dev-resources.site

How to Configure Pods to Enable IAM Roles for Service Accounts

Published at 1/13/2025
Author: Afzal Ansari

In this blog, we will walk through configuring Kubernetes Pods to use IAM Roles for Service Accounts (IRSA), so that applications running in your Pods can access AWS services without embedding AWS access keys. With IRSA, the Pod is given a projected Kubernetes service account token, and the AWS SDK exchanges that token for short-lived credentials by calling STS AssumeRoleWithWebIdentity against an IAM role whose trust policy is scoped to that specific service account. Credentials are therefore never stored in the image, the manifest, or a Secret, and each workload gets only the permissions its own role grants. This approach is secure, scalable, and aligns well with modern DevOps best practices.

Prerequisites
Before getting started, ensure you have the following ready:

An existing Amazon EKS cluster: If you don’t have one, follow the guide in Get started with Amazon EKS.

IAM OpenID Connect (OIDC) provider configured: Learn to create one or verify its existence by following the Create an IAM OIDC provider for your cluster guide.

AWS CLI installed: Ensure version 2.12.3 or later (CLI v2) or version 1.27.160 or later (CLI v1) is installed and configured. Check your version with:

aws --version | cut -d / -f2 | cut -d ' ' -f1
Update it if needed, following the Installing AWS CLI guide.

kubectl installed: Ensure it matches your Kubernetes version (within ±1 minor version). Follow the Set up kubectl and eksctl guide if necessary.

Step-by-Step Guide to Enable IAM Roles for Service Accounts

  1. Create an IAM Policy

First, create an IAM policy that defines the permissions required by your application. For example, if your application needs read-only access to objects in an S3 bucket, create a policy file s3-readonly-policy.json with the following content (replace my-bucket with your bucket name):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

This grants only s3:GetObject on objects under my-bucket; if the application also needs to list the bucket, add s3:ListBucket on the bucket ARN itself (arn:aws:s3:::my-bucket). Keep the policy as narrow as the workload allows, since every Pod that uses the service account will receive exactly these permissions.

Then create the policy using the AWS CLI and note the policy ARN it returns; you will attach it to the role in a later step:
aws iam create-policy --policy-name S3ReadOnlyPolicy --policy-document file://s3-readonly-policy.json

  2. Create an IAM Role for the Service Account

Using the IAM OIDC provider, create an IAM role whose trust policy trusts the OIDC provider associated with your cluster, and restrict it to a single Kubernetes service account.

First, retrieve the OIDC provider URL for your cluster (my-cluster1 below is a placeholder for your cluster name):
aws eks describe-cluster --name my-cluster1 --query "cluster.identity.oidc.issuer" --output text
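The following script is an added example, not code from the original post or from AWS. It carries the procedure above one step further than the page shows by rendering the IAM trust policy from the issuer URL returned by describe-cluster, together with the annotated ServiceAccount and a Pod that uses it. The account ID 111122223333, the namespace default, the service account my-service-account, the role my-irsa-role and the container image are assumed values. The security-relevant detail is the StringEquals condition on the provider's sub claim: it is what limits the role to one service account in one namespace. Omitting it would let any Pod in the cluster assume the role.

```shell
#!/bin/sh
# Added example (not from the original post). Renders the IRSA trust policy,
# the annotated ServiceAccount and a Pod manifest from the cluster's OIDC
# issuer URL. Assumed values: account 111122223333, namespace "default",
# service account "my-service-account", role "my-irsa-role".
set -eu

# IAM names the OIDC provider by the issuer URL with the scheme removed.
oidc_provider_id() {
  printf '%s\n' "$1" | sed -e 's#^https://##'
}

# Trust policy for the role. "sub" scopes the role to ONE service account;
# without that condition every Pod in the cluster could assume the role.
# "aud" pins the token audience to STS.
irsa_trust_policy() {
  issuer="$1"; account="$2"; namespace="$3"; sa="$4"
  provider="$(oidc_provider_id "$issuer")"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account}:oidc-provider/${provider}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${provider}:aud": "sts.amazonaws.com",
          "${provider}:sub": "system:serviceaccount:${namespace}:${sa}"
        }
      }
    }
  ]
}
EOF
}

# ServiceAccount carrying the annotation the EKS pod identity webhook looks for.
irsa_service_account() {
  namespace="$1"; sa="$2"; role_arn="$3"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${namespace}
  annotations:
    eks.amazonaws.com/role-arn: ${role_arn}
EOF
}

# Pod bound to that service account. The webhook injects AWS_ROLE_ARN,
# AWS_WEB_IDENTITY_TOKEN_FILE and the projected token volume at admission,
# so no credentials appear in the manifest.
irsa_pod() {
  namespace="$1"; name="$2"; sa="$3"; image="$4"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${name}
  namespace: ${namespace}
spec:
  serviceAccountName: ${sa}
  containers:
  - name: app
    image: ${image}
    command: ["aws", "sts", "get-caller-identity"]
EOF
}

# Creates the role, attaches the policy from step 1 and applies the manifests.
# Only runs when the script is invoked with --apply.
irsa_apply() {
  cluster="$1"; namespace="$2"; sa="$3"; role="$4"; policy_name="$5"
  account="$(aws sts get-caller-identity --query Account --output text)"
  issuer="$(aws eks describe-cluster --name "$cluster" --query "cluster.identity.oidc.issuer" --output text)"
  irsa_trust_policy "$issuer" "$account" "$namespace" "$sa" > trust-policy.json
  aws iam create-role --role-name "$role" --assume-role-policy-document file://trust-policy.json
  aws iam attach-role-policy --role-name "$role" --policy-arn "arn:aws:iam::${account}:policy/${policy_name}"
  irsa_service_account "$namespace" "$sa" "arn:aws:iam::${account}:role/${role}" | kubectl apply -f -
  irsa_pod "$namespace" irsa-demo "$sa" amazon/aws-cli | kubectl apply -f -
}

if [ "${1:-}" = "--apply" ]; then
  irsa_apply my-cluster1 default my-service-account my-irsa-role S3ReadOnlyPolicy
else
  # Offline: render the trust policy for a constructed (fake) issuer URL.
  irsa_trust_policy "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789" 111122223333 default my-service-account
fi
```

Run it with no arguments to inspect the generated trust policy; run it with --apply against a configured AWS CLI and kubectl context to create the role and deploy the Pod. Once the Pod is running, `kubectl logs irsa-demo` should show the assumed-role ARN of my-irsa-role rather than the node's instance role, which is the check that IRSA, and not the node's credentials, is in effect.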
