The most secure and recommended method for granting AWS permissions to applications running in Amazon EKS is to use IAM Roles for Service Accounts (IRSA). This feature associates an IAM role with a Kubernetes service account. Pods that use this service account can then assume the associated IAM role and receive temporary, short-lived security credentials from the AWS Security Token Service (STS). This approach adheres to the principle of least privilege and completely avoids the need to store or manage long-lived IAM user credentials (access keys) within the EKS cluster, pods, or container images, directly meeting the stated requirements.

1. AWS Documentation

Amazon EKS User Guide: "IAM roles for service accounts." This document states

"With IAM roles for service accounts

you can associate an IAM role with a Kubernetes service account. This service account can then provide AWS permissions to the containers in any pod that uses that service account." It details how the pod receives a web identity token and exchanges it for temporary AWS credentials.

Source: AWS Documentation

Amazon EKS User Guide

"IAM roles for service accounts".

2. AWS Documentation

IAM User Guide: "IAM best practices." This guide strongly advises against using long-term credentials like IAM user access keys when a temporary alternative is available. It recommends using IAM roles to grant temporary permissions.

Source: AWS Documentation

IAM User Guide

"Security best practices in IAM"

section "Grant least privilege".

3. AWS Documentation

Amazon EKS User Guide: "Amazon EKS node IAM role." This document explains the role of the worker node's IAM policy

which is a prerequisite for the cluster to function but is distinct from the application-specific permissions granted via IRSA. The IRSA mechanism is the specific solution for pod-level permissions.

Source: AWS Documentation

Amazon EKS User Guide

"Amazon EKS node IAM role".