Skip to main content
If your env zero agent runs on an AWS EKS cluster, you can leverage any of these methods to assign an AWS IAM role to your deployments.
Credential Resolution OrderThe env zero deployment agent resolves credentials in the following priority order:
  1. Pod Identity
  2. IRSA (IAM Roles for Service Accounts)
  3. Node Role
This order ensures that more granular and secure identity methods (like Pod Identity and IRSA) are preferred over the instance-level Node Role.

Using EKS Pod Identity

EKS Pod Identity simplifies the management of IAM permissions for applications on EKS clusters by allowing administrators to associate IAM roles directly with Kubernetes service accounts, eliminating the need for OIDC identity providers and enabling role reuse across multiple clusters.
Version SupportTo use EKS Pod Identity with Terraform, you must be using:
  • Terraform AWS Provider version ≥ 5.27.0
  • if fetching credentials for the S3 backend - OpenTofu version ≥ 1.10.0
Earlier versions do not support EKS Pod Identity and will fall back to other credentials (IRSA, Node Roles, etc).
For more details about EKS Pod identity and how to configure it, refer to the EKS User Guide.

Using IAM Roles for Service Accounts (IRSA)

IAM Roles for Service Accounts (IRSA) in Amazon EKS allow Kubernetes pods to securely assume IAM roles, enabling fine-grained access to AWS services without managing AWS credentials within the pods. For more details about IRSA and how to configure it, refer to the EKS User Guide.
Using a Custom Kubernetes Service AccountBy default, env zero uses the default service account within the namespace where the agent is installed.To specify a different service account, set the deploymentJobServiceAccountName Helm value.For detailed steps on configuring a new service account, refer to this AWS Guide.
IRSA & EKS Pod Identity Session ExpiryPlease note that when using IRSA or EKS Pod Identity, the assumed session is only valid for 1 hour.This limitation exists because these methods internally assume the role associated with the Kubernetes service account, and role chaining is restricted to 1-hour sessions.

Using the Node Role

The Node Role is the IAM Role assigned to the EC2 instances that serve as nodes in your EKS cluster. You can use this role directly by assigning the appropriate permissions required for your env zero deployments. For more details, refer to the EKS User Guide.
Restricting Access to the Node IAM RoleIf you are using AWS EKS and do not want to use the Node IAM Role, you must explicitly restrict access to it.More details can be found here