Skip to content

The kubectl plugin which allows us to test IRSA configuration AWS sa

Notifications You must be signed in to change notification settings


Folders and files

Last commit message
Last commit date

Latest commit



36 Commits

Repository files navigation


This kubectl plugin allows us to test abilities of IAM policies which is assigned to the serviceAccount roles via AWS IAM Policy simulator service. Beside of the IAM Policy Simulator it checks the other essential parts like this;

  • Policy Simulator 🟢
  • WebIdentity Issue 🟢
  • Principal Checks 🟢
  • OIDC linking issues like non existing IdentityProvider or wrong audience .. etc 🟠
  • AdmissionController Check 🟠
  • Thumbprint Check 🟠

How to use ?

First step you have to create a simple resource and action map YAML file like this;

This yaml file contains resource list and related actions which would be possibly using by the serviceaccounts roles.

Notice: Each action simulates by the client on individual resources

  - arn:aws:s3:::my-org-cdn-bucket
  - s3:DeleteBucket

After you create this yaml file you are able to use this like this

  $ kubectl irsa -file config.yaml -sa application-service-account -namespace development

⚠️ Important

Based on the latest Kubernetes version changes especially on AWS EKS, you may face issues with authentication API versions that's why you have to upgrade your AWS CLI V2 version while authenticating via IAM to connect the cluster.

How to upgrade awscli version


flag Description
role Name of the role which assumed by service account which is assigned into the annotations of
config Resource map configuration file


From Source;

This is a simple pip3 package so if you want to install this plugin on your cluster you just need to run this command like this;

    go build ./
    mv kubectl-irsa $PATH:/usr/local/bin


You can download plugin artifact over there;


More than welcome! please don't hesitate to open bugs, questions, pull requests