What were you trying to accomplish?
Run `eksctl update podidentityassociation --config-file=cluster.yaml` to update `disableSessionTags` on pod identity associations that use `roleName` + `permissionPolicyARNs` (no explicit `roleARN`).
What happened?
`UpdatePodIdentityAssociation` is called with an empty `roleArn`. The EKS API returns:

```
(associationID: a-…, roleARN: ): Cross-account pass role is not allowed
```

Note the empty `roleARN:` — that's the actual bug. The "cross-account" message is a red herring.
The cause is in `IAMRoleUpdater.Update` (`pkg/actions/podidentityassociation/iam_role_updater.go`). When CloudFormation returns `NoChangeError`, the handler returns `podIdentityAssociation.RoleARN` from the parsed config YAML, which is `""` when using `roleName` without `roleARN`. The success path resolves the ARN from stack outputs via `populateRoleARN`, but the no-change path skips that call.
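The no-change path described above, as an added Go example (not eksctl's own code; the type names, the `Stack` function bundle and the `Role1` output key are assumptions): on `NoChangeError` the role ARN is resolved from the stack outputs instead of echoing the config's `RoleARN`, and an empty ARN is refused rather than forwarded to the EKS API.

```go
package main

import (
	"errors"
	"fmt"
)

// NoChangeError stands in for CloudFormation's "nothing to update" signal
// (hypothetical name; eksctl's real type lives in its manager package).
type NoChangeError struct{ Stack string }

func (e *NoChangeError) Error() string { return "nothing to update in " + e.Stack }

// PodIdentityAssociation keeps only the config fields relevant to the bug.
type PodIdentityAssociation struct {
	RoleName string // set for roleName + permissionPolicyARNs configs
	RoleARN  string // empty in that case; only set for explicit roleARN configs
}

// Stack bundles the two CloudFormation calls as function values so the example
// runs offline (assumed shape, not eksctl's own stack manager).
type Stack struct {
	Update func(stack string) error
	Output func(stack, key string) (string, error)
}

// roleOutputKey is the stack output that holds the role ARN (assumed name).
const roleOutputKey = "Role1"

// UpdateRole is the report's no-change path with the fix applied: the buggy code
// returned pia.RoleARN on NoChangeError ("" for roleName-only configs); here the
// ARN is resolved from stack outputs instead.
func UpdateRole(s Stack, pia PodIdentityAssociation, stack string) (string, error) {
	err := s.Update(stack)
	var noChange *NoChangeError
	if err != nil && !errors.As(err, &noChange) {
		return "", fmt.Errorf("updating IAM resources: %w", err)
	}
	if noChange != nil && pia.RoleARN != "" {
		return pia.RoleARN, nil // explicit roleARN configs were never affected
	}
	arn, err := s.Output(stack, roleOutputKey)
	if err != nil {
		return "", err
	}
	if arn == "" { // guard: never send roleArn="" to UpdatePodIdentityAssociation
		return "", fmt.Errorf("stack %s has no %s output", stack, roleOutputKey)
	}
	return arn, nil
}
```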
Trigger conditions (all four required):
- Pod identity association exists with an eksctl-owned IAM stack
- Config uses `roleName` + `permissionPolicyARNs` (no `roleARN`)
- CFN returns "nothing to update" (`NoChangeError`)
- An EKS-side field still needs updating (e.g. `disableSessionTags: true`)
How to reproduce it?
- Create a config with `roleName` + `permissionPolicyARNs` + `disableSessionTags`:

```yaml
iam:
  podIdentityAssociations:
    - namespace: my-namespace
      serviceAccountName: my-sa
      roleName: my-cluster-pods-my-role
      createServiceAccount: true
      disableSessionTags: true
      permissionPolicyARNs:
        - arn:aws:iam::123456789012:policy/my-policy
```

- `eksctl create podidentityassociation --config-file=cluster.yaml`
- `eksctl update podidentityassociation --config-file=cluster.yaml` (no IAM changes, only EKS-side update needed)
- CFN returns "nothing to update", eksctl sends empty `roleArn` to EKS API
Logs

```
2026-04-09T… [Info] IAM resources for my-namespace/my-sa (pod identity association ID: …) are already up-to-date
2026-04-09T… [Error] (associationID: a-…, roleARN: ): Cross-account pass role is not allowed
```
Anything else we need to know?
Fix submitted in #8717.
Versions
Bug is also present on main as of 2026-04-24.