diff --git a/README.md b/README.md
index d0b9ff9..771e987 100644
--- a/README.md
+++ b/README.md
@@ -117,11 +117,10 @@ See [basic example](examples/basic) for further information.
| [helm\_timeout](#input\_helm\_timeout) | Time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks). Defaults to `300`. | `number` |
| [helm\_wait](#input\_helm\_wait) | Will wait until all Helm release resources are in a ready state before marking the release as successful. It will wait for as long as timeout. Defaults to `false`. | `bool` |
| [helm\_wait\_for\_jobs](#input\_helm\_wait\_for\_jobs) | If wait is enabled, will wait until all Helm Jobs have been completed before marking the release as successful. It will wait for as long as timeout. Defaults to `false`. | `bool` |
-| [irsa\_additional\_policies](#input\_irsa\_additional\_policies) | Map of the additional policies to be attached to default role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`. | `map(string)` |
+| [irsa\_additional\_policies](#input\_irsa\_additional\_policies) | Map of the additional policies to be attached to IRSA role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`. | `map(string)` |
| [irsa\_assume\_role\_arns](#input\_irsa\_assume\_role\_arns) | List of ARNs assumable by the IRSA role. Applied only if `irsa_assume_role_enabled` is `true`. Defaults to `""`. | `list(string)` |
-| [irsa\_assume\_role\_enabled](#input\_irsa\_assume\_role\_enabled) | Whether IRSA is allowed to assume role defined by `irsa_assume_role_arns`. Mutually exclusive with `irsa_policy_enabled`. Defaults to `false`. | `bool` |
-| [irsa\_policy](#input\_irsa\_policy) | Policy to be attached to the default role. Applied only if `irsa_policy_enabled` is `true`. Defaults to `""`. | `string` |
-| [irsa\_policy\_enabled](#input\_irsa\_policy\_enabled) | Whether to create IAM policy specified by `irsa_policy`. Mutually exclusive with `irsa_assume_role_enabled`. Defaults to `false`. | `bool` |
+| [irsa\_assume\_role\_enabled](#input\_irsa\_assume\_role\_enabled) | Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Defaults to `false`. | `bool` |
+| [irsa\_permissions\_boundary](#input\_irsa\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IRSA role. Defaults to `null`. | `string` |
| [irsa\_role\_create](#input\_irsa\_role\_create) | Whether to create IRSA role and annotate Service Account. Defaults to `true`. | `bool` |
| [irsa\_role\_name](#input\_irsa\_role\_name) | IRSA role name. The value is prefixed by `var.irsa_role_name_prefix`. Defaults to addon Helm chart name. | `string` |
| [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | IRSA role name prefix. Defaults to addon IRSA component name with `irsa` suffix. | `string` |
diff --git a/addon-irsa.tf b/addon-irsa.tf
index 1e6a459..e4e7283 100644
--- a/addon-irsa.tf
+++ b/addon-irsa.tf
@@ -21,11 +21,10 @@ module "addon-irsa" {
irsa_assume_role_arns = var.irsa_assume_role_arns != null ? var.irsa_assume_role_arns : try(each.value.irsa_assume_role_arns, [])
irsa_assume_role_enabled = var.irsa_assume_role_enabled != null ? var.irsa_assume_role_enabled : try(each.value.irsa_assume_role_enabled, false)
- irsa_policy_enabled = var.irsa_policy_enabled != null ? var.irsa_policy_enabled : try(each.value.irsa_policy_enabled, false)
- irsa_policy = var.irsa_policy != null ? var.irsa_policy : try(each.value.irsa_policy, "")
+ irsa_permissions_boundary = var.irsa_permissions_boundary != null ? var.irsa_permissions_boundary : try(each.value.irsa_permissions_boundary, null)
+ irsa_additional_policies = var.irsa_additional_policies != null ? var.irsa_additional_policies : try(each.value.irsa_additional_policies, tomap({}))
- irsa_additional_policies = var.irsa_additional_policies != null ? var.irsa_additional_policies : try(each.value.irsa_additional_policies, tomap({}))
- irsa_tags = var.irsa_tags != null ? var.irsa_tags : try(each.value.irsa_tags, tomap({}))
+ irsa_tags = var.irsa_tags != null ? var.irsa_tags : try(each.value.irsa_tags, tomap({}))
}
output "addon_irsa" {
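Review bot: Dropping the `try(each.value.irsa_policy, ...)` and `try(each.value.irsa_policy_enabled, ...)` lookups means a per-addon `irsa_policy` key in the addon map is now silently ignored, whereas the root-level `var.irsa_policy` at least fails at plan time as an unknown variable. On the next apply the old `aws_iam_policy.this`/attachment for such an addon is destroyed and the workload keeps running with fewer permissions (or only `irsa_additional_policies`), with no signal in the plan beyond the resource deletion. If `each.value` is a free-form per-addon map, as the `try()` pattern suggests, consider a precondition such as `!contains(keys(each.value), "irsa_policy")` with an error message pointing to `irsa_additional_policies`, and call the removal out as a breaking change in the changelog. The `module "addon-irsa"` block begins before this hunk.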
diff --git a/modules/addon-irsa/iam.tf b/modules/addon-irsa/iam.tf
index 101620d..ce06d89 100644
--- a/modules/addon-irsa/iam.tf
+++ b/modules/addon-irsa/iam.tf
@@ -2,7 +2,6 @@ locals {
irsa_role_create = var.enabled == true && var.rbac_create == true && var.service_account_create == true && var.irsa_role_create == true
irsa_role_name_prefix = try(coalesce(var.irsa_role_name_prefix), "")
irsa_role_name = try(trim("${local.irsa_role_name_prefix}-${var.irsa_role_name}", "-"), "")
- irsa_policy_enabled = var.irsa_policy_enabled == true && try(length(var.irsa_policy) > 0, false)
irsa_assume_role_enabled = var.irsa_assume_role_enabled == true && try(length(var.irsa_assume_role_arns) > 0, false)
}
@@ -19,11 +18,11 @@ data "aws_iam_policy_document" "this_assume" {
}
resource "aws_iam_policy" "this" {
- count = local.irsa_role_create && (local.irsa_policy_enabled || local.irsa_assume_role_enabled) ? 1 : 0
+ count = local.irsa_role_create && local.irsa_assume_role_enabled ? 1 : 0
name = local.irsa_role_name # tflint-ignore: aws_iam_policy_invalid_name
path = "/"
- policy = var.irsa_assume_role_enabled ? data.aws_iam_policy_document.this_assume[0].json : var.irsa_policy
+ policy = data.aws_iam_policy_document.this_assume[0].json
tags = var.irsa_tags
}
@@ -52,14 +51,15 @@ data "aws_iam_policy_document" "this_irsa" {
}
resource "aws_iam_role" "this" {
- count = local.irsa_role_create ? 1 : 0
- name = local.irsa_role_name # tflint-ignore: aws_iam_role_invalid_name
- assume_role_policy = data.aws_iam_policy_document.this_irsa[0].json
- tags = var.irsa_tags
+ count = local.irsa_role_create ? 1 : 0
+ name = local.irsa_role_name # tflint-ignore: aws_iam_role_invalid_name
+ assume_role_policy = data.aws_iam_policy_document.this_irsa[0].json
+ permissions_boundary = var.irsa_permissions_boundary
+ tags = var.irsa_tags
}
resource "aws_iam_role_policy_attachment" "this" {
- count = local.irsa_role_create && (local.irsa_policy_enabled || local.irsa_assume_role_enabled) ? 1 : 0
+ count = local.irsa_role_create && local.irsa_assume_role_enabled ? 1 : 0
role = aws_iam_role.this[0].name
policy_arn = aws_iam_policy.this[0].arn
}
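Review bot: The new `permissions_boundary` on `aws_iam_role.this` bounds only this role's own session; it is not inherited by the roles listed in `irsa_assume_role_arns` when the pod calls `sts:AssumeRole` through the policy attached here, so a boundary on the IRSA role does not constrain what those target roles can do. That is standard IAM behaviour, but readers of this module may assume the boundary covers the whole chain, so I would annotate the line: `permissions_boundary = var.irsa_permissions_boundary # bounds this role only; roles reached via irsa_assume_role_arns need their own boundary`. It is also worth stating in the variable description that the boundary must be in place for any role created in accounts that enforce it via SCP, otherwise role creation fails rather than silently proceeding.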
diff --git a/modules/addon-irsa/outputs.tf b/modules/addon-irsa/outputs.tf
index dcc884a..64a711b 100644
--- a/modules/addon-irsa/outputs.tf
+++ b/modules/addon-irsa/outputs.tf
@@ -1,3 +1,8 @@
+output "irsa_role_enabled" {
+ description = "Whether is IRSA role enabled"
+ value = local.irsa_role_create
+}
+
output "iam_role_attributes" {
description = "IAM role attributes"
value = try(aws_iam_role.this[0], {})
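Review bot: The description `"Whether is IRSA role enabled"` is ungrammatical and slightly misleading, since `local.irsa_role_create` is true only when `enabled`, `rbac_create`, `service_account_create` and `irsa_role_create` all hold, i.e. it reports whether the role is actually created by this module. Suggest `description = "Whether the IRSA role (and Service Account annotation) is created by this module"` so consumers of the output do not read it as a pure mirror of `var.irsa_role_create`.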
diff --git a/modules/addon-irsa/variables.tf b/modules/addon-irsa/variables.tf
index de02168..d21b401 100644
--- a/modules/addon-irsa/variables.tf
+++ b/modules/addon-irsa/variables.tf
@@ -60,22 +60,10 @@ variable "irsa_role_name" {
description = "IRSA role name. The value is prefixed by `var.irsa_role_name_prefix`. Defaults to addon Helm chart name."
}
-variable "irsa_policy_enabled" {
- type = bool
- default = null
- description = "Whether to create IAM policy specified by `irsa_policy`. Mutually exclusive with `irsa_assume_role_enabled`. Defaults to `false`."
-}
-
-variable "irsa_policy" {
- type = string
- default = null
- description = "Policy to be attached to the default role. Applied only if `irsa_policy_enabled` is `true`. Defaults to `\"\"`."
-}
-
variable "irsa_assume_role_enabled" {
type = bool
default = null
- description = "Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Mutually exclusive with `irsa_policy_enabled`. Defaults to `false`."
+ description = "Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Defaults to `false`."
}
variable "irsa_assume_role_arns" {
@@ -84,10 +72,16 @@ variable "irsa_assume_role_arns" {
description = "List of ARNs assumable by the IRSA role. Applied only if `irsa_assume_role_enabled` is `true`. Defaults to `\"\"`."
}
+variable "irsa_permissions_boundary" {
+ type = string
+ default = null
+ description = "ARN of the policy that is used to set the permissions boundary for the IRSA role. Defaults to `null`."
+}
+
variable "irsa_additional_policies" {
type = map(string)
default = null
- description = "Map of the additional policies to be attached to default role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`."
+ description = "Map of the additional policies to be attached to IRSA role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`."
}
variable "irsa_tags" {
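Review bot: `irsa_permissions_boundary` is passed straight to `permissions_boundary` with no validation, so a typo (a policy name instead of an ARN, or a wrong partition) only surfaces as an API error from IAM at apply time, after the plan has been approved. Since a boundary is a security control rather than a convenience, I would fail at plan time with a `validation` block that accepts `null` or an IAM policy ARN, including the `aws` pseudo-account used by AWS managed policies. The description should also say that the boundary applies only to the role created here and not to roles assumed via `irsa_assume_role_arns`.

```hcl
variable "irsa_permissions_boundary" {
  type        = string
  default     = null
  description = "ARN of the IAM policy used as the permissions boundary for the IRSA role (not inherited by roles assumed via `irsa_assume_role_arns`). Defaults to `null`."

  validation {
    condition     = var.irsa_permissions_boundary == null || can(regex("^arn:aws[a-z-]*:iam::(\\d{12}|aws):policy/", var.irsa_permissions_boundary))
    error_message = "irsa_permissions_boundary must be null or an IAM policy ARN (arn:<partition>:iam::<account|aws>:policy/<name>)."
  }
}
```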
diff --git a/variables-addon-irsa.tf b/variables-addon-irsa.tf
index 79d31cc..9fc5d01 100644
--- a/variables-addon-irsa.tf
+++ b/variables-addon-irsa.tf
@@ -56,22 +56,10 @@ variable "irsa_role_name" {
description = "IRSA role name. The value is prefixed by `var.irsa_role_name_prefix`. Defaults to addon Helm chart name."
}
-variable "irsa_policy_enabled" {
- type = bool
- default = null
- description = "Whether to create IAM policy specified by `irsa_policy`. Mutually exclusive with `irsa_assume_role_enabled`. Defaults to `false`."
-}
-
-variable "irsa_policy" {
- type = string
- default = null
- description = "Policy to be attached to the default role. Applied only if `irsa_policy_enabled` is `true`. Defaults to `\"\"`."
-}
-
variable "irsa_assume_role_enabled" {
type = bool
default = null
- description = "Whether IRSA is allowed to assume role defined by `irsa_assume_role_arns`. Mutually exclusive with `irsa_policy_enabled`. Defaults to `false`."
+ description = "Whether IRSA is allowed to assume role defined by `irsa_assume_role_arn`. Defaults to `false`."
}
variable "irsa_assume_role_arns" {
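Review bot: The rewritten description for `irsa_assume_role_enabled` now refers to `irsa_assume_role_arn`, but the variable it gates is `irsa_assume_role_arns` (the next block in this hunk); the removed line had the correct plural, so this is a regression introduced by the edit. Change it to `description = "Whether IRSA is allowed to assume the roles listed in `irsa_assume_role_arns`. Defaults to `false`."`. The same singular name appears in the module-level copy and in the README table in this commit, so if the README is generated from these descriptions (the table layout suggests terraform-docs) regenerate it after fixing both variable files.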
@@ -80,10 +68,16 @@ variable "irsa_assume_role_arns" {
description = "List of ARNs assumable by the IRSA role. Applied only if `irsa_assume_role_enabled` is `true`. Defaults to `\"\"`."
}
+variable "irsa_permissions_boundary" {
+ type = string
+ default = null
+ description = "ARN of the policy that is used to set the permissions boundary for the IRSA role. Defaults to `null`."
+}
+
variable "irsa_additional_policies" {
type = map(string)
default = null
- description = "Map of the additional policies to be attached to default role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`."
+ description = "Map of the additional policies to be attached to IRSA role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`."
}
variable "irsa_tags" {
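Review bot: This root-level `irsa_permissions_boundary` is forwarded unvalidated into the module, so a malformed value is only rejected by IAM at apply time; a plan-time `validation` block mirroring the module's would catch it earlier, with `condition = var.irsa_permissions_boundary == null || can(regex("^arn:aws[a-z-]*:iam::(\\d{12}|aws):policy/", var.irsa_permissions_boundary))`. The description could also note that the boundary bounds only the IRSA role itself, not any roles reached through `irsa_assume_role_arns`, which is the question most operators will have when adopting this option.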