🛠️ 開発・MCP コミュニティ
eks-irsa
EKS環境で、PodごとにAWSリソースへのアクセス権限をIAMロールで細かく設定し、最小権限の原則に基づいたセキュアな環境構築や、OIDC連携のトラブルシューティング、AWSコントローラーの導入などを支援するSkill。
📜 元の英語説明(参考)
IAM Roles for Service Accounts (IRSA) for EKS pod-level AWS permissions. Use when configuring pod IAM access, setting up AWS service integrations, implementing least-privilege security, troubleshooting OIDC trust relationships, or deploying AWS controllers.
🇯🇵 日本人クリエイター向け解説
一言でいうと
EKS環境で、PodごとにAWSリソースへのアクセス権限をIAMロールで細かく設定し、最小権限の原則に基づいたセキュアな環境構築や、OIDC連携のトラブルシューティング、AWSコントローラーの導入などを支援するSkill。
※ jpskill.com 編集部が日本のビジネス現場向けに補足した解説です。Skill本体の挙動とは独立した参考情報です。
⚡ おすすめ: コマンド1行でインストール(60秒)
下記のコマンドをコピーしてターミナル(Mac/Linux)または PowerShell(Windows)に貼り付けてください。 ダウンロード → 解凍 → 配置まで全自動。
🍎 Mac / 🐧 Linux
mkdir -p ~/.claude/skills && cd ~/.claude/skills && curl -L -o eks-irsa.zip https://jpskill.com/download/9414.zip && unzip -o eks-irsa.zip && rm eks-irsa.zip
🪟 Windows (PowerShell)
$d = "$env:USERPROFILE\.claude\skills"; ni -Force -ItemType Directory $d | Out-Null; iwr https://jpskill.com/download/9414.zip -OutFile "$d\eks-irsa.zip"; Expand-Archive "$d\eks-irsa.zip" -DestinationPath $d -Force; ri "$d\eks-irsa.zip"完了後、Claude Code を再起動 → 普通に「動画プロンプト作って」のように話しかけるだけで自動発動します。
💾 手動でダウンロードしたい(コマンドが難しい人向け)
- 1. 下の青いボタンを押して
eks-irsa.zipをダウンロード - 2. ZIPファイルをダブルクリックで解凍 →
eks-irsaフォルダができる - 3. そのフォルダを
C:\Users\あなたの名前\.claude\skills\(Win)または~/.claude/skills/(Mac)へ移動 - 4. Claude Code を再起動
⚠️ ダウンロード・利用は自己責任でお願いします。当サイトは内容・動作・安全性について責任を負いません。
🎯 このSkillでできること
下記の説明文を読むと、このSkillがあなたに何をしてくれるかが分かります。Claudeにこの分野の依頼をすると、自動で発動します。
📦 インストール方法 (3ステップ)
- 1. 上の「ダウンロード」ボタンを押して .skill ファイルを取得
- 2. ファイル名の拡張子を .skill から .zip に変えて展開(macは自動展開可)
- 3. 展開してできたフォルダを、ホームフォルダの
.claude/skills/に置く- · macOS / Linux:
~/.claude/skills/ - · Windows:
%USERPROFILE%\.claude\skills\
- · macOS / Linux:
Claude Code を再起動すれば完了。「このSkillを使って…」と話しかけなくても、関連する依頼で自動的に呼び出されます。
詳しい使い方ガイドを見る →- 最終更新
- 2026-05-18
- 取得日時
- 2026-05-18
- 同梱ファイル
- 1
📖 Skill本文(日本語訳)
※ 原文(英語/中国語)を Gemini で日本語化したものです。Claude 自身は原文を読みます。誤訳がある場合は原文をご確認ください。
EKS IAM Roles for Service Accounts (IRSA)
概要
Amazon EKS での IAM Roles for Service Accounts (IRSA) 実装のための包括的なガイドです。IRSA は、OpenID Connect (OIDC) フェデレーションを使用して、Pod レベルできめ細かい IAM 権限を有効にし、ノードレベルの IAM 認証情報の必要性を排除し、最小権限のセキュリティを可能にします。
キーワード: IRSA, IAM Roles for Service Accounts, EKS security, OIDC provider, pod IAM permissions, service account annotations, least privilege, AWS integration, trust policy, cross-account access
ステータス: 本番環境対応 (2025 年のベストプラクティス)
この Skill を使用するタイミング
- EKS での Pod レベルの AWS 権限の設定
- AWS サービス統合 (S3, DynamoDB, Secrets Manager, SQS, SNS) の構成
- EKS アドオン (AWS Load Balancer Controller, EBS CSI Driver, External DNS) のインストール
- 最小権限のセキュリティアーキテクチャの実装
- OIDC 信頼関係の問題のトラブルシューティング
- EKS からのクロスアカウント IAM ロール引き受け
- ノード IAM ロールから Pod レベルの権限への移行
- IRSA を使用した Blue/green クラスタのアップグレード
IRSA とは?
