diff --git a/aks/extra-variables.tf b/aks/extra-variables.tf
index 73d1ef9b..fbeef5e2 100644
--- a/aks/extra-variables.tf
+++ b/aks/extra-variables.tf
@@ -10,10 +10,10 @@ variable "metrics_storage" {
 validation {
 condition = (var.metrics_storage.managed_identity_node_rg_name == null && var.metrics_storage.managed_identity_oidc_issuer_url == null) != (var.metrics_storage.storage_account_key == null)
- error_message = "You can either set the variables for the managed identity or use storage account key, not both at the same time."
+ error_message = "You can either set the variables for the managed identity or use a storage account key, not both at the same time."
 }
- validation {
+ validation {
 condition = (var.metrics_storage.managed_identity_node_rg_name == null) == (var.metrics_storage.managed_identity_oidc_issuer_url == null)
 error_message = "When using the managed identity, both `managed_identity_node_rg_name` and `managed_identity_oidc_issuer_url` are required."
 }
diff --git a/eks/extra-variables.tf b/eks/extra-variables.tf
index f4217174..5c96371b 100644
--- a/eks/extra-variables.tf
+++ b/eks/extra-variables.tf
@@ -1,8 +1,18 @@
 variable "metrics_storage" {
- description = "AWS S3 bucket configuration values for the bucket where the archived metrics will be stored."
+ description = <<-EOT
+ AWS S3 bucket configuration values for the bucket where the archived metrics will be stored.
+
+ An IAM role is required to give the Thanos components read and write access to the S3 bucket. You can create this role yourself or let the module create it for you. If you want the module to create the role, you need to provide the OIDC issuer's URL for the EKS cluster. If you create the role yourself, you need to provide the ARN of the IAM role you created.
+ EOT
 type = object({
- bucket_id = string
- region = string
- iam_role_arn = string
+ bucket_id = string
+ create_role = bool
+ iam_role_arn = optional(string, null)
+ cluster_oidc_issuer_url = optional(string, null)
 })
+
+ validation {
+ condition = var.metrics_storage.create_role ? var.metrics_storage.cluster_oidc_issuer_url != null : var.metrics_storage.iam_role_arn != null
+ error_message = "If you want to create a role, you need to provide the OIDC issuer's URL for the EKS cluster. Otherwise, you need to provide the ARN of the IAM role you created."
+ }
 }
diff --git a/eks/locals.tf b/eks/locals.tf
index 17fb1a94..388d0411 100644
--- a/eks/locals.tf
+++ b/eks/locals.tf
@@ -1,13 +1,14 @@
 locals {
+ iam_role_arn = var.metrics_storage.create_role ? module.iam_assumable_role_thanos.iam_role_arn : var.metrics_storage.iam_role_arn
+
 helm_values = [{
 thanos = {
- objstoreConfig = {
 type = "S3"
 config = {
- bucket = "${var.metrics_storage.bucket_id}"
+ bucket = "${data.aws_s3_bucket.thanos.id}"
 endpoint = "s3.amazonaws.com" # Value explicitly specified by Thanos docs for Amazon S3 buckets
- region = "${var.metrics_storage.region}"
+ region = "${data.aws_s3_bucket.thanos.region}"
 signature_version2 = false
 insecure = false
 }
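Review bot: The new validation only checks that the attribute needed for the chosen `create_role` mode is present, so an `iam_role_arn` passed together with `create_role = true` (or a `cluster_oidc_issuer_url` passed with `create_role = false`) is accepted and then silently ignored, which hides a misconfiguration in the role wiring. The aks variant of this variable rejects mixed input; mirroring that here would be `condition = var.metrics_storage.create_role ? (var.metrics_storage.cluster_oidc_issuer_url != null && var.metrics_storage.iam_role_arn == null) : (var.metrics_storage.iam_role_arn != null && var.metrics_storage.cluster_oidc_issuer_url == null)`, with the error message extended to say that the attribute for the other mode must be left unset. As a point of style, `optional(string, null)` already defaults to null, so `optional(string)` expresses the same thing. Dropping `region` from the object type and adding `create_role` without a default means every existing caller has to change its input; that deserves a sentence in the description or a changelog entry.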
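Review bot: `bucket = "${data.aws_s3_bucket.thanos.id}"` and `region = "${data.aws_s3_bucket.thanos.region}"` wrap a single reference in an interpolation-only string; the idiomatic form is the bare reference, `bucket = data.aws_s3_bucket.thanos.id` and `region = data.aws_s3_bucket.thanos.region`, which is also what `terraform fmt` and `tflint` expect. Removing `objstoreConfig = {` here (the `- }` in the following hunk looks like its closing brace) leaves `type` and `config` directly under `thanos`; if the chart or parent module consuming `helm_values` still expects them nested under `objstoreConfig`, the object store would be left unconfigured without any error, so please confirm they are read at this level. A short comment such as `# Bucket name and region come from the data source, so the bucket must already exist at plan time` would make the new plan-time dependency on the bucket explicit. `helm_values` continues outside this hunk.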
@@ -18,25 +19,24 @@ locals {
 bucketweb = {
 serviceAccount = {
 annotations = {
- "eks.amazonaws.com/role-arn" = var.metrics_storage.iam_role_arn
+ "eks.amazonaws.com/role-arn" = local.iam_role_arn
 }
 }
 }
 compactor = {
 serviceAccount = {
 annotations = {
- "eks.amazonaws.com/role-arn" = var.metrics_storage.iam_role_arn
+ "eks.amazonaws.com/role-arn" = local.iam_role_arn
 }
 }
 }
 storegateway = {
 serviceAccount = {
 annotations = {
- "eks.amazonaws.com/role-arn" = var.metrics_storage.iam_role_arn
+ "eks.amazonaws.com/role-arn" = local.iam_role_arn
 }
 }
 }
- }
 }]
 }
diff --git a/eks/main.tf b/eks/main.tf
index 721e18d3..c6bcde71 100644
--- a/eks/main.tf
+++ b/eks/main.tf
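Review bot: The three service accounts annotated with `local.iam_role_arn` here (`bucketweb`, `compactor`, `storegateway`) have to be created in the `thanos` namespace with exactly the names listed in `oidc_fully_qualified_subjects` in eks/main.tf, because that list is what scopes the trust policy of the role the module creates; the two lists are maintained independently, and a rename on either side makes the pod token fail the subject condition, while loosening the subjects to paper over a mismatch would widen who can assume the S3 role. Deriving both from one local (for example a list of the three service account names used to build the annotations and the `system:serviceaccount:thanos:...` subjects) keeps them in lockstep. At minimum, a comment next to these annotations such as `# Service account names must match oidc_fully_qualified_subjects in main.tf` flags the coupling. When `create_role = false` the annotation carries whatever ARN the caller supplied and nothing here verifies that that role trusts these subjects; that is expected, but worth stating in the variable description.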
@@ -1,3 +1,52 @@
+data "aws_s3_bucket" "thanos" {
+ bucket = var.metrics_storage.bucket_id
+}
+
+data "aws_iam_policy_document" "thanos" {
+ count = var.metrics_storage.create_role ? 1 : 0
+
+ statement {
+ actions = [
+ "s3:ListBucket",
+ "s3:PutObject",
+ "s3:GetObject",
+ "s3:DeleteObject",
+ ]
+
+ resources = [
+ data.aws_s3_bucket.thanos.arn,
+ format("%s/*", data.aws_s3_bucket.thanos.arn),
+ ]
+
+ effect = "Allow"
+ }
+}
+
+resource "aws_iam_policy" "thanos" {
+ count = var.metrics_storage.create_role ? 1 : 0
+
+ name_prefix = "thanos-s3-"
+ description = "Thanos IAM policy for accessing the S3 bucket named ${data.aws_s3_bucket.thanos.id}"
+ policy = data.aws_iam_policy_document.thanos[0].json
+}
+
+module "iam_assumable_role_thanos" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+ version = "~> 5.0"
+ create_role = var.metrics_storage.create_role
+ number_of_role_policy_arns = 1
+ role_name_prefix = "thanos-s3-"
+ provider_url = try(trimprefix(var.metrics_storage.cluster_oidc_issuer_url, "https://"), "")
+ role_policy_arns = [try(resource.aws_iam_policy.thanos[0].arn, null)]
+
+ # List of ServiceAccounts that have permission to attach to this IAM role
+ oidc_fully_qualified_subjects = [
+ "system:serviceaccount:thanos:thanos-bucketweb",
+ "system:serviceaccount:thanos:thanos-storegateway",
+ "system:serviceaccount:thanos:thanos-compactor",
+ ]
+}
+
 module "thanos" {
 source = "../"