EKS: RBAC vs IAM Permissions

What it is: The difference between Kubernetes RBAC and AWS IAM permissions.

What it’s for:

• Avoid confusing “Kubernetes permissions” with “AWS service permissions”.

RBAC (role-based access control in Kubernetes) controls:

• Access to Kubernetes API resources (Pods, Deployments, Services, Secrets, etc.)
• Example: can a user/service account list pods? create deployments?

IAM controls:

• Access to AWS APIs (S3, DynamoDB, KMS, etc.)
• Example: can a workload call `s3:GetObject` or `dynamodb:Query`?

Key exam takeaway:

• RBAC cannot restrict calls to S3/DynamoDB.
• To control AWS service access from Pods, use IRSA.

Hard words (English + IPA + Vietnamese meaning):

• *RBAC* /ˌɑːr biː eɪ ˈsiː/: kiểm soát truy cập theo vai trò (Kubernetes)
• *restrict* /rɪˈstrɪkt/: giới hạn
• *workload* /ˈwɝːkloʊd/: workload (khối chạy)