diff --git a/attachment_s3/models/ir_attachment.py b/attachment_s3/models/ir_attachment.py
index b09d9f0..dd058b0 100644
--- a/attachment_s3/models/ir_attachment.py
+++ b/attachment_s3/models/ir_attachment.py
@@ -54,14 +54,19 @@ class IrAttachment(models.Model):
         region_name = os.environ.get('AWS_REGION')
         access_key = os.environ.get('AWS_ACCESS_KEY_ID')
         secret_key = os.environ.get('AWS_SECRET_ACCESS_KEY')
+        aws_use_irsa = os.environ.get('AWS_USE_IRSA')
         bucket_name = bucket_name or os.environ.get('AWS_BUCKETNAME')
         # replaces {db} by the database name to handle multi-tenancy
         bucket_name = bucket_name.format(db=self.env.cr.dbname)
         params = {
-            'aws_access_key_id': access_key,
-            'aws_secret_access_key': secret_key,
             'bucket_name': bucket_name,
         }
+        if access_key:
+            params['aws_access_key_id'] = access_key
+        if secret_key:
+            params['aws_secret_access_key'] = secret_key
+        if aws_use_irsa:
+            params['aws_use_irsa'] = aws_use_irsa
         if host:
             params['endpoint_url'] = host
         if region_name:
@@ -79,6 +84,7 @@ class IrAttachment(models.Model):
         * ``AWS_ACCESS_KEY_ID``
         * ``AWS_SECRET_ACCESS_KEY``
         * ``AWS_BUCKETNAME``
+        * ``AWS_USE_IRSA``
 
         If a name is provided, we'll read this bucket, otherwise, the bucket
         from the environment variable ``AWS_BUCKETNAME`` will be read.
@@ -89,14 +95,17 @@ class IrAttachment(models.Model):
         #  keyword argument 'bucket_name'
         bucket_name = params.pop("bucket_name")
         if not (
-            params["aws_access_key_id"] and
-            params["aws_secret_access_key"] and
-            bucket_name
+            bucket_name and
+            (params["aws_access_key_id"] and
+             params["aws_secret_access_key"] or
+             params["aws_use_irsa"])
         ):
             msg = _('If you want to read from the %s S3 bucket, the following '
                     'environment variables must be set:\n'
                     '* AWS_ACCESS_KEY_ID\n'
                     '* AWS_SECRET_ACCESS_KEY\n'
+                    'or use irsa for authentification\n'
+                    '* AWS_USE_IRSA\n'
                     'If you want to write in the %s S3 bucket, this variable '
                     'must be set as well:\n'
                     '* AWS_BUCKETNAME\n'
diff --git a/requirements.txt b/requirements.txt
index 0525441..c699e4f 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -10,3 +10,4 @@ keystoneauth1==3.14.0
 # error with 5.x (ConstructorError: could not determine a constructor for the tag '!record')
 PyYAML==4.2b4
 prometheus_client==0.11.0
+portalocker==1.7.1