# Enable EKS IRSA

AWS Elastic Kubernetes Service (EKS) IAM Roles for Service Accounts (IRSA) authentication can be used to allow SingleStore cluster pods to communicate with S3 buckets (data, backup and pipelines).

This applies to Operator deployments only and is supported for SingleStore Self-Managed engine version 8.5 and later.

To enable IRSA:

1. Set the `enable_eks_irsa` global variable to `ON`.
   ```sql
   SET GLOBAL enable_eks_irsa = ON;
   ```

2. Create an IAM role and attach policies that define which services the role can access and the scope of access for those services.

3. Create a Kubernetes service account annotated with the IAM role ARN.
   ```yaml
   apiVersion: v1
   kind: ServiceAccount
   metadata:  
     annotations:    
       eks.amazonaws.com/role-arn: arn:aws:iam::<aws_account_id>:role/<role_name>  
     name: <service_account_name> # Must be set to the name of the cluster
   ```

4. Update the MemsqlCluster custom resource (CR) spec with the service account name from the previous step.
   ```yaml
   apiVersion: memsql.com/v1alpha1
   kind: MemsqlCluster
   metadata:  
     name: <name> # This is the name of the cluster
   spec:  
     ...  
     serviceAccountName: <service_account_name>  
     backupSpec:    
       credsMode: "eks_irsa"    
       CloudServiceProvider: "AWS"    
       bucketName: "<bucket_name>"    
       s3Region: "<bucket_region; e.g. us-east-1>"
   ```

5. The Operator restarts the nodes and mounts the JWT token on each node.

6. Update the SQL statements to use the hint `creds_mode: eks_irsa`. For example:

   * Data:
     ```sql
     CREATE LINK <db_name> AS S3 CREDENTIALS '{}'
     CONFIG '{"region":"us-east-1", "creds_mode":"eks_irsa"}';
     ```
   * Pipelines:
     ```sql
     CREATE PIPELINE <pipeline_name> AS LOAD DATA S3 'path'
     CONFIG '{"region": "us-east-1", "creds_mode": "eks_irsa"}'
     INTO TABLE <table_name>;
     ```
   * Backup:
     ```sql
     BACKUP DATABASE <db_name> TO S3 "<bucket_name/path>"
     CONFIG '{"region":"us-east-1", "creds_mode": "eks_irsa"}' CREDENTIALS '{}';
     ```
   * Restore:
     ```sql
     RESTORE DATABASE <db_name> FROM S3 'bucket_name/path' 
     CONFIG '{"region":"us-east-1", "creds_mode":"eks_irsa"}' CREDENTIALS '{}';
     ```
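
Step 2 leaves the role's trust policy to the reader. As an added example (not SingleStore's or AWS's own code), the Python check below lints a trust policy so that only the cluster's service account can assume the role through `sts:AssumeRoleWithWebIdentity`. The OIDC provider ID, the account ID, the namespace `singlestore` and the service account name `sdb-cluster` are constructed sample values.

```python
# Added example: lint an IRSA trust policy for the role created in step 2.
# All account IDs, OIDC provider IDs and names below are constructed samples.

def irsa_trust_findings(policy, oidc_provider, namespace, service_account):
    """Return a list of problems with an IRSA trust policy (empty list = OK)."""
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    findings, matched = [], False
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        matched = True
        principal = stmt.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if not str(federated).endswith(f":oidc-provider/{oidc_provider}"):
            findings.append("principal is not the cluster's OIDC provider")
        # Only exact StringEquals matches count: StringLike with wildcards
        # lets other service accounts in the cluster assume the role.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if equals.get(f"{oidc_provider}:sub") != expected_sub:
            findings.append("sub is not pinned to the service account")
        if equals.get(f"{oidc_provider}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
    if not matched:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    return findings

OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789"  # constructed

def _policy(operator, sub, aud=True):
    """Build a constructed sample trust policy with the given condition."""
    cond = {f"{OIDC}:sub": sub}
    if aud:
        cond[f"{OIDC}:aud"] = "sts.amazonaws.com"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {operator: cond}}]}

GOOD = _policy("StringEquals", "system:serviceaccount:singlestore:sdb-cluster")
LOOSE = _policy("StringLike", "system:serviceaccount:*:*", aud=False)

if __name__ == "__main__":
    for name, pol in (("GOOD", GOOD), ("LOOSE", LOOSE)):
        print(name, irsa_trust_findings(pol, OIDC, "singlestore", "sdb-cluster"))
```

Run it against the JSON returned for the role's trust policy before applying the service account in step 3; an empty list means the role is bound to exactly one service account in one namespace.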

***

Modified at: April 1, 2026

Source: [/db/v9.1/reference/singlestore-operator-reference/enable-eks-irsa/](https://docs.singlestore.com/db/v9.1/reference/singlestore-operator-reference/enable-eks-irsa/)

