
Pod uses node role instead of IAM Role for Service Account #228

Closed
RobinFrcd opened this issue Jun 11, 2024 · 1 comment

Comments

@RobinFrcd

RobinFrcd commented Jun 11, 2024

Hi,
I have an issue with the role assumed by my pod. If I check the AWS_ROLE_ARN value it has the right profile but when doing aws sts get-caller-identity from the pod it shows the NODE role and not the one linked to the ServiceAccount.

Values seem to be well set by the AddOn:

env:
      AWS_STS_REGIONAL_ENDPOINTS:   regional
      AWS_ROLE_ARN:                 arn:aws:iam::...:role/...
      AWS_WEB_IDENTITY_TOKEN_FILE:  /var/run/secrets/eks.amazonaws.com/serviceaccount/token
Mounts:
      /var/run/secrets/eks.amazonaws.com/serviceaccount from aws-iam-token (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-wjbpg (ro)
Volumes:
  aws-iam-token:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  86400
  kube-api-access-wjbpg:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true

I saw that when I describe the ServiceAccount, a few values are <none>, can it be an issue?

Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              <none>
Events:              <none>

I've rechecked the steps in https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html#irsa-confirm-role-configuration but everything seems to be done like stated in this doc.

Environment:

  • AWS Region: eu-west-3
  • EKS Platform version (if using EKS, run aws eks describe-cluster --name <name> --query cluster.platformVersion): eks.2
  • Kubernetes version (if using EKS, run aws eks describe-cluster --name <name> --query cluster.version): 1.30
  • Amazon EKS Pod Identity Agent: v1.2.0-eksbuild.1

Am I missing something?

Thanks!

@RobinFrcd
Author

Alright, my bad, the issue comes from the ex_aws package, which is not able to use the WebIdentity: ex-aws/ex_aws#1057
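Added example, not code from this issue or from ex_aws: a check to run inside the pod that tells a genuine IRSA identity apart from the silent fallback to the node role described above, by comparing the role name in AWS_ROLE_ARN with the assumed-role ARN that STS reports, and by inspecting the projected token's audience and expiry. The account id, role names and sample token are constructed placeholders.

```python
"""Check from inside a pod whether its AWS identity really comes from IRSA or
from a fallback credential source such as the node instance role (IMDS)."""
import base64, json, os, re, subprocess, time

# Constructed sample values: placeholder account id, hypothetical role names.
IRSA_ROLE_ARN = "arn:aws:iam::123456789012:role/app/my-app-irsa-role"
IRSA_CALLER_ARN = "arn:aws:sts::123456789012:assumed-role/my-app-irsa-role/aws-sdk-session"
NODE_CALLER_ARN = "arn:aws:sts::123456789012:assumed-role/eks-node-group-role/i-0abc123def456"

def role_name_from_arn(arn):
    """Role name from an IAM role ARN (role/<path>/<name>) or an STS
    assumed-role ARN (assumed-role/<name>/<session>); None if neither."""
    m = (re.match(r"^arn:aws:iam::\d{12}:role/(?:.+/)?([^/]+)$", arn)
         or re.match(r"^arn:aws:sts::\d{12}:assumed-role/([^/]+)/[^/]+$", arn))
    return m.group(1) if m else None

def diagnose(expected_role_arn, caller_arn):
    """'irsa' if STS reports the role from AWS_ROLE_ARN, 'fallback' if another
    principal answered (typically the node role), 'unparseable' otherwise."""
    expected, actual = role_name_from_arn(expected_role_arn), role_name_from_arn(caller_arn)
    if expected is None or actual is None:
        return "unparseable"
    return "irsa" if expected == actual else "fallback"

def token_claims(token):
    """Payload of the projected service-account token, decoded WITHOUT signature
    verification; only for local inspection of aud/sub/exp."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def token_is_usable(token, now):
    """IRSA needs audience sts.amazonaws.com and an unexpired token."""
    claims = token_claims(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    return "sts.amazonaws.com" in aud and claims.get("exp", 0) > now

def make_sample_token(claims):
    """Unsigned JWT-shaped string from claims (constructed test data only)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."

if __name__ == "__main__":  # run inside the pod; uses the AWS CLI like the report does
    with open(os.environ["AWS_WEB_IDENTITY_TOKEN_FILE"]) as f:
        print("token usable:", token_is_usable(f.read().strip(), time.time()))
    ident = subprocess.run(["aws", "sts", "get-caller-identity", "--output", "json"],
                           check=True, capture_output=True, text=True).stdout
    print("identity:", diagnose(os.environ["AWS_ROLE_ARN"], json.loads(ident)["Arn"]))
```

A "fallback" result with a usable token points at the SDK's credential chain rather than the IRSA setup, which is exactly the situation this issue ended in.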
