AWS Fundamentals for Agents

Calendar February 22, 2026
Cloud-Services
Intermediate
Aws-Resource-Management, Aws-Networking, Aws-Identity-Management
Aws, Iam, Vpc, Ec2, S3, Rds, Eks, Route53, Cloudwatch
Aws-Cli, Aws-Iam, Aws-Ec2, Aws-S3, Aws-Rds, Aws-Eks

IAM: Identity and Access Management#

IAM controls who can do what in your AWS account. Everything in AWS is an API call, and IAM decides which API calls are allowed. There are three concepts an agent must understand: users, roles, and policies.

Users are long-lived identities for humans or service accounts. Roles are temporary identities that can be assumed by users, services, or other AWS accounts. Policies are JSON documents that define permissions. Roles are always preferred over users for programmatic access because they issue short-lived credentials through STS (Security Token Service).

AWS Terraform Patterns: IAM, Networking, EKS, RDS, and Common Gotchas

Calendar February 22, 2026
Infrastructure
Intermediate
Aws-Terraform, Iam-Patterns, Eks-Setup, Rds-Configuration, Vpc-Networking
Terraform, Aws, Iam, Vpc, Eks, Rds, S3, Security-Groups, Irsa, Gotchas, Best-Practices
Terraform, Aws-Cli

AWS Terraform Patterns#

AWS is the most common Terraform target and the most complex. It has more services, more configuration options, and more subtle gotchas than Azure or GCP. This article covers the AWS-specific patterns that agents need to write correct, secure Terraform — with emphasis on the mistakes that cause real production issues.

IAM: The Foundation of Everything#

Every AWS resource that does anything needs IAM permissions. The two patterns agents must know: service roles (letting AWS services act on your behalf) and IRSA (letting Kubernetes pods assume IAM roles).

Cloud Behavioral Divergence Guide: Where AWS, Azure, and GCP Actually Differ

Calendar February 22, 2026
Cloud-Services
Intermediate, Advanced
Multi-Cloud-Operations, Cloud-Migration-Planning, Infrastructure-Debugging, Cross-Cloud-Translation
Aws, Azure, Gcp, Multi-Cloud, Iam, Irsa, Workload-Identity, Managed-Identity, Vpc, Vnet, Networking, Storage, Ebs, Csi-Drivers, Rds, Cloud-Sql, Azure-Sql, Dns, Load-Balancers, Behavioral-Divergence
Aws-Cli, Gcloud, Az-Cli, Kubectl, Terraform

Cloud Behavioral Divergence Guide#

Running the “same” workload on AWS, Azure, and GCP does not produce the same behavior. The Kubernetes API is portable, application containers are portable, and SQL queries are portable. Everything else – identity, networking, storage, load balancing, DNS, and managed service behavior – diverges in ways that matter for production reliability.

This guide documents the specific divergence points with practical examples. Use it when translating infrastructure from one cloud to another, when debugging behavior that differs between environments, or when assessing migration risk.

Cloud-Native vs Portable Infrastructure: A Decision Framework

Calendar February 22, 2026
Cloud-Services
Intermediate, Advanced
Infrastructure-Architecture, Platform-Evaluation, Cloud-Migration-Planning, Kubernetes-Operations
Kubernetes, Eks, Aks, Gke, Multi-Cloud, Portability, Cloud-Native, Helm, Terraform, Iam, Csi-Drivers, Load-Balancers, Managed-Services, Decision-Framework
Kubernetes, Helm, Terraform, Kubectl, Aws-Cli, Gcloud, Az-Cli, Minikube, Kind

Cloud-Native vs Portable Infrastructure#

Every infrastructure decision sits on a spectrum between portability and fidelity. On one end, you have generic Kubernetes running on minikube or kind – it works everywhere, costs nothing, and captures the behavior of the Kubernetes API itself. On the other end, you have cloud-native managed services – EKS with IRSA and ALB Ingress Controller, GKE with Workload Identity and Cloud Load Balancing, AKS with Azure AD Pod Identity and Azure Load Balancer. These capture the behavior of the actual platform your workloads will run on.

