Service Accounts and Workload Identity
Configure Kubernetes service accounts with cloud workload identity for AWS IRSA, GCP Workload Identity, and Azure AD pod federation.
Quick Answer: Annotate a Kubernetes ServiceAccount with your cloud provider's IAM identity (AWS: eks.amazonaws.com/role-arn, GCP: iam.gke.io/gcp-service-account, Azure: azure.workload.identity/client-id). Pods that use that ServiceAccount receive a short-lived, audience-scoped token through a projected volume, and the cloud SDK exchanges it for temporary cloud credentials; no static keys are needed.
The Problem
Applications running on Kubernetes need cloud API access (S3, Cloud Storage, Key Vault). The traditional approach is to create long-lived IAM access keys and store them in Kubernetes Secrets. Problems: the keys don't rotate automatically, any pod, node or backup that can read the Secret can use them, and because every pod presents the same key there is no per-pod audit trail in the cloud provider's logs.
The Solution
AWS IRSA (IAM Roles for Service Accounts)
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: s3-reader
  namespace: production
  annotations:
    # The role's trust policy must name this cluster's OIDC provider and the
    # subject system:serviceaccount:production:s3-reader (see Common Issues)
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/s3-reader-role
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: data-processor
  namespace: production
spec:
  selector:
    matchLabels:
      app: data-processor
  template:
    metadata:
      labels:
        app: data-processor
    spec:
      serviceAccountName: s3-reader
      containers:
        - name: processor
          image: registry.example.com/processor:1.0
          # The EKS pod identity webhook injects AWS_ROLE_ARN,
          # AWS_WEB_IDENTITY_TOKEN_FILE and a projected token volume
          # (audience sts.amazonaws.com) at admission; the AWS SDK's default
          # credential chain exchanges that token for temporary credentials.
```
GCP Workload Identity
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gcs-writer
  namespace: production
  annotations:
    # The Google service account must grant roles/iam.workloadIdentityUser to
    # serviceAccount:my-project.svc.id.goog[production/gcs-writer], and the
    # cluster and node pool must have Workload Identity enabled.
    iam.gke.io/gcp-service-account: gcs-writer@my-project.iam.gserviceaccount.com
```
Azure Workload Identity
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: blob-reader
  namespace: production
  annotations:
    # Client ID of the managed identity or app registration that holds a
    # federated identity credential for the AKS cluster's OIDC issuer URL and
    # the subject system:serviceaccount:production:blob-reader
    azure.workload.identity/client-id: "12345678-1234-1234-1234-123456789abc"
  labels:
    # azure-workload-identity v1.0 and later key the mutating webhook off this
    # label on the pod template, not on the ServiceAccount; set it there too.
    azure.workload.identity/use: "true"
```
The token exchange is the same on all three providers: the pod presents its projected token, the cloud's token service verifies it against the cluster's OIDC issuer and returns temporary credentials scoped to the bound identity.
```mermaid
graph LR
    POD[Pod<br/>serviceAccountName: s3-reader] -->|Projected SA token<br/>aud: sts.amazonaws.com| IAM[Cloud IAM / STS<br/>AssumeRoleWithWebIdentity]
    IAM -->|Fetch JWKS, verify signature, iss, aud, sub| OIDC[Cluster OIDC issuer<br/>EKS/GKE/AKS]
    IAM -->|Temporary credentials| POD
    POD -->|Authenticated request| S3[Cloud API<br/>S3/GCS/Blob]
```
Common Issues
Pod gets "AccessDenied" despite correct annotation
The annotation only tells the SDK which role to request; the role's trust policy decides whether the token is accepted. Check that it names this cluster's OIDC provider as the federated principal and pins both the subject (namespace and ServiceAccount name must match exactly) and the audience, so that a token projected for a different audience cannot be exchanged:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.region.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.region.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com",
          "oidc.eks.region.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:production:s3-reader"
        }
      }
    }
  ]
}
```
If the trust policy passes but the call still fails, the role's permission policy is missing the action the pod is making; CloudTrail records which role assumed and which action was denied.
SDK not picking up credentials
Ensure you're using a recent SDK version that includes the web-identity credential provider used for IRSA/Workload Identity token exchange. On EKS, also confirm the pod actually has AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE set: the pod identity webhook injects them at admission, so pods created before the ServiceAccount was annotated keep running without them until they are restarted.
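The "AccessDenied despite correct annotation" check above can be done offline before touching the role. The following script is an added example, not code from the original page or from AWS tooling: it decodes the claims of a projected token (as `cut -d. -f2 $AWS_WEB_IDENTITY_TOKEN_FILE | base64 -d` would) and re-implements the `Condition` matching that STS applies during `AssumeRoleWithWebIdentity`, reporting which of issuer, `sub` or `aud` does not line up. The trust policy, the token claims and the unsigned token are constructed sample data reusing the page's example issuer ID; signature verification is deliberately not attempted, and only the `StringEquals` and `StringLike` operators are implemented.

```python
"""Offline check: would this IRSA trust policy accept this pod's token?

Added example, not from the original page. Constructed sample data only;
the token is unsigned and no signature is ever verified here.
"""
import base64
import fnmatch
import json

ISSUER = "oidc.eks.region.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"

# Constructed: the Common Issues trust policy, with an aud pin added.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{ISSUER}:aud": "sts.amazonaws.com",
            f"{ISSUER}:sub": "system:serviceaccount:production:s3-reader",
        }},
    }],
}

# Constructed: claims carried by a projected token for the s3-reader pod.
GOOD_CLAIMS = {
    "iss": f"https://{ISSUER}",
    "aud": ["sts.amazonaws.com"],
    "sub": "system:serviceaccount:production:s3-reader",
    "kubernetes.io": {"namespace": "production",
                      "serviceaccount": {"name": "s3-reader"}},
}


def make_unsigned_token(claims: dict) -> str:
    """JWT-shaped test input with an empty signature segment.
    Real projected tokens are signed by the cluster's OIDC issuer key."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": "example"}
    return f"{b64(header)}.{b64(claims)}."


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload segment without verifying it (STS verifies)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def _condition_matches(op: str, expected, actual) -> bool:
    """IAM string operators; either side may be one value or a list."""
    expected = expected if isinstance(expected, list) else [expected]
    actual = actual if isinstance(actual, list) else [actual]
    if op == "StringEquals":
        return any(a == e for a in actual for e in expected)
    if op == "StringLike":                 # IAM wildcards are * and ?
        return any(fnmatch.fnmatchcase(a, e) for a in actual for e in expected)
    raise ValueError(f"unsupported condition operator: {op}")


def trust_policy_mismatches(policy: dict, claims: dict) -> list:
    """Reasons the token would be rejected; [] means some Allow statement
    for sts:AssumeRoleWithWebIdentity accepts it."""
    issuer = claims["iss"].split("://", 1)[-1]   # condition keys omit the scheme
    reasons = []
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(f":oidc-provider/{issuer}"):
            reasons.append(f"principal {federated!r} is not the token issuer {issuer!r}")
            continue
        stmt_reasons = []
        for op, keys in stmt.get("Condition", {}).items():
            for key, expected in keys.items():
                key_issuer, _, claim = key.rpartition(":")
                if key_issuer != issuer:
                    stmt_reasons.append(f"condition key {key!r} names a different issuer")
                    continue
                actual = claims.get(claim)
                if actual is None or not _condition_matches(op, expected, actual):
                    stmt_reasons.append(
                        f"{op} on {claim}: policy wants {expected!r}, token has {actual!r}")
        if not stmt_reasons:
            return []                      # this statement accepts the token
        reasons.extend(stmt_reasons)
    return reasons or ["no Allow statement for sts:AssumeRoleWithWebIdentity"]


if __name__ == "__main__":
    cases = [
        ("correct pod", GOOD_CLAIMS),
        ("wrong namespace", dict(GOOD_CLAIMS, sub="system:serviceaccount:staging:s3-reader")),
        ("API-server audience", dict(GOOD_CLAIMS, aud=["https://kubernetes.default.svc"])),
    ]
    for label, claims in cases:
        problems = trust_policy_mismatches(TRUST_POLICY, decode_jwt_claims(make_unsigned_token(claims)))
        print(f"{label}: {'OK' if not problems else problems}")
```

To use it against a live pod, replace `GOOD_CLAIMS` with `decode_jwt_claims(open(os.environ["AWS_WEB_IDENTITY_TOKEN_FILE"]).read())` from inside the container and paste the role's real trust policy into `TRUST_POLICY`; a non-empty result names the exact claim that STS would reject.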
Best Practices
- One ServiceAccount per application: this is the principle of least privilege, and it lets the trust policy's sub condition pin a single workload
- Never bind a cloud role to the default ServiceAccount: every pod in the namespace that does not name a ServiceAccount runs as it, so anything granted to it is granted to all of them
- Set automountServiceAccountToken: false on pods that don't need the Kubernetes API; this removes the API token mount, while the audience-scoped token that workload identity uses is injected separately by the provider's webhook
- Audit IAM role bindings regularly: which ServiceAccount (namespace/name) can assume which cloud role, and whether each trust policy still pins sub and aud
Key Takeaways
- Workload identity replaces static cloud credentials in Kubernetes with short-lived tokens exchanged per pod
- Annotate the ServiceAccount with the IAM role (or GCP service account / Azure client ID) and pods get temporary credentials automatically
- Cloud SDKs discover the projected token through their default credential chain, so application code does not change
- Works with AWS IRSA, GCP Workload Identity and Azure AD Workload Identity
- One ServiceAccount per application for least-privilege access
