Help improve this page
Want to contribute to this user guide? Scroll to the bottom of this page and select Edit this page on GitHub. Your contributions will help make our user guide better for everyone.
Use IRSA with the AWS SDK
Using the credentials
To use the credentials from IAM roles for service accounts, your code can use any AWS SDK to create a client for an AWS service with an SDK, and by default the SDK searches in a chain of locations for AWS Identity and Access Management credentials to use. The IAM roles for service accounts credentials will be used if you don't specify a credential provider when you create the client or otherwise initialized the SDK.
This works because IAM roles for service accounts have been added as a step in the default credential chain. If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an IAM roles for service accounts for the same workload.
The SDK automatically exchanges the service account OIDC token for
temporary credentials from AWS Security Token Service by using the AssumeRoleWithWebIdentity
action. Amazon EKS and this SDK action continue to rotate the temporary credentials by renewing
them before they expire.
When using IAM roles for service accounts, the containers in your Pods must use an AWS SDK version that supports assuming an IAM role through an OpenID Connect web identity token file. Make sure that you're using the following versions, or later, for your AWS SDK:
Many popular Kubernetes add-ons, such as the Cluster
Autoscaler
To ensure that you're using a supported SDK, follow the installation instructions for your
preferred SDK at Tools to Build on AWS