Post

IRSA to EKS Pod Identity: Migrating a Multi-Controller Stack

A deep dive into migrating from IAM Roles for Service Accounts (IRSA) to EKS Pod Identity, featuring common cluster controllers like Load Balancers and Storage CSI drivers.

Posted Updated
By Shahzeb Mahmood
2 min read
IRSA to EKS Pod Identity: Migrating a Multi-Controller Stack

As EKS Pod Identity gains traction, many are weighing the trade-offs against the established IAM Roles for Service Accounts (IRSA) pattern. In a recent modernization of a production Kubernetes environment, I migrated a multi-controller stack—including identity managers, the AWS Load Balancer Controller, and the EFS CSI driver—to this new model.

Here is an analysis of why the “Pod Identity” approach is fundamentally changing how identity is handled in Kubernetes.

The Problem with IRSA

IRSA has been the standard for years, but it comes with operational overhead:

  1. OIDC Provider per Cluster: You need to manage OIDC identity providers in IAM for every cluster.
  2. Service Account Annotations: Every service account needs a specific ARN annotation.
  3. Trust Policy Verbosity: IAM role trust policies become massive as more clusters and namespaces are added.

The EKS Pod Identity Advantage

EKS Pod Identity simplifies this by removing the OIDC requirement. Instead, the EKS runtime handles the credential exchange natively.

Concrete Example: AWS Load Balancer Controller

Previously, with IRSA, the trust policy looked like this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller"
        }
      }
    }
  ]
}

With Pod Identity, the trust policy is significantly cleaner:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
            "Effect": "Allow",
            "Principal": {
                "Service": "pods.eks.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession"
            ]
        }
    ]
}

Migrating the Stack: Storage & Identity Controllers

The migration focuses on the EKS Pod Identity Agent addon.

  1. Install the Addon: Ensure the eks-auth-agent is running on the nodes.
  2. Map the Role: Use the aws_eks_pod_identity_association resource to link the ServiceAccount to the IAM Role.
  3. Remove Annotations: There is no longer a need for eks.amazonaws.com/role-arn on ServiceAccounts.

Real Trade-offs

FeatureIRSAPod Identity
SetupOIDC Provider + AnnotationsEKS Addon + Association
ComplexityHigh (Trust Policies)Low (Centralized)
Cross-AccountSupportedNot yet natively seamless
PerformanceNative STSLocal Agent Proxy

Conclusion

Adopting Pod Identity reduces IAM boilerplate significantly. For those running EKS 1.24+ and looking to scale controller management, this is a highly recommended transition.

AWS, EKS
aws eks iam pod-identity irsa kubernetes devops
This post is licensed under CC BY 4.0 by the author.