AWS IRSA
This page provides information on configuring IRSA (IAM Roles for Service Accounts) for Kubernetes.
AWS Service Accounts and IRSA
Service Accounts can be used to assume a configured IAM role, which provides access and permissions to AWS services. For example, if you have a Skill that calls for an S3 connection, you can use a service account in lieu of providing AWS API tokens (access key and secret key).
For details about native IAM/Service Account support read this.
Configure IRSA support
AWS documentation for setting up IRSA support is found here.
IMPORTANT
Even if you assign an IAM role to a Kubernetes service account, the pod still has the permissions assigned to the Amazon EKS node IAM role.
Create an IAM OIDC provider for your cluster – You only need to do this once for a cluster.
Create an IAM role and attach an IAM policy to it with the permissions that your service accounts need – Cortex currently supports a single Service Account, so only a single IAM Role can be assumed.
Associate an IAM role with a service account – Complete this task for each Kubernetes service account that needs access to AWS resources.
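The second and third steps come down to two documents: the role's trust policy and the annotated service account. The following is an added example, not Cortex or AWS code; it builds both and checks that a trust policy is scoped to exactly one service account. The account ID, OIDC issuer, namespace `cortex`, service account `cortex-sa` and role name `cortex-irsa-role` are constructed placeholders.

```python
import json

# Constructed sample values; substitute your own account and cluster OIDC issuer.
ACCOUNT_ID = "111122223333"
OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"

def irsa_trust_policy(account_id, oidc, namespace, sa_name):
    """Trust policy letting exactly one Kubernetes service account assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{oidc}:aud": "sts.amazonaws.com",
            f"{oidc}:sub": f"system:serviceaccount:{namespace}:{sa_name}"}}}]}

def service_account_manifest(namespace, sa_name, role_arn):
    """ServiceAccount carrying the annotation that links it to the IAM role."""
    return {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": sa_name, "namespace": namespace,
                         "annotations": {"eks.amazonaws.com/role-arn": role_arn}}}

def trust_policy_findings(policy, oidc):
    """List the ways a role's trust policy is wider than one service account."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        # Only StringEquals counts: StringLike allows wildcards across namespaces.
        exact = stmt.get("Condition", {}).get("StringEquals", {})
        sub = exact.get(f"{oidc}:sub")
        if not (isinstance(sub, str) and sub.startswith("system:serviceaccount:")):
            findings.append("sub is not pinned to one service account with StringEquals")
        if exact.get(f"{oidc}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
    return findings

if __name__ == "__main__":
    policy = irsa_trust_policy(ACCOUNT_ID, OIDC, "cortex", "cortex-sa")
    role_arn = f"arn:aws:iam::{ACCOUNT_ID}:role/cortex-irsa-role"  # hypothetical role
    print(json.dumps(policy, indent=2))
    print(json.dumps(service_account_manifest("cortex", "cortex-sa", role_arn), indent=2))
    print("findings:", trust_policy_findings(policy, OIDC))
```

Run `trust_policy_findings` against the trust policy of an existing role (for example, the JSON returned by `aws iam get-role`) to confirm that only the intended service account can assume it.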