How to Configure EBS Access for Your EKS Cluster
Amazon Elastic Kubernetes Service (EKS) simplifies Kubernetes management, but when it comes to persistent storage, you’ll often need Amazon Elastic Block Store (EBS) volumes for stateful workloads (like databases).
However, by default, EKS worker nodes don’t have permission to create or attach EBS volumes. This article walks you through configuring secure EBS access for your EKS cluster — the right way.
Why Do We Need EBS Access in EKS?
- Many apps (PostgreSQL, Cassandra, etc.) require persistent storage that survives pod restarts.
- Kubernetes uses PersistentVolumes (PV) and PersistentVolumeClaims (PVC) to manage storage — in AWS, these map to EBS volumes.
- Without proper permissions, PVCs stay in Pending state because the EBS CSI driver can’t provision volumes.
High-Level Steps
- Install the EBS CSI Driver (AWS’s recommended storage plugin).
- Configure IAM roles and policies to allow EKS to manage EBS volumes.
- Map the IAM role to your service account via IRSA (IAM Roles for Service Accounts).
- Deploy a sample PVC + Pod to test storage provisioning.
Prerequisites
- An existing EKS Cluster (created via eksctl, Terraform, or console).
- kubectl and AWS CLI configured to access your cluster.
- IAM OIDC provider enabled for the cluster (needed for IRSA).
Step 1: Enable OIDC Provider for EKS
Associate an IAM OIDC provider with the cluster (eksctl skips this if one is already associated):
eksctl utils associate-iam-oidc-provider --cluster <cluster-name> --approve
This allows service accounts in EKS to assume IAM roles securely (no static credentials needed).
Step 2: Create IAM Policy for EBS CSI Driver
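The EBS CSI driver project publishes an example IAM policy. AWS CLI v2 does not fetch https:// URLs passed as parameter values, so download the file first and reference it with file://:
# Download the example policy and review it before creating the IAM policy
curl -sSfLo ebs-csi-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-ebs-csi-driver/master/docs/example-iam-policy.json
# Create the customer-managed policy from the local file
aws iam create-policy \
--policy-name AmazonEBSCSIDriverPolicy \
--policy-document file://ebs-csi-policy.json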
This policy grants permissions to create, delete, and manage EBS volumes.
Step 3: Create IAM Role and Attach Policy
Create an IAM role for the EBS CSI driver and attach the policy:
eksctl create iamserviceaccount \
--name ebs-csi-controller-sa \
--namespace kube-system \
--cluster <cluster-name> \
--attach-policy-arn arn:aws:iam::<account-id>:policy/AmazonEBSCSIDriverPolicy \
--approve \
--override-existing-serviceaccounts
Step 4: Install the EBS CSI Driver
Use Helm to deploy the driver to your cluster:
helm repo add aws-ebs-csi-driver https://kubernetes-sigs.github.io/aws-ebs-csi-driver
helm repo update
# Chart 2.x and later use controller.serviceAccount.*; 1.x charts used serviceAccount.controller.*
helm install aws-ebs-csi-driver aws-ebs-csi-driver/aws-ebs-csi-driver \
--namespace kube-system \
--set controller.serviceAccount.create=false \
--set controller.serviceAccount.name=ebs-csi-controller-sa
Step 5: Test with a PersistentVolumeClaim
Create a PVC and Pod to verify EBS provisioning:
pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ebs-test-claim
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: gp2
  resources:
    requests:
      storage: 4Gi
pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: ebs-test-pod
spec:
  containers:
    - name: app
      image: busybox
      command: [ "sleep", "3600" ]
      volumeMounts:
        - mountPath: "/data"
          name: ebs-volume
  volumes:
    - name: ebs-volume
      persistentVolumeClaim:
        claimName: ebs-test-claim
Apply both manifests:
kubectl apply -f pvc.yaml
kubectl apply -f pod.yaml
Check PVC status:
kubectl get pvc
It should bind successfully, and an EBS volume will be created in your AWS account.
Best Practices
- Use gp3 volumes instead of gp2 for better performance and cost savings.
- Tag your EBS volumes for cost allocation and tracking.
- Enable encryption for security (KMS keys).
- Use PodDisruptionBudgets to protect stateful apps during node upgrades.
Conclusion
With the EBS CSI driver and proper IAM configuration, your EKS cluster can dynamically provision EBS volumes for stateful applications. This setup follows AWS best practices using IRSA, ensuring security and scalability without hardcoding credentials.