feat(eks-v2): allow providing an existing IAM role to ServiceAccount with POD_IDENTITY#37388

Open
letsgomeow wants to merge 5 commits into aws:main from letsgomeow:feature/37299-aws-eks-v2

Conversation

@letsgomeow

Issue # (if applicable)

Closes #37299.

Reason for this change

When using ServiceAccount with IdentityType.POD_IDENTITY, there was no way to
provide an externally-created IAM role. The construct always auto-generated a new role,
making it impossible to use a pre-existing role (e.g., one managed by a separate stack
or created outside CDK).

Description of changes

Added an optional role?: IRoleRef property to ServiceAccountOptions in aws-eks-v2.

  • When role is provided with IdentityType.POD_IDENTITY, the given role is used for
    the CfnPodIdentityAssociation instead of auto-generating one.
  • When role is omitted, behavior is unchanged (a new role is auto-generated).
  • Providing role with IdentityType.IRSA (or the default) throws a ValidationError
    at construction time, since IRSA requires a cluster-specific OIDC trust policy that
    cannot be set up on an external role.
  • The role property accepts IRoleRef rather than IRole, following CDK's Enhanced L1
    direction. Since IRole extends IRoleRef, all existing IRole values (e.g., iam.Role,
    iam.Role.fromRoleArn()) are accepted without any breaking change.
  • The ServiceAccount.role getter and related IPrincipal members (assumeRoleAction,
    grantPrincipal, policyFragment) were changed from readonly properties to getters
    so that construction succeeds even when an L1 CfnRole is passed; accessing sa.role
    on a CfnRole-backed ServiceAccount throws a descriptive error.

Describe any new or updated permissions being added

No new IAM permissions are introduced. When the caller provides an existing role, the
trust policy on that role is their responsibility.

Description of how you validated changes

  • Added 6 unit tests to service-account.test.ts covering:
    • Provided role ARN is used in CfnPodIdentityAssociation (no auto-generated role)
    • ValidationError is thrown when role is specified with IRSA identity type
    • ValidationError is thrown when role is specified with default identity type
    • sa.role getter returns the provided L2 role as-is
    • ServiceAccount construction succeeds with an L1 CfnRole, but sa.role getter throws
    • sa.role getter returns auto-generated role when no role prop is provided
  • Added integration test integ.eks-pod-identities.ts with two cases:
    • Case 1: auto-generated role (existing behavior)
    • Case 2: externally-created role passed via the role prop
  • All existing unit tests pass without modification.
  • Integration test passed in ap-northeast-1.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
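An added example (not code from this PR or from aws-eks-v2) showing the two things a caller has to get right when passing an existing role with POD_IDENTITY: the construction-time rule the PR enforces (no external role with IRSA or the default) and the trust policy the PR leaves to the caller. Function names and the sample policy documents are constructed for illustration; the Pod Identity service principal and the two STS actions it needs are AWS facts, not taken from the page.

```typescript
// Added example, not the aws-cdk implementation. validateRoleUsage and
// missingPodIdentityTrust are hypothetical helper names.
type IdentityType = 'IRSA' | 'POD_IDENTITY';
interface Statement {
  Effect: 'Allow' | 'Deny';
  Principal?: { Service?: string | string[]; Federated?: string };
  Action: string | string[];
}
interface PolicyDocument { Version: string; Statement: Statement[]; }
// EKS Pod Identity assumes the role as this service principal and needs both actions.
const POD_IDENTITY_PRINCIPAL = 'pods.eks.amazonaws.com';
const REQUIRED_ACTIONS = ['sts:AssumeRole', 'sts:TagSession'];
function asArray<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}
// Same rule the PR enforces: a caller-supplied role is only valid with POD_IDENTITY,
// because IRSA needs a cluster-specific OIDC trust that cannot be set on an external role.
function validateRoleUsage(identityType: IdentityType, roleProvided: boolean): string | undefined {
  if (roleProvided && identityType !== 'POD_IDENTITY') {
    return `role cannot be provided with IdentityType.${identityType}; only POD_IDENTITY accepts an existing role`;
  }
  return undefined;
}
// Returns the required STS actions the trust policy does NOT grant to the Pod Identity
// principal; an empty array means the association will be able to assume the role.
function missingPodIdentityTrust(doc: PolicyDocument): string[] {
  const granted = new Set<string>();
  for (const s of doc.Statement) {
    if (s.Effect !== 'Allow') continue;
    if (!asArray(s.Principal?.Service).includes(POD_IDENTITY_PRINCIPAL)) continue;
    for (const a of asArray(s.Action)) granted.add(a);
  }
  return REQUIRED_ACTIONS.filter((a) => !granted.has(a));
}
// Constructed sample trust policies (not from the page).
const POD_IDENTITY_TRUST: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Principal: { Service: POD_IDENTITY_PRINCIPAL },
                Action: ['sts:AssumeRole', 'sts:TagSession'] }],
};
// An IRSA-style trust: fine for IRSA, but the Pod Identity agent cannot use it.
const IRSA_STYLE_TRUST: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Principal: { Federated: 'arn:aws:iam::111122223333:oidc-provider/EXAMPLE' },
                Action: 'sts:AssumeRoleWithWebIdentity' }],
};
```

Running `missingPodIdentityTrust` against an imported role's trust document before deploying catches the case the PR explicitly leaves to the caller: the association is created, but pods get no credentials because the role never trusted pods.eks.amazonaws.com.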

letsgomeow and others added 4 commits March 22, 2026 19:27
…unt with POD_IDENTITY

Add an optional `role` property to `ServiceAccountOptions` so that
`ServiceAccount` with `IdentityType.POD_IDENTITY` can accept an
externally-created IAM role instead of always auto-generating one.
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK labels Mar 28, 2026
@aws-cdk-automation aws-cdk-automation requested a review from a team March 28, 2026 14:52

@aws-cdk-automation aws-cdk-automation left a comment


(This review is outdated)

@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Mar 28, 2026
…unt with POD_IDENTITY

Add an optional `role` property to `ServiceAccountOptions` so that
`ServiceAccount` with `IdentityType.POD_IDENTITY` can accept an
externally-created IAM role instead of always auto-generating one.
@aws-cdk-automation aws-cdk-automation dismissed their stale review March 29, 2026 04:59

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

Development

Successfully merging this pull request may close these issues.

eks: ServiceAccount (IdentityType.POD_IDENTITY) should accept an existing IAM role via optional role prop