AWS Solutions Architect · Lesson

IAM Roles for Service Accounts (IRSA)

Bind fine-grained IAM roles to Kubernetes service accounts with IRSA so pods can access AWS services without node-level permissions.

The Pod IAM Problem

When a pod running in EKS needs to call an AWS API — for example, read from S3 or write to DynamoDB — it needs AWS credentials. The naive approach is to create an IAM user and hard-code its access keys as environment variables, or to let pods rely on the node's instance role. Both approaches are insecure and violate the principle of least privilege: hard-coded keys are long-lived secrets, and a node-level role is shared by all pods on the same node. IAM Roles for Service Accounts (IRSA) solves this by binding fine-grained IAM roles directly to Kubernetes service accounts.

How IRSA Works: OIDC Federation

IRSA works through OpenID Connect (OIDC) federation. EKS creates an OIDC provider for your cluster. When a pod references a service account annotated with an IAM role ARN, EKS injects a signed projected service account token into the pod. The AWS SDK in the pod exchanges this token for temporary AWS credentials using AWS STS's AssumeRoleWithWebIdentity API — no long-lived keys required.

# View the OIDC issuer URL for your cluster
aws eks describe-cluster \
  --name my-cluster \
  --query 'cluster.identity.oidc.issuer' \
  --output text

# Example output:
# https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEIDSTRING
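The following Python is an added example, not code from the lesson. It builds the IAM trust policy that pins a role to exactly one Kubernetes service account through the OIDC issuer shown above (the account id 123456789012 is a placeholder), and audits an existing trust policy for the common mistake of a missing or wildcarded sub condition, which would let any pod in the cluster assume the role.

```python
# Constructed values for this example: the issuer is the lesson's sample
# output, the account id is a placeholder.
ISSUER_URL = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEIDSTRING"
ACCOUNT_ID = "123456789012"


def build_trust_policy(issuer_url, account_id, namespace, sa_name):
    """Trust policy allowing only one service account to assume the role.
    The provider host (issuer minus the scheme) appears in the federated
    principal ARN and prefixes the token claims the conditions match on."""
    host = issuer_url.split("://", 1)[-1]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{host}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                # sub pins the role to one namespace/service-account pair
                f"{host}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
                # aud ensures the token was minted for STS, not another audience
                f"{host}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def _values(v):
    # IAM condition values may be a single string or a list of strings
    return v if isinstance(v, list) else [v]


def audit_trust_policy(policy):
    """Return findings for statements that let more than the intended
    service account assume the role via AssumeRoleWithWebIdentity."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = st.get("Condition", {})
        matchers = {**cond.get("StringEquals", {}), **cond.get("StringLike", {})}
        subs = [x for k, v in matchers.items() if k.endswith(":sub") for x in _values(v)]
        auds = [x for k, v in matchers.items() if k.endswith(":aud") for x in _values(v)]
        if not subs:
            findings.append(f"statement {i}: no :sub condition, any service account may assume the role")
        for s in subs:
            parts = s.split(":")  # expected: system:serviceaccount:<namespace>:<name>
            if len(parts) != 4 or "*" in parts[2] or not parts[2]:
                findings.append(f"statement {i}: sub {s!r} is not pinned to a single namespace")
        if "sts.amazonaws.com" not in auds:
            findings.append(f"statement {i}: no :aud condition for sts.amazonaws.com")
    return findings
```

A service-account-level wildcard inside one namespace (system:serviceaccount:team-a:*) passes the audit by design; tighten the check if your policy requires one role per service account.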
