aws / amazon-eks-pod-identity-webhook

Amazon EKS Pod Identity Webhook
Apache License 2.0

SA annotation is ignored when using `kubectl apply` instead of `kubectl annotate` #200

Closed relaxdiego closed 1 year ago

relaxdiego commented 1 year ago

What happened:

When creating the following service account using kubectl apply, either using --server-side=true or not, the amazon-eks-pod-identity-webhook does not mount the AWS environment variables in the pods that use said service account.

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazon.com/role-arn: arn:aws:iam::XXXXXXXXXXXX:role/YYYYYY
  name: ZZZZZZ
  namespace: AAAAAAAA

However, when I first create the service account as follows:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: ZZZZZZ
  namespace: AAAAAAAA

...then annotate it using kubectl annotate serviceaccount -n aws-lb-controller eks.amazon.com/role-arn: arn:aws:iam::XXXXXXXXXXXX:role/YYYYYY, then create a pod that uses the service account, the latter is then injected with the environment variables as expected.

What you expected to happen:

The pods that use the service account should have the AWS environment variables mounted regardless of how the SA's annotations were added (apply or annotate).

How to reproduce it (as minimally and precisely as possible):

  1. Create an EKS cluster
  2. Create a service account and matching role as per this AWS guide BUT, instead of annotating the service account using kubectl annotate, use kubectl apply.

relaxdiego commented 1 year ago

This was due to a typo in the annotation:

eks.amazon.com/role-arn: arn:aws:iam::XXXXXXXXXXXX:role/YYYYYY

When it should be

eks.amazonaws.com/role-arn: arn:aws:iam::XXXXXXXXXXXX:role/YYYYYY
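The root cause above is a near-miss annotation key: the webhook only acts on the exact key `eks.amazonaws.com/role-arn`, so a misspelled key is silently ignored and the pod simply runs without the injected credentials. The following is an added audit script, not code from the amazon-eks-pod-identity-webhook project, that walks a ServiceAccount list shaped like the output of `kubectl get serviceaccounts -A -o json` and flags (a) annotation keys that look like the IRSA key but are not exact, and (b) values under the correct key that do not look like an IAM role ARN. The sample input is constructed; the account id, role, namespace and service-account names in it are placeholders, and the similarity threshold is an assumption chosen for this example.

```python
import difflib
import json
import re

# Annotation key the EKS Pod Identity Webhook looks for on a ServiceAccount.
# Any other key, including a near-miss such as "eks.amazon.com/role-arn",
# is ignored and the pod gets no AWS environment variables or token volume.
ROLE_ARN_KEY = "eks.amazonaws.com/role-arn"

# Loose shape check for an IAM role ARN (12-digit account id, role path/name).
ROLE_ARN_RE = re.compile(r"^arn:aws(-[a-z]+)?:iam::\d{12}:role/[\w+=,.@/-]+$")

# Constructed sample shaped like `kubectl get serviceaccounts -A -o json`.
# Account id, role name, namespaces and SA names are placeholders.
SAMPLE_SA_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # the typo from this issue: ignored by the webhook
            "kind": "ServiceAccount",
            "metadata": {
                "namespace": "aws-lb-controller",
                "name": "aws-load-balancer-controller",
                "annotations": {
                    "eks.amazon.com/role-arn": "arn:aws:iam::111111111111:role/ExampleRole"
                },
            },
        },
        {   # correct key and well-formed ARN; an unrelated annotation is ignored
            "kind": "ServiceAccount",
            "metadata": {
                "namespace": "apps",
                "name": "good-sa",
                "annotations": {
                    "eks.amazonaws.com/role-arn": "arn:aws:iam::111111111111:role/ExampleRole",
                    "kubectl.kubernetes.io/last-applied-configuration": "{}",
                },
            },
        },
        {   # correct key but the value is not a valid IAM role ARN
            "kind": "ServiceAccount",
            "metadata": {
                "namespace": "apps",
                "name": "bad-arn-sa",
                "annotations": {
                    "eks.amazonaws.com/role-arn": "arn:aws:iam::1234:role/ExampleRole"
                },
            },
        },
        {   # no annotations at all: nothing to check
            "kind": "ServiceAccount",
            "metadata": {"namespace": "default", "name": "default"},
        },
    ],
})


def audit_service_accounts(sa_list: dict, similarity: float = 0.8) -> list:
    """Return (namespace/name, finding, key, value) tuples for suspicious SAs.

    `similarity` is an assumed threshold: annotation keys whose difflib ratio
    against ROLE_ARN_KEY is at least this value, but which are not the exact
    key, are reported as near misses.
    """
    findings = []
    for item in sa_list.get("items", []):
        meta = item.get("metadata", {})
        ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        annotations = meta.get("annotations") or {}
        for key, value in annotations.items():
            if key == ROLE_ARN_KEY:
                # Exact key: the webhook will use it, so the value must be an ARN.
                if not ROLE_ARN_RE.match(str(value)):
                    findings.append((ident, "malformed-role-arn", key, value))
                continue
            ratio = difflib.SequenceMatcher(None, key, ROLE_ARN_KEY).ratio()
            if ratio >= similarity:
                # Looks like the IRSA key but is not: the webhook ignores it.
                findings.append((ident, "near-miss-annotation-key", key, value))
    return findings


def audit_sample() -> list:
    """Run the audit over the constructed sample list."""
    return audit_service_accounts(json.loads(SAMPLE_SA_LIST))


if __name__ == "__main__":
    for ident, finding, key, value in audit_sample():
        print(f"{ident}: {finding}: {key}={value}")
```

In practice the input would come from `kubectl get serviceaccounts -A -o json` piped into `audit_service_accounts(json.load(sys.stdin))`; run as part of a manifest review or an admission-time check, it catches the class of mistake in this issue before a workload is deployed with no credentials or, worse, with the wrong ones.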