Assign IAM Role to Pod without kube2iam

  • This feature is GA on EKS for Kubernetes 1.13 and later.
  • This feature is supported by Terraform since v2.28.0.
  • This feature is supported by the Terraform EKS module since v6.0.1.


Walkthrough Example

  • The example below gives a pod read-only access to S3.
  • An IAM role carries one or more IAM policies and is bound to a Kubernetes service account; the pod runs under that service account, so the pod inherits the role's IAM policies.

# --approve applies the change; without it eksctl only prints the plan
eksctl create iamserviceaccount \
  --name my-serviceaccount \
  --namespace default \
  --cluster irptest \
  --attach-policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess \
  --approve

[ℹ] 1 task: { 2 sequential sub-tasks: { create addon stack “eksctl-irptest-addon-iamsa-default-my-serviceaccount”, create ServiceAccount:default/my-serviceaccount } }

Advantages of using IAM roles vs AWS Keys

  • Least privilege — By using the IAM roles for service accounts feature, you no longer need to provide extended permissions to the worker node IAM role so that pods on that node can call AWS APIs. You can scope IAM permissions to a service account, and only pods that use that service account have access to those permissions. This feature also eliminates the need for third-party solutions such as kiam or kube2iam.
  • Credential isolation — A container can only retrieve credentials for the IAM role that is associated with the service account to which it belongs. A container never has access to credentials that are intended for another container that belongs to another pod.
  • Auditability — Access and event logging is available through CloudTrail to help ensure retrospective auditing.
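The walkthrough and the "least privilege" and "credential isolation" points above both rest on one artifact: the role's trust policy, which pins the `sub` claim of the pod's projected service-account token to exactly one namespace/name. The block below is an added example, not code from the post or from eksctl; it shows the shape of that trust policy, the ServiceAccount annotation that the EKS pod identity webhook reads, and a small audit helper that flags trust policies broader than a single service account. The account id and OIDC provider id are constructed placeholders, and the exact policy eksctl generates may differ in detail.

```python
"""Added example (not from the original post): the IRSA trust policy,
the annotated ServiceAccount, and an audit check for over-broad trust.

Constructed placeholders below; replace with your cluster's real values.
"""
import json

ACCOUNT_ID = "111122223333"  # placeholder, not from the post
OIDC_ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCPROVIDERID"  # placeholder
S3_READ_ONLY = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"  # from the post


def trust_policy(namespace: str, service_account: str) -> dict:
    """IAM role trust policy that lets ONLY the given Kubernetes service
    account assume the role through the cluster's OIDC provider.

    The token's `sub` claim is `system:serviceaccount:<namespace>:<name>`;
    pinning it here is what gives per-pod credential isolation."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_ISSUER}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{OIDC_ISSUER}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{OIDC_ISSUER}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def service_account_manifest(namespace: str, name: str, role_arn: str) -> dict:
    """ServiceAccount carrying the annotation the EKS pod identity webhook
    uses to inject AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE into pods."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {"eks.amazonaws.com/role-arn": role_arn},
        },
    }


def overly_broad_subjects(policy: dict) -> list:
    """Audit helper: list reasons a trust policy admits more than one
    specific service account (no `sub` condition, wildcard `sub`, or a
    `sub` not of the form system:serviceaccount:<ns>:<name>)."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        subs = {}
        for op in ("StringEquals", "StringLike"):
            for key, val in cond.get(op, {}).items():
                if key.endswith(":sub"):
                    subs[op] = val
        if not subs:
            findings.append(f"statement {i}: no :sub condition, any identity "
                            f"issued by the provider can assume the role")
            continue
        for op, val in subs.items():
            for v in (val if isinstance(val, list) else [val]):
                parts = v.split(":")
                pinned = (len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]
                          and "*" not in v and "?" not in v)
                if not pinned:
                    findings.append(f"statement {i}: {op} sub={v!r} is not "
                                    f"pinned to one service account")
    return findings


if __name__ == "__main__":
    policy = trust_policy("default", "my-serviceaccount")
    print(json.dumps(policy, indent=2))
    role_arn = f"arn:aws:iam::{ACCOUNT_ID}:role/my-serviceaccount-role"  # placeholder
    print(json.dumps(service_account_manifest("default", "my-serviceaccount", role_arn), indent=2))
    print("findings:", overly_broad_subjects(policy))
```

Run the audit helper over the trust policies of roles in your account (for example the output of `aws iam get-role`); any finding means a pod in another namespace, or any pod at all, could assume that role, which defeats the isolation property the post describes.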

Abdennour Toumi