IAM Roles for Service Accounts (IRSA) を使用すると、Kubernetes ワークロードはノードレベルの認証情報に依存せずに、IAM ロールを安全に引き受けることができます。
IRSA の仕組み
1. Pod がアノテーション付きの ServiceAccount で起動
2. EKS mutating webhook が AWS_WEB_IDENTITY_TOKEN_FILE を挿入
3. AWS SDK が挿入されたファイルから JWT トークンを読み取る
4. SDK が STS::AssumeRoleWithWebIdentity を呼び出す
5. OIDC プロバイダーが信頼ポリシーに対してトークンを検証
6. 一時的な認証情報が発行される (自動的にローテーションされる)
7. Pod がスコープされた IAM 権限を使用する主な利点
セキュリティ:
- Pod レベルの権限 (ノードレベルではない)
- 権限昇格を防止
- 認証情報の自動ローテーション
- 長期的な認証情報がない
コンプライアンス:
- 最小権限の原則
- CloudTrail による監査証跡
- コンプライアンス要件を満たす
- きめ細かいアクセス制御
運用:
- 各アプリが独自の IAM ロールを取得
- ノードの変更なしに権限を変更
- より優れたリソース分離
- マルチテナントをサポート
クイックスタート
前提条件
- OIDC Provider Enabled (terraform-aws-modules/eks で自動)
- IAM Role Created (OIDC の信頼ポリシー付き)
- ServiceAccount Annotated (ロール ARN 付き)
- Pod Configured (ServiceAccount を使用するように)
30 秒セットアップ (Terraform)
# 1. EKS モジュールで IRSA を有効にする (OIDC セットアップを自動化)
module "eks" {
source = "terraform-aws-modules/eks/aws"
version = "~> 20.0"
cluster_name = "production"
enable_irsa = true # OIDC プロバイダーを自動的に作成
}
# 2. S3 アクセス用の IAM ロールを作成
module "s3_access_irsa" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
version = "~> 5.0"
role_name = "my-app-s3-access"
role_policy_arns = {
s3_read = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}
oidc_providers = {
main = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["production:my-app-sa"]
}
}
}
# 3. Kubernetes ServiceAccount を作成
resource "kubernetes_service_account" "my_app" {
metadata {
name = "my-app-sa"
namespace = "production"
annotations = {
"eks.amazonaws.com/role-arn" = module.s3_access_irsa.iam_role_arn
}
}
}
# 4. Pod で ServiceAccount を使用
resource "kubernetes_deployment" "my_app" {
spec {
template {
spec {
service_account_name = "my-app-sa" # ✅ IRSA が有効になりました!
containers {
name = "app"
image = "my-app:latest"
# AWS SDK は IRSA 認証情報を自動的に使用します
}
}
}
}
}IRSA セットアップの確認
# OIDC プロバイダーが存在するか確認
aws iam list-open-id-connect-providers
# IAM ロールの信頼ポリシーを確認
aws iam get-role --role-name my-app-s3-access
# Pod からテスト
kubectl exec -it my-pod -- env | grep AWS
# 以下が表示されるはずです:
# AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
# AWS_ROLE_ARN=arn:aws:iam::123456789012:role/my-app-s3-access
# AWS アクセスをテスト
kubectl exec -it my-pod -- aws s3 ls一般的な IRSA パターン
1. AWS Load Balancer Controller
必要なもの: ALB および NLB の作成/管理
module "lb_controller_irsa" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
role_name = "aws-load-balancer-controller"
attach_load_balancer_controller_policy = true # 事前構築済みのポリシー!
