Assign IAM Role to Pod without kube2ami

Abdennour Toumi
2 min readSep 26, 2019

Natively, Amazon EKS Adds Support to Assign IAM Permissions to Kubernetes Service Accounts .

Binding this service account with the Pod means the Pod leverages immediately the IAM permissions.

  • This feature is GA since EKS k8s 1.13 and later.
  • This feature is adopted & implemented by Terraform since v2.28.0.
  • This feature is adopted & implemented in Terraform EKS module since v6.0.1.


Walkthrough Example

  • The example above is about allowing a pod to read-only access to S3.
  • IAM role assigns a IAM policy(ies) to a service account, + the service account is assigned to pod ==> pod leverages IAM policy
eksctl create iamserviceaccount \ 
--name my-serviceaccount \
--namespace default \
--cluster irptest \
--attach-policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess \

[ℹ] 1 task: { 2 sequential sub-tasks: { create addon stack “eksctl-irptest-addon-iamsa-default-my-serviceaccount”, create ServiceAccount:default/my-serviceaccount } }

Advantages of using IAM roles vs AWS Keys

  • Least privilege — By using the IAM roles for service accounts feature, you no longer need to provide extended permissions to the worker node IAM role so that pods on that node can call AWS APIs. You can scope IAM permissions to a service account, and only pods that use that service account have access to those permissions. This feature also eliminates the need for third-party solutions such as kiam or kube2iam.
  • Credential isolation — A container can only retrieve credentials for the IAM role that is associated with the service account to which it belongs. A container never has access to credentials that are intended for another container that belongs to another pod.
  • Auditability — Access and event logging is available through CloudTrail to help ensure retrospective auditing.


Udemy course about running EKS on production :



Abdennour Toumi

Software engineer, Cloud Architect, 5/5 AWS|GCP|PSM Certified, Owner of