actions / actions-runner-controller

Kubernetes controller for GitHub Actions self-hosted runners
Apache License 2.0
4.56k stars 1.07k forks

containerMode=kubernetes can't assume role in AWS #3672

Open noamgreen opened 1 month ago

noamgreen commented 1 month ago

Checks

Controller Version

0.9.3

Deployment Method

Helm

Checks

To Reproduce

Hi,
when you use

```yaml
containerMode:
  type: "kubernetes"
```

and try to push a file to S3, you get: "An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied"

Describe the bug

The Helm behavior is to create a service account and use it in a RoleBinding; it uses its "new" role. This role doesn't have, and will not have, the permissions. This issue limits the use of the container: we can't push or use the pods to access AWS services (yes, we can add an access key and secret key), but that misses the point of using roles.

```yaml
containerMode:
  type: "kubernetes"
```

I am not sure why we can't use our role, the one we set in the controller, for all the workers? I did see that in the "RoleBinding" you bind it to the "controller" service account, but it's transparent to the pods.

In my debug path I tried adding the following to my pods:

```yaml
template:
  # pod-template annotations belong under template.metadata, not template.spec
  metadata:
    annotations:
      # IRSA: the EKS pod identity webhook injects a web identity token for this role
      eks.amazonaws.com/role-arn: arn:aws:iam::XXXXXXX:role/gha-runner
  spec:
    serviceAccountName: gha-runner
    containers:
      - name: runner
        image: XXXXXXXXXX
        imagePullPolicy: Always
        command: ["/home/runner/run.sh"]
        resources:
          limits:
            cpu: 2000m
            memory: 8Gi
          requests:
            cpu: 1000m
            memory: 4Gi
        # privileged is a container-level securityContext field, not a pod-level one
        securityContext:
          privileged: true
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
            - matchExpressions:
                - key: service
                  operator: In
                  values:
                    - gha-run
```

In this test I see the pods have all the access they need, but they still get access issues:

```text
Error: Error: The Service account needs the following permissions [{"group":"","verbs":["get","list","create","delete"],"resource":"pods","subresource":""},{"group":"","verbs":["get","create"],"resource":"pods","subresource":"exec"},{"group":"","verbs":["get","list","watch"],"resource":"pods","subresource":"log"},{"group":"batch","verbs":["get","list","create","delete"],"resource":"jobs","subresource":""},{"group":"","verbs":["create","delete","get","list"],"resource":"secrets","subresource":""}] on the pod resource in the 'gha-runner' namespace. Please contact your self hosted runner administrator.
```

I can't understand the error, as it uses the role that has all the access it needs (I know it's expecting a different role). I am not sure why I can't "overwrite" it.

Controller config:

```yaml
replicaCount: 1
image:
  repository: "ghcr.io/actions/gha-runner-scale-set-controller"
  pullPolicy: Always
  # Overrides the image tag whose default is the chart appVersion.
  tag: ""
serviceAccount:
  create: true
  annotations:
    # applies to the controller's own service account only, not to runner pods
    eks.amazonaws.com/role-arn: "arn:aws:iam::XXXXXXX:role/gha-runner"
  name: "vu-dev-gha-runner"
flags:
  logLevel: "debug"
  logFormat: "json"
  watchSingleNamespace: "gha-runner"
  updateStrategy: "immediate"
```

Describe the expected behavior

N/A

Additional Context

N/A

Controller Logs

N/A

Runner Pod Logs

N/A
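Both things the report asks for hang off the service account the runner pod runs as: the `eks.amazonaws.com/role-arn` annotation that lets the pod assume the AWS role, and the RBAC that kubernetes container mode demands (the exact verbs are listed in the error message quoted in the report). The script below is an added example, not code from the issue or from actions-runner-controller: it parses that permission list out of the error text and emits a ServiceAccount carrying the IRSA annotation plus a namespace-scoped Role and RoleBinding granting exactly those verbs, so that `template.spec.serviceAccountName: gha-runner` works. The namespace, service account name and role ARN are the placeholders from the report; the `missing_permissions` check is a generic coverage test for any Role against the required list.

```python
"""Derive the least-privilege RBAC a runner service account needs in
containerMode.type=kubernetes from the runner's own error message, and pair
it with the IRSA annotation for AWS access. Added example; names are
placeholders taken from the issue report."""
import json
import re

# Constructed sample input: the error text as quoted in the issue report.
ERROR_TEXT = (
    "Error: Error: The Service account needs the following permissions "
    '[{"group":"","verbs":["get","list","create","delete"],"resource":"pods","subresource":""},'
    '{"group":"","verbs":["get","create"],"resource":"pods","subresource":"exec"},'
    '{"group":"","verbs":["get","list","watch"],"resource":"pods","subresource":"log"},'
    '{"group":"batch","verbs":["get","list","create","delete"],"resource":"jobs","subresource":""},'
    '{"group":"","verbs":["create","delete","get","list"],"resource":"secrets","subresource":""}] '
    "on the pod resource in the 'gha-runner' namespace. "
    "Please contact your self hosted runner administrator."
)


def parse_required_permissions(text):
    """Return the JSON permission list embedded in the runner's error message."""
    match = re.search(r"\[\{.*?\}\]", text)
    if match is None:
        raise ValueError("no permission list found in error text")
    return json.loads(match.group(0))


def resource_name(perm):
    """Join resource and subresource the way RBAC rules spell them (pods/exec)."""
    if perm["subresource"]:
        return f'{perm["resource"]}/{perm["subresource"]}'
    return perm["resource"]


def build_rules(perms):
    """Collapse the permission list into one RBAC rule per (apiGroup, resource)."""
    verbs_by_key = {}
    for perm in perms:
        key = (perm["group"], resource_name(perm))
        verbs_by_key.setdefault(key, set()).update(perm["verbs"])
    return [
        {"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
        for (group, resource), verbs in sorted(verbs_by_key.items())
    ]


def covers(rules, group, resource, verb):
    """True if some rule grants verb on group/resource ('*' wildcards honoured)."""
    for rule in rules:
        if ((group in rule["apiGroups"] or "*" in rule["apiGroups"])
                and (resource in rule["resources"] or "*" in rule["resources"])
                and (verb in rule["verbs"] or "*" in rule["verbs"])):
            return True
    return False


def missing_permissions(rules, perms):
    """List the (group, resource, verb) triples the given rules still lack."""
    return [
        (perm["group"], resource_name(perm), verb)
        for perm in perms
        for verb in perm["verbs"]
        if not covers(rules, perm["group"], resource_name(perm), verb)
    ]


def manifests(perms, namespace, sa_name, role_arn):
    """Build a kubectl-applyable List: annotated ServiceAccount, Role, RoleBinding."""
    role_name = f"{sa_name}-kube-mode"
    service_account = {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": sa_name,
            "namespace": namespace,
            # IRSA: the EKS pod identity webhook injects a web identity token for
            # this IAM role into every pod that runs as this service account.
            "annotations": {"eks.amazonaws.com/role-arn": role_arn},
        },
    }
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",  # namespace-scoped on purpose: the hook only needs its own namespace
        "metadata": {"name": role_name, "namespace": namespace},
        "rules": build_rules(perms),
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": role_name, "namespace": namespace},
        "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": namespace}],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": role_name},
    }
    return {"apiVersion": "v1", "kind": "List", "items": [service_account, role, binding]}


if __name__ == "__main__":
    required = parse_required_permissions(ERROR_TEXT)
    # Placeholder values copied from the issue report.
    output = manifests(required, "gha-runner", "gha-runner", "arn:aws:iam::XXXXXXX:role/gha-runner")
    assert not missing_permissions(output["items"][1]["rules"], required)
    print(json.dumps(output, indent=2))
```

Run it as `python3 runner_rbac.py | kubectl apply -f -` (kubectl accepts JSON). Two things it cannot do for you: the IAM role's trust policy must allow `sts:AssumeRoleWithWebIdentity` for `system:serviceaccount:gha-runner:gha-runner`, otherwise the pod receives the projected token but STS refuses the assume; and the Role grants `create`/`delete` on secrets because the hook asks for it, so keep the runner namespace dedicated to runners rather than sharing it with other workloads' secrets.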
github-actions[bot] commented 1 month ago

Hello! Thank you for filing an issue.

The maintainers will triage your issue shortly.

In the meantime, please take a look at the troubleshooting guide for bug reports.

If this is a feature request, please review our contribution guidelines.