Update iamserviceaccount for existing role #1785

Closed
omerlh opened this issue Feb 5, 2020 · 6 comments
Labels
kind/feature New feature or request stale

Comments

@omerlh

omerlh commented Feb 5, 2020

Why do you want this feature?
Managing service account IAM credentials when having multiple clusters is challenging - the current approach is to create a new role for each cluster, and have a different annotation for each service in each cluster.

What feature/behavior/change do you want
eksctl update iamserviceaccount --role --cluster --service-account --namespace

The command will update the existing role with the cluster's OIDC. So now, the process will be:

  • create a role and a policy
  • run this command for each production cluster
  • deploy the service account with the same annotation (same role) for all clusters

The next phase is GitOps support, which I guess should be simple - just need to add roleARN to the cluster definition under the IAM section.

@omerlh omerlh added the kind/feature New feature or request label Feb 5, 2020
@vgribok

vgribok commented Aug 14, 2020

+1 as this would be helpful for service accounts created by the ALB Ingress Controller Helm Chart.

@github-actions
Contributor

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the stale label Jan 18, 2021
@michaelbeaumont
Contributor

@aclevername Is this part of #3064 and #1497?

@aclevername
Contributor

@aclevername Is this part of #3064 and #1497?

#1497 is mainly focused around roles in a single cluster. This issue appears to be slightly different: it seems to want to enable a single role for use in multiple clusters, which I think won't work currently, as we add a condition to the role associating it to the cluster's OIDC provider.
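Added example (not code from the issue or from eksctl) of what the requested "update the existing role with the cluster OIDC" step would mean at the trust-policy level: one IRSA statement per cluster, each pinned to that cluster's OIDC provider by the condition aclevername describes, added idempotently so the command could be run once per production cluster. The account id, OIDC issuer hosts, namespace and service-account name are constructed placeholders.

```python
import copy
import json

# Constructed sample values (not from the issue): a fake account id and two
# fake EKS OIDC issuer hosts, one per production cluster.
ACCOUNT_ID = "111122223333"
PROD_A = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLEAAAAAAAAAAAAAAAAAAAAAAAAA"
PROD_B = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEBBBBBBBBBBBBBBBBBBBBBBBBB"


def irsa_statement(account_id, issuer_host, namespace, service_account):
    """Trust-policy statement for ONE cluster: the federated principal is that
    cluster's OIDC provider, and the condition pins the web-identity token to a
    single namespace/service-account subject and the STS audience."""
    return {
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer_host}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{issuer_host}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            f"{issuer_host}:aud": "sts.amazonaws.com",
        }},
    }


def add_cluster(policy, account_id, issuer_host, namespace, service_account):
    """Return a copy of `policy` that additionally trusts `issuer_host`.
    Idempotent: re-running for a cluster already present changes nothing."""
    new = irsa_statement(account_id, issuer_host, namespace, service_account)
    updated = copy.deepcopy(policy)
    if new not in updated["Statement"]:
        updated["Statement"].append(new)
    return updated


def trusted_issuers(policy):
    """OIDC issuer hosts (one per cluster) the role's trust policy accepts."""
    return sorted(
        s["Principal"]["Federated"].split(":oidc-provider/", 1)[1]
        for s in policy["Statement"]
        if s.get("Action") == "sts:AssumeRoleWithWebIdentity"
    )


def build_multi_cluster_policy(issuer_hosts, namespace="kube-system", service_account="alb-ingress-controller"):
    policy = {"Version": "2012-10-17", "Statement": []}
    for host in issuer_hosts:
        policy = add_cluster(policy, ACCOUNT_ID, host, namespace, service_account)
    return policy


if __name__ == "__main__":
    print(json.dumps(build_multi_cluster_policy([PROD_A, PROD_B]), indent=2))
```

Because each statement names its own provider in both the principal and the condition keys, a token from one cluster cannot satisfy the statement added for another, so the same role ARN can be annotated identically in every cluster without widening what any single cluster can do.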

@michaelbeaumont
Contributor

@omerlh @vgribok WDYT? If I'm not mistaken, the role should have a trust policy that only permits one cluster to use it.

@github-actions
Contributor

This issue was closed because it has been stalled for 5 days with no activity.