oidc_providers = {
main = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:aws-load-balancer-controller"]
}
}
}2. EBS CSI Driver
必要なもの: EBS ボリュームの作成/アタッチ/削除
module "ebs_csi_irsa" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
role_name = "ebs-csi-controller"
attach_ebs_csi_policy = true # 事前構築済みのポリシー!
oidc_providers = {
main = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
}
}
}3. External DNS
必要なもの: Route53 レコードの管理
module "external_dns_irsa" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
role_name = "external-dns"
attach_external_dns_policy = true # 事前構築済みのポリシー!
external_dns_hosted_zone_arns = ["arn:aws:route53:::hostedzone/Z123456789"]
oidc_providers = {
main = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:external-dns"]
}
}
}4. Cluster Autoscaler
必要なもの: Auto Scaling グループの変更
module "cluster_autoscaler_irsa" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
role_name = "cluster-autoscaler"
attach_cluster_autoscaler_p
(原文がここで切り詰められています)📜 原文 SKILL.md(Claudeが読む英語/中国語)を展開
EKS IAM Roles for Service Accounts (IRSA)
Overview
Comprehensive guide for implementing IAM Roles for Service Accounts (IRSA) in Amazon EKS. IRSA enables fine-grained IAM permissions at the pod level using OpenID Connect (OIDC) federation, eliminating the need for node-level IAM credentials and enabling least-privilege security.
Keywords: IRSA, IAM Roles for Service Accounts, EKS security, OIDC provider, pod IAM permissions, service account annotations, least privilege, AWS integration, trust policy, cross-account access
Status: Production-ready (2025 best practices)
When to Use This Skill
- Setting up pod-level AWS permissions in EKS
- Configuring AWS service integrations (S3, DynamoDB, Secrets Manager, SQS, SNS)
- Installing EKS add-ons (AWS Load Balancer Controller, EBS CSI Driver, External DNS)
- Implementing least-privilege security architecture
- Troubleshooting OIDC trust relationship issues
- Cross-account IAM role assumption from EKS
- Migrating from node IAM roles to pod-level permissions
- Blue/green cluster upgrades with IRSA
What is IRSA?
IAM Roles for Service Accounts (IRSA) allows Kubernetes workloads to assume IAM roles securely without relying on node-level credentials.
How IRSA Works
1. Pod starts with annotated ServiceAccount
2. EKS mutating webhook injects AWS_WEB_IDENTITY_TOKEN_FILE
3. AWS SDK reads JWT token from injected file
4. SDK calls STS::AssumeRoleWithWebIdentity
5. OIDC provider validates token against trust policy
6. Temporary credentials issued (automatically rotated)
7. Pod uses scoped IAM permissionsKey Benefits
Security:
- Pod-level permissions (not node-level)
- Prevents privilege escalation
- Automatic credential rotation
- No long-lived credentials
Compliance:
- Least-privilege principle
- Audit trail via CloudTrail
- Compliance requirements met
- Fine-grained access control
Operational:
- Each app gets own IAM role
- Modify permissions without node changes
- Better resource isolation
- Supports multi-tenancy
Quick Start
Prerequisites
- OIDC Provider Enabled (automatic with terraform-aws-modules/eks)
- IAM Role Created with trust policy for OIDC
- ServiceAccount Annotated with role ARN
- Pod Configured to use ServiceAccount
30-Second Setup (Terraform)
# 1. Enable IRSA in EKS module (automatic OIDC setup)
module "eks" {
source = "terraform-aws-modules/eks/aws"
version = "~> 20.0"
cluster_name = "production"
enable_irsa = true # Creates OIDC provider automatically
}
# 2. Create IAM role for S3 access
module "s3_access_irsa" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
version = "~> 5.0"
role_name = "my-app-s3-access"
role_policy_arns = {
s3_read = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}
oidc_providers = {
main = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["production:my-app-sa"]
}
}
}
# 3. Create Kubernetes ServiceAccount
resource "kubernetes_service_account" "my_app" {
metadata {
name = "my-app-sa"
namespace = "production"
annotations = {
"eks.amazonaws.com/role-arn" = module.s3_access_irsa.iam_role_arn
}
}
}
# 4. Use ServiceAccount in pod
resource "kubernetes_deployment" "my_app" {
spec {
template {
spec {
service_account_name = "my-app-sa" # ✅ IRSA enabled!
