diff --git a/terraform/modules/eks/main.tf b/terraform/modules/eks/main.tf
index e4e07f4..6537028 100644
--- a/terraform/modules/eks/main.tf
+++ b/terraform/modules/eks/main.tf
@@ -212,11 +212,7 @@ resource "aws_iam_openid_connect_provider" "cluster" {
   })
 }
 
-# EBS CSI Driver IRSA Role
-locals {
-  oidc_provider_host = replace(aws_eks_cluster.main.identity[0].oidc[0].issuer, "https://", "")
-}
-
+# EBS CSI Driver IAM Role (Pod Identity)
 resource "aws_iam_role" "ebs_csi" {
   name = "${local.name_prefix}-ebs-csi-driver"
 
@@ -226,15 +222,12 @@ resource "aws_iam_role" "ebs_csi" {
       {
         Effect = "Allow"
         Principal = {
-          Federated = aws_iam_openid_connect_provider.cluster.arn
-        }
-        Action = "sts:AssumeRoleWithWebIdentity"
-        Condition = {
-          StringEquals = {
-            "${local.oidc_provider_host}:sub" = "system:serviceaccount:kube-system:ebs-csi-controller-sa"
-            "${local.oidc_provider_host}:aud" = "sts.amazonaws.com"
-          }
+          Service = "pods.eks.amazonaws.com"
         }
+        Action = [
+          "sts:AssumeRole",
+          "sts:TagSession"
+        ]
       }
     ]
   })
@@ -247,6 +240,17 @@ resource "aws_iam_role_policy_attachment" "ebs_csi" {
   role = aws_iam_role.ebs_csi.name
 }
 
+resource "aws_eks_pod_identity_association" "ebs_csi" {
+  cluster_name = aws_eks_cluster.main.name
+  namespace = "kube-system"
+  service_account = "ebs-csi-controller-sa"
+  role_arn = aws_iam_role.ebs_csi.arn
+
+  tags = local.common_tags
+
+  depends_on = [aws_eks_addon.pod_identity_agent]
+}
+
 # EKS Add-ons
 resource "aws_eks_addon" "vpc_cni" {
   cluster_name = aws_eks_cluster.main.name
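Review bot: `aws_iam_openid_connect_provider.cluster` (the resource this hunk's header sits in) and the `oidc_provider_url` output in outputs.tf survive even though the only IRSA consumer visible in this module is being removed, so the cluster's OIDC issuer stays registered as a federated identity source in the account with nothing here using it. If no consumer of the module still creates IRSA roles, the provider should be removed in the same change; if it is kept on purpose, record that above the resource, e.g. `# OIDC provider kept for module consumers that still use IRSA; in-module roles use Pod Identity`. Whether anything else still references the removed `local.oidc_provider_host` cannot be seen from this hunk; `terraform validate` will surface a dangling reference.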
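Review bot: The replacement trust statement carries no Condition, whereas the removed `${local.oidc_provider_host}:sub`/`:aud` StringEquals pinned the role to `kube-system:ebs-csi-controller-sa`; with `Service = "pods.eks.amazonaws.com"` as the only constraint, any principal holding `eks:CreatePodIdentityAssociation` plus `iam:PassRole` on this role can bind it to an arbitrary service account on any cluster in the account, so the association resource becomes the sole scoping of the role. Pod Identity attaches the workload identity as session tags on the assume call, so a condition such as `Condition = { StringEquals = { "aws:RequestTag/kubernetes-namespace" = "kube-system", "aws:RequestTag/kubernetes-service-account" = "ebs-csi-controller-sa" } }` (or an `aws:SourceArn` match on the cluster ARN) would restore equivalent scoping; confirm which of these keys is evaluated in the trust policy for Pod Identity before relying on it. A comment above `Action = [` noting that `sts:TagSession` is required because the agent supplies those session tags would also spare the next reader a lookup.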
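Review bot: `namespace = "kube-system"` and `service_account = "ebs-csi-controller-sa"` must match the service account the `aws-ebs-csi-driver` add-on creates, and they are now the only place in the module naming it since the trust-policy condition that also did is gone; a local with a comment pointing at the add-on's default (e.g. `ebs_csi_service_account = "ebs-csi-controller-sa" # default SA created by the aws-ebs-csi-driver add-on`) would make the coupling visible. `depends_on = [aws_eks_addon.pod_identity_agent]` is not needed to create the association itself; it appears to exist so that the EBS CSI add-on, which depends on this association, is installed only after the agent DaemonSet is present — a comment such as `# agent must be installed before the CSI pods start so they can fetch credentials` would keep a later cleanup from dropping it.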
@@ -293,6 +297,16 @@ resource "aws_eks_addon" "cert_manager" {
   depends_on = [aws_eks_node_group.main]
 }
 
+resource "aws_eks_addon" "pod_identity_agent" {
+  cluster_name = aws_eks_cluster.main.name
+  addon_name = "eks-pod-identity-agent"
+  resolve_conflicts_on_create = "OVERWRITE"
+  resolve_conflicts_on_update = "OVERWRITE"
+  tags = local.common_tags
+
+  depends_on = [aws_eks_node_group.main]
+}
+
 resource "aws_eks_addon" "ebs_csi" {
   cluster_name = aws_eks_cluster.main.name
   addon_name = "aws-ebs-csi-driver"
@@ -305,5 +319,6 @@ resource "aws_eks_addon" "ebs_csi" {
   depends_on = [
     aws_eks_node_group.main,
     aws_iam_role_policy_attachment.ebs_csi,
+    aws_eks_pod_identity_association.ebs_csi,
   ]
 }
diff --git a/terraform/modules/eks/outputs.tf b/terraform/modules/eks/outputs.tf
index 91e4d58..57b48be 100644
--- a/terraform/modules/eks/outputs.tf
+++ b/terraform/modules/eks/outputs.tf
@@ -44,6 +44,11 @@ output "oidc_provider_url" {
   value = aws_eks_cluster.main.identity[0].oidc[0].issuer
 }
 
+output "ebs_csi_pod_identity_association_id" {
+  description = "ID of the EBS CSI Pod Identity association"
+  value = aws_eks_pod_identity_association.ebs_csi.association_id
+}
+
 output "addon_versions" {
   description = "Versions of installed EKS add-ons"
   value = {
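Review bot: `aws_eks_addon.pod_identity_agent` sets no `addon_version`, and the agent is now on the credential path of the EBS CSI driver, so an unpinned default makes the cluster's behaviour depend on when it was first applied. How the neighbouring add-ons handle versions is outside this hunk; if they take a version from a variable or an `aws_eks_addon_version` data source, this resource should follow the same pattern so upgrades are explicit and reviewable. The `addon_versions` output in outputs.tf (its map is cut off in this diff) should probably also expose `aws_eks_addon.pod_identity_agent.addon_version` next to the existing entries.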