Setting Up IAM Inside a Pod

(
props to :
IAM (International Association of Movers): What You Need to Know

for letting me use their logo..

well..

maybe they did..

I mean..

I wrote them an email..

well..

I have a plan to write them an email..

tomorrow..

….

maybe….
)

1. What is IAM and Why Is It Important?

Identity and Access Management (IAM) is a framework for managing permissions and authenticating identities in a system.

1.1 Why Use IAM Inside a Pod?

🔐 Control access to cloud services (AWS S3, GCP Storage, Azure Key Vault)
🚀 Enforce least privilege (only allow necessary permissions)
🏗 Secure API calls from applications running inside Kubernetes
📜 Ensure compliance (GDPR, HIPAA, PCI DSS)

1.2 How IAM Works in Kubernetes

IAM inside a pod relies on cloud IAM policies and Kubernetes role-based access control (RBAC):

Feature	Description
Cloud IAM	Controls access to cloud services (AWS, GCP, Azure)
Kubernetes RBAC	Controls access to Kubernetes resources
Service Accounts	Allows pods to assume IAM roles
OIDC & Workload Identity	Secure authentication inside clusters

Now, let’s configure IAM inside Kubernetes pods.

2. Setting Up IAM in AWS (EKS) Inside a Pod

Step 1: Enable IAM Roles for Kubernetes Service Accounts

Ensure your AWS EKS cluster supports IAM roles for service accounts.

1
eksctl utils associate-iam-oidc-provider     --region us-east-1     --cluster my-cluster     --approve

Step 2: Create an IAM Role for the Pod

Create an IAM policy:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
        }
    ]
}

Attach this policy to an IAM role:

1
2
aws iam create-role --role-name my-pod-role     --assume-role-policy-document file://trust-policy.json
aws iam attach-role-policy --role-name my-pod-role     --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Step 3: Associate IAM Role with a Kubernetes Service Account

1
2
3
4
5
6
apiVersion: v1
kind: ServiceAccount
metadata:
  name: s3-reader
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/my-pod-role"

Apply:

1
kubectl apply -f service-account.yaml

Step 4: Use IAM Role Inside a Pod

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
apiVersion: v1
kind: Pod
metadata:
  name: s3-pod
spec:
  serviceAccountName: s3-reader
  containers:
  - name: app
    image: amazonlinux
    command: ["sleep", "3600"]

Verify IAM permissions:

1
kubectl exec -it s3-pod -- aws s3 ls s3://my-bucket/

Now, the pod can access AWS S3 securely without storing credentials. 🚀

3. Setting Up IAM in GCP (GKE) Inside a Pod

Step 1: Enable Workload Identity

1
gcloud container clusters update my-cluster     --workload-pool=my-project.svc.id.goog

Step 2: Create a GCP IAM Service Account

1
gcloud iam service-accounts create gke-service-account     --display-name "GKE Workload Identity SA"

Grant permissions:

1
gcloud projects add-iam-policy-binding my-project     --member "serviceAccount:gke-service-account@my-project.iam.gserviceaccount.com"     --role "roles/storage.objectViewer"

Step 3: Associate IAM Role with a Kubernetes Service Account

1
2
3
4
5
6
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gke-service-account
  annotations:
    iam.gke.io/gcp-service-account: "gke-service-account@my-project.iam.gserviceaccount.com"

Apply:

1
kubectl apply -f service-account.yaml

Step 4: Use IAM Role Inside a Pod

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
apiVersion: v1
kind: Pod
metadata:
  name: gcs-pod
spec:
  serviceAccountName: gke-service-account
  containers:
  - name: app
    image: google/cloud-sdk
    command: ["sleep", "3600"]

Verify IAM permissions:

1
kubectl exec -it gcs-pod -- gsutil ls gs://my-bucket/

Now, the pod can securely access GCP Storage without using service account keys. 🚀

4. Setting Up IAM in Azure (AKS) Inside a Pod

Step 1: Enable Managed Identity for AKS

1
az aks update -g my-resource-group -n my-cluster --enable-managed-identity

Step 2: Assign an IAM Role to the AKS Pod Identity

1
az identity create --name aks-pod-identity --resource-group my-resource-group

Grant permissions:

1
az role assignment create --assignee aks-pod-identity-id     --role "Reader" --scope "/subscriptions/my-subscription-id/resourceGroups/my-resource-group"

Step 3: Associate IAM Role with a Kubernetes Service Account

1
2
3
4
5
6
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aks-service-account
  annotations:
    azure.workload.identity/client-id: "aks-pod-identity-client-id"

Apply:

1
kubectl apply -f service-account.yaml

Step 4: Use IAM Role Inside a Pod

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
apiVersion: v1
kind: Pod
metadata:
  name: azure-pod
spec:
  serviceAccountName: aks-service-account
  containers:
  - name: app
    image: mcr.microsoft.com/azure-cli
    command: ["sleep", "3600"]

Verify IAM permissions:

1
kubectl exec -it azure-pod -- az storage blob list --container-name mycontainer --account-name mystorageaccount

Now, the pod can access Azure services securely. 🚀

5. Best Practices for IAM Inside Kubernetes Pods

✅ Use IAM Roles instead of static credentials
✅ Follow the Principle of Least Privilege (PoLP)
✅ Use Kubernetes RBAC in combination with IAM
✅ Rotate IAM credentials periodically
✅ Monitor and audit IAM access logs

Key Ideas

✅ IAM ensures secure access to cloud services without storing credentials
✅ AWS (EKS), GCP (GKE), and Azure (AKS) all support pod IAM roles
✅ Use Kubernetes Service Accounts to assume IAM roles securely
✅ Follow best practices for securing IAM in Kubernetes