AWS IRSA (EKS)

Configure IAM Roles for Service Accounts (IRSA) for Spice.ai on Amazon EKS.

IAM Roles for Service Accounts (IRSA) allows Spice.ai pods on Amazon EKS to assume an IAM role for accessing AWS services (S3, Secrets Manager, DynamoDB, etc.) without managing static credentials.

How It Works

The AWS SDK credential provider chain automatically uses STS Web Identity Token Credentials when a pod runs under an IRSA-annotated ServiceAccount. The SDK calls sts:AssumeRoleWithWebIdentity to retrieve temporary credentials.

Credential chain order:

Environment variables
Shared credentials/config files
STS Web Identity (IRSA)
ECS container credentials
EC2 instance metadata (IMDSv2)

Prerequisites

An EKS cluster with an OIDC provider
An IAM role with the correct trust policy
The Spice Kubernetes Operator installed via Helm

Step 1: Create IAM Role with IRSA Trust Policy

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/oidc.eks.REGION.amazonaws.com/id/CLUSTER_ID"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "oidc.eks.REGION.amazonaws.com/id/CLUSTER_ID:sub": "system:serviceaccount:NAMESPACE:SERVICE_ACCOUNT_NAME"
      }
    }
  }]
}

Replace ACCOUNT_ID, REGION, CLUSTER_ID, NAMESPACE, and SERVICE_ACCOUNT_NAME with your values.

Step 2: Attach IAM Policies

Attach policies for the AWS services your Spicepod connects to:

Use Case

Required IAM Actions

S3 data sources

s3:GetObject, s3:ListBucket

Secrets Manager

secretsmanager:GetSecretValue

DynamoDB

dynamodb:GetItem, dynamodb:Query, dynamodb:Scan

Step 3: Configure the SpicepodSet

Operator-Managed ServiceAccount

apiVersion: spice.ai/v1
kind: SpicepodSet
metadata:
  name: my-spicepod
spec:
  replicas: 1
  service_account:
    enabled: true
    create: true
    annotations:
      eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/spice-ai-role"
  spicepod: |
    name: my-spicepod
    kind: Spicepod
    version: v1

Using an Existing ServiceAccount

spec:
  service_account:
    enabled: true
    create: false
    name: my-irsa-service-account

Helm Chart (Enterprise)

serviceAccount:
  create: true
  name: spiceai
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/my-spice-role

Operator ServiceAccount via Helm

To grant the operator itself AWS access (for example, to pull images from ECR):

# Helm values for the operator chart
serviceAccount:
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/spice-operator-role"

EKS Pod Identity (Alternative)

EKS Pod Identity is a simpler alternative to IRSA that uses the EKS Pod Identity Agent add-on. The IAM role association is managed via the EKS API — no ServiceAccount annotation is needed.

Last updated 22 days ago

Was this helpful?

hashtagHow It Works

hashtagPrerequisites

hashtagStep 1: Create IAM Role with IRSA Trust Policy

hashtagStep 2: Attach IAM Policies

hashtagStep 3: Configure the SpicepodSet

hashtagOperator-Managed ServiceAccount

hashtagUsing an Existing ServiceAccount

hashtagHelm Chart (Enterprise)

hashtagOperator ServiceAccount via Helm

hashtagEKS Pod Identity (Alternative)