KubeForge — Hands-on Kubernetes & EKS Learning

Scenario

Your `s3-reader` ServiceAccount uses IRSA via the `eks.amazonaws.com/role-arn` annotation. AWS now recommends EKS Pod Identity — it doesn't require OIDC thumbprint rotation, supports cross-account IAM without trust policy edits, and simplifies IAM role reuse. Migrate: remove the IRSA annotation and add the Pod Identity annotation.

IAM Roles for Service Accounts (IRSA)

IRSA lets pods assume an IAM role by annotating their Kubernetes ServiceAccount. The flow:

EKS creates an OIDC provider for the cluster.
IAM role's trust policy allows sts:AssumeRoleWithWebIdentity from the OIDC provider.
Pod's service account annotation: eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT:role/ROLE.
The Pod Identity Webhook injects AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN env vars.
AWS SDK exchanges the OIDC token for temporary credentials.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: s3-reader
  namespace: default
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/S3ReaderRole

EKS Pod Identity (newer, preferred)

Pod Identity eliminates the OIDC trust policy complexity. Instead of a cluster-specific OIDC URL in the trust policy, you create an association via the EKS API:

aws eks create-pod-identity-association \
  --cluster-name my-cluster \
  --namespace default \
  --service-account s3-reader \
  --role-arn arn:aws:iam::123456789012:role/S3ReaderRole

The ServiceAccount annotation changes to:

annotations:
  eks.amazonaws.com/pod-identity-association: arn:aws:iam::123456789012:role/S3ReaderRole

IRSA vs Pod Identity Comparison

Feature	IRSA	Pod Identity
OIDC provider required	Yes	No
Trust policy complexity	High (cluster-specific OIDC URL)	Low (EKS service principal)
Cross-account	Needs trust policy edit per account	Native support
Multi-cluster reuse	New trust policy per cluster	Same role, new association
Credential refresh	OIDC token rotation	Automatic via EKS agent

Migration Strategy

Create the Pod Identity association via AWS CLI/CDK.
Update the ServiceAccount annotation.
Restart pods to pick up new credentials.
Remove the OIDC provider if no other service accounts still use IRSA.

Migrate from IRSA to EKS Pod Identity

intermediate~25 min

manifest.yamlYAML

Cluster loading…