diff --git a/config/hubs/carbonplan.cluster.yaml b/config/hubs/carbonplan.cluster.yaml
index b409a6799e..63444e78a2 100644
--- a/config/hubs/carbonplan.cluster.yaml
+++ b/config/hubs/carbonplan.cluster.yaml
@@ -64,6 +64,7 @@ hubs:
       name: Carbon Plan
       url: https://carbonplan.org
     singleuser:
+      serviceAccountName: cloud-user-sa
       initContainers:
         # Need to explicitly fix ownership here, since EFS doesn't do anonuid
         - name: volume-mount-ownership-fix
@@ -185,6 +186,13 @@ hubs:
             cpu: 2
             memory: 4Gi
     gateway:
+      backend:
+        scheduler:
+          extraPodConfig:
+            serviceAccountName: cloud-user-sa
+        worker:
+          extraPodConfig:
+            serviceAccountName: cloud-user-sa
       resources:
         requests:
           cpu: 0.5
diff --git a/eksctl/carbonplan.jsonnet b/eksctl/carbonplan.jsonnet
index a7c7c0243f..cc5976662a 100644
--- a/eksctl/carbonplan.jsonnet
+++ b/eksctl/carbonplan.jsonnet
@@ -1,5 +1,4 @@
 // Exports an eksctl config file for carbonplan cluster
-local cluster = import "./libsonnet/cluster.jsonnet";
 local ng = import "./libsonnet/nodegroup.jsonnet";
 
 // place all cluster nodes here
@@ -7,6 +6,11 @@ local clusterRegion = "us-west-2";
 local masterAzs = ["us-west-2a", "us-west-2b", "us-west-2c"];
 local nodeAz = "us-west-2a";
 
+// List of namespaces where we have hubs deployed
+// Each will get a ServiceAccount that will get credentials to talk
+// to AWS services, via https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
+local namespaces = ['staging', 'prod'];
+
 // Node definitions for notebook nodes. Config here is merged
 // with our notebook node definition.
 // A `node.kubernetes.io/instance-type label is added, so pods
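Review bot: Setting `serviceAccountName: cloud-user-sa` on `singleuser` (and on the dask scheduler/worker `extraPodConfig`) hands the IAM role bound to that account to every authenticated hub user and to any code they run, with nothing in the hunk limiting which users get it; confirm that is the intended trust boundary, since with IRSA the projected web-identity token in the pod can be copied out and used from outside the cluster until it expires. The same service account name is also likely to cause the Kubernetes SA token to be mounted into user pods alongside the AWS token (kubespawner's behaviour here should be checked), so `cloud-user-sa` should carry no RBAC bindings. A one-line comment next to the new key would save the next maintainer a trip to the eksctl config: `# Bound via IRSA to an AWS IAM role (see eksctl/carbonplan.jsonnet); every user pod inherits those AWS permissions`.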
@@ -33,12 +37,28 @@ local daskNodes = [
   { instancesDistribution+: { instanceTypes: ["r5.8xlarge"] }},
 ];
 
-cluster {
+{
+  apiVersion: 'eksctl.io/v1alpha5',
+  kind: 'ClusterConfig',
   metadata+: {
     name: "carbonplanhub",
-    region: clusterRegion
+    region: clusterRegion,
+    version: '1.19'
   },
   availabilityZones: masterAzs,
+  iam: {
+    withOIDC: true,
+
+    serviceAccounts: [{
+      metadata: {
+        name: "cloud-user-sa",
+        namespace: namespace
+      },
+      attachPolicyARNs:[
+        "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+      ],
+    } for namespace in namespaces],
+  },
   nodeGroups: [
     ng {
       name: 'core-a',
diff --git a/eksctl/libsonnet/cluster.jsonnet b/eksctl/libsonnet/cluster.jsonnet
deleted file mode 100644
index 7f2ad2e20d..0000000000
--- a/eksctl/libsonnet/cluster.jsonnet
+++ /dev/null
@@ -1,19 +0,0 @@
-// Exports a customizable eksctl cluster object
-// https://eksctl.io/usage/schema/ lists the config
-//
-// The default configuration is pretty bare, and only
-// sets the default k8s version. Everything else must
-// be merged in by the jsonnet file for each cluster
-{
-  apiVersion: 'eksctl.io/v1alpha5',
-  kind: 'ClusterConfig',
-  metadata: {
-    name: '',
-    region: '',
-    version: '1.19',
-  },
-  availabilityZones: [],
-  iam: {
-    withOIDC: true,
-  },
-}
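Review bot: `attachPolicyARNs: ["arn:aws:iam::aws:policy/AmazonS3FullAccess"]` grants `s3:*` on every bucket in the AWS account — including delete, bucket-policy and ACL changes — to a service account that the companion YAML change puts on every user notebook pod and every dask worker, and it does so identically for `staging` and `prod`. Least privilege here is an inline `attachPolicy` scoped to the buckets the hub actually uses, with the action list trimmed to what users need (list/get, plus put/delete only on buckets they are meant to write), and ideally a separate, narrower policy for staging than for prod. A comment should also record that each IRSA role is trusted only by the SA in its own namespace, so the `for namespace in namespaces` loop is what keeps staging and prod credentials separate. The bucket ARNs are not visible in this diff, so the sketch below leaves them as a local to be filled in.
```jsonnet
// … unchanged: apiVersion, kind, metadata, availabilityZones …
  iam: {
    withOIDC: true,

    serviceAccounts: [{
      metadata: {
        name: "cloud-user-sa",
        namespace: namespace
      },
      // Inline policy scoped to the hub's own buckets instead of the
      // account-wide AmazonS3FullAccess managed policy (s3:* on every bucket).
      attachPolicy: {
        Version: "2012-10-17",
        Statement: [{
          Effect: "Allow",
          Action: ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
          // TODO: define hubBuckets (list of bucket ARNs) per hub / namespace
          Resource: hubBuckets + [b + "/*" for b in hubBuckets],
        }],
      },
    } for namespace in namespaces],
  },
// … unchanged: nodeGroups …
```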