diff --git a/doc/changelog.rst b/doc/changelog.rst
index ebd796116e..89d3f2fdde 100644
--- a/doc/changelog.rst
+++ b/doc/changelog.rst
@@ -4,15 +4,20 @@ Changelog
 Changes in Version 4.3.3
 ------------------------
 
-Version 4.3.3 documents support for :ref:`CSFLE on-demand credentials` for cloud KMS providers, and fixes the following bugs:
+Version 4.3.3 documents support for the following:
 
+- :ref:`CSFLE on-demand credentials` for cloud KMS providers.
+- Authentication support for :ref:`EKS Clusters`.
+- Added the :ref:`timeout-example` example page to improve the documentation
+  for :func:`pymongo.timeout`.
+
+Bug Fixes
+.........
 - Fixed a performance regression in :meth:`~gridfs.GridFSBucket.download_to_stream`
   and :meth:`~gridfs.GridFSBucket.download_to_stream_by_name` by reading in chunks
   instead of line by line (`PYTHON-3502`_).
 - Improved performance of :meth:`gridfs.grid_file.GridOut.read` and
   :meth:`gridfs.grid_file.GridOut.readline` (`PYTHON-3508`_).
-- Added the :ref:`timeout-example` example page to improve the documentation
-  for :func:`pymongo.timeout`.
 
 Issues Resolved
 ...............
diff --git a/doc/examples/authentication.rst b/doc/examples/authentication.rst
index 862ac40db2..a984d17fc0 100644
--- a/doc/examples/authentication.rst
+++ b/doc/examples/authentication.rst
@@ -311,6 +311,7 @@ A sample URI would be::
 .. note:: The access_key_id, secret_access_key, and session_token passed into
           the URI MUST be `percent escaped`_.
 
+
 AWS Lambda (Environment Variables)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -331,6 +332,23 @@ for the access key ID, secret access key, and session token, respectively::
           PyMongo will use credentials set via the environment variables.
           These environment variables MUST NOT be `percent escaped`_.
 
+
+.. _EKS Clusters:
+
+EKS Clusters
+~~~~~~~~~~~~
+
+Applications using the `Authenticating users for your cluster from an OpenID Connect identity provider <https://docs.aws.amazon.com/eks/latest/userguide/authenticate-oidc-identity-provider.html>`_ capability on EKS can now
+use the provided credentials, by giving the associated IAM User
+`sts:AssumeRoleWithWebIdentity <https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html>`_
+permission.
+
+When the username and password are not provided, the MONGODB-AWS mechanism
+is set, and ``AWS_WEB_IDENTITY_TOKEN_FILE``, ``AWS_ROLE_ARN``, and
+optional ``AWS_ROLE_SESSION_NAME`` are available, the driver will use
+an ``AssumeRoleWithWebIdentity`` call to retrieve temporary credentials.
+The application must be using ``pymongo_auth_aws`` >= 1.1.0 for EKS support.
+
 ECS Container
 ~~~~~~~~~~~~~