====== EKS: RBAC vs IAM Permissions ======

**What it is:** The difference between Kubernetes RBAC and AWS IAM permissions.

**What it’s for:**
  * Avoid confusing “Kubernetes permissions” with “AWS service permissions”.

**RBAC (role-based access control in Kubernetes) controls:**
  * Access to Kubernetes API resources (Pods, Deployments, Services, Secrets, etc.)
  * Example: can a user/service account list pods? create deployments?

**IAM controls:**
  * Access to AWS APIs (S3, DynamoDB, KMS, etc.)
  * Example: can a workload call `s3:GetObject` or `dynamodb:Query`?

**Key exam takeaway:**
  * RBAC **cannot** restrict calls to S3/DynamoDB: those calls never pass through the Kubernetes API server, so RBAC is never consulted; AWS evaluates them against the IAM identity the Pod presents.
  * To control AWS service access from Pods, use [[aws:containers:eks:irsa|IRSA]].

**Hard words (English + IPA + meaning):**
  * *RBAC* /ˌɑːr biː eɪ ˈsiː/: role-based access control (Kubernetes)
  * *restrict* /rɪˈstrɪkt/: to limit
  * *workload* /ˈwɝːkloʊd/: workload (a running unit of work)
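The split in practice, as an added example that is not part of the original note: one ServiceAccount whose Kubernetes API access is set by a Role/RoleBinding and whose AWS API access is set only by the IAM role attached through the IRSA annotation. The namespace `app`, ServiceAccount `reporter`, IAM role `reporter-s3-read`, bucket `reports-bucket` and account id `111122223333` are assumed placeholders.

```yaml
# Added example, not from the original note. Placeholder names: namespace "app",
# ServiceAccount "reporter", IAM role "reporter-s3-read", AWS account 111122223333.
#
# --- Kubernetes side: RBAC decides what this identity may do against the K8s API ---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: app
rules:
  - apiGroups: [""]            # "" = core API group (pods live here)
    resources: ["pods"]
    verbs: ["get", "list"]     # may list pods; may NOT create deployments or read secrets
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: reporter-pod-reader
  namespace: app
subjects:
  - kind: ServiceAccount
    name: reporter
    namespace: app
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# --- AWS side: IAM (through IRSA) decides what the same identity may call on AWS APIs ---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: reporter
  namespace: app
  annotations:
    # IRSA: Pods using this ServiceAccount exchange their projected token for
    # credentials of this IAM role via the cluster's OIDC provider.
    # Nothing in the Role/RoleBinding above touches S3; only this role's IAM
    # permission policy does. That policy (JSON, for reference) would be:
    # {"Version":"2012-10-17","Statement":[{"Effect":"Allow",
    #   "Action":"s3:GetObject","Resource":"arn:aws:s3:::reports-bucket/*"}]}
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/reporter-s3-read
```

To confirm the Kubernetes half, `kubectl auth can-i list pods --as=system:serviceaccount:app:reporter -n app` should answer `yes` while `kubectl auth can-i create deployments ...` answers `no`; the S3 half can only be checked on the AWS side (for example with IAM policy simulation), since the cluster has no say in it.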