All posts
ConceptsOctober 16, 20251 min read

Kubernetes Ingress with AWS S3 Read-Only Roles

The request hit our dashboard at 3:17 a.m. A Kubernetes cluster needed an Ingress to securely serve application endpoints, while pulling data from AWS S3 with strict read-only access. No write. No accidental overwrites. Zero breach surface. To make this work, you need to combine Kubernetes Ingress configuration with AWS IAM roles that enforce S3 read-only permissions. The goal is precise: deliver content from S3 through your services without exposing credentials or opening dangerous write paths

Free White Paper

Read-Only Root Filesystem + AWS IAM Policies: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

The request hit our dashboard at 3:17 a.m. A Kubernetes cluster needed an Ingress to securely serve application endpoints, while pulling data from AWS S3 with strict read-only access. No write. No accidental overwrites. Zero breach surface.

To make this work, you need to combine Kubernetes Ingress configuration with AWS IAM roles that enforce S3 read-only permissions. The goal is precise: deliver content from S3 through your services without exposing credentials or opening dangerous write paths.

Step 1: Define the IAM Role
Create a role in AWS with the AmazonS3ReadOnlyAccess managed policy. For tighter control, attach a custom policy specifying only the required bucket and object actions:

{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Effect": "Allow",
 "Action": [
 "s3:GetObject",
 "s3:ListBucket"
 ],
 "Resource": [
 "arn:aws:s3:::your-bucket-name",
 "arn:aws:s3:::your-bucket-name/*"
 ]
 }
 ]
}

Step 2: Connect Kubernetes to AWS via IRSA
If you run on EKS, configure IAM Roles for Service Accounts (IRSA). Annotate the service account used by the pod accessing S3 with the role ARN. This ties the AWS read-only permissions directly to workloads in the cluster, without embedding AWS keys in environment variables or secrets.

Continue reading? Get the full guide.

Read-Only Root Filesystem + AWS IAM Policies: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Step 3: Configure Ingress for the Application
Use a Kubernetes Ingress resource to route external traffic to pods. Common controllers like NGINX Ingress or AWS Load Balancer Controller support secure routing with TLS termination. Ensure network policies restrict connections only to application pods that need S3 access. Keep the Ingress minimal and secure—no wildcard hosts, no open paths.

Step 4: Verify Read-Only Enforcement
From the pod, run aws s3 ls s3://your-bucket-name to confirm listing works. Try uploading—AWS should deny it. This proves the IAM role is correctly scoped.

Best Practices for Kubernetes Ingress + AWS S3 Read-Only Roles

  • Scope IAM policies to exactly one bucket or prefix.
  • Apply TLS to all Ingress endpoints.
  • Use IRSA to avoid static credentials in your cluster.
  • Monitor access logs in AWS CloudTrail to detect anomalies.
  • Keep Ingress YAML and IAM role definitions in version control for auditability.

When Kubernetes Ingress and AWS S3 read-only roles are built together with discipline, you get a strong, lean system. Traffic flows in. Data stays safe. No chaos.

Want to see a live setup that works in minutes? Check out hoop.dev and deploy Kubernetes Ingress with AWS S3 read-only roles without the guesswork.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts