Grant an EKS pod IAM access to S3
WHAT IT TESTS: secure workload identity. OUTLINE: IRSA maps a service account to an IAM role via the cluster OIDC provider, and pods exchange a projected token for short-lived STS credentials. RED FLAG: hardcoding keys or sharing the node profile.
WHAT IT TESTS: whether you can grant pod-level AWS access without long-lived secrets. ANSWER OUTLINE: use IAM Roles for Service Accounts (IRSA). Every EKS cluster exposes an OIDC issuer; register it as an IAM OIDC identity provider, then create an IAM role whose trust policy allows sts:AssumeRoleWithWebIdentity from that provider, with conditions pinning the token audience to sts.amazonaws.com and the subject to system:serviceaccount:<namespace>:<service-account>. Attach an S3 policy to the role, annotate the Kubernetes service account with eks.amazonaws.com/role-arn, and run the pod under that service account. The EKS pod identity webhook (a mutating admission webhook) then mounts a projected service-account token at /var/run/secrets/eks.amazonaws.com/serviceaccount/token and sets AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE, so the AWS SDK's default credential chain exchanges the token with STS for short-lived credentials with no keys stored anywhere. RED FLAG: baking access keys into images or config maps, reusing the node instance profile for every pod (any pod can then reach the node role through the instance metadata service), or writing a trust policy with no sub condition, which lets every service account in the cluster assume the role. Caveat worth stating: also restrict pods' access to IMDS (hop limit of 1 or a network policy), otherwise a pod whose SDK fails over from IRSA silently picks up the node role.
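The trust policy and service-account wiring described above, as an added example that is not from the original page: it builds the scoped trust policy and the annotated ServiceAccount, and lints a trust policy for the red-flag shape (OIDC provider trusted with no sub condition, or a wildcard sub). The account ID, OIDC issuer, namespace and names are made-up placeholders; the constructed OVERBROAD_POLICY is a sample input, not a policy taken from any real account.

```python
import json

# Added example. Builds an IRSA trust policy and ServiceAccount manifest scoped
# to one namespace/service account, and lints a trust policy for over-broad
# trust. All identifiers below (account id, OIDC issuer id, namespace, names)
# are made-up placeholders.

# Path where the EKS pod identity webhook mounts the projected token.
TOKEN_PATH = "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"


def irsa_trust_policy(account_id, oidc_issuer, namespace, service_account):
    """Trust policy for an IAM role that only the given Kubernetes service
    account may assume through the cluster's OIDC identity provider."""
    issuer = oidc_issuer[len("https://"):] if oidc_issuer.startswith("https://") else oidc_issuer
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    # aud: the token must have been minted for STS, not for the API server
                    f"{issuer}:aud": "sts.amazonaws.com",
                    # sub: exactly this namespace and service account, no wildcard
                    f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                }
            },
        }],
    }


def service_account_manifest(namespace, name, role_arn):
    """Kubernetes ServiceAccount carrying the annotation the webhook keys on."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {"eks.amazonaws.com/role-arn": role_arn},
        },
    }


def trust_policy_findings(policy):
    """Return a list of problems found in an IRSA trust policy (empty if clean)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        subs, auds = [], []
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, value in pairs.items():
                values = value if isinstance(value, list) else [value]
                if key.endswith(":sub"):
                    subs.extend((operator, v) for v in values)
                elif key.endswith(":aud"):
                    auds.extend(values)
        if not subs:
            findings.append("missing :sub condition: any service account behind this "
                            "OIDC provider can assume the role")
        for operator, value in subs:
            if "*" in value:
                findings.append(f"wildcard in :sub {value!r} ({operator}): more than one "
                                "service account can assume the role")
        if "sts.amazonaws.com" not in auds:
            findings.append("missing :aud condition pinning sts.amazonaws.com")
    return findings


# Constructed sample of the red-flag policy: the OIDC provider is trusted and
# the audience is pinned, but no :sub condition restricts which pod qualifies.
_ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{_ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{_ISSUER}:aud": "sts.amazonaws.com"}},
    }],
}

if __name__ == "__main__":
    good = irsa_trust_policy("123456789012", f"https://{_ISSUER}", "payments", "s3-reader")
    print(json.dumps(good, indent=2))
    sa = service_account_manifest("payments", "s3-reader", "arn:aws:iam::123456789012:role/payments-s3-reader")
    print(json.dumps(sa, indent=2))
    print("scoped policy findings:", trust_policy_findings(good))
    print("overbroad policy findings:", trust_policy_findings(OVERBROAD_POLICY))
```

Once the role and annotated service account exist, a pod using that service account needs no AWS configuration at all: the webhook injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE, and boto3 or any other AWS SDK picks them up from its default credential chain. Run the lint in CI against every IRSA trust policy so a missing or wildcard sub condition is caught before it reaches an account.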
- #aws
- #eks
- #kubernetes
- #iam
- #security