Kubernetes Ingress with AWS S3 Read-Only Roles

The request hit our dashboard at 3:17 a.m. A Kubernetes cluster needed an Ingress to securely serve application endpoints, while pulling data from AWS S3 with strict read-only access. No write. No accidental overwrites. As small an attack surface as possible.

To make this work, you need to combine Kubernetes Ingress configuration with AWS IAM roles that enforce S3 read-only permissions. The goal is precise: deliver content from S3 through your services without exposing credentials or opening dangerous write paths.

Step 1: Define the IAM Role
Create a role in AWS with the AmazonS3ReadOnlyAccess managed policy. Because that managed policy grants read access to every bucket in the account, attach a custom policy instead for tighter control, specifying only the required bucket and object actions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}

Step 2: Connect Kubernetes to AWS via IRSA
If you run on EKS, configure IAM Roles for Service Accounts (IRSA). Annotate the service account used by the pod that accesses S3 with the role ARN, and make sure the role's trust policy allows the cluster's OIDC provider to assume it for that specific namespace and service account. This ties the AWS read-only permissions directly to workloads in the cluster, without embedding AWS keys in environment variables or secrets.

Step 3: Configure Ingress for the Application
Use a Kubernetes Ingress resource to route external traffic to pods. Common controllers such as NGINX Ingress or the AWS Load Balancer Controller support secure routing with TLS termination. Use NetworkPolicies so that the Ingress controller can reach only the application pods that need S3 access. Keep the Ingress minimal and secure: no wildcard hosts, no open paths.

Step 4: Verify Read-Only Enforcement
From the pod, run aws s3 ls s3://your-bucket-name to confirm listing works. Then try an upload (for example, aws s3 cp of a local file into the bucket); AWS should reject it with an AccessDenied error. This proves the IAM role is correctly scoped.
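The check above exercises the role at runtime; the policy document itself can also be linted before it is applied. The following is an added example, not code from the post or from hoop.dev: it flags wildcard or write actions and any resource outside the one intended bucket in the Step 1 policy, and it handles the IAM single-value and NotAction/NotResource forms. The bucket names are constructed.

```python
"""Lint an S3 IAM policy JSON for read-only, single-bucket scope (added example)."""
import json

# Read-only S3 actions this check accepts; everything else is treated as a write path.
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion",
                     "s3:ListBucket", "s3:GetBucketLocation"}

def _as_list(value):
    """IAM allows a single value or a list for Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def lint_read_only_policy(policy_json: str, bucket: str) -> list[str]:
    """Return findings for Allow statements that are not read-only or not scoped to `bucket`."""
    policy = json.loads(policy_json)
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
        for action in _as_list(stmt.get("Action")):
            # s3:* or s3:Get* expand to actions that cannot be vetted one by one
            if "*" in action or action not in READ_ONLY_ACTIONS:
                findings.append(f"statement {i}: non-read-only action {action}")
        for res in _as_list(stmt.get("Resource")):
            if res not in allowed:
                findings.append(f"statement {i}: resource {res} outside bucket {bucket}")
    return findings

BUCKET = "example-reports-bucket"  # constructed name standing in for your-bucket-name

# The Step 1 policy from the post, with the constructed bucket name.
READ_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]})

# Constructed weak variant: a wildcard grant on every bucket plus an explicit write.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]})

if __name__ == "__main__":
    for name, doc in (("read-only", READ_ONLY_POLICY), ("weak", WEAK_POLICY)):
        print(name, lint_read_only_policy(doc, BUCKET) or ["ok"])
```

Run it against the policy file kept in version control (see the best practices below) so a write path or a stray `*` is caught before the role is ever attached.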

Best Practices for Kubernetes Ingress + AWS S3 Read-Only Roles

  • Scope IAM policies to exactly one bucket or prefix.
  • Apply TLS to all Ingress endpoints.
  • Use IRSA to avoid static credentials in your cluster.
  • Monitor access logs in AWS CloudTrail to detect anomalies.
  • Keep Ingress YAML and IAM role definitions in version control for auditability.

When Kubernetes Ingress and AWS S3 read-only roles are built together with discipline, you get a strong, lean system. Traffic flows in. Data stays safe. No chaos.

Want to see a live setup that works in minutes? Check out hoop.dev and deploy Kubernetes Ingress with AWS S3 read-only roles without the guesswork.