IAM role for Service Account (IRSA) in AWS EKS
IAM role for Service Account or IRSA is a method to grant IAM permission to the Pods running on a service account in AWS EKS so that they can interact with other AWS services like storage, database, other compute services, analytics services etc.
To do this first, we need to enable the OpenID Connect Provider on the EKS cluster so that the cluster itself works as an OpenID Connect Provider. To do this we need to use the Thumbprint of Root CA for EKS OIDC, which is Valid until 2037 We also need the AWS partition information which can be fetched using the data source block.
Here I am using an existing AWS EKS cluster, used Data source blocks and Kubernetes provider block.
data "aws_eks_cluster" "testcluster" {
data "aws_eks_cluster_auth" "cluster" {
provider "kubernetes" {
host = data.aws_eks_cluster.testcluster.endpoint
cluster_ca_certificate =base64decode(data.aws_eks_cluster.testcluster.certificate_authority[0].data)
token = data.aws_eks_cluster_auth.cluster.token
variable "eks_oidc_root_ca_thumbprint" {
type = string
description = "Thumbprint of Root CA for EKS OIDC, Valid until 2037"
default = "9e99a48a9960b14926bb7f3b02e22da2b0ab7280"
data "aws_partition" "current_partition" {}
resource "aws_iam_openid_connect_provider" "oidc_provider" {
client_id_list = ["sts.${data.aws_partition.current_partition.dns_suffix}"]
thumbprint_list = [var.eks_oidc_root_ca_thumbprint]
output "aws_iam_openid_connect_provider_arn" {
value = aws_iam_openid_connect_provider.oidc_provider.arn
locals {
aws_iam_oidc_connect_provider_extract_from_arn = element(split("oidc-provider/", "${aws_iam_openid_connect_provider.oidc_provider.arn}"), 1)
Here I have extracted the OIDC Provider ARN in the Terraform locals block using element and split functions.
Next, create an IAM role and attach permissions as per your requirements. I have attached only AmazonS3ReadOnlyAccess.
I have added one condition. Using the Condition and StringEquals block I have specified the name of the service account which only can assume this role.
resource "aws_iam_role" "irsa_iam_role" {
depends_on = [ aws_iam_openid_connect_provider.oidc_provider ]
name = "mytestapp-irsa-iam-role"
Version = "2012-10-17"
Statement = [
Action = "sts:AssumeRoleWithWebIdentity"
Effect = "Allow"
Sid = ""
Principal = {
Federated= "${aws_iam_openid_connect_provider.oidc_provider.arn}"
Condition = {
StringEquals = {
"${local.aws_iam_oidc_connect_provider_extract_from_arn}:sub": "system:serviceaccount:default:mytestapp-irsa-sa"}
resource "aws_iam_role_policy_attachment" "irsa_iam_role_policy_attach1" {
policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
role = aws_iam_role.irsa_iam_role.name
Finally, created the Kubernetes service account block.
resource "kubernetes_service_account_v1" "mytestapp_irsa_sa" {
depends_on = [ aws_iam_role_policy_attachment.irsa_iam_role_policy_attach1, aws_iam_role_policy_attachment.irsa_iam_role_policy_attach2]
metadata {
name = "mytestapp-irsa-sa"
annotations = {
"eks.amazonaws.com/role-arn" = aws_iam_role.irsa_iam_role.arn
Now you can test this by creating a Kubernetes job. The pods running on the service account named mytestapp_irsa_sa can only perform a ReadOnly job on Amazon S3.
You can attach some other policies on the IAM role and test again.
