
IRSA

OIDC

Create an IAM OIDC provider for your cluster

https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html

Create the Policy

Create a policy with the desired permissions for the Kubernetes application

Generate Policy Script

Create the role

Create a role with that policy and this trust relationship

You can use the following script

Generate Trust Relationship Script

Annotation

Add the following annotation to the service account that needs the permissions

eks.amazonaws.com/role-arn: THE-CREATED-ROLE-ARN

  • Create and associate IAM Role

https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html
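As an added example (not part of this page or its scripts), a Python helper that builds the role's trust relationship from the cluster's OIDC issuer URL, produces the annotated ServiceAccount, and checks that the trust policy's `sub` condition is pinned to exactly one namespace and service account. The account ID, issuer URL, namespace and service account names are constructed sample values.

```python
from urllib.parse import urlparse

# Constructed sample values (not from the page); use your account ID and the
# cluster's issuer from `aws eks describe-cluster --query cluster.identity.oidc.issuer`.
ACCOUNT_ID = "111122223333"
OIDC_ISSUER_URL = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"


def irsa_trust_policy(account_id, oidc_issuer_url, namespace, service_account):
    """IAM trust relationship for an IRSA role, as a dict ready for json.dumps().

    Provider ARN and condition keys come from the issuer URL minus its scheme.
    The `sub` condition pins the role to one service account in one namespace
    and `aud` to tokens minted for STS, so no other pod can assume the role.
    """
    url = urlparse(oidc_issuer_url)
    if url.scheme != "https" or not url.netloc:
        raise ValueError("OIDC issuer must be an https URL: %r" % oidc_issuer_url)
    issuer = url.netloc + url.path.rstrip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{issuer}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def trust_policy_is_scoped(policy):
    """False if any statement lacks an exact `:sub` match or wildcards it;
    such a trust policy lets every service account in the cluster assume the role."""
    for stmt in policy.get("Statement", []):
        subs = [v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()
                if k.endswith(":sub")]
        if not subs or any("*" in s for s in subs):
            return False
    return True


def service_account_manifest(name, namespace, role_arn):
    """ServiceAccount carrying the eks.amazonaws.com/role-arn annotation from the page."""
    return {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": name, "namespace": namespace,
                         "annotations": {"eks.amazonaws.com/role-arn": role_arn}}}
```

Feed `json.dumps(irsa_trust_policy(...))` to `aws iam create-role --assume-role-policy-document` and apply the manifest with kubectl; run `trust_policy_is_scoped` over existing roles to find ones any pod could assume.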