
πŸ” Secure S3 Access from EKS Pod using IRSA (IAM Roles for Service Accounts)

To securely give your microservice in Amazon EKS access to S3 without using access keys or secret keys, use IAM Roles for Service Accounts (IRSA). This method enables your pod to assume an IAM role with defined permissions via a Kubernetes service account, eliminating the need to hardcode credentials.


✅ Step-by-Step Guide to Configure IRSA for S3 Access

📌 1. Enable OIDC Provider for Your EKS Cluster

First, associate your EKS cluster with an IAM OIDC provider:

eksctl utils associate-iam-oidc-provider \
  --region <your-region> \
  --cluster <your-cluster-name> \
  --approve

📌 2. Create an IAM Policy for S3 Access

Define a policy that grants access to the required S3 bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}

Save this to a file (e.g., s3-access-policy.json) and create the policy via AWS CLI:

aws iam create-policy \
  --policy-name S3AccessForMyApp \
  --policy-document file://s3-access-policy.json

📌 3. Create IAM Role & Kubernetes Service Account with Policy

Create the Kubernetes service account and attach the IAM policy:

eksctl create iamserviceaccount \
  --name s3-access-sa \
  --namespace your-namespace \
  --cluster <your-cluster-name> \
  --attach-policy-arn arn:aws:iam::<account-id>:policy/S3AccessForMyApp \
  --approve \
  --override-existing-serviceaccounts

This command creates:

  • A Kubernetes service account (s3-access-sa)
  • An IAM role linked to it
  • An OIDC trust relationship for secure role assumption

📌 4. Annotate the Kubernetes Deployment

Update your deployment YAML so the pods run under the new service account (the IAM role annotation lives on the service account itself, so the deployment only needs to reference it):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-microservice
spec:
  replicas: 1
  selector:
    matchLabels:
      app: your-microservice
  template:
    metadata:
      labels:
        app: your-microservice
    spec:
      serviceAccountName: s3-access-sa
      containers:
        - name: your-container
          image: your-image

📌 5. Use AWS SDK Without Keys

Your application can now use the AWS SDK (e.g., boto3, aws-sdk) and it will automatically assume the IAM role via the pod's service account; there is no need to set AWS credentials manually. Under the hood, the EKS pod-identity webhook injects the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables plus a projected service account token into the pod, and the SDK's default credential chain exchanges that token for temporary credentials with STS AssumeRoleWithWebIdentity.
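The usual reason the SDK still falls back to node or instance credentials is that the pod was not mutated by the webhook (missing annotation, pod created before the service account existed). The following diagnostic, added here and not part of this page or of the eksctl/AWS tooling, can be run inside the pod to confirm the IRSA variables are present and the projected token is bound to the expected service account; it assumes the namespace your-namespace and service account s3-access-sa from the steps above.

```python
import base64
import json
import time

# Variables the EKS pod-identity webhook injects when the pod's service
# account carries the eks.amazonaws.com/role-arn annotation.
IRSA_ENV_VARS = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")
STS_AUDIENCE = "sts.amazonaws.com"


def decode_token_claims(token):
    """Return the JWT payload WITHOUT verifying the signature: STS checks it
    against the cluster's OIDC keys, this is a pod-side diagnostic only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1]  # unpadded base64url; restore padding before decoding
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_irsa_token(token, namespace, service_account, now=None):
    """Return a list of problems; empty means the token is bound to the expected
    service account, addressed to STS and not yet expired."""
    claims = decode_token_claims(token)
    problems = []
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    if claims.get("sub") != expected_sub:
        problems.append(f"sub is {claims.get('sub')!r}, expected {expected_sub!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if STS_AUDIENCE not in aud:
        problems.append(f"aud {aud!r} does not include {STS_AUDIENCE!r}")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token is expired")
    return problems


def check_pod_environment(environ, namespace, service_account):
    """Run inside the pod with os.environ: checks the webhook injected the IRSA
    variables and the projected token is bound to the expected service account."""
    missing = [v for v in IRSA_ENV_VARS if v not in environ]
    if missing:
        return ["missing " + ", ".join(missing) + ": annotation or webhook not applied"]
    with open(environ["AWS_WEB_IDENTITY_TOKEN_FILE"]) as f:
        return check_irsa_token(f.read().strip(), namespace, service_account)


def unsigned_sample_token(claims):
    # Constructed, unsigned token for offline demonstration only; a real
    # projected token is RS256-signed by the cluster's OIDC issuer.
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."
```

Inside the pod, `check_pod_environment(dict(os.environ), "your-namespace", "s3-access-sa")` returning an empty list means the role assumption path is wired up; any other result names the mismatch.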


🔒 Production-Ready Security Tips

  • ✅ Use least-privilege policies (s3:GetObject, s3:PutObject, etc.).
  • ✅ Restrict access to specific buckets and prefixes.
  • ✅ Rotate IAM roles if compromise is suspected.
  • ✅ Audit with AWS CloudTrail for all assumed role actions.

🎯 Summary

IRSA is production-grade, secure, and fully managed by AWS. It is the best practice to provide AWS service access to applications running inside EKS without exposing any static credentials.
