There are (at least) two ways you can do it:
1. Use a Secret block to store an account and access key. This is more straightforward to get started with, but the downside is that this is a static credential, so you may want to rotate it periodically.
2. Use IAM Roles for Service Accounts, which sounds like what you’re getting at. It’s an EKS-specific mechanism that lets you bind a Kubernetes service account to a particular AWS role. This requires some setup at the cluster level, but simplifies things as it’s a dynamic credential that rotates automatically. You can use infra_overrides to influence the job spec that Prefect creates, and bind it to a service account that has the IRSA annotation for the credential you want to use.
The agent has its own Kubernetes service account, but I would recommend creating a separate service account for your flow, so that you can reduce permissions granted to it. The Prefect agent KSA requires the ability to create and deploy pods, whereas your flow KSA may not need any permissions inside Kubernetes (no RoleBinding or ClusterRoleBindings) and would only exist so that you can link it to your IAM role on the AWS side.
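The second option, sketched as configuration. This is an added example, not part of the original answer and not Prefect's own code; the service account name, namespace, account ID and role name are placeholders, and the override keys assume the flow runs on a KubernetesJob infrastructure block.

```yaml
# flow-serviceaccount.yaml
# Constructed example: name, namespace, account ID and role name are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flow-runner              # hypothetical KSA used only by flow-run pods
  namespace: prefect-flows       # hypothetical namespace
  annotations:
    # IRSA annotation: pods running as this KSA get temporary credentials
    # for this IAM role instead of a stored access key.
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/prefect-flow-role
# Deliberately no Role, RoleBinding or ClusterRoleBinding references this KSA,
# so a flow-run pod holds no permissions inside the cluster. The agent keeps
# its own, separate KSA with the rights it needs to create the job pods.
#
# On the AWS side, scope the role's trust policy (sts:AssumeRoleWithWebIdentity)
# to this one KSA with StringEquals conditions on the cluster's OIDC provider:
#   "<oidc-provider>:sub": "system:serviceaccount:prefect-flows:flow-runner"
#   "<oidc-provider>:aud": "sts.amazonaws.com"
# (<oidc-provider> is a placeholder for the cluster's OIDC issuer host and path.)
---
# Fragment of the Prefect deployment definition (deployment.yaml).
# Assumption: KubernetesJob infrastructure, whose job spec accepts these fields.
infra_overrides:
  namespace: prefect-flows
  service_account_name: flow-runner
```

Pinning the `sub` condition to a single namespace and service account matters: a trust policy that matches on a wildcard lets any pod that can run under a matching KSA assume the role.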