Pod AWS Permissions (Node Role vs IRSA)

What it is: How a Pod gets permissions to call AWS APIs (S3, DynamoDB, etc.).

What it’s for:

• Enforce least privilege for each workload.

Two common models:

1) Node IAM Role (EC2 Instance Profile)

• Pods inherit permissions indirectly because AWS credentials come from the node.
• Problem: any Pod on that node may gain broad permissions → not least privilege.

2) IRSA (Recommended)

• Pod uses a specific Kubernetes Service Account.
• That service account is mapped to an IAM Role.
• Pod receives temporary credentials via STS and can only do what that role allows.

Exam cues:

• “UI Pods only DynamoDB, data Pods only S3” → IRSA with separate service accounts.

Hard words:

• *inherit* /ɪnˈherɪt/: thừa hưởng
• *temporary credentials* /ˈtɛmpəˌrɛri krəˈdɛnʃəlz/: thông tin tạm thời
• *mapped* /mæpt/: ánh xạ
• *least privilege* /liːst ˈprɪvəlɪdʒ/: cấp đúng quyền cần thiết