AWS IAM

Otterize can create just-in-time AWS IAM roles and policies for your workloads running on EKS Kubernetes clusters, greatly simplifying the lifecycle of managing IAM roles and policies.

Tutorials

To learn how to use the Intents Operator and Credentials Operator to manage just-in-time AWS IAM access, check out the tutorial.

How does Otterize work with AWS IAM?

  1. First, the EKS cluster must have Otterize installed.
  2. To have a role created for a pod, label the pod with credentials-operator.otterize.com/create-aws-role: "true".
  3. The credentials operator will create a role and an AssumeRolePolicy (trust relationship) bound to the pod's ServiceAccount. The ServiceAccount will be annotated automatically.
  4. At this point, the pod is able to assume the role, but the role does not yet have permission to perform any actions. We will need to create a ClientIntents YAML for the access the service requires and apply it to our cluster. Below is an example of a ClientIntents file for accessing an S3 bucket. View the reference to learn more about the AWS IAM ClientIntents syntax.
  5. Once the intent is applied, the intents operator will create a new policy, which will be attached to the service’s role with the appropriate access.
  6. Done!

```yaml
apiVersion: k8s.otterize.com/v1alpha3
kind: ClientIntents
metadata:
  name: server
spec:
  service:
    name: server
  calls:
    - name: arn:aws:s3:::example-bucket-*/*
      type: aws
      awsActions:
        - "s3:PutObject"
        - "s3:GetObject"
```
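As an added illustration (not Otterize's own code), the following Python renders the IAM policy document that a ClientIntents spec like the one above implies: one Allow statement per `type: aws` call, plus a sanity check that every action belongs to the service named in the ARN. The exact policy shape the intents operator attaches to the role is the operator's decision; this only shows the mapping, and the sample spec is constructed inline from the YAML above.

```python
"""Render the IAM policy document implied by an Otterize ClientIntents spec."""

# Constructed sample mirroring the ClientIntents shown on this page.
SAMPLE_INTENTS = {
    "apiVersion": "k8s.otterize.com/v1alpha3",
    "kind": "ClientIntents",
    "metadata": {"name": "server"},
    "spec": {
        "service": {"name": "server"},
        "calls": [
            {
                "name": "arn:aws:s3:::example-bucket-*/*",
                "type": "aws",
                "awsActions": ["s3:PutObject", "s3:GetObject"],
            }
        ],
    },
}


def arn_service(arn: str) -> str:
    """Return the service field of an ARN (arn:partition:service:...)."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return parts[2]


def intents_to_policy(intents: dict) -> dict:
    """Build one Allow statement per `type: aws` call (hypothetical rendering;
    the real intents operator decides the exact policy it attaches)."""
    statements = []
    for call in intents["spec"]["calls"]:
        if call.get("type") != "aws":
            continue  # non-AWS intents are not IAM policy material
        resource, actions = call["name"], call.get("awsActions", [])
        svc = arn_service(resource)
        if not actions:
            raise ValueError(f"no awsActions for {resource}")
        # Least-privilege sanity check: each action's service prefix must match
        # the ARN's service, so s3:* cannot be granted on a DynamoDB ARN.
        bad = [a for a in actions if a.split(":")[0] != svc]
        if bad:
            raise ValueError(f"actions {bad} do not match service {svc!r} of {resource}")
        statements.append({"Effect": "Allow", "Action": sorted(actions), "Resource": resource})
    return {"Version": "2012-10-17", "Statement": statements}
```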

Automatically generating ClientIntents for AWS IAM

Figuring out which AWS access a workload actually needs can be a painful, trial-and-error process, and one you must go through if you're tightening production access.

Otterize is getting ready to release support for using existing traffic to generate least-privilege IAM policies. Keen to try this out as part of early access? Sign up for the Early Access Beta Program and we'll be in touch!