diff --git a/pkg/addons/default/aws_node.go b/pkg/addons/default/aws_node.go
index 757418ddd0..fb92ce3c51 100644
--- a/pkg/addons/default/aws_node.go
+++ b/pkg/addons/default/aws_node.go
@@ -45,7 +45,8 @@ func UpdateAWSNode(rawClient kubernetes.RawClientInterface, region string, plan
 		if err != nil {
 			return false, err
 		}
-		if resource.GVK.Kind == "DaemonSet" {
+		switch resource.GVK.Kind {
+		case "DaemonSet":
 			daemonSet, ok := resource.Info.Object.(*appsv1.DaemonSet)
 			if !ok {
 				return false, fmt.Errorf("expected type %T; got %T", &appsv1.Deployment{}, resource.Info.Object)
@@ -67,13 +68,24 @@ func UpdateAWSNode(rawClient kubernetes.RawClientInterface, region string, plan
 			if err != nil {
 				return false, err
 			}
-		}
-
-		if resource.GVK.Kind == "CustomResourceDefinition" && plan {
-			// eniconfigs.crd.k8s.amazonaws.com CRD is only partially defined in the
-			// manifest, and causes a range of issue in plan mode, we can skip it
-			logger.Info(resource.LogAction(plan, "replaced"))
-			continue
+		case "CustomResourceDefinition":
+			if plan {
+				// eniconfigs.crd.k8s.amazonaws.com CRD is only partially defined in the
+				// manifest, and causes a range of issue in plan mode, we can skip it
+				logger.Info(resource.LogAction(plan, "replaced"))
+				continue
+			}
+		case "ServiceAccount":
+			// Leave service account if it exists
+			// to avoid overwriting annotations
+			_, exists, err := resource.Get()
+			if err != nil {
+				return false, err
+			}
+			if exists {
+				logger.Info(resource.LogAction(plan, "skipped existing"))
+				continue
+			}
 		}
 
 		status, err := resource.CreateOrReplace(plan)
diff --git a/pkg/addons/default/aws_node_test.go b/pkg/addons/default/aws_node_test.go
index e3c2cf785d..7486061dec 100644
--- a/pkg/addons/default/aws_node_test.go
+++ b/pkg/addons/default/aws_node_test.go
@@ -3,6 +3,7 @@ package defaultaddons_test
 import (
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
+	. "github.com/onsi/gomega/gstruct"
 
 	. "github.com/weaveworks/eksctl/pkg/addons/default"
 
@@ -56,7 +57,10 @@ var _ = Describe("default addons - aws-node", func() {
 
 			_, err := UpdateAWSNode(rawClient, "eu-west-1", false)
 			Expect(err).ToNot(HaveOccurred())
-			Expect(rawClient.Collection.UpdatedItems()).To(HaveLen(4))
+			Expect(rawClient.Collection.UpdatedItems()).To(HaveLen(3))
+			Expect(rawClient.Collection.UpdatedItems()).ToNot(ContainElement(PointTo(MatchFields(IgnoreMissing|IgnoreExtras, Fields{
+				"TypeMeta": MatchFields(IgnoreMissing|IgnoreExtras, Fields{"Kind": Equal("ServiceAccount")}),
+			}))))
 			Expect(rawClient.Collection.CreatedItems()).To(HaveLen(10))
 
 			rawClient.ClientSetUseUpdatedObjects = true // for verification of updated objects