IAM roles for service accounts
- Applications in a pod’s containers can use an AWS SDK or the AWS CLI to make API requests to AWS services using AWS Identity and Access Management (IAM) permissions. Applications must sign their AWS API requests with AWS credentials. IAM roles for service accounts (IRSA) provide a way to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances.
- Instead of creating and distributing long-lived AWS credentials to the containers, or letting pods use the Amazon EC2 node’s instance role, you associate an IAM role with a Kubernetes service account and configure your pods to use that service account. The node instance role is shared by every pod scheduled on the node, so any pod on it gets the union of those permissions; with IRSA each workload gets only the role bound to its own service account, and the credentials are short-lived STS tokens obtained via AssumeRoleWithWebIdentity rather than static keys.
HOW TO enable IAM roles for service accounts
step 1: Creating an IAM OIDC provider for your cluster – You only complete this procedure once for each cluster. The cluster’s OIDC issuer URL is registered as an IAM identity provider so that IAM can validate the service account tokens the cluster issues.
step 2: Configuring a Kubernetes service account to assume an IAM role – Complete this procedure for each unique set of permissions that you want an application to have. The role’s trust policy must restrict the `sub` claim to the exact `system:serviceaccount:<namespace>:<name>` pair; a trust policy without that condition can be assumed by any service account in the cluster.
step 3: Configuring pods to use a Kubernetes service account – Complete this procedure for each pod that needs access to AWS services, by setting `serviceAccountName` in the pod spec.
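The three steps above as one script. This is an added example, not a script from the AWS documentation or the blog post referenced below. The cluster name `demo`, region `us-east-1`, namespace `app`, service account `s3-reader`, role name `demo-s3-reader`, the managed policy used and the account ID `111122223333` are all assumptions. By default it only generates and checks the artifacts (trust policy, ServiceAccount and Pod manifests) so it runs offline; set `IRSA_APPLY=1` to execute the real `eksctl`, `aws` and `kubectl` calls against a cluster.

```shell
#!/bin/sh
# Added example: IRSA setup in three steps. Dry-run unless IRSA_APPLY=1.
set -eu

# Step 1 (once per cluster): register the cluster's OIDC issuer as an IAM
# identity provider. eksctl does this in a single call.
irsa_create_oidc_provider() {
  eksctl utils associate-iam-oidc-provider --cluster "$1" --region "$2" --approve
}

# The "hostpath" form of the issuer (URL without scheme) is what appears in the
# trust policy's condition keys and the provider ARN.
irsa_oidc_hostpath() {
  printf '%s\n' "${1#https://}"
}

# Step 2: trust policy for the role. The "sub" condition pins the role to ONE
# namespace/service-account pair; "aud" must be sts.amazonaws.com. Leaving out
# "sub" would let every service account in the cluster assume the role.
irsa_trust_policy() {
  account="$1"; hostpath="$2"; namespace="$3"; sa="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::${account}:oidc-provider/${hostpath}" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "${hostpath}:aud": "sts.amazonaws.com",
        "${hostpath}:sub": "system:serviceaccount:${namespace}:${sa}"
      }
    }
  }]
}
EOF
}

# Returns 0 only if a trust policy (on stdin) carries a "sub" condition that
# names a specific service account. Used as a pre-flight check before create-role.
irsa_trust_policy_is_scoped() {
  grep -q '"[^"]*:sub": *"system:serviceaccount:[^:"]*:[^"]*"'
}

# Step 2 (cont.): the annotation is what the EKS pod identity webhook reads to
# inject AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE and the projected token volume.
irsa_service_account_manifest() {
  namespace="$1"; sa="$2"; role_arn="$3"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${namespace}
  annotations:
    eks.amazonaws.com/role-arn: ${role_arn}
EOF
}

# Step 3: a pod opts in simply by naming the service account; no credentials
# appear in the pod spec. The image and command are placeholders.
irsa_pod_manifest() {
  namespace="$1"; sa="$2"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${sa}-check
  namespace: ${namespace}
spec:
  serviceAccountName: ${sa}
  containers:
  - name: cli
    image: public.ecr.aws/aws-cli/aws-cli
    command: ["aws", "sts", "get-caller-identity"]   # should print the assumed role
EOF
}

# Runs the real thing. Needs eksctl, aws, kubectl and an authenticated session.
irsa_apply() {
  cluster="$1"; region="$2"; namespace="$3"; sa="$4"; role="$5"; policy_arn="$6"
  irsa_create_oidc_provider "$cluster" "$region"
  issuer=$(aws eks describe-cluster --name "$cluster" --region "$region" \
             --query 'cluster.identity.oidc.issuer' --output text)
  account=$(aws sts get-caller-identity --query Account --output text)
  hostpath=$(irsa_oidc_hostpath "$issuer")
  irsa_trust_policy "$account" "$hostpath" "$namespace" "$sa" > trust.json
  irsa_trust_policy_is_scoped < trust.json || { echo "refusing unscoped trust policy" >&2; exit 1; }
  aws iam create-role --role-name "$role" --assume-role-policy-document file://trust.json
  aws iam attach-role-policy --role-name "$role" --policy-arn "$policy_arn"
  irsa_service_account_manifest "$namespace" "$sa" "arn:aws:iam::${account}:role/${role}" | kubectl apply -f -
  irsa_pod_manifest "$namespace" "$sa" | kubectl apply -f -
}

if [ "${IRSA_APPLY:-0}" = "1" ]; then
  irsa_apply demo us-east-1 app s3-reader demo-s3-reader \
    arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
fi
```

Once the pod is running, `kubectl logs s3-reader-check -n app` should show an `Arn` of the form `arn:aws:iam::<account>:role/demo-s3-reader/...` rather than the node instance role; if it shows the node role, the webhook did not mutate the pod, which usually means the service account annotation or the namespace is wrong.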
Reference: “Introducing fine-grained IAM roles for service accounts” (AWS blog post).