webhook for AWS" +title = "AWS EKS Pod Identity Webhook" +++ [**EKS Pod Identity Webhook**](https://github.com/aws/amazon-eks-pod-identity-webhook), which is described more in depth [here](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/), allows you to provide the role name using an annotation on a service account associated with your pod. diff --git a/content/docs/2.1/authentication-providers/aws-kiam.md b/content/docs/2.1/authentication-providers/aws-kiam.md index 143ffe1f4..8286484e8 100644 --- a/content/docs/2.1/authentication-providers/aws-kiam.md +++ b/content/docs/2.1/authentication-providers/aws-kiam.md @@ -1,5 +1,5 @@ +++ -title = "Kiam Pod Identity for AWS" +title = "AWS Kiam Pod Identity" +++ [**Kiam**](https://github.com/uswitch/kiam/) lets you bind an AWS IAM Role to a pod using an annotation on the pod. diff --git a/content/docs/2.10/authentication-providers/aws-eks.md b/content/docs/2.10/authentication-providers/aws-eks.md index 178119bb3..5daadfadf 100644 --- a/content/docs/2.10/authentication-providers/aws-eks.md +++ b/content/docs/2.10/authentication-providers/aws-eks.md @@ -1,5 +1,5 @@ +++ -title = "EKS Pod Identity Webhook for AWS" +title = "AWS EKS Pod Identity Webhook" +++ [**EKS Pod Identity Webhook**](https://github.com/aws/amazon-eks-pod-identity-webhook), which is described more in depth [here](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/), allows you to provide the role name using an annotation on a service account associated with your pod. diff --git a/content/docs/2.10/authentication-providers/aws-kiam.md b/content/docs/2.10/authentication-providers/aws-kiam.md index 143ffe1f4..8286484e8 100644 --- a/content/docs/2.10/authentication-providers/aws-kiam.md +++ b/content/docs/2.10/authentication-providers/aws-kiam.md 
@@ -1,5 +1,5 @@ +++ -title = "Kiam Pod Identity for AWS" +title = "AWS Kiam Pod Identity" +++ [**Kiam**](https://github.com/uswitch/kiam/) lets you bind an AWS IAM Role to a pod using an annotation on the pod. diff --git a/content/docs/2.11/authentication-providers/aws-eks.md b/content/docs/2.11/authentication-providers/aws-eks.md index 178119bb3..5daadfadf 100644 --- a/content/docs/2.11/authentication-providers/aws-eks.md +++ b/content/docs/2.11/authentication-providers/aws-eks.md @@ -1,5 +1,5 @@ +++ -title = "EKS Pod Identity Webhook for AWS" +title = "AWS EKS Pod Identity Webhook" +++ [**EKS Pod Identity Webhook**](https://github.com/aws/amazon-eks-pod-identity-webhook), which is described more in depth [here](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/), allows you to provide the role name using an annotation on a service account associated with your pod. diff --git a/content/docs/2.11/authentication-providers/aws-kiam.md b/content/docs/2.11/authentication-providers/aws-kiam.md index 143ffe1f4..8286484e8 100644 --- a/content/docs/2.11/authentication-providers/aws-kiam.md +++ b/content/docs/2.11/authentication-providers/aws-kiam.md @@ -1,5 +1,5 @@ +++ -title = "Kiam Pod Identity for AWS" +title = "AWS Kiam Pod Identity" +++ [**Kiam**](https://github.com/uswitch/kiam/) lets you bind an AWS IAM Role to a pod using an annotation on the pod. diff --git a/content/docs/2.12/authentication-providers/aws-eks.md b/content/docs/2.12/authentication-providers/aws-eks.md index 178119bb3..5daadfadf 100644 --- a/content/docs/2.12/authentication-providers/aws-eks.md +++ b/content/docs/2.12/authentication-providers/aws-eks.md 
@@ -1,5 +1,5 @@ +++ -title = "EKS Pod Identity Webhook for AWS" +title = "AWS EKS Pod Identity Webhook" +++ [**EKS Pod Identity Webhook**](https://github.com/aws/amazon-eks-pod-identity-webhook), which is described more in depth [here](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/), allows you to provide the role name using an annotation on a service account associated with your pod. diff --git a/content/docs/2.12/authentication-providers/aws-kiam.md b/content/docs/2.12/authentication-providers/aws-kiam.md index 143ffe1f4..8286484e8 100644 --- a/content/docs/2.12/authentication-providers/aws-kiam.md +++ b/content/docs/2.12/authentication-providers/aws-kiam.md @@ -1,5 +1,5 @@ +++ -title = "Kiam Pod Identity for AWS" +title = "AWS Kiam Pod Identity" +++ [**Kiam**](https://github.com/uswitch/kiam/) lets you bind an AWS IAM Role to a pod using an annotation on the pod. diff --git a/content/docs/2.13/authentication-providers/aws-eks.md b/content/docs/2.13/authentication-providers/aws-eks.md index 178119bb3..51ae83327 100644 --- a/content/docs/2.13/authentication-providers/aws-eks.md +++ b/content/docs/2.13/authentication-providers/aws-eks.md @@ -1,9 +1,11 @@ +++ -title = "EKS Pod Identity Webhook for AWS" +title = "AWS EKS Pod Identity Webhook" +++ [**EKS Pod Identity Webhook**](https://github.com/aws/amazon-eks-pod-identity-webhook), which is described more in depth [here](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/), allows you to provide the role name using an annotation on a service account associated with your pod. +> ⚠️ **WARNING:** [`aws-eks` auth has been deprecated](https://github.com/kedacore/keda/discussions/5343) and support for it will be removed from KEDA on v3. We strongly encourage the migration to [`aws` auth](./aws.md). + You can tell KEDA to use EKS Pod Identity Webhook via `podIdentity.provider`. ```yaml 
diff --git a/content/docs/2.13/authentication-providers/aws-kiam.md b/content/docs/2.13/authentication-providers/aws-kiam.md index 143ffe1f4..a37939bab 100644 --- a/content/docs/2.13/authentication-providers/aws-kiam.md +++ b/content/docs/2.13/authentication-providers/aws-kiam.md @@ -1,9 +1,11 @@ +++ -title = "Kiam Pod Identity for AWS" +title = "AWS Kiam Pod Identity" +++ [**Kiam**](https://github.com/uswitch/kiam/) lets you bind an AWS IAM Role to a pod using an annotation on the pod. +> ⚠️ **WARNING:** `aws-kiam` auth has been deprecated given [AWS KIAM is no longer maintained](https://github.com/uswitch/kiam/#-%EF%B8%8Fthis-project-is-now-being-abandoned-%EF%B8%8F-). As a result, [support for it will be removed from KEDA on v2.15](https://github.com/kedacore/keda/discussions/5342). We strongly encourage the migration to [`aws` auth](./aws.md). + You can tell KEDA to use Kiam via `podIdentity.provider`. ```yaml diff --git a/content/docs/2.13/authentication-providers/aws.md b/content/docs/2.13/authentication-providers/aws.md new file mode 100644 index 000000000..c78d64b10 --- /dev/null +++ b/content/docs/2.13/authentication-providers/aws.md 
@@ -0,0 +1,140 @@ ++++ +title = "AWS (IRSA) Pod Identity Webhook" ++++ + +[**AWS IAM Roles for Service Accounts (IRSA) Pod Identity Webhook**](https://github.com/aws/amazon-eks-pod-identity-webhook) ([documentation](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/)) allows you to provide the role name using an annotation on a service account associated with your pod. + +You can tell KEDA to use AWS Pod Identity Webhook via `podIdentity.provider`. + +```yaml +podIdentity: + provider: aws + roleArn: # Optional. + identityOwner: keda|workload # Optional. If not set, 'keda' is default value. Mutually exclusive with 'roleArn' (if set) +``` + +**Parameter list:** + +- `roleArn` - Role ARN to be used by KEDA. If not set the IAM role which the KEDA operator uses will be used. Mutually exclusive with `identityOwner: workload` +- `identityOwner` - Owner of the identity to be used. (Values: `keda`, `workload`, Default: `keda`, Optional) + +> ⚠️ **NOTE:** `podIdentity.roleArn` and `podIdentity.identityOwner` are mutually exclusive, setting both is not supported. + +## How to use + +AWS IRSA will give access to pods with service accounts having appropriate annotations. ([official docs](https://aws.amazon.com/es/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/)) You can set these annotations on the KEDA Operator service account. + +This can be done for you during deployment with Helm with the following flags: + +1. `--set podIdentity.aws.irsa.enabled=true` +2. `--set podIdentity.aws.irsa.roleArn={aws-arn-role}` + +You can override the default KEDA operator IAM role by specifying an `roleArn` parameter under the `podIdentity` field. This allows end-users to use different roles to access various resources which allows for more granular access than having a single IAM role that has access to multiple resources. 
+ +If you would like to use the same IAM credentials as your workload is currently using, `podIdentity.identityOwner` can be set with the value `workload` and KEDA will inspect the workload service account to check if IRSA annotation is there and KEDA will assume that role. + +## AssumeRole or AssumeRoleWithWebIdentity? + +This authentication uses automatically both, doing a fallback from [AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) to [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) if the first one fails. This extends the capabilities because KEDA doesn't need `sts:AssumeRole` permission if you are already working with [WebIdentities](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html), you just need to add KEDA service account to the trusted relations of the role. + +## Setting up KEDA role and policy + +The [official AWS docs](https://aws.amazon.com/es/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/) explain how to set up a a basic configuration for an IRSA role. The policy changes depend if you are using the KEDA role (`podIdentity.roleArn` is not set) or workload role (`podIdentity.roleArn` sets a RoleArn or `podIdentity.identityOwner` sets to `workload`). + +### Using KEDA role to access infrastructure + +This is the easiest case and you just need to attach to KEDA's role the desired policy/policies, granting the access permissions that you want to provide. For example, this could be a policy to use with SQS: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "sqs:GetQueueAttributes", + "Resource": "arn:aws:sqs:*:YOUR_ACCOUNT:YOUR_QUEUE" + } + ] +} +``` + +### Using KEDA role to assume workload role using AssumeRoleWithWebIdentity +In this case, KEDA will use its own (k8s) service account to assume workload role (and to use workload's role attached policies). 
This scenario requires that KEDA service account is trusted for requesting the role using AssumeRoleWithWebIdentity. + +This is an example of how role policy could look like: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + ... YOUR WORKLOAD TRUSTED RELATION ... + }, + { + "Effect": "Allow", + "Principal": { + "Federated": "YOUR_OIDC_ARN" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "YOUR_OIDC:sub": "system:serviceaccount:keda:keda-operator", + "YOUR_OIDC:aud": "sts.amazonaws.com" + } + } + } + ] +} +``` + +### Using KEDA role to assume workload role using AssumeRole + +In this case, KEDA will use its own role to assume the workload role (and to use workload's role attached policies). This scenario is a bit more complex because we need to establish a trusted relationship between both roles and we need to grant to KEDA's role the permission to assume other roles. + +This is an example of how KEDA's role policy could look like: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Resource": [ + "arn:aws:iam::ACCOUNT_1:role/ROLE_NAME" + ] + }, + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Resource": [ + "arn:aws:iam::ACCOUNT_2:role/*" + ] + } + ] +} +``` +This can be extended so that KEDA can assume multiple workload roles, either as an explicit array of role ARNs, or with a wildcard. +This policy attached to KEDA's role will allow KEDA to assume other roles, now you have to allow the workload roles you want to use all allow to being assumed by the KEDA operator role. To achieve this, you have to add a trusted relation to the workload role: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + // Your already existing relations + "Sid": "", + "Effect": "Allow", + // ... 
+ }, + { + "Sid": "", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::ACCOUNT:role/KEDA_ROLE_NAME" + }, + "Action": "sts:AssumeRole" + } + ] +} +``` diff --git a/content/docs/2.13/scalers/aws-cloudwatch.md b/content/docs/2.13/scalers/aws-cloudwatch.md index 9ee6b891a..1f46b03f0 100644 --- a/content/docs/2.13/scalers/aws-cloudwatch.md +++ b/content/docs/2.13/scalers/aws-cloudwatch.md @@ -34,7 +34,8 @@ triggers: awsAccessKeyIDFromEnv: AWS_ACCESS_KEY_ID # default AWS_ACCESS_KEY_ID # Optional: AWS Secret Access Key, can use TriggerAuthentication as well awsSecretAccessKeyFromEnv: AWS_SECRET_ACCESS_KEY # default AWS_SECRET_ACCESS_KEY - identityOwner: pod | operator # Optional. Default: pod + # DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in v3. Optional # Optional. Default: pod + identityOwner: pod | operator # Optional: Collection Time metricCollectionTime: "300" # default 300 # Optional: Metric Statistic 
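Review bot: The KEDA role policy example in the new aws.md section "Using KEDA role to assume workload role using AssumeRole" lists `arn:aws:iam::ACCOUNT_2:role/*` as a resource, and the sentence after it offers a wildcard as an equal alternative to an explicit list without saying what the wildcard costs. With that statement the operator role may call `sts:AssumeRole` on every role in the account, so the only remaining control is each target role's trust policy, and any role that trusts the whole account becomes reachable from KEDA. I would add a caveat after the example, for instance `Prefer an explicit list of role ARNs; a wildcard lets the KEDA operator assume any role in that account whose trust policy admits it.` Separately, the two trust-policy examples are fenced as `json` but contain `...` and `//` comment lines, so a reader who pastes them into IAM gets a parse error; a sentence saying the placeholders must be removed would help.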
@@ -57,8 +58,7 @@ triggers: - `dimensionValue` - Supports specifying multiple dimension values by using ";" as a separator i.e. dimensionValue: queue1;queue2 (Optional, Required when `expression` is not specified) - `expression` - Supports query with [expression](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-metrics-insights-querylanguage.html) (Optional, Required when `dimensionName` & `dimensionValue` are not specified) -- `identityOwner` - Receive permissions for CloudWatch via Pod Identity or from the KEDA operator itself (see below). (Values: `pod`, `operator`, Default: `pod`, Optional) - +- `identityOwner` - Receive permissions for CloudWatch via Pod Identity or from the KEDA operator itself (see below). (DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in version `3`, Values: `pod`, `operator`, Default: `pod`, Optional, This field only applies for `aws-eks` and `aws-kiam` authentications) > When `identityOwner` set to `operator` - the only requirement is that the KEDA operator has the correct IAM permissions on the CloudWatch. Additional Authentication Parameters are not required. - `metricCollectionTime` - How long in the past (seconds) should the scaler check AWS Cloudwatch. Used to define **StartTime** ([official documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricData.html)). The value of `metricCollectionTime` must be greater than the `metricStatPeriod`, providing a value which is a multiple of the `metricStatPeriod` can improve performance on fetching data from Cloudwatch. In practice setting `metricCollectionTime` 2-to-3 times more than the `metricStatPeriod` value can make sure the scaler is able to get data points back from Cloudwatch, the scaler will always use the most up-to-date datapoint if more datapoints are returned. (Default: `300`, Optional) 
@@ -72,17 +72,15 @@ triggers: ### Authentication Parameters -> These parameters are relevant only when `identityOwner` is set to `pod`. - You can use `TriggerAuthentication` CRD to configure authentication by providing either a role ARN or a set of IAM credentials. **Pod identity based authentication:** -- `podIdentity.provider` - Needs to be set to either `aws-kiam` or `aws-eks` on the `TriggerAuthentication` and the pod/service account must be configured correctly for your pod identity provider. +- `podIdentity.provider` - Needs to be set the `TriggerAuthentication` and the pod/service account must be configured correctly for your pod identity provider. **Role based authentication:** -- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. +- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. (This field is deprecated only applies for `aws-eks` and `aws-kiam` authentications, for `aws` is set in the auth) **Credential based authentication:** diff --git a/content/docs/2.13/scalers/aws-dynamodb-streams.md b/content/docs/2.13/scalers/aws-dynamodb-streams.md index 31f12013d..0d2f9aa4a 100644 --- a/content/docs/2.13/scalers/aws-dynamodb-streams.md +++ b/content/docs/2.13/scalers/aws-dynamodb-streams.md @@ -22,7 +22,7 @@ triggers: tableName: myTableName # Optional targetValue shardCount: "2" - # Optional. Default: pod + # DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in v3. Optional # Optional. Default: pod identityOwner: pod | operator ``` 
@@ -33,14 +33,12 @@ triggers: - `tableName` - The target DynamoDB table to which the stream belongs. - `shardCount` - The target value that a DynamoDB streams consumer can handle. (Default: `2`, Optional) - `activationShardCount` - Target value for activating the scaler. Learn more about activation [here](./../concepts/scaling-deployments.md#activating-and-scaling-thresholds).(Default: `0`, Optional) -- `identityOwner` - Receive permissions on the DynamoDB and DynamoDB Streams via Pod Identity or from the KEDA operator itself (see below). (Values: `pod`, `operator`, Default: `pod`, Optional) +- `identityOwner` - Receive permissions on the DynamoDB and DynamoDB Streams via Pod Identity or from the KEDA operator itself (see below). (DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in version `3`, Values: `pod`, `operator`, Default: `pod`, Optional, This field only applies for `aws-eks` and `aws-kiam` authentications) > When `identityOwner` set to `operator` - the only requirement is that the KEDA operator has the correct IAM permissions on the DynamoDB and Dynamodb Streams. Additional Authentication Parameters are not required. ### Authentication Parameters -> These parameters are relevant only when `identityOwner` is set to `pod`. - You can use `TriggerAuthentication` CRD to configure the authenticate by providing either a role ARN or a set of IAM credentials. **Pod identity based authentication:** @@ -49,7 +47,7 @@ You can use `TriggerAuthentication` CRD to configure the authenticate by providi **Role based authentication:** -- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. +- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. (This field is deprecated only applies for `aws-eks` and `aws-kiam` authentications, for `aws` is set in the auth) **Credential based authentication:** 
diff --git a/content/docs/2.13/scalers/aws-dynamodb.md b/content/docs/2.13/scalers/aws-dynamodb.md index e7a7ceb37..dc6471782 100644 --- a/content/docs/2.13/scalers/aws-dynamodb.md +++ b/content/docs/2.13/scalers/aws-dynamodb.md @@ -30,7 +30,7 @@ triggers: keyConditionExpression: "#k = :key" # Required: expressionAttributeValues expressionAttributeValues: '{ ":key" : {"S":"partition_key_target_value"}}' - # Optional. Default: pod + # DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in v3. Optional # Optional. Default: pod identityOwner: pod | operator ``` @@ -45,14 +45,12 @@ triggers: - `expressionAttributeNames` - one or more substitution tokens for attribute names in an expression. Defined as JSON. - `keyConditionExpression` - the condition that specifies the key values for items to be retrieved by the Query action. - `expressionAttributeValues` - one or more values that can be substituted in an expression. Defined as JSON. -- `identityOwner` - Receive permissions on the DynamoDB Table via Pod Identity or from the KEDA operator itself (see below). (Values: `pod`, `operator`, Default: `pod`, Optional) +- `identityOwner` - Receive permissions on the DynamoDB Table via Pod Identity or from the KEDA operator itself (see below). (DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in version `3`, Values: `pod`, `operator`, Default: `pod`, Optional, This field only applies for `aws-eks` and `aws-kiam` authentications) > When `identityOwner` set to `operator` - the only requirement is that the KEDA operator has the correct IAM permissions on the DynamoDB Table. Additional Authentication Parameters are not required. ### Authentication Parameters -> These parameters are relevant only when `identityOwner` is set to `pod`. - You can use `TriggerAuthentication` CRD to configure the authenticate by providing either a role ARN or a set of IAM credentials. **Pod identity based authentication:** 
@@ -61,7 +59,7 @@ You can use `TriggerAuthentication` CRD to configure the authenticate by providi **Role based authentication:** -- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. +- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. (This field is deprecated only applies for `aws-eks` and `aws-kiam` authentications, for `aws` is set in the auth) **Credential based authentication:** diff --git a/content/docs/2.13/scalers/aws-kinesis.md b/content/docs/2.13/scalers/aws-kinesis.md index b5185abbc..e1731d87e 100644 --- a/content/docs/2.13/scalers/aws-kinesis.md +++ b/content/docs/2.13/scalers/aws-kinesis.md @@ -22,7 +22,8 @@ triggers: awsEndpoint: "" # Optional: Default: 2 shardCount: "2" - identityOwner: pod | operator # Optional. Default: pod + # DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in v3. Optional # Optional. Default: pod + identityOwner: pod | operator ``` **Parameter list:** 
@@ -32,21 +33,19 @@ triggers: - `activationShardCount` - Target value for activating the scaler. Learn more about activation [here](./../concepts/scaling-deployments.md#activating-and-scaling-thresholds).(Default: `0`, Optional) - `awsRegion` - AWS Region for the Kinesis Stream. - `awsEndpoint` - Endpoint URL to override the default AWS endpoint. (Default: `""`, Optional) -- `identityOwner` - Receive permissions on the Kinesis Stream via Pod Identity or from the KEDA operator itself (see below). (Values: `pod`, `operator`, Default: `pod`, Optional) +- `identityOwner` - Receive permissions on the Kinesis Stream via Pod Identity or from the KEDA operator itself (see below). (DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in version `3`, Values: `pod`, `operator`, Default: `pod`, Optional, This field only applies for `aws-eks` and `aws-kiam` authentications) > When `identityOwner` set to `operator` - the only requirement is that the KEDA operator has the correct IAM permissions on the Kinesis Stream. Additional Authentication Parameters are not required. ### Authentication Parameters -> These parameters are relevant only when `identityOwner` is set to `pod`. - You can use `TriggerAuthentication` CRD to configure the authenticate by providing either a role ARN or a set of IAM credentials, or use other [KEDA supported authentication methods](https://keda.sh/concepts/authentication). #### Delegate auth with TriggerAuthentication **Role based authentication:** -- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. +- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. (This field is deprecated only applies for `aws-eks` and `aws-kiam` authentications, for `aws` is set in the auth) **Credential based authentication:** diff --git a/content/docs/2.13/scalers/aws-sqs.md b/content/docs/2.13/scalers/aws-sqs.md index 91e187a85..49d26ef61 100644 --- a/content/docs/2.13/scalers/aws-sqs.md 
+++ b/content/docs/2.13/scalers/aws-sqs.md @@ -22,7 +22,8 @@ triggers: awsRegion: "eu-west-1" # Optional: awsEndpoint awsEndpoint: "" - identityOwner: pod | operator # Optional. Default: pod + # DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in v3. Optional # Optional. Default: pod + identityOwner: pod | operator ``` @@ -39,14 +40,12 @@ triggers: - `scaleOfDelayed` - Indication of whether or not to include delayed messages when calculating the number of SQS messages. (default: false, Optional) - `awsRegion` - AWS Region for the SQS Queue. - `awsEndpoint` - Endpoint URL to override the default AWS endpoint. (Default: `""`, Optional) -- `identityOwner` - Receive permissions on the SQS Queue via Pod Identity or from the KEDA operator itself (see below). (Values: `pod`, `operator`, Default: `pod`, Optional) +- `identityOwner` - Receive permissions on the SQS Queue via Pod Identity or from the KEDA operator itself (see below). (DEPRECATED: This parameter is deprecated as of KEDA v2.13 and will be removed in version `3`, Values: `pod`, `operator`, Default: `pod`, Optional, This field only applies for `aws-eks` and `aws-kiam` authentications) > When `identityOwner` set to `operator` - the only requirement is that the KEDA operator has the correct IAM permissions on the SQS queue. Additional Authentication Parameters are not required. ### Authentication Parameters -> These parameters are relevant only when `identityOwner` is set to `pod`. - You can use `TriggerAuthentication` CRD to configure the authenticate by providing either a role ARN or a set of IAM credentials. **Pod identity based authentication:** 
@@ -55,7 +54,7 @@ You can use `TriggerAuthentication` CRD to configure the authenticate by providi **Role based authentication:** -- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. +- `awsRoleArn` - Amazon Resource Names (ARNs) uniquely identify AWS resource. (This field is deprecated only applies for `aws-eks` and `aws-kiam` authentications, for `aws` is set in the auth) **Credential based authentication:** diff --git a/content/docs/2.2/authentication-providers/aws-eks.md b/content/docs/2.2/authentication-providers/aws-eks.md index 178119bb3..5daadfadf 100644 --- a/content/docs/2.2/authentication-providers/aws-eks.md +++ b/content/docs/2.2/authentication-providers/aws-eks.md @@ -1,5 +1,5 @@ +++ -title = "EKS Pod Identity Webhook for AWS" +title = "AWS EKS Pod Identity Webhook" +++ [**EKS Pod Identity Webhook**](https://github.com/aws/amazon-eks-pod-identity-webhook), which is described more in depth [here](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/), allows you to provide the role name using an annotation on a service account associated with your pod. diff --git a/content/docs/2.2/authentication-providers/aws-kiam.md b/content/docs/2.2/authentication-providers/aws-kiam.md index 143ffe1f4..8286484e8 100644 --- a/content/docs/2.2/authentication-providers/aws-kiam.md +++ b/content/docs/2.2/authentication-providers/aws-kiam.md @@ -1,5 +1,5 @@ +++ -title = "Kiam Pod Identity for AWS" +title = "AWS Kiam Pod Identity" +++ [**Kiam**](https://github.com/uswitch/kiam/) lets you bind an AWS IAM Role to a pod using an annotation on the pod. diff --git a/content/docs/2.3/authentication-providers/aws-eks.md b/content/docs/2.3/authentication-providers/aws-eks.md index 178119bb3..5daadfadf 100644 --- a/content/docs/2.3/authentication-providers/aws-eks.md +++ b/content/docs/2.3/authentication-providers/aws-eks.md 
@@ -1,5 +1,5 @@ +++ -title = "EKS Pod Identity Webhook for AWS" +title = "AWS EKS Pod Identity Webhook" +++ [**EKS Pod Identity Webhook**](https://github.com/aws/amazon-eks-pod-identity-webhook), which is described more in depth [here](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/), allows you to provide the role name using an annotation on a service account associated with your pod. diff --git a/content/docs/2.3/authentication-providers/aws-kiam.md b/content/docs/2.3/authentication-providers/aws-kiam.md index 143ffe1f4..8286484e8 100644 --- a/content/docs/2.3/authentication-providers/aws-kiam.md +++ b/content/docs/2.3/authentication-providers/aws-kiam.md @@ -1,5 +1,5 @@ +++ -title = "Kiam Pod Identity for AWS" +title = "AWS Kiam Pod Identity" +++ [**Kiam**](https://github.com/uswitch/kiam/) lets you bind an AWS IAM Role to a pod using an annotation on the pod. diff --git a/content/docs/2.4/authentication-providers/aws-eks.md b/content/docs/2.4/authentication-providers/aws-eks.md index 178119bb3..5daadfadf 100644 --- a/content/docs/2.4/authentication-providers/aws-eks.md +++ b/content/docs/2.4/authentication-providers/aws-eks.md @@ -1,5 +1,5 @@ +++ -title = "EKS Pod Identity Webhook for AWS" +title = "AWS EKS Pod Identity Webhook" +++ [**EKS Pod Identity Webhook**](https://github.com/aws/amazon-eks-pod-identity-webhook), which is described more in depth [here](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/), allows you to provide the role name using an annotation on a service account associated with your pod. diff --git a/content/docs/2.4/authentication-providers/aws-kiam.md b/content/docs/2.4/authentication-providers/aws-kiam.md index 143ffe1f4..8286484e8 100644 --- a/content/docs/2.4/authentication-providers/aws-kiam.md +++ b/content/docs/2.4/authentication-providers/aws-kiam.md 
@@ -1,5 +1,5 @@
 +++
-title = "Kiam Pod Identity for AWS"
+title = "AWS Kiam Pod Identity"
 +++
 [**Kiam**](https://github.com/uswitch/kiam/) lets you bind an AWS IAM Role to a pod using an annotation on the pod.
diff --git a/content/docs/2.5/authentication-providers/aws-eks.md b/content/docs/2.5/authentication-providers/aws-eks.md
index 178119bb3..5daadfadf 100644
--- a/content/docs/2.5/authentication-providers/aws-eks.md
+++ b/content/docs/2.5/authentication-providers/aws-eks.md
@@ -1,5 +1,5 @@
 +++
-title = "EKS Pod Identity Webhook for AWS"
+title = "AWS EKS Pod Identity Webhook"
 +++
 [**EKS Pod Identity Webhook**](https://github.com/aws/amazon-eks-pod-identity-webhook), which is described more in depth [here](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/), allows you to provide the role name using an annotation on a service account associated with your pod.
diff --git a/content/docs/2.5/authentication-providers/aws-kiam.md b/content/docs/2.5/authentication-providers/aws-kiam.md
index 143ffe1f4..8286484e8 100644
--- a/content/docs/2.5/authentication-providers/aws-kiam.md
+++ b/content/docs/2.5/authentication-providers/aws-kiam.md
@@ -1,5 +1,5 @@
 +++
-title = "Kiam Pod Identity for AWS"
+title = "AWS Kiam Pod Identity"
 +++
 [**Kiam**](https://github.com/uswitch/kiam/) lets you bind an AWS IAM Role to a pod using an annotation on the pod.
diff --git a/content/docs/2.6/authentication-providers/aws-eks.md b/content/docs/2.6/authentication-providers/aws-eks.md
index 178119bb3..5daadfadf 100644
--- a/content/docs/2.6/authentication-providers/aws-eks.md
+++ b/content/docs/2.6/authentication-providers/aws-eks.md
@@ -1,5 +1,5 @@
 +++
-title = "EKS Pod Identity Webhook for AWS"
+title = "AWS EKS Pod Identity Webhook"
 +++
 [**EKS Pod Identity Webhook**](https://github.com/aws/amazon-eks-pod-identity-webhook), which is described more in depth [here](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/), allows you to provide the role name using an annotation on a service account associated with your pod.
diff --git a/content/docs/2.6/authentication-providers/aws-kiam.md b/content/docs/2.6/authentication-providers/aws-kiam.md
index 143ffe1f4..8286484e8 100644
--- a/content/docs/2.6/authentication-providers/aws-kiam.md
+++ b/content/docs/2.6/authentication-providers/aws-kiam.md
@@ -1,5 +1,5 @@
 +++
-title = "Kiam Pod Identity for AWS"
+title = "AWS Kiam Pod Identity"
 +++
 [**Kiam**](https://github.com/uswitch/kiam/) lets you bind an AWS IAM Role to a pod using an annotation on the pod.
diff --git a/content/docs/2.7/authentication-providers/aws-eks.md b/content/docs/2.7/authentication-providers/aws-eks.md
index 178119bb3..5daadfadf 100644
--- a/content/docs/2.7/authentication-providers/aws-eks.md
+++ b/content/docs/2.7/authentication-providers/aws-eks.md
@@ -1,5 +1,5 @@
 +++
-title = "EKS Pod Identity Webhook for AWS"
+title = "AWS EKS Pod Identity Webhook"
 +++
 [**EKS Pod Identity Webhook**](https://github.com/aws/amazon-eks-pod-identity-webhook), which is described more in depth [here](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/), allows you to provide the role name using an annotation on a service account associated with your pod.
diff --git a/content/docs/2.7/authentication-providers/aws-kiam.md b/content/docs/2.7/authentication-providers/aws-kiam.md
index 143ffe1f4..8286484e8 100644
--- a/content/docs/2.7/authentication-providers/aws-kiam.md
+++ b/content/docs/2.7/authentication-providers/aws-kiam.md
@@ -1,5 +1,5 @@
 +++
-title = "Kiam Pod Identity for AWS"
+title = "AWS Kiam Pod Identity"
 +++
 [**Kiam**](https://github.com/uswitch/kiam/) lets you bind an AWS IAM Role to a pod using an annotation on the pod.
diff --git a/content/docs/2.8/authentication-providers/aws-eks.md b/content/docs/2.8/authentication-providers/aws-eks.md
index 178119bb3..5daadfadf 100644
--- a/content/docs/2.8/authentication-providers/aws-eks.md
+++ b/content/docs/2.8/authentication-providers/aws-eks.md
@@ -1,5 +1,5 @@
 +++
-title = "EKS Pod Identity Webhook for AWS"
+title = "AWS EKS Pod Identity Webhook"
 +++
 [**EKS Pod Identity Webhook**](https://github.com/aws/amazon-eks-pod-identity-webhook), which is described more in depth [here](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/), allows you to provide the role name using an annotation on a service account associated with your pod.
diff --git a/content/docs/2.8/authentication-providers/aws-kiam.md b/content/docs/2.8/authentication-providers/aws-kiam.md
index 143ffe1f4..8286484e8 100644
--- a/content/docs/2.8/authentication-providers/aws-kiam.md
+++ b/content/docs/2.8/authentication-providers/aws-kiam.md
@@ -1,5 +1,5 @@
 +++
-title = "Kiam Pod Identity for AWS"
+title = "AWS Kiam Pod Identity"
 +++
 [**Kiam**](https://github.com/uswitch/kiam/) lets you bind an AWS IAM Role to a pod using an annotation on the pod.
diff --git a/content/docs/2.9/authentication-providers/aws-eks.md b/content/docs/2.9/authentication-providers/aws-eks.md
index 178119bb3..5daadfadf 100644
--- a/content/docs/2.9/authentication-providers/aws-eks.md
+++ b/content/docs/2.9/authentication-providers/aws-eks.md
@@ -1,5 +1,5 @@
 +++
-title = "EKS Pod Identity Webhook for AWS"
+title = "AWS EKS Pod Identity Webhook"
 +++
 [**EKS Pod Identity Webhook**](https://github.com/aws/amazon-eks-pod-identity-webhook), which is described more in depth [here](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/), allows you to provide the role name using an annotation on a service account associated with your pod.
diff --git a/content/docs/2.9/authentication-providers/aws-kiam.md b/content/docs/2.9/authentication-providers/aws-kiam.md
index 143ffe1f4..8286484e8 100644
--- a/content/docs/2.9/authentication-providers/aws-kiam.md
+++ b/content/docs/2.9/authentication-providers/aws-kiam.md
@@ -1,5 +1,5 @@
 +++
-title = "Kiam Pod Identity for AWS"
+title = "AWS Kiam Pod Identity"
 +++
 [**Kiam**](https://github.com/uswitch/kiam/) lets you bind an AWS IAM Role to a pod using an annotation on the pod.