Use IRSA with the AWS SDK - Amazon EKS

Use IRSA with the AWS SDK

Using the credentials

To use the credentials from IAM roles for service accounts, your code can use any AWS SDK to create a client for an AWS service with an SDK, and by default the SDK searches in a chain of locations for AWS Identity and Access Management credentials to use. The IAM roles for service accounts credentials will be used if you don’t specify a credential provider when you create the client or otherwise initialized the SDK.

This works because IAM roles for service accounts have been added as a step in the default credential chain. If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an IAM roles for service accounts for the same workload.

The SDK automatically exchanges the service account OIDC token for temporary credentials from AWS Security Token Service by using the AssumeRoleWithWebIdentity action. Amazon EKS and this SDK action continue to rotate the temporary credentials by renewing them before they expire.

When using IAM roles for service accountsIAM roles for service accounts, the containers in your Pods must use an AWS SDK version that supports assuming an IAM role through an OpenID Connect web identity token file. Make sure that you’re using the following versions, or later, for your AWS SDK:

Many popular Kubernetes add-ons, such as the Cluster Autoscaler, the Route internet traffic with AWS Load Balancer ControllerRoute internet traffic with AWS Load Balancer Controller, and the Configure Amazon VPC CNI plugin to use IRSAAmazon VPC CNI plugin for Kubernetes support IAM roles for service accounts.

To ensure that you’re using a supported SDK, follow the installation instructions for your preferred SDK at Tools to Build on AWS when you build your containers.