Interview AWS

How would you give a Kubernetes pod scoped AWS permissions (IRSA / IAM Roles for Service Accounts)?

AWS · Basic level

Answer

For EKS pods, I use IRSA or EKS Pod Identity to map a Kubernetes service account to a scoped IAM role. That gives each workload temporary least-privilege AWS credentials instead of sharing node-role permissions or storing static keys.

Technical explanation

IRSA uses the cluster OIDC provider and STS AssumeRoleWithWebIdentity; EKS Pod Identity offers a newer managed pattern with similar least-privilege goals.

IAM evaluation is layered: identity policies, resource policies, trust policies, boundaries, SCPs, session policies, and explicit denies all contribute to the final decision.

Prefer temporary credentials through STS, roles, IAM Identity Center, instance profiles, IRSA, or OIDC federation instead of long-lived access keys.

Use conditions, resource ARNs, tags, MFA requirements, external IDs, source account/source ARN constraints, and Access Analyzer to reduce blast radius.
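The layered evaluation described above is easier to reason about with a small model in hand. The following is an added illustration, not AWS's evaluation engine and not code from this page: it is a simplified same-account evaluator that ignores Condition elements, cross-account rules and resource-based policies, and treats every SCP in the list as a level that must allow. The policy documents, bucket name and ARNs are constructed for the demonstration.

```python
"""Simplified model of IAM's layered policy evaluation (added illustration)."""
from fnmatch import fnmatchcase


def _matches(pattern, value, case_insensitive=False):
    """IAM-style wildcard match using only '*' and '?'; actions compare case-insensitively."""
    if case_insensitive:
        return fnmatchcase(value.lower(), pattern.lower())
    return fnmatchcase(value, pattern)


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def _statement_applies(stmt, action, resource):
    return any(_matches(a, action, True) for a in _as_list(stmt.get("Action", []))) and \
        any(_matches(r, resource) for r in _as_list(stmt.get("Resource", "*")))


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or None (implicit deny) for a single policy document."""
    decision = None
    for stmt in policy.get("Statement", []):
        if _statement_applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny inside the document is final
            decision = "Allow"
    return decision


def is_allowed(action, resource, identity_policies, scps=(), boundary=None, session_policy=None):
    """Decision order: any explicit deny > ceilings (SCP, boundary, session) > an identity grant."""
    identity = [evaluate_policy(p, action, resource) for p in identity_policies]
    ceilings = [evaluate_policy(p, action, resource) for p in scps]
    for extra in (boundary, session_policy):
        if extra is not None:
            ceilings.append(evaluate_policy(extra, action, resource))
    if "Deny" in identity or "Deny" in ceilings:
        return False            # step 1: an explicit deny in any layer wins
    if any(c != "Allow" for c in ceilings):
        return False            # step 2: every ceiling layer present must allow
    return "Allow" in identity  # step 3: something must actually grant


# Constructed policies for one workload that should only read objects under app/.
BUCKET = "arn:aws:s3:::example-app-bucket"  # constructed placeholder

WORKLOAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": f"{BUCKET}/app/*"}]}

OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET, f"{BUCKET}/*"]}]}

SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}


def demo():
    """Run the cases that show each layer doing its job."""
    other = "arn:aws:s3:::other-bucket/app/config.json"
    return {
        "scoped_read_in_scope": is_allowed("s3:GetObject", f"{BUCKET}/app/config.json",
                                           [WORKLOAD_POLICY], scps=[SCP], boundary=BOUNDARY),
        "scoped_read_other_bucket": is_allowed("s3:GetObject", other,
                                               [WORKLOAD_POLICY], scps=[SCP], boundary=BOUNDARY),
        "overbroad_without_boundary": is_allowed("s3:GetObject", other, [OVERBROAD_POLICY], scps=[SCP]),
        "overbroad_capped_by_boundary": is_allowed("s3:GetObject", other, [OVERBROAD_POLICY],
                                                   scps=[SCP], boundary=BOUNDARY),
        "scp_explicit_deny_wins": is_allowed("s3:DeleteBucket", BUCKET, [OVERBROAD_POLICY],
                                             scps=[SCP], boundary=BOUNDARY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'allowed' if result else 'denied'}")
```

The two "overbroad" cases are the point: an identity policy with `s3:*` on `*` is allowed everywhere until a permissions boundary caps it, and the SCP's explicit deny overrides even a full grant. The same reasoning is what the hands-on step of deliberately testing a denied action is checking for real.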

Hands-on example

1. Create a least-privilege IAM role for a small workload, including trust policy, permission policy, tags, and CloudTrail visibility.

2. Test the role with aws sts get-caller-identity and one allowed action, then deliberately test one denied action.

3. Run IAM Access Analyzer or policy simulation and refine broad actions/resources before production.

4. Record the access pattern in IaC and require review for future policy changes.
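As an added example for steps 1 through 3 (not code from this page), the following script generates the three IRSA artifacts a least-privilege workload role needs and lints the trust policy for the mistakes that widen who can assume the role. The account ID, OIDC provider host, namespace, service account name and bucket are constructed placeholders; `lint_trust_policy` is a hypothetical local check, not an AWS API.

```python
"""Generate and lint IRSA artifacts for one workload (added illustration)."""
import json

ACCOUNT_ID = "111122223333"  # constructed placeholder
OIDC_HOST = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"  # constructed placeholder


def irsa_trust_policy(account_id, oidc_host, namespace, service_account):
    """Trust policy: only the named service account, via the cluster OIDC provider, may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_host}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_host}:aud": "sts.amazonaws.com",
                f"{oidc_host}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def scoped_s3_read_policy(bucket, prefix):
    """Permission policy: read objects under one prefix and list only that prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"},
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}},
        ],
    }


def service_account_manifest(namespace, name, role_arn):
    """Kubernetes ServiceAccount carrying the IRSA role annotation."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {"name": name, "namespace": namespace,
                     "annotations": {"eks.amazonaws.com/role-arn": role_arn}},
    }


def lint_trust_policy(policy, oidc_host):
    """Hypothetical local check: list trust-policy weaknesses that widen who can assume the role."""
    findings = []
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        eq, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        sub = eq.get(f"{oidc_host}:sub") or like.get(f"{oidc_host}:sub")
        if sub is None:
            findings.append("no sub condition: any service account in the cluster can assume the role")
        elif "*" in sub:
            findings.append(f"wildcard sub {sub!r}: more than one service account can assume the role")
        if eq.get(f"{oidc_host}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
    return findings


def build_workload(namespace="payments", sa="report-reader", role="payments-report-reader",
                   bucket="example-app-bucket", prefix="reports"):
    """Assemble the artifacts for one workload; all arguments are constructed defaults."""
    role_arn = f"arn:aws:iam::{ACCOUNT_ID}:role/{role}"
    trust = irsa_trust_policy(ACCOUNT_ID, OIDC_HOST, namespace, sa)
    return {"trust": trust, "permissions": scoped_s3_read_policy(bucket, prefix),
            "service_account": service_account_manifest(namespace, sa, role_arn),
            "findings": lint_trust_policy(trust, OIDC_HOST)}


if __name__ == "__main__":
    out = build_workload()
    for name in ("trust", "permissions", "service_account"):
        with open(f"{name}.json", "w") as fh:
            json.dump(out[name], fh, indent=2)
    print("lint findings:", out["findings"] or "none")
```

The written files map onto step 1: `trust.json` goes to `aws iam create-role --assume-role-policy-document file://trust.json`, `permissions.json` to `aws iam put-role-policy --policy-document file://permissions.json`, and `service_account.json` is applied with `kubectl`. The lint catches the two trust-policy regressions that most often slip through review, a `sub` condition with a wildcard namespace or service account and a missing `aud` pin, before step 3's Access Analyzer run.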
