IRSA: How to create an IAM role for a specific ServiceAccount


    On AWS EKS you can associate an IAM role with a Kubernetes service account (IAM Roles for Service Accounts, IRSA). The role's trust policy (the assume role policy) is going to look like this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::123456789123:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/A3E2AFA46A6F0C9B37B3F4A479A00C20"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "oidc.eks.us-west-2.amazonaws.com/id/A3E2AFA46A6F0C9B37B3F4A479A00C20:sub": "system:serviceaccount:demons:demosa"
            }
          }
        }
      ]
    }

    Let's take a look at how to create this role using Terraform. The important part is the Condition block: the `sub` claim of the projected service account token must equal `system:serviceaccount:<namespace>:<name>`, so only pods running as that one service account in that one namespace can assume the role.
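    The following is an added Terraform example, not the post's own code. It assumes an EKS cluster named `demo` whose OIDC provider is already registered in IAM (so `data.aws_eks_cluster` and `data.aws_caller_identity` resolve the issuer and account ID that appear hardcoded in the policy above), that the `aws` and `kubernetes` providers are configured, and that the namespace `demons` already exists. The bucket name, role name and policy names are placeholders. The second `condition` (pinning the token audience to `sts.amazonaws.com`) is hardening added here beyond the post's policy.

```hcl
# Added example (not from the original post). Assumes: EKS cluster "demo",
# OIDC provider already created in IAM, aws + kubernetes providers configured.

data "aws_caller_identity" "current" {}

data "aws_eks_cluster" "demo" {
  name = "demo"
}

locals {
  # Issuer URL looks like
  # https://oidc.eks.us-west-2.amazonaws.com/id/A3E2AFA46A6F0C9B37B3F4A479A00C20
  oidc_issuer_url  = data.aws_eks_cluster.demo.identity[0].oidc[0].issuer
  oidc_issuer_host = replace(local.oidc_issuer_url, "https://", "")
  namespace        = "demons"
  service_account  = "demosa"
}

# Trust policy: only the token of system:serviceaccount:demons:demosa may assume the role.
data "aws_iam_policy_document" "assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type = "Federated"
      identifiers = [
        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_issuer_host}"
      ]
    }

    # Scope to exactly one namespace AND one service account name.
    # A wildcard (StringLike with "*") here would let other pods assume the role.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer_host}:sub"
      values   = ["system:serviceaccount:${local.namespace}:${local.service_account}"]
    }

    # Added hardening beyond the post's policy: require the STS audience,
    # so tokens projected for other audiences are rejected.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "demosa" {
  name               = "demosa-irsa" # placeholder name
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

# Least-privilege permissions for the workload live in a separate policy
# attached to the role; the bucket below is a placeholder.
data "aws_iam_policy_document" "demosa_permissions" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-placeholder-bucket/*"]
  }
}

resource "aws_iam_role_policy" "demosa" {
  name   = "demosa-permissions"
  role   = aws_iam_role.demosa.id
  policy = data.aws_iam_policy_document.demosa_permissions.json
}

# The annotation is what tells the EKS pod identity webhook to inject the
# role ARN and the projected token into pods using this service account.
resource "kubernetes_service_account" "demosa" {
  metadata {
    name      = local.service_account
    namespace = local.namespace
    annotations = {
      "eks.amazonaws.com/role-arn" = aws_iam_role.demosa.arn
    }
  }
}
```

    After `terraform apply`, a pod that runs with `serviceAccountName: demosa` in the `demons` namespace gets `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` injected, and the SDK exchanges the token for role credentials via `sts:AssumeRoleWithWebIdentity`. Pods in other namespaces, or using other service accounts, fail the `sub` condition and cannot assume the role, which is the whole point of scoping the trust policy this tightly.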



From pet to cattle
Treat your kubernetes clusters like cattle, not pets