Similar to assigning an IAM role to a ec2 instance to grant access to the applications running on it to access AWS services, you can assign an IAM role to each individual k8s service.

This will allow you to get finer control and only grant the access to aws resources that the pod really needs.

Add IdentityProvider

Create OpenID Connect provider. If you create using the console, it will calculate the CA thumbprint for you.

Provider Url

Copy from the OpenID Connect Provider URL (without the protocol).



Create IAM account(s)

Crate one IAM account per service.

Create a file with the policy document for the service (e.g. my-service-policy.json):

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::1234512345:oidc-provider/"
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "": "system:serviceaccount:my_namespace:my_service"

Create the IAM role using the aws cli:

aws iam create-role \
    --region us-east-2 \
    --role-name my-service-in-namespace \
    --assume-role-policy-document file://my-service-policy.json

Assign any policies to this new IAM role that you want your service pods to be able to assume.

The arn for your the IAM role is going to look like:


where 1234512345 is your AWS account id.

Create K8s Service account

Create a service account for your service.

kubectl create sa my_service -n my_namespace

Link accounts

Annotate the k8s service account with the corresponding IAM role:

kubectl annotate sa my_service -n my_namespace

Add service account to k8 service

apiVersion: apps/v1
kind: Deployment
# ...
  # ...
      # ...
      serviceAccount: my-service


Categories: TL;DR


Leave a Reply

Avatar placeholder