How AWS EKS Pods Get IAM Permissions — IRSA OIDC End-to-End (No Access Keys)

Brought to you by DevXOps — https://devxops.tech

Your Kubernetes pods need to talk to AWS services — S3, DynamoDB, SQS — but hardcoding access keys is a security nightmare. So how does an IAM Role securely reach a pod without a single static credential? The answer is IRSA — IAM Roles for Service Accounts — and the OIDC identity flow that powers it.

In this fully animated deep-dive, we trace the complete identity journey: from a projected Kubernetes OIDC JWT token inside the pod, through the STS AssumeRoleWithWebIdentity exchange, all the way to short-lived AWS credentials — with every command, YAML manifest, JSON policy, and trust relationship shown on screen.

What you will learn:
- A reusable mental model: the "secure building" analogy (wristband, bouncer, badge desk)
- The two sides of IRSA: Kubernetes components vs. AWS IAM/STS components
- How to get your cluster's OIDC issuer URL and create the IAM OIDC Identity Provider
- The IAM Trust Policy deep dive: why aud, sub, and the Federated principal matter
- How to write a least-privilege Permission Policy (S3 bucket-scoped example)
- Kubernetes ServiceAccount annotation and Pod YAML — what actually goes into the cluster
- The webhook injection: what EKS mutates into your pod spec (env vars + projected token volume)
- The token-to-credentials exchange: pod reads JWT, calls STS AssumeRoleWithWebIdentity, gets temporary AccessKeyId, SecretAccessKey, SessionToken
- Security boundaries: how SCPs and Permission Boundaries intersect with IRSA
- The IMDS pitfall: how pods can accidentally use node instance profile credentials instead of IRSA
- Troubleshooting commands: 4 fast checks when IRSA is not working

Every concept is explained with real-world analogies, exact CLI commands, well-formatted JSON trust policies, YAML manifests, and on-screen line highlights synced to voiceover.
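The trust-policy mechanics the video walks through (Federated principal, aud and sub conditions, the projected token) as an added Python example; this is not code from the DevXOps video. It builds the IRSA trust policy for one ServiceAccount, then decodes a constructed projected token (unsigned, for illustration only) and lists the reasons STS AssumeRoleWithWebIdentity would refuse it, which is the same comparison you make by hand when a pod cannot assume its role. The OIDC issuer ID, account ID 111122223333, namespace payments and ServiceAccount name s3-reader are made-up sample values.

```python
"""IRSA trust-policy sanity check (added example, not from the DevXOps video).

Builds the IAM trust policy IRSA needs for one Kubernetes ServiceAccount and
compares it against the claims of a projected service-account JWT, reporting
why STS AssumeRoleWithWebIdentity would reject the exchange. Issuer ID,
account ID, namespace and ServiceAccount name below are made-up sample values.
"""
import base64
import json
import time

AUDIENCE = "sts.amazonaws.com"  # default audience the EKS webhook requests for the projected token


def provider_id(oidc_issuer: str) -> str:
    """Issuer URL without the scheme; IAM uses this form in the provider ARN and condition keys."""
    if oidc_issuer.startswith("https://"):
        oidc_issuer = oidc_issuer[len("https://"):]
    return oidc_issuer.rstrip("/")


def build_trust_policy(account_id: str, oidc_issuer: str, namespace: str, sa_name: str) -> dict:
    """Trust policy pinned to exactly one ServiceAccount through the aud and sub conditions."""
    pid = provider_id(oidc_issuer)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{pid}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{pid}:aud": AUDIENCE,
                f"{pid}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
            }},
        }],
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token with an empty signature; real projected tokens are signed by the cluster."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_jwt_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying the signature (diagnostics only; STS verifies it against the provider JWKS)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def trust_mismatches(policy: dict, claims: dict, now=None) -> list:
    """Reasons the trust policy would not match these claims; an empty list means the exchange is allowed."""
    now = time.time() if now is None else now
    stmt = policy["Statement"][0]
    pid = stmt["Principal"]["Federated"].split(":oidc-provider/", 1)[1]
    conds = stmt["Condition"]["StringEquals"]
    problems = []
    if provider_id(claims.get("iss", "")) != pid:
        problems.append(f"issuer {claims.get('iss')!r} is not the trusted provider {pid}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list in a JWT
    if conds[f"{pid}:aud"] not in aud:
        problems.append(f"aud {aud!r} does not include {conds[f'{pid}:aud']!r}")
    if claims.get("sub") != conds[f"{pid}:sub"]:
        problems.append(f"sub {claims.get('sub')!r} != {conds[f'{pid}:sub']!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


# Sample values (made up): issuer of a fictional cluster, account, namespace, ServiceAccount
ISSUER = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
POLICY = build_trust_policy("111122223333", ISSUER, "payments", "s3-reader")
NOW = 1_700_000_000  # fixed clock so the constructed tokens are reproducible

GOOD_TOKEN = make_unsigned_token({"iss": ISSUER, "aud": [AUDIENCE],
                                  "sub": "system:serviceaccount:payments:s3-reader", "exp": NOW + 86400})
# Same role, but a pod in another namespace: the sub condition is what stops it
WRONG_NS_TOKEN = make_unsigned_token({"iss": ISSUER, "aud": [AUDIENCE],
                                     "sub": "system:serviceaccount:staging:s3-reader", "exp": NOW + 86400})

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for name, tok in (("good", GOOD_TOKEN), ("wrong namespace", WRONG_NS_TOKEN)):
        print(name, "->", trust_mismatches(POLICY, decode_jwt_claims(tok), now=NOW) or "allowed")
```

On a live cluster you would feed decode_jwt_claims the contents of the file named by AWS_WEB_IDENTITY_TOKEN_FILE inside the pod, and the policy from aws iam get-role; the checker then tells you which of aud, sub, issuer or expiry is the one STS is objecting to.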
Timestamps:
0:00 Intro: DevXOps branding
0:08 Hook: Why pods need identity without keys
0:50 Mental Model: The Secure Building analogy
2:00 Components Overview: Kubernetes side vs AWS side
3:20 Setup 1: Get OIDC Issuer URL and Create Provider
4:50 Setup 2: IAM Role and Trust Policy, the critical piece
6:40 Setup 3: Permission Policy, S3 read example
7:50 Setup 4: ServiceAccount and Pod YAML
9:10 The Magic: Webhook Injection, env vars and token volume
10:30 The Token Journey: STS AssumeRoleWithWebIdentity exchange
12:20 Security Boundaries: SCPs and Permission Boundaries
13:10 Pitfall: IMDS Node Role Credential Leakage
14:00 Troubleshooting: 4 Fast Commands
14:50 Recap and Final Takeaway
15:40 Thank You, DevXOps

Tools and technologies: Amazon EKS, IAM, STS, OIDC, Kubernetes, ServiceAccounts, Projected Tokens
Animation created with Manim (open-source Python animation engine) + edge-tts + ffmpeg.

Key concepts covered:
- IAM Roles for Service Accounts (IRSA)
- OIDC (OpenID Connect) Identity Provider
- STS AssumeRoleWithWebIdentity API
- Projected Service Account Token Volume
- EKS Pod Identity Webhook (mutating admission webhook)
- IAM Trust Policy (Federated principal, aud/sub conditions)
- IAM Permission Policy (least-privilege S3 scoping)
- Service Control Policies (SCPs) and Permission Boundaries
- EC2 Instance Metadata Service (IMDS) credential leakage risk
- Short-lived credential rotation via AWS SDK web identity provider chain

Who is this for?
- DevOps and Platform Engineers setting up IRSA for the first time
- SREs debugging why pods cannot assume IAM roles
- Security Engineers auditing EKS IAM trust relationships
- Anyone preparing for AWS certifications (SAA, SAP, SCS)

Subscribe for more animated deep-dives into AWS, Kubernetes, and distributed systems. Like this video if the secure-building analogy made IRSA click for you.
#EKS #IRSA #OIDC #AWS #Kubernetes #IAM #STS #DevOps #SRE #CloudNative #SecurityBestPractices