One of the biggest annoyances while using aws cli for me was the fact that the command’s output was not printed to standard stdout but it was opened in less like session, which was very annoying if you needed to copy several entries from the output result.

IRSA (IAM role for service account) is a very useful tool which permits us to provide AWS permissions to the containers in any pod that uses that service account. This enables us to give a very granular permission setting for specific service accounts and remove most of the headache related to authentication and persisting of secrets.

Below a quick snippet of how to create such mechanism.

When working with EKS under AWS, it’s possible that at some point you wanted to run a pod under a certain role, and you’ve encountered a following error:

An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity

What’s frustrating, is that by default AWS doesn’t provide you a lot of feedback of why that error happened.

So I’ve written down some debug steps for further reference: