aws / amazon-eks-pod-identity-webhook

Amazon EKS Pod Identity Webhook
Apache License 2.0

The Service account for Pod identity agent is not getting the required details to work #226

Open vipan06 opened 2 months ago

vipan06 commented 2 months ago

What happened: We are using the EKS Pod Identity agent to grant RDS access for a pod. For testing purposes, we have attached S3 full access to the IAM role, and when we run the aws s3 ls command from the pod it says:

[screenshot: pod error]

Further on investigation, we found the below error:

[screenshot: error]

The pod is deployed in namespace vipan and the service account is pod-identity. When we describe the sa, it is empty.

[screenshot: sa error]

We followed this doc https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html to set up EKS Pod Identity and ideally, AWS or EKS should add the details in the Service account.

What you expected to happen: The pod should be able to access the S3.

How to reproduce it (as minimally and precisely as possible): Set up the EKS Pod Identity agent following the doc https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html
+ Installed the add-on
+ Created a VPC endpoint for eks-auth
+ Created a role, namespace, service account
+ Attached that SA to a pod

Anything else we need to know?: NA

Environment:

jeevanions commented 2 months ago

By the looks of it you don't have the token injected by the Webhook. The amazon-eks-pod-identity webhook adds the token in this file /var/run/secrets/eks.amazonaws.com/serviceaccount/token. Please check that these env vars are populated: AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN. If you don't see these env vars, that means the webhook is not doing what it is supposed to do. Then the next place to look is the Service Account itself. Make sure that you have the right annotation.
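A small diagnostic for the checks described in the reply above, as an added example that is not from the webhook project or from either commenter. It assumes the container's environment is captured with kubectl exec and passed in as text; the two sample env listings below are constructed.

```shell
#!/bin/sh
# Given the `env` output of a container (kubectl exec <pod> -n <ns> -- env), report
# whether the amazon-eks-pod-identity-webhook injected the web-identity settings.

# Token path the webhook mounts (named in the reply above).
TOKEN_PATH="/var/run/secrets/eks.amazonaws.com/serviceaccount/token"

# env_value ENV_TEXT VAR: print the value of VAR from KEY=VALUE lines (empty if absent).
env_value() {
  printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# check_webhook_env ENV_TEXT: returns 0 only when AWS_WEB_IDENTITY_TOKEN_FILE points at
# the expected token path and AWS_ROLE_ARN is set; otherwise prints which piece is missing.
check_webhook_env() {
  env_text="$1"
  token_file=$(env_value "$env_text" AWS_WEB_IDENTITY_TOKEN_FILE)
  role_arn=$(env_value "$env_text" AWS_ROLE_ARN)
  status=0
  if [ -z "$token_file" ]; then
    echo "MISSING AWS_WEB_IDENTITY_TOKEN_FILE: the webhook did not mutate this pod"
    status=1
  elif [ "$token_file" != "$TOKEN_PATH" ]; then
    echo "UNEXPECTED token file path: $token_file"
    status=1
  fi
  if [ -z "$role_arn" ]; then
    echo "MISSING AWS_ROLE_ARN: check the service account's eks.amazonaws.com/role-arn annotation"
    status=1
  fi
  [ "$status" -eq 0 ] && echo "OK: web identity env injected (role $role_arn)"
  return "$status"
}

# Constructed sample: a pod the webhook skipped (no AWS_* variables at all).
SAMPLE_UNMUTATED='PATH=/usr/local/bin:/usr/bin
HOSTNAME=app-7c9d
KUBERNETES_SERVICE_HOST=10.100.0.1'

# Constructed sample: a pod after the webhook injected the settings (placeholder account id).
SAMPLE_MUTATED='PATH=/usr/local/bin:/usr/bin
AWS_ROLE_ARN=arn:aws:iam::123456789012:role/example-role
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
AWS_DEFAULT_REGION=us-east-1'

# Live use:  check_webhook_env "$(kubectl exec -n vipan <pod> -- env)"
# Annotation: kubectl get sa pod-identity -n vipan -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}'
```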