AWS EKS Pod Identity Agent Daigram

Kubernetes has become the de facto standard for container orchestration in the cloud-native world. Among the various Kubernetes offerings, Amazon Elastic Kubernetes Service (EKS) stands out as a popular choice due to its seamless integration with other AWS services and its managed nature.

Recently, AWS EKS introduced a new feature called Pod Identities for Service Account (IAM integration). This feature provides enhanced security and simplifies the management of access permissions for pods running in EKS clusters. In this article, we will explore the details of this feature and how it improves the overall security of your EKS workloads. So, let’s dive in and learn more about Pod Identities for Service Account in AWS EKS!

Understanding Pod Identities

EKS Pod Identities are a feature of AWS EKS (Elastic Kubernetes Service) that allows applications running in EKS to securely access AWS resources using IAM Roles. They are similar to Amazon EC2 instance profile or Lambda execution roles, but specifically designed for Pods in EKS Cluster.

You can say ‘We already have IRSA (IAM Roles for Service Account)!’, but this feature allows for a much easier and smoother integration. Instead of managing the OIDC integration between your EKS Clusters and AWS Account individually for each pod, you can associate an IAM role with a Kubernetes service account using a Trust Policy. This service account is then used by Pods (containers) to automatically obtain the required credentials for accessing AWS services.

Our brand-new Trusted Policy Service Principal.  –> “Principal”: { “Service”: “”}

Benefit of Pod Identities

  • Increase the efficiency with seamless integration with IAM, now you can use the same IAM for different EKS Cluster. Also, it works better with multi-account strategies.
  • Enhances auditability, as all actions can be traced back to specific IAM roles with CloudTrail. It offers
  • Eliminates the need for third-party tools like kiam or kube2iam.


  • You can use it with Linux AMI-based Amazon EC2 instances. Windows EKS AMIs and Fargate are not supported yet.
  • Also, you can find list of  the compatible versions of Kubernetes and EKS Platform in the AWS Docs.

Step-by-step guide: Enabling and using Pod Identities in AWS EKS

1. Deploy the Amazon EKS Pod Identity Agent in your EKS Cluster

You can use following commands

Do it with AWS EKS CLI:

OR with eksctl tool:

Check your deployed pods in your cluster

2. Create an IAM Role to use with your EKS Pod Identity

Copy the following contents to a file named eks-pod-identity-role-trust-policy.json

Then create the IAM role using AWS CLI using eks-pod-identity-role-trust-policy.json

Attach the required Amazon EKS managed IAM policy to the role. For instance, we’ll add AWS managed S3ReadOnlyAccess policy.

3. Associate your pod identity role with EKS Service Account

You need to associate the IAM role with Kubernetes cluster service account and namespace.

Do it with AWS EKS CLI

OR with eksctl tool

4. Check the list of the identity associations

Do it with AWS EKS CLI

OR with eksctl tool

5. Have a quick test about your pod identity

Apply the following k8s manifest file

Apply it with kubectl

Access the bash inside your container

List your environment variables for temporary access tokens. Then print out your SERVICE_TOKEN

You can also check AWS access from bash, so you can be sure it is accessing to Amazon S3.


In conclusion, implementing pod identities in EKS provides significant advantages in terms of security and operational overhead. By enforcing strict access controls, enabling Attribute-based access control with IAM policies, and simplifying administrative tasks, pod identities offer an effective solution for complex systems in EKS environments.

Share This Article ->

Published On: December 15, 2023By

Related Articles...