====== IRSA (IAM Roles for Service Accounts) ======

**What it is:** A mechanism that lets a Kubernetes service account assume an IAM role, so the pods running as that service account get their own AWS credentials instead of inheriting the node's.

**What it's for:**
  * Give **pods** AWS permissions with least privilege: one service account, one role, one narrowly scoped IAM policy.
  * Avoid relying on the node instance role, which every pod on the node shares and which is therefore far too broad.

**How it works (high level):**
  * The EKS cluster has an [[aws:containers:eks:oidc|OIDC Provider]], registered in IAM as an identity provider.
  * The IAM role's trust policy allows sts:AssumeRoleWithWebIdentity from that provider, conditioned on the token's "sub" claim (system:serviceaccount:<namespace>:<service-account>) and "aud" claim (sts.amazonaws.com). Without the "sub" condition, any pod in the cluster could assume the role.
  * The Kubernetes service account is annotated with the IAM role ARN (annotation key eks.amazonaws.com/role-arn).
  * Pods using that service account receive a projected service account token; the AWS SDK exchanges it with STS for temporary credentials for that role.

**Exam cues:**
  * "UI pods must access only DynamoDB, data pods only S3" → separate service accounts, each annotated with its own IRSA role and a policy limited to that one service.

**Hard words:**
  * *assume* /əˈsuːm/: to take on a role's permissions temporarily
  * *annotate* /ˈænəteɪt/: to attach a note (a Kubernetes annotation)
  * *temporary credentials* /ˈtɛmpəˌrɛri krəˈdɛnʃəlz/: short-lived access key, secret key and session token

**Child pages:**
  * [[aws:containers:eks:irsa:flow|IRSA Flow (Pod → SA → IAM Role → STS)]]
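The two artifacts IRSA depends on (the role trust policy and the annotated ServiceAccount), built for the "UI pods → DynamoDB, data pods → S3" scenario, plus a small check for the trust-policy mistakes that quietly widen who can assume the role. This is an added example, not code from the original page or from AWS; the account ID, region, OIDC provider ID, namespace and service account names are placeholders chosen here:

```python
"""Added example (not from the original page): build and sanity-check the
artifacts IRSA relies on. Account ID, region, OIDC provider ID, namespace and
service account names below are hypothetical placeholders."""
import json

ACCOUNT_ID = "123456789012"
OIDC_HOST = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"


def trust_policy(namespace: str, service_account: str) -> dict:
    """IAM role trust policy that lets ONLY pods running as
    system:serviceaccount:<namespace>:<service_account> assume the role.
    The aud condition binds the token to STS; the sub condition binds it to
    exactly one Kubernetes service account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{OIDC_HOST}:aud": "sts.amazonaws.com",
                f"{OIDC_HOST}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def service_account_manifest(namespace: str, name: str, role_name: str) -> dict:
    """Kubernetes ServiceAccount carrying the IRSA annotation that EKS's pod
    identity webhook reads to inject the projected token and role ARN."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {
                "eks.amazonaws.com/role-arn": f"arn:aws:iam::{ACCOUNT_ID}:role/{role_name}",
            },
        },
    }


def trust_policy_findings(policy: dict) -> list[str]:
    """Lint a trust policy for the classic IRSA mistakes: no sub condition
    (every service account in the cluster can assume the role), a wildcard
    sub via StringLike (role shared across service accounts), or a missing
    or wrong aud condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})
        subs = {k: v for k, v in {**equals, **like}.items() if k.endswith(":sub")}
        auds = {k: v for k, v in equals.items() if k.endswith(":aud")}
        if not subs:
            findings.append("no :sub condition: any service account in the cluster can assume this role")
        for key, value in subs.items():
            if key in like and "*" in str(value):
                findings.append(f"wildcard :sub {value!r}: role is shared across service accounts")
        if not auds or any(v != "sts.amazonaws.com" for v in auds.values()):
            findings.append("missing or wrong :aud condition (expected sts.amazonaws.com)")
    return findings


# Constructed "before" policy: wildcard sub via StringLike and no aud check.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_HOST}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{OIDC_HOST}:sub": "system:serviceaccount:*:*"}},
    }],
}

if __name__ == "__main__":
    for sa, role in (("ui-sa", "ui-dynamodb-role"), ("data-sa", "data-s3-role")):
        print(json.dumps(trust_policy("web", sa), indent=2))
        print(json.dumps(service_account_manifest("web", sa, role), indent=2))
    print("broad policy:", trust_policy_findings(BROAD_POLICY))
    print("scoped policy:", trust_policy_findings(trust_policy("web", "ui-sa")))
```

The scoped policies pass the check; the broad one produces two findings. The permissions policy attached to each role (DynamoDB only, S3 only) is a separate document and is not generated here.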