====== Pod AWS Permissions (Node Role vs IRSA) ======

**What it is:** How a Pod gets permissions to call AWS APIs (S3, DynamoDB, etc.).

**What it's for:**
  * Enforce least privilege for each workload: every Pod gets only the IAM permissions its own job needs, not the permissions of its neighbours on the node.

**Two common models:**

**1) Node IAM Role (EC2 Instance Profile)**
  * The credentials belong to the node. Any process on the node, including every Pod, can fetch them from the instance metadata service (IMDS) unless that path is blocked.
  * Pods therefore inherit the node role indirectly.
  * **Problem:** the node role must be the union of everything any Pod on the node needs, so every Pod (including a compromised one) gets all of it → not least privilege. Restricting IMDS (IMDSv2 with a hop limit of 1, or a network policy) limits the exposure but does not give per-Pod permissions.

**2) IRSA (IAM Roles for Service Accounts, recommended)**
  * The Pod runs under a specific Kubernetes Service Account.
  * That service account is mapped to an IAM Role through the annotation ''eks.amazonaws.com/role-arn''. The role's trust policy trusts the cluster's OIDC provider and pins the ''sub'' claim to ''system:serviceaccount:<namespace>:<name>''.
  * EKS projects a short-lived service account token into the Pod and sets ''AWS_ROLE_ARN'' and ''AWS_WEB_IDENTITY_TOKEN_FILE''. The AWS SDK exchanges that token for **temporary credentials** via STS ''AssumeRoleWithWebIdentity''.
  * The Pod can only do what that role allows; other Pods on the same node get nothing from it.
  * **Check:** the trust policy must pin ''sub'' to one namespace and one service account (and ''aud'' to ''sts.amazonaws.com''). A trust policy with no ''sub'' condition, or a wildcard in it, lets any service account in the cluster assume the role, which is the node-role problem all over again.

**Exam cues:**
  * "UI Pods only DynamoDB, data Pods only S3" → IRSA with separate service accounts, one role each.
  * "Pods on the same node should not share AWS permissions" → IRSA, not the node instance profile.

**Hard words:**
  * *inherit* /ɪnˈherɪt/: to receive something (here, permissions) from a parent or predecessor
  * *temporary credentials* /ˈtɛmpəˌrɛri krəˈdɛnʃəlz/: short-lived access keys that expire automatically
  * *mapped* /mæpt/: linked or associated one-to-one
  * *least privilege* /liːst ˈprɪvəlɪdʒ/: grant only the permissions that are actually required
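An added example (not part of the original note) that builds the IRSA trust policy and ServiceAccount manifest for the "UI Pods only DynamoDB, data Pods only S3" case and then checks whether a trust policy is really scoped to one service account. The account ID, region, OIDC provider ID, namespaces and role names are placeholders and are assumptions, as is the finding wording; the JSON shapes of the trust policy and the ''eks.amazonaws.com/role-arn'' annotation are the real IRSA ones.

```python
"""Generate and sanity-check IRSA trust policies. Added example, not from the note."""
import json

ACCOUNT_ID = "111122223333"                   # assumption: placeholder AWS account
REGION = "us-east-1"                          # assumption
OIDC_ID = "EXAMPLED539D4633E53DE1B71EXAMPLE"  # assumption: placeholder EKS OIDC provider ID
OIDC_HOST = f"oidc.eks.{REGION}.amazonaws.com/id/{OIDC_ID}"
ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"


def trust_policy(namespace: str, service_account: str) -> dict:
    """Trust policy allowing exactly one Kubernetes ServiceAccount to assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_HOST}"},
            "Action": ASSUME_ACTION,
            "Condition": {"StringEquals": {
                # sub pins the caller to one namespace + service account
                f"{OIDC_HOST}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                # aud rejects projected tokens minted for any other audience
                f"{OIDC_HOST}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def service_account_manifest(namespace: str, name: str, role_name: str) -> dict:
    """ServiceAccount whose annotation tells the EKS webhook which role to inject."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {
                "eks.amazonaws.com/role-arn": f"arn:aws:iam::{ACCOUNT_ID}:role/{role_name}",
            },
        },
    }


def trust_policy_findings(policy: dict) -> list:
    """Return findings for a trust policy broader than one ServiceAccount.

    An empty list means every AssumeRoleWithWebIdentity statement pins both
    the sub claim (single namespace and name) and the aud claim.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if ASSUME_ACTION not in actions:
            continue
        sub_values, aud_values = [], []
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, value in pairs.items():
                values = value if isinstance(value, list) else [value]
                if key.endswith(":sub"):
                    sub_values += [(operator, v) for v in values]
                elif key.endswith(":aud"):
                    aud_values += values
        if not sub_values:
            findings.append("missing :sub condition: any ServiceAccount in the cluster can assume this role")
        for operator, sub in sub_values:
            parts = sub.split(":")  # expected form: system:serviceaccount:<namespace>:<name>
            if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
                findings.append(f"unexpected :sub value {sub!r}")
                continue
            namespace, name = parts[2], parts[3]
            wildcard = operator.startswith("StringLike")  # '*' is literal under StringEquals
            if wildcard and any(c in namespace for c in "*?"):
                findings.append(f":sub {sub!r} spans multiple namespaces")
            elif wildcard and any(c in name for c in "*?"):
                findings.append(f":sub {sub!r} spans every ServiceAccount in namespace {namespace!r}")
        if not aud_values:
            findings.append("missing :aud condition: tokens issued for other audiences are accepted")
    return findings


if __name__ == "__main__":
    # The exam-cue setup: UI pods get a DynamoDB role, data pods get an S3 role.
    for ns, sa, role in [("web", "ui-sa", "ui-dynamodb-role"), ("data", "etl-sa", "etl-s3-role")]:
        print(json.dumps(trust_policy(ns, sa), indent=2))
        print(json.dumps(service_account_manifest(ns, sa, role), indent=2))
        print("findings:", trust_policy_findings(trust_policy(ns, sa)))
```

The permissions policy attached to each role (DynamoDB actions for ''ui-dynamodb-role'', S3 actions for ''etl-s3-role'') is separate from the trust policy shown here; the trust policy decides *who* may assume the role, the permissions policy decides *what* the role may do. Run the findings check against every IRSA role's trust policy pulled from ''aws iam get-role'' to catch roles that were created with a wildcard ''sub'' for convenience.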