A company uses an Amazon EKS cluster and must ensure Kubernetes service accounts have secure, granular access to specific AWS resources using IAM roles for service accounts (IRSA). Which combination of solutions will meet these requirements? (Choose two.)
Choose an answer
Tap an option to check your answer.
Correct answer: Define an IAM role that includes the necessary permissions. Annotate the Kubernetes service accounts with the Amazon Resource Name (ARN) of the IAM role., Set up a trust relationship between the IAM roles for the service accounts and an OpenID Connect (OIDC) identity provider..
Why this is the answer
The correct answers describe the core components of IAM Roles for Service Accounts (IRSA). Annotating Kubernetes service accounts with an IAM role's ARN allows pods using that service account to assume the specified IAM role, granting granular AWS permissions. This relies on a trust relationship established between the IAM roles and an OpenID Connect (OIDC) identity provider, which is configured for the EKS cluster. The OIDC provider allows AWS to verify the identity of the Kubernetes service account and grant temporary credentials. Incorrect options: Attaching policies directly to EKS node IAM roles grants permissions to all pods on the node, not specific service accounts, violating granularity. Implementing network policies restricts network access, not AWS resource permissions. Modifying the EKS cluster's IAM role or creating one-to-one mappings between IAM and Kubernetes roles are not how IRSA works; IRSA maps IAM roles to Kubernetes service accounts.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed