This page describes the IAM model. The reference architecture’s
iam module is the source of truth for policy JSON and trust relationships.Roles
| Role | K8s ServiceAccount / workload | Purpose |
|---|---|---|
| EKS cluster role | n/a | Lets the EKS control plane manage AWS resources for the cluster. |
| CPU node-group instance role | n/a | Worker-node permissions for the platform node group. |
| GPU node-group instance role | n/a | Worker-node permissions for the inference node group (full profile). |
core-api IRSA role | poolside/core-api-sa | Application access to S3 (user data), KMS, and AWS Marketplace metering. |
inference IRSA role | poolside-models/inference | Read access to the model checkpoints S3 bucket. |
| External Secrets Operator IRSA role | external-secrets/external-secrets | Reference-architecture-only. Reads the RDS master password from AWS Secrets Manager. See External Secrets Operator below. |
| AWS Load Balancer Controller IRSA role | kube-system/aws-load-balancer-controller | Provisions ALBs and target groups from Kubernetes Ingress resources. |
| EBS CSI driver IRSA role | kube-system/ebs-csi-controller-sa | Provisions EBS volumes for gp3 PersistentVolumeClaims. |
| VPC CNI IRSA role | kube-system/aws-node | Lets the vpc-cni add-on manage network interfaces and IP addresses for pods. |
iam module in the reference architecture repository.
Notes on specific roles
core-api
The core application uses three distinct AWS services, so its IRSA role bundles three policies:
- S3 (bucket-scoped): the application stores user data and platform assets in your Poolside S3 bucket.
- KMS (key-scoped): the application encrypts sensitive fields using a customer-managed KMS key.
- AWS Marketplace metering: deployments that subscribe through AWS Marketplace report metering records using
aws-marketplace:MeterUsage. This action does not support resource-level scoping, so the policy is granted on*.
AWS Load Balancer Controller
The controller’s policy follows the upstream AWS Load Balancer Controller IAM policy maintained by the project. Use that JSON as your source of truth; the reference architecture pins a specific revision.Node-group instance roles
These are EC2 instance roles, not IRSA roles, and pods do not assume them. They attach the standard EKS-managed worker-node policies. With IRSA in use, pod-level AWS access (S3, KMS, Secrets Manager, and so on) is granted through the IRSA roles in the preceding table, not through the node role.External Secrets Operator
The Poolside Helm chart does not depend on ESO. It expects the RDS password to be available as a Kubernetes Secret (default namepoolside-db-secret) in the poolside namespace and is agnostic to how that Secret was populated.
The reference architecture deploys ESO to fetch the RDS password from AWS Secrets Manager at runtime, which keeps the password out of Terraform state. If you provision the Kubernetes Secret another way, for example with kubectl create secret or your own secret-management tooling, you can omit ESO and this IRSA role.