IRSA requires **zero application changes**, and the trick is not in the application at all. AWS SDKs resolve credentials through a documented ordered chain: explicit config, environment variables, web-identity token file, shared profile, EC2 instance profile last. The EKS webhook simply injects environment variables (`AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE`, plus the projected service-account token volume they point at) that sit *higher in the chain* than the instance-profile fallback, and every SDK in every language retargets its identity without recompilation. The one precondition is that the SDK is recent enough to carry the web-identity provider at all; an older SDK walks straight past the injected variables and lands on the instance profile.

The durable concept: **an ordered-fallback resolution chain is a public integration surface.** A platform changes a consumer's behavior by injecting a higher-precedence entry, never by editing the consumer. The same lever appears in:

- `PATH` lookup: version shims (rbenv, asdf) front-run system binaries
- DNS: search domains and `/etc/hosts` override resolution
- Configuration cascades: env var beats config file beats built-in default

Two corollaries:

- The chain's **tail is the risk**: silent fallback is exactly how [[Default Credentials Inherit the Host Identity]] happens.
- The chain's **order is a contract**: transparent injection by platforms ([[Admission Webhook Credential Injection]]) depends on it; reordering it breaks them.

## Source

[Diving into IAM Roles for Service Accounts](https://aws.amazon.com/blogs/containers/diving-into-iam-roles-for-service-accounts/) — Gaurav Pilay, AWS Containers Blog, 2022-02-28.
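The chain and both corollaries, as an added worked model that is not code from the AWS blog post or from any SDK. It mirrors the documented provider order with a handful of small provider functions and shows three things: a pod on a plain node silently resolves to the node role (the tail), injecting the two webhook variables plus a projected token retargets the identical code to the pod's role, and an explicit constructor config still beats the injection. It also shows the check a practitioner wants: an `allow_host_fallback=False` switch that turns the silent tail into a hard error, and a loud failure when the injected variables point at a token that is not mounted. The `env`, `files`, `imds` dictionaries, the role ARNs, the account id and the token contents are all constructed stand-ins for the process environment, the filesystem and the instance metadata service; the `allow_host_fallback` knob is this model's own, not an SDK option.

```python
# Added illustration of an ordered credential-resolution chain, modelled on the
# AWS SDK default provider chain. Not SDK code: the dictionaries passed in are
# constructed stand-ins for the process environment, the filesystem and the
# instance metadata service (IMDS).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Credentials:
    provider: str   # which link of the chain produced the identity
    principal: str  # role ARN or access key id (display only)


def explicit_config(cfg: dict, env: dict, files: dict, imds: dict) -> Optional[Credentials]:
    """Credentials passed directly to the client constructor: head of the chain."""
    if cfg.get("aws_access_key_id"):
        return Credentials("explicit", cfg["aws_access_key_id"])
    return None


def environment(cfg, env, files, imds):
    """AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY in the environment."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return Credentials("environment", env["AWS_ACCESS_KEY_ID"])
    return None


def web_identity(cfg, env, files, imds):
    """AWS_ROLE_ARN + AWS_WEB_IDENTITY_TOKEN_FILE, the pair the EKS webhook injects."""
    role, token_path = env.get("AWS_ROLE_ARN"), env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if not (role and token_path):
        return None
    if token_path not in files:
        # Variables injected but the projected token is not mounted. Fail loudly
        # instead of falling through: falling through would silently hand the
        # workload whatever the tail of the chain returns (the node role).
        raise FileNotFoundError(f"web identity token not found: {token_path}")
    return Credentials("web-identity", role)


def shared_profile(cfg, env, files, imds):
    """Shared credentials file; only the first aws_access_key_id line is read here."""
    path = env.get("AWS_SHARED_CREDENTIALS_FILE", "/root/.aws/credentials")
    for line in files.get(path, "").splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "aws_access_key_id":
            return Credentials("shared-profile", value.strip())
    return None


def instance_profile(cfg, env, files, imds):
    """Tail of the chain: the role attached to the host, fetched from IMDS."""
    if imds.get("iam/security-credentials"):
        return Credentials("instance-profile", imds["iam/security-credentials"])
    return None


# The order is the contract: a platform retargets a consumer by satisfying an
# earlier link, never by editing the consumer.
CHAIN = [explicit_config, environment, web_identity, shared_profile, instance_profile]


def resolve(cfg=None, env=None, files=None, imds=None, *, allow_host_fallback=True) -> Credentials:
    """Walk the chain and return the first identity found.

    allow_host_fallback=False (this model's own knob, not an SDK option) turns
    the silent tail into a hard error, so a workload cannot inherit the node's
    role by accident.
    """
    cfg, env, files, imds = cfg or {}, env or {}, files or {}, imds or {}
    for provider in CHAIN:
        creds = provider(cfg, env, files, imds)
        if creds is None:
            continue
        if creds.provider == "instance-profile" and not allow_host_fallback:
            raise PermissionError(f"refusing to fall back to host identity {creds.principal}")
        return creds
    raise LookupError("no credentials found in the chain")


# Constructed scenario inputs: a node whose IMDS serves the node role, and the
# two variables plus projected token that the EKS webhook adds to a pod.
NODE_IMDS = {"iam/security-credentials": "arn:aws:iam::111122223333:role/eks-node-role"}
INJECTED_ENV = {
    "AWS_ROLE_ARN": "arn:aws:iam::111122223333:role/app-role",
    "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
}
PROJECTED_TOKEN = {INJECTED_ENV["AWS_WEB_IDENTITY_TOKEN_FILE"]: "constructed.jwt.token"}

if __name__ == "__main__":
    # Before injection the pod silently inherits the node role (the tail).
    print(resolve(imds=NODE_IMDS))
    # After injection the same unchanged code resolves the pod's own role.
    print(resolve(env=INJECTED_ENV, files=PROJECTED_TOKEN, imds=NODE_IMDS))
    # Explicit config still wins: injection only beats the links below it.
    print(resolve(cfg={"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE"},
                  env=INJECTED_ENV, files=PROJECTED_TOKEN, imds=NODE_IMDS))
```

The two failure modes worth keeping in mind map onto the two corollaries: `resolve(imds=NODE_IMDS, allow_host_fallback=False)` raises rather than returning the node role, and `resolve(env=INJECTED_ENV, imds=NODE_IMDS)` with no token mounted raises in `web_identity` instead of degrading to the tail. Reordering `CHAIN` so that `instance_profile` precedes `web_identity` makes the injection scenario return the node role again, which is the concrete sense in which the order is a contract.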