menu
IRSA(IAM Roles for Service Account) Explained

IRSA(IAM Roles for Service Account) Explained

3
calendar_today agoschedule2 min read
— Originally published at medium.com

One of the most common mistakes I see in Kubernetes environments is this:

A pod needs access to AWS services, so teams simply attach permissions to the EC2 worker node and call it a day.

It works.

Until one compromised pod suddenly has access to everything the node can access.

That’s when I started appreciating the beauty of IRSA (IAM Roles for Service Accounts) in Amazon EKS.

What is IRSA?

IRSA enables Kubernetes pods running in Amazon EKS to securely access AWS services using dedicated IAM roles.

Instead of storing AWS Access Keys inside Kubernetes Secrets or relying on broad node-level permissions , each workload can assume its own IAM role using a Kubernetes Service Account.

How does it work?

  1. Create an IAM Role with required permissions

  2. Configure the EKS OIDC Provider

  3. Associate the IAM Role with a Kubernetes Service Account

  4. Deploy pods using that Service Account

  5. AWS STS issues temporary credentials to the pod

  6. Pod accesses AWS services securely

No static credentials.
No credential rotation headaches.
No shared node permissions.

Why IRSA Matters

  • Eliminates AWS Access Keys from Kubernetes
  • Enforces Least-Privilege Access
  • Temporary Credentials issued by AWS STS
  • Better Auditability with CloudTrail
  • Reduced Blast Radius if a Pod is Compromised
  • Each Workload Gets Its Own Identity

IRSA vs Node IAM Roles

  • Node IAM Roles

    • All pods inherit node permissions
    • Difficult to isolate workloads
    • Larger attack surface
    • Harder to determine which workload accessed AWS resources

  • IRSA

    • Per-workload IAM permissions
    • Better security boundaries
    • Improved compliance and auditing
    • Fine-grained access control

Real-World Example

Imagine an EKS cluster running:

Payment Service → Access to DynamoDB
Reporting Service → Access to S3
Notification Service → Access to SQS

  • With Node IAM Roles, all three services could potentially access all resources.

  • With IRSA, each service receives only the permissions it actually needs.

That’s security done right.!!

"The Bigger Lesson"

Cloud security is moving away from: "Long-lived credentials" To "Identity-based access"

Whether it’s:

• IRSA in EKS
• OIDC in GitHub Actions
• Workload Identity in GCP
• Managed Identities in Azure

The future is the same:

"Stop distributing secrets. Start distributing identities."

How are you managing AWS access for Kubernetes workloads today?

🔥 Join developers growing publicly
Share your knowledge, build in public, and grow your developer presence with a global community.
Join CoderLegion

More Posts

AWS Certifications Are a Building Block, Not the Final Destination

Ijay - Jun 16

Designing a Multicloud Cellular Architecture for Blast Radius Containment

Cláudio Raposo - May 4

Implementing Cellular Redundancy: Cross-Cloud Failover with AWS Transit Gateway and Azure ExpressRou

Cláudio Raposo - May 5

Beyond the CLI: Mastering Lambda Invocation Patterns with Terraform

tuni56 - Apr 29

10 Proven Ways to Cut Your AWS Bill

rogo032 - Jan 16
chevron_left
Tapan
124 Points3 Badges
1Posts
0Comments
Cloud & DevOps Engineer passionate about Kubernetes, Infrastructure as Code, and Platform Engineerin... Show more

Related Jobs

View all jobs →

Commenters (This Week)

1 comment
1 comment

Contribute meaningful comments to climb the leaderboard and earn badges!