diff --git a/deploy/Chart/templates/rp/deployment.yaml b/deploy/Chart/templates/rp/deployment.yaml
index c82fba9016..5763657a9c 100644
--- a/deploy/Chart/templates/rp/deployment.yaml
+++ b/deploy/Chart/templates/rp/deployment.yaml
@@ -69,6 +69,10 @@ spec:
 volumeMounts:
 - name: config-volume
 mountPath: /etc/config
+ {{- if eq .Values.global.aws.irsa.enabled true }}
+ - name: aws-iam-token
+ mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
+ {{- end }}
 - name: terraform
 mountPath: {{ .Values.rp.terraform.path }}
 {{- if .Values.global.rootCA.cert }}
@@ -83,6 +87,15 @@ spec:
 - name: config-volume
 configMap:
 name: applications-rp-config
+ {{- if eq .Values.global.aws.irsa.enabled true }}
+ - name: aws-iam-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: token
+ expirationSeconds: 86400
+ audience: "sts.amazonaws.com"
+ {{- end }}
 - name: terraform
 emptyDir: {}
 {{- if .Values.global.rootCA.cert }}
diff --git a/deploy/Chart/templates/ucp/deployment.yaml b/deploy/Chart/templates/ucp/deployment.yaml
index 4c497fd8e6..0112c0d086 100644
--- a/deploy/Chart/templates/ucp/deployment.yaml
+++ b/deploy/Chart/templates/ucp/deployment.yaml
@@ -63,6 +63,10 @@ spec:
 volumeMounts:
 - name: config-volume
 mountPath: /etc/config
+ {{- if eq .Values.global.aws.irsa.enabled true }}
+ - name: aws-iam-token
+ mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
+ {{- end }}
 - name: cert
 mountPath: '/var/tls/cert'
 readOnly: true
@@ -77,6 +81,15 @@ spec:
 # Provide the name of the ConfigMap containing the files you want
 # to add to the container
 name: ucp-config
+ {{- if eq .Values.global.aws.irsa.enabled true }}
+ - name: aws-iam-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: token
+ expirationSeconds: 86400
+ audience: "sts.amazonaws.com"
+ {{- end }}
 - name: cert
 secret:
 secretName: ucp-cert
diff --git a/deploy/Chart/values.yaml b/deploy/Chart/values.yaml
index 359aff7f19..eb39f707ad 100644
--- a/deploy/Chart/values.yaml
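Review bot: The new `aws-iam-token` entry under `volumeMounts` in rp/deployment.yaml has no `readOnly: true`, and the identical mount added in ucp/deployment.yaml omits it too, although the `cert` mount right below it there sets it. The mounted file is a bearer credential that the container only needs to read, so I would add `readOnly: true` after `mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount` in both templates to state that intent and match the existing style. The container spec starts outside the hunk, so whether other containers in the pod need the same mount is not visible here.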
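Review bot: `expirationSeconds: 86400` in the projected `serviceAccountToken` source is hard-coded in the rp `volumes` hunk and again in the matching ucp/deployment.yaml hunk, so every install gets a 24-hour token for audience `sts.amazonaws.com`. A token that leaks from the pod stays usable for the web-identity exchange until it expires, so operators who want a shorter exposure window need a way to lower it. Consider reading the value from the chart values, e.g. `expirationSeconds: {{ .Values.global.aws.irsa.tokenExpirationSeconds | default 86400 }}` (a proposed new key, not one the chart defines today), and documenting it beside `global.aws.irsa.enabled`. The `volumes:` list begins outside the hunk.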
+++ b/deploy/Chart/values.yaml @@ -26,6 +26,12 @@ global: azureWorkloadIdentity: enabled: false + # Configure global.aws.irsa.enabled=true to enable AWS IRSA. + # Disabled by default. + aws: + irsa: + enabled: false + controller: image: ghcr.io/radius-project/controller # Default tag uses Chart AppVersion.
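Review bot: The templates in this commit read the new key as `.Values.global.aws.irsa.enabled` with no guard for a missing `aws` map, so the default added here is the only thing keeping the render from failing. On an upgrade that reuses the previous release's values (`helm upgrade --reuse-values`) new chart defaults are not merged in, so the four `{{- if eq .Values.global.aws.irsa.enabled true }}` conditions would likely stop with a nil-pointer error instead of treating IRSA as disabled; a nil-safe form such as `{{- if ((.Values.global.aws).irsa).enabled }}` avoids that, with the caveat that it tests truthiness rather than equality with `true`. The comment could also state the prerequisite, for example `# Requires an IAM role that trusts the cluster's OIDC provider (audience sts.amazonaws.com).`, since enabling the flag alone only mounts the token.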