If you self-host K3s on EC2 and your pods need AWS API access, there are at least 4 distinct ways to wire that up - and most blog posts only cover 1 or 2. I built all four on the same 3-node cluster, ran 10 cold starts each, then deliberately broke things to record failure modes:

- A. EC2 Instance Profile (default fallback)
- B. IRSA via S3 public bucket (the classic 2021 pattern)
- C. IRSA via CloudFront + custom domain (private bucket, OAC)
- D. IAM Roles Anywhere with self-signed CA (X.509 cert auth)

## 3 things I didn't expect

Setup B (IRSA via S3 public bucket) was actually FASTER than baseline - 2.59s vs 3.18s median for plain Instance Profile. I assumed S3 GET for JWKS would add latency. Regional S3 STS validation beats it. Caveat: image was `:latest`, so timings include some kubelet registry digest resolution overhead.

`aws_signing_helper` serve mode is broken with helper 1.8.2 + current aws-cli + K3s 1.35.4. Returns 400 on the IMDSv2 listing endpoint, botocore overflows on `_evaluate_expiration`.…
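Setups B and C both rest on the same three artefacts: the OIDC discovery document and JWKS you publish (to the bucket or behind CloudFront), and the projected service-account token the kubelet mounts into the pod. STS only accepts the token if all three agree with the provider URL registered in IAM, and an exact-match issuer mismatch (a trailing slash, an unpublished `kid`) is the usual reason an IRSA cold start fails. The following is an added example, not code from the post above: a stdlib-only consistency check over those artefacts. The bucket name, issuer URL, `kid` and token are constructed placeholders, and the token's signature is deliberately not verified (that is STS's job against the JWKS); the check covers the claims and metadata the cluster operator controls.

```python
import base64
import json
import time


def _b64url_decode(data: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token: str):
    """Return (header, claims) of a JWT without checking its signature."""
    header_b64, claims_b64, _sig = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(claims_b64)))


def check_irsa(discovery, jwks, token, expected_issuer, now=None):
    """Return a list of findings; empty means discovery doc, JWKS and the
    projected token agree with the issuer URL registered in IAM."""
    now = time.time() if now is None else now
    findings = []

    # 1. Discovery document: STS compares the issuer to the IAM OIDC
    # provider URL byte-for-byte, so a trailing slash is a real mismatch.
    issuer = discovery.get("issuer", "")
    if issuer != expected_issuer:
        findings.append(f"discovery issuer {issuer!r} != expected {expected_issuer!r}")
    if issuer.endswith("/"):
        findings.append("issuer has trailing slash; STS compares it exactly")
    jwks_uri = discovery.get("jwks_uri", "")
    if not jwks_uri.startswith("https://"):
        findings.append("jwks_uri is not https")
    if not jwks_uri.startswith(issuer):
        findings.append("jwks_uri is not under the issuer URL")
    if "RS256" not in discovery.get("id_token_signing_alg_values_supported", []):
        findings.append("discovery does not advertise RS256")

    # 2. JWKS: every entry must be an RSA signing key with a kid.
    kids = set()
    for key in jwks.get("keys", []):
        if key.get("kty") != "RSA" or key.get("use") != "sig":
            findings.append(f"key {key.get('kid')!r} is not an RSA signing key")
        if not all(k in key for k in ("kid", "n", "e")):
            findings.append("JWKS entry missing kid/n/e")
        kids.add(key.get("kid"))
    if not kids:
        findings.append("JWKS has no keys")

    # 3. Projected token: signed with a published kid, same issuer,
    # audience sts.amazonaws.com, service-account subject, not expired.
    header, claims = decode_jwt_unverified(token)
    if header.get("alg") != "RS256":
        findings.append(f"token alg {header.get('alg')!r} is not RS256")
    if header.get("kid") not in kids:
        findings.append(f"token kid {header.get('kid')!r} not in JWKS")
    if claims.get("iss") != issuer:
        findings.append(f"token iss {claims.get('iss')!r} != discovery issuer")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if "sts.amazonaws.com" not in aud:
        findings.append(f"token aud {aud!r} lacks sts.amazonaws.com")
    if not str(claims.get("sub", "")).startswith("system:serviceaccount:"):
        findings.append("token sub is not a service-account subject")
    if claims.get("exp", 0) <= now:
        findings.append("token is expired")
    return findings


def make_sample_token(claims, kid="k3s-key-1", alg="RS256"):
    """Constructed JWT-shaped string with a dummy signature; a real
    projected token is RS256-signed by the K3s API server."""
    header = {"alg": alg, "kid": kid, "typ": "JWT"}
    return ".".join(_b64url_encode(json.dumps(p).encode()) for p in (header, claims)) + ".sig"


# Constructed sample inputs; bucket name and issuer URL are placeholders.
ISSUER = "https://example-irsa-bucket.s3.us-east-1.amazonaws.com"
DISCOVERY = {
    "issuer": ISSUER,
    "jwks_uri": ISSUER + "/keys.json",
    "authorization_endpoint": "urn:kubernetes:programmatic_authorization",
    "response_types_supported": ["id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "claims_supported": ["sub", "iss"],
}
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "k3s-key-1",
                  "n": "placeholder-modulus", "e": "AQAB"}]}
NOW = 1_700_000_000
GOOD_CLAIMS = {"iss": ISSUER, "aud": ["sts.amazonaws.com"], "iat": NOW,
               "exp": NOW + 3600, "sub": "system:serviceaccount:default:aws-client"}
GOOD_TOKEN = make_sample_token(GOOD_CLAIMS)


def demo():
    """Consistent setup versus a provider registered with a trailing slash
    and a token signed with a kid that was never published."""
    ok = check_irsa(DISCOVERY, JWKS, GOOD_TOKEN, ISSUER, now=NOW)
    bad = check_irsa({**DISCOVERY, "issuer": ISSUER + "/"}, JWKS,
                     make_sample_token(GOOD_CLAIMS, kid="stale-kid"), ISSUER, now=NOW)
    return ok, bad


if __name__ == "__main__":
    for name, result in zip(("good", "bad"), demo()):
        print(name, result or "no findings")
```

On a live cluster you would feed `check_irsa` the discovery document and JWKS fetched from the issuer URL and the token read from `/var/run/secrets/eks.amazonaws.com/serviceaccount/token` (or whatever path the pod's projected volume uses) in the pod, with `expected_issuer` set to the URL registered on the IAM OIDC provider; running it before the cold-start timings separates "STS rejected the token" from the registry and kubelet overhead noted above.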