diff --git a/config/config.go b/config/config.go
index 03d0d815..e578a4aa 100644
--- a/config/config.go
+++ b/config/config.go
@@ -26,6 +26,7 @@ type Instance struct {
 DisableBasicMetrics bool `yaml:"disable_basic_metrics"`
 DisableEnhancedMetrics bool `yaml:"disable_enhanced_metrics"`
 Labels map[string]string `yaml:"labels"` // may be empty
+ IRSAEnabled bool `yaml:"irsa_enabled"` // TODO
 Type InstanceType `yaml:"type"` // may be empty for old pmm-managed
 }
 
diff --git a/sessions/sessions.go b/sessions/sessions.go
index 2238b807..8c134b22 100644
--- a/sessions/sessions.go
+++ b/sessions/sessions.go
@@ -183,6 +183,21 @@ func (s *Sessions) GetSession(region, instance string) (*session.Session, *Insta
 }
 
 func buildCredentials(instance config.Instance) (*credentials.Credentials, error) {
+ // If IRSA is enabled, let the AWS SDK use the default credential provider chain,
+ // which includes the service account role credentials.
+ if instance.IRSAEnabled {
+ // Create a new session with just the region set, no credentials provided explicitly.
+ // This allows the SDK to use the credentials mounted by IRSA.
+ stsSession, err := session.NewSession(&aws.Config{
+ Region: aws.String(instance.Region),
+ })
+ if err != nil {
+ return nil, err
+ }
+
+ return stsSession.Config.Credentials, nil
+ }
+
 if instance.AWSRoleArn != "" {
 stsSession, err := session.NewSession(&aws.Config{
 Region: aws.String(instance.Region),
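Review bot: In config/config.go the new `IRSAEnabled` field is documented only with `// TODO`, which tells an operator nothing about a switch that changes which AWS identity the process runs as. Per the sessions.go hunk, setting it makes buildCredentials return before the `AWSRoleArn` branch, so a comment such as `// use the pod's IRSA (web identity) credentials; when true, AWSRoleArn is not assumed` would record that precedence where the option is declared. The Instance struct begins above this hunk, so whether other credential fields are bypassed in the same way is not visible here.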
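Review bot: In sessions/sessions.go the `instance.IRSAEnabled` branch does not pin the credentials to IRSA: a session built with only `Region` resolves through the SDK's default chain, so when the projected token is absent it can fall through to static environment keys or the node's instance profile without any error. The branch also returns before `instance.AWSRoleArn` is looked at, so an instance configured with both silently runs as the service-account role instead of the per-instance role; rejecting that combination or documenting the precedence would avoid an unnoticed change of privilege. I would fail closed when `AWS_WEB_IDENTITY_TOKEN_FILE` or `AWS_ROLE_ARN` is missing and wrap the session error with context, as sketched below (the sketch assumes `os`, `errors` and `fmt` are imported, which this hunk does not show). buildCredentials continues past the end of the hunk.

```go
if instance.IRSAEnabled {
	// Fail closed: without the projected web identity token the default chain
	// would quietly pick another source (env keys, node instance profile).
	if os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE") == "" || os.Getenv("AWS_ROLE_ARN") == "" {
		return nil, errors.New("irsa_enabled is set but no web identity token is configured in the environment")
	}
	// … unchanged: session.NewSession with Region only …
	if err != nil {
		return nil, fmt.Errorf("creating IRSA session for region %q: %w", instance.Region, err)
	}
	// … unchanged: return stsSession.Config.Credentials …
```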