If you store data in AWS S3, you know the stakes. Permissive roles can turn into security breaches overnight. Sometimes, all you want is a clean, reliable way to give read-only access—no stumbling through tangled IAM policies or YAML spaghetti. You want it repeatable. You want it fast. You want it to work every time.
A Helm chart can be that answer. When you define AWS S3 read-only roles as part of your deployment pipeline, you lock down access without slowing down builds. Done right, your cluster workloads can pull only what they need and nothing else. This isn’t about theory—it’s about combining AWS Identity and Access Management (IAM) and Kubernetes the smart way.
The core is simple: a Helm chart that creates Kubernetes service accounts bound, through IRSA, to IAM roles granting S3 read-only permissions. No write capabilities. And as long as the role's policy is scoped to the buckets a workload actually reads, no hidden exposure either. That is least privilege done the way it was meant to be.
Here’s the essential workflow:
- Create the IAM role in AWS. Its trust policy must allow `sts:AssumeRoleWithWebIdentity` from the cluster's OIDC provider and pin the `sub` claim to the exact namespace and service account; its permissions policy can start from `AmazonS3ReadOnlyAccess`, but that managed policy grants read access to every bucket in the account, so refine it to the buckets and prefixes your workloads actually need.
- Enable IAM Roles for Service Accounts (IRSA) by associating the cluster's OIDC issuer with IAM as an identity provider. This is done once per cluster.
- Create a Kubernetes service account that maps to the IAM role.
- Package the configuration into a Helm chart, baking in the `eks.amazonaws.com/role-arn` annotation that binds the service account to the IAM role ARN.
- Deploy with a single `helm install`, and pods that run under that service account get the role. The EKS pod identity webhook injects the web-identity token and role ARN when a pod is created, so pods that were already running before the annotation existed must be restarted to pick it up.
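The script below is an added example, not hoop.dev's chart or code from this page. It scaffolds the three artifacts the workflow needs: a trust policy that pins the role to one namespace/service-account pair, a bucket-scoped read-only permissions policy (instead of the account-wide `AmazonS3ReadOnlyAccess`), and a minimal Helm chart carrying the IRSA annotation. The account id, OIDC provider host, bucket name, role name and the chart name `s3-reader` are made-up placeholders; the AWS and Helm commands in `apply` are real CLI invocations but only run when `APPLY=1`, so the script is offline-safe by default.

```shell
#!/usr/bin/env bash
# Added example (not hoop.dev's or the page's own code). All names and ids are placeholders.
set -eu

# Trust policy: only tokens issued by this cluster's OIDC provider, for exactly this
# namespace/service-account pair, may assume the role. Dropping the "sub" condition would
# let every pod in the cluster assume it.
render_trust_policy() {
  account_id="$1"; oidc_provider="$2"; namespace="$3"; sa_name="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_provider}" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": { "StringEquals": {
      "${oidc_provider}:aud": "sts.amazonaws.com",
      "${oidc_provider}:sub": "system:serviceaccount:${namespace}:${sa_name}"
    } }
  }]
}
EOF
}

# Permissions policy: read-only on one bucket, optionally restricted to one key prefix.
# No s3:Put*/Delete* anywhere. The ListBucket prefix condition is only emitted when a
# prefix is given, so an unrestricted listing of the bucket is still allowed otherwise.
render_s3_read_policy() {
  bucket="$1"; prefix="${2:-}"
  if [ -n "$prefix" ]; then
    list_cond=", \"Condition\": { \"StringLike\": { \"s3:prefix\": [\"${prefix}*\"] } }"
  else
    list_cond=""
  fi
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::${bucket}"${list_cond} },
    { "Effect": "Allow", "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::${bucket}/${prefix}*" }
  ]
}
EOF
}

# Minimal chart: Chart.yaml, values.yaml and the ServiceAccount template. The quoted heredoc
# keeps the Helm {{ }} delimiters literal. `required` makes helm install fail fast if the
# role ARN value is empty; an empty annotation would silently yield a pod with no credentials.
scaffold_chart() {
  dir="$1"
  mkdir -p "$dir/templates"
  printf 'apiVersion: v2\nname: s3-reader\nversion: 0.1.0\n' > "$dir/Chart.yaml"
  printf 'serviceAccount:\n  name: s3-reader\n  roleArn: ""\n' > "$dir/values.yaml"
  cat > "$dir/templates/serviceaccount.yaml" <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.serviceAccount.name }}
  namespace: {{ .Release.Namespace }}
  annotations:
    # The EKS pod identity webhook reads this annotation to inject the role into pods.
    eks.amazonaws.com/role-arn: {{ required "serviceAccount.roleArn is required" .Values.serviceAccount.roleArn | quote }}
EOF
}

# The real procedure, using eksctl, the AWS CLI and helm. CLUSTER, ACCOUNT_ID, BUCKET and
# ROLE are assumed environment variables. Guarded so the script runs offline by default.
apply() {
  eksctl utils associate-iam-oidc-provider --cluster "$CLUSTER" --approve
  oidc="$(aws eks describe-cluster --name "$CLUSTER" \
            --query 'cluster.identity.oidc.issuer' --output text | sed 's#^https://##')"
  render_trust_policy "$ACCOUNT_ID" "$oidc" default s3-reader > trust.json
  render_s3_read_policy "$BUCKET" "reports/" > s3-read.json
  aws iam create-role --role-name "$ROLE" --assume-role-policy-document file://trust.json
  aws iam put-role-policy --role-name "$ROLE" --policy-name s3-read-scoped \
      --policy-document file://s3-read.json
  scaffold_chart ./s3-reader
  helm install s3-reader ./s3-reader --namespace default \
      --set serviceAccount.roleArn="arn:aws:iam::${ACCOUNT_ID}:role/${ROLE}"
}

if [ "${APPLY:-0}" = "1" ]; then apply; fi
```

To verify the binding after install, `kubectl get sa s3-reader -o yaml` should show the annotation, and a pod running under that service account should have `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` in its environment; `aws sts get-caller-identity` from inside the pod should report the assumed role, an `aws s3 ls` on the scoped bucket should succeed, and an `aws s3 cp` upload to it should be denied. If a pod shows neither variable, it was created before the annotation existed and needs to be recreated.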
This approach folds the Kubernetes side of permission management into your GitOps workflow. The service account and its role binding are versioned with the chart, deployments are predictable, and risk shrinks. The IAM role, its trust policy and the cluster's OIDC provider still live in AWS (Terraform, CloudFormation or the console), but once they exist you can propagate the same chart across clusters by changing only the role ARN value, without rewriting the rest of the setup.
The benefits aren’t just security. Builds become smoother because they don’t break on over-privileged or under-privileged credentials. Your team doesn’t waste hours troubleshooting role mismatches—it’s all codified in one repeatable tool.
And the best part? You don’t have to spend days on it. With the right tooling, you can see a live AWS S3 read-only roles Helm chart deployment in minutes—running, locked down, and ready to scale. hoop.dev makes that happen. Deploy, test, and see it work now.