EKS IAM and Security

Calendar February 22, 2026
Kubernetes
Intermediate
Eks-Iam-Integration, Irsa-Configuration, Eks-Security-Hardening
Eks, Aws, Iam, Irsa, Pod-Identity, Security, Kms
Aws-Cli, Kubectl, Eksctl, Terraform

EKS IAM and Security#

EKS bridges two identity systems: AWS IAM and Kubernetes RBAC. Understanding how they connect is essential for both granting pods access to AWS services and controlling who can access the cluster.

IAM Roles for Service Accounts (IRSA)#

IRSA lets Kubernetes pods assume IAM roles without using node-level credentials. Each pod gets exactly the AWS permissions it needs, not the broad permissions attached to the node role.

GCP Fundamentals for Agents

Calendar February 22, 2026
Cloud-Services
Intermediate
Gcp-Resource-Management, Gcp-Networking, Gcp-Identity-Management
Gcp, Iam, Vpc, Gke, Cloud-Sql, Cloud-Storage, Cloud-Monitoring, Compute-Engine
Gcloud, Gsutil, Bq, Gke-Gcloud-Auth-Plugin

Projects and Organization#

GCP organizes resources into Projects, which sit under Folders and an Organization. A project is the fundamental unit of resource organization, billing, and API enablement. Every GCP resource belongs to exactly one project.

# Set the active project
gcloud config set project my-prod-project

# List all projects
gcloud projects list

# Create a new project
gcloud projects create staging-project-2026 \
  --name="Staging" \
  --organization=ORG_ID

# Enable required APIs (must be done per-project)
gcloud services enable compute.googleapis.com
gcloud services enable container.googleapis.com
gcloud services enable sqladmin.googleapis.com

Check which project is currently active:

GCP Terraform Patterns: Projects, GKE, Workload Identity, Cloud SQL, and Common Gotchas

Calendar February 22, 2026
Infrastructure
Intermediate
Gcp-Terraform, Gke-Setup, Workload-Identity-Patterns, Cloud-Sql-Configuration
Terraform, Gcp, Gke, Workload-Identity, Cloud-Sql, Iam, Vpc, Secondary-Ranges, Service-Networking, Gotchas
Terraform, Gcloud

GCP Terraform Patterns#

GCP’s Terraform provider (google and google-beta) has patterns distinct from both AWS and Azure. The biggest differences: APIs must be explicitly enabled per project, IAM uses a binding model (not inline policies), and GKE requires secondary IP ranges for VPC-native networking. GCP resources also tend to have longer creation times with more eventual consistency.

Projects and API Enablement#

Before creating any resource in GCP, the corresponding API must be enabled in the project. This is the most common source of first-time failures.

Infrastructure Knowledge Scoping for Agents

Calendar February 22, 2026
Cloud-Services
Intermediate, Advanced
Platform-Detection, Infrastructure-Scoping, Context-Analysis, Multi-Cloud-Operations, Agent-Workflow-Design
Agent-Patterns, Knowledge-Scoping, Multi-Cloud, Kubernetes, Aws, Azure, Gcp, Platform-Detection, Context-Awareness, Iam, Resource-Hierarchy, Infrastructure-as-Code
Kubectl, Aws-Cli, Gcloud, Az-Cli, Terraform, Helm

Infrastructure Knowledge Scoping for Agents#

An agent working on infrastructure tasks needs to operate at the right level of specificity. Giving generic Kubernetes advice when the user runs EKS with IRSA is unhelpful – the agent misses the IAM integration that will make or break the deployment. Giving EKS-specific advice when the user runs minikube on a laptop is equally unhelpful – the agent references services and configurations that do not exist.

Service Account Security: Tokens, RBAC Binding, and Workload Identity

Calendar February 22, 2026
Kubernetes
Intermediate, Advanced
Service-Account-Hardening, Workload-Identity-Configuration, Token-Management, Rbac-Binding
Service-Accounts, Security, Rbac, Workload-Identity, Tokens, Iam
Kubectl, Gcloud, Aws, Az

Service Account Security#

Every pod in Kubernetes runs as a service account. By default, that is the default service account in the pod’s namespace, with an auto-mounted API token that never expires. This default configuration is overly permissive for most workloads. Hardening service accounts is one of the highest-impact security improvements you can make in a Kubernetes cluster.

The Default Problem#

When a pod starts without specifying a service account, Kubernetes does three things: