What it is: A mechanism that allows Kubernetes service accounts to assume IAM roles.

What it’s for:

• Give pods AWS permissions using least privilege.
• Avoid using node instance roles for all pods (which is too broad).

How it works (high level):

• EKS cluster has an OIDC Provider.
• A Kubernetes service account is annotated with an IAM role ARN.
• Pods using that service account receive temporary credentials via STS.

Exam cues:

• “UI pods must access only DynamoDB, data pods only S3” → separate service accounts + IRSA roles.

Hard words:

• *assume* /əˈsuːm/: nhận quyền tạm thời
• *annotate* /ˈænəteɪt/: gắn ghi chú (annotation)
• *temporary credentials* /ˈtɛmpəˌrɛri krəˈdɛnʃəlz/: thông tin tạm thời