Guide to Set Up IRSA
for RDS, Secrets Manager, S3 Bucket
# Register the cluster's OIDC issuer as an IAM identity provider. This is the
# prerequisite for IRSA: IAM only trusts the cluster's projected service-account
# tokens once the issuer is associated. --approve applies the change rather
# than just printing the plan.
eksctl utils associate-iam-oidc-provider \
--region <your-region> \
--cluster <your-cluster-name> \
--approve
aws eks describe-cluster --name <your-cluster-name> --query "cluster.identity.oidc.issuer" --output text
Create IAM Policy for S3 Access (without Delete)
# s3-access-without-delete.json
# Note: omitting s3:DeleteObject does not make the grant non-destructive —
# s3:PutObject still allows overwriting existing keys. Enable bucket versioning
# if overwritten objects must be recoverable.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<your-bucket-name>",
"arn:aws:s3:::<your-bucket-name>/*"
]
}
]
}
IAM policy Creation for S3
# Create the customer-managed policy from the document above. The command
# returns the policy ARN, which is the value --attach-policy-arn expects in the
# role-creation step that follows.
aws iam create-policy \
--policy-name TraceMyPodsS3AccessPolicyForIRSA \
--policy-document file://s3-access-without-delete.json
Create IAM Role with Trust Policy for IRSA
# Create the IAM role and the annotated Kubernetes service account in one step.
# eksctl writes the role's trust policy so that only the cluster's OIDC provider
# and this exact namespace/service-account pair (myapp-namespace /
# tracemypods-irsa-sa) can assume it. Any Deployment that uses the service
# account must therefore live in the namespace given by --namespace.
# --override-existing-serviceaccounts rewrites the annotations of a service
# account that already exists under this name; check nothing else relies on it.
eksctl create iamserviceaccount \
--region <your-region> \
--name tracemypods-irsa-sa \
--namespace myapp-namespace \
--cluster <your-cluster-name> \
--attach-policy-arn arn:aws:iam::<account-id>:policy/TraceMyPodsS3AccessPolicyForIRSA \
--approve \
--override-existing-serviceaccounts
Kubernetes Deployment to Use the IRSA Service Account
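apiVersion: apps/v1
kind: Deployment
metadata:
  name: <name-of-deployments>
  # Must be the namespace the IRSA service account was created in (the
  # --namespace value on the eksctl create iamserviceaccount step). The role's
  # trust policy is bound to that namespace/service-account pair, so a
  # Deployment in a different namespace (the original listed ai-assistant)
  # cannot find the service account or assume the role.
  namespace: myapp-namespace
spec:
  # apps/v1 Deployments require spec.selector, and it must match the pod
  # template labels; without it the manifest is rejected on apply.
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      # IRSA credentials are delivered only to pods running as the annotated
      # service account; every container in the pod shares that identity.
      serviceAccountName: tracemypods-irsa-sa
      containers:
        - name: myapp
          image: your-app-image
# For RDS Access (via Secrets Manager or IAM auth)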
# secrets-manager-policy.json
# This covers only the Secrets Manager path; IAM database authentication needs
# a separate rds-db:connect grant, and a secret encrypted with a customer-managed
# KMS key also needs kms:Decrypt. Attach this policy to the same IRSA role
# (for example as a second --attach-policy-arn on the eksctl command above);
# that attachment step is not shown here.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ReadRDSSecret",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": "arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-name>*"
}
]
}