containers {
name = "app"
image = "my-app:latest"
# AWS SDK automatically uses IRSA credentials
}
}
}
}
}Verify IRSA Setup
# Check OIDC provider exists
aws iam list-open-id-connect-providers
# Verify IAM role trust policy
aws iam get-role --role-name my-app-s3-access
# Test from pod
kubectl exec -it my-pod -- env | grep AWS
# Should show:
# AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
# AWS_ROLE_ARN=arn:aws:iam::123456789012:role/my-app-s3-access
# Test AWS access
kubectl exec -it my-pod -- aws s3 lsCommon IRSA Patterns
1. AWS Load Balancer Controller
What it needs: Create/manage ALBs and NLBs
module "lb_controller_irsa" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
role_name = "aws-load-balancer-controller"
attach_load_balancer_controller_policy = true # Pre-built policy!
oidc_providers = {
main = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:aws-load-balancer-controller"]
}
}
}2. EBS CSI Driver
What it needs: Create/attach/delete EBS volumes
module "ebs_csi_irsa" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
role_name = "ebs-csi-controller"
attach_ebs_csi_policy = true # Pre-built policy!
oidc_providers = {
main = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
}
}
}3. External DNS
What it needs: Manage Route53 records
module "external_dns_irsa" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
role_name = "external-dns"
attach_external_dns_policy = true # Pre-built policy!
external_dns_hosted_zone_arns = ["arn:aws:route53:::hostedzone/Z123456789"]
oidc_providers = {
main = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:external-dns"]
}
}
}4. Cluster Autoscaler
What it needs: Modify Auto Scaling Groups
module "cluster_autoscaler_irsa" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
role_name = "cluster-autoscaler"
attach_cluster_autoscaler_policy = true # Pre-built policy!
cluster_autoscaler_cluster_names = [module.eks.cluster_name]
oidc_providers = {
main = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:cluster-autoscaler"]
}
}
}5. Karpenter (Recommended Autoscaler)
What it needs: Provision EC2 instances, manage instance profiles
module "karpenter" {
source = "terraform-aws-modules/eks/aws//modules/karpenter"
cluster_name = module.eks.cluster_name
irsa_oidc_provider_arn = module.eks.oidc_provider_arn
# Includes pre-configured IRSA role!
}6. External Secrets Operator
What it needs: Read secrets from AWS Secrets Manager
module "external_secrets_irsa" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
role_name = "external-secrets"
attach_external_secrets_policy = true # Pre-built policy!
oidc_providers = {
main = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:external-secrets"]
}
}
}7. Custom Application (S3 + DynamoDB)
module "app_irsa" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
role_name = "my-app"
role_policy_arns = {
s3 = aws_iam_policy.app_s3_policy.arn
dynamodb = aws_iam_policy.app_dynamodb_policy.arn
}
oidc_providers = {
main = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["production:my-app-sa"]
}
}
}
# Custom policies with least privilege
resource "aws_iam_policy" "app_s3_policy" {
name = "my-app-s3-access"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Action = [
"s3:GetObject",
"s3:PutObject"
]
Resource = "arn:aws:s3:::my-bucket/my-app/*"
}
]
})
}Application Code Examples
Python (Boto3)
