Description
Describe the bug
I am attempting to create a resource in a target AWS account from a control cluster in a different account using the ACK managed capability. An IAMRoleSelector is configured at the cluster level to map the namespace "production" to a cross-account IAM role. However, the ACK.IAMRoleSelected condition is not being set on the EKS cluster resource, and the capability is not attempting to assume the target role. I never seem to receive any of the ACK.IAMRoleSelected status conditions when