import boto3
# AWS SDK automatically detects IRSA credentials
# No configuration needed!
s3 = boto3.client('s3')
response = s3.list_buckets()
print(response['Buckets'])
# The SDK:
# 1. Reads AWS_WEB_IDENTITY_TOKEN_FILE env var
# 2. Reads AWS_ROLE_ARN env var
# 3. Calls STS::AssumeRoleWithWebIdentity
# 4. Uses temporary credentials automaticallyNode.js (AWS SDK v3)
import { S3Client, ListBucketsCommand } from "@aws-sdk/client-s3";
// AWS SDK automatically detects IRSA credentials
const s3Client = new S3Client({ region: "us-east-1" });
const response = await s3Client.send(new ListBucketsCommand({}));
console.log(response.Buckets);Go (AWS SDK v2)
import (
"context"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/service/s3"
)
func main() {
// AWS SDK automatically detects IRSA credentials
cfg, _ := config.LoadDefaultConfig(context.TODO())
client := s3.NewFromConfig(cfg)
resp, _ := client.ListBuckets(context.TODO(), &s3.ListBucketsInput{})
fmt.Println(resp.Buckets)
}Detailed Documentation
For in-depth guides on specific IRSA topics:
-
OIDC Setup: references/oidc-setup.md
- OIDC provider configuration
- Trust relationship anatomy
- Thumbprint calculation
- Blue/green cluster upgrades
-
Role Creation: references/role-creation.md
- IAM role patterns for common services
- Custom policy examples
- Session tags for ABAC
- Cross-account access
-
Pod Configuration: references/pod-configuration.md
- ServiceAccount annotations
- Pod specifications
- Environment variables
- Troubleshooting
Security Best Practices
1. Use Dedicated Service Accounts
# ❌ BAD: Sharing service account
apiVersion: v1
kind: ServiceAccount
metadata:
name: shared-sa # Used by multiple apps
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123:role/shared-role
# ✅ GOOD: One service account per app
apiVersion: v1
kind: ServiceAccount
metadata:
name: payment-service-sa
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123:role/payment-service
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: email-service-sa
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123:role/email-service2. Restrict IMDS Access
# Prevent pods from accessing node IAM credentials
module "eks" {
source = "terraform-aws-modules/eks/aws"
eks_managed_node_groups = {
main = {
# Require IMDSv2 (prevents container escape to node credentials)
metadata_options = {
http_endpoint = "enabled"
http_tokens = "required" # IMDSv2 only
http_put_response_hop_limit = 1
}
}
}
}3. Least Privilege Policies
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my-bucket/my-app/*",
"Condition": {
"StringEquals": {
"aws:PrincipalAccount": "123456789012"
}
}
}
]
}4. Regular Auditing
# Find all IRSA roles
aws iam list-roles --query 'Roles[?contains(AssumeRolePolicyDocument.Statement[0].Principal.Federated, `oidc-provider`)]'
# Check CloudTrail for AssumeRoleWithWebIdentity calls
aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRoleWithWebIdentity \
--max-results 50Troubleshooting Quick Reference
| Issue | Cause | Fix |
|---|---|---|
AccessDenied |
Missing IAM permissions | Check role policy allows action |
AssumeRoleWithWebIdentity failed |
Trust policy mismatch | Verify OIDC provider ARN matches cluster |
InvalidIdentityToken |
Wrong namespace/SA in trust | Check StringEquals condition |
| Pod can't assume role | ServiceAccount not annotated | Add eks.amazonaws.com/role-arn annotation |
| Using node credentials | Pod not using ServiceAccount | Set serviceAccountName in pod spec |
| OIDC provider not found | IRSA not enabled | Set enable_irsa = true in EKS module |
eksctl Quick Setup
# Create cluster with OIDC enabled
eksctl create cluster \
--name production \
--region us-east-1 \
--with-oidc
# Create IRSA role + ServiceAccount in one command
eksctl create iamserviceaccount \
--name my-app-sa \
--namespace production \
--cluster production \
--attach-policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess \
--approve
# Verify
kubectl get sa my-app-sa -n production -o yamlBlue/Green Cluster Upgrades
Problem: IRSA trust policies include cluster OIDC endpoint
Solution: Update trust policies during upgrade
# Support both blue and green clusters temporarily
resource "aws_iam_role" "app" {
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Principal = {
Federated = [
module.eks_blue.oidc_provider_arn, # Old cluster
module.eks_green.oidc_provider_arn # New cluster
]
}
Action = "sts:AssumeRoleWithWebIdentity"
Condition = {
StringEquals = {
"${module.eks_blue.oidc_provider}:sub" = "system:serviceaccount:prod:app-sa"
"${module.eks_green.oidc_provider}:sub" = "system:serviceaccount:prod:app-sa"
}
}
}
]
})
}EKS Pod Identity (New Alternative)
Note: EKS Pod Identity is the new simplified alternative to IRSA (GA 2024).
Differences:
- No OIDC provider needed
- Simpler trust policies
- Managed by AWS entirely
- Recommended for new deployments
IRSA vs Pod Identity:
- IRSA: Proven, mature, widely used (2019+)
- Pod Identity: Simpler, newer, AWS-managed (2024+)
- Both work, Pod Identity is easier for new clusters
Migration Path: Keep IRSA for existing clusters, use Pod Identity for new ones.
Version: 2025 Best Practices
Terraform Module: terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks
Status: Production-ready
Last Updated: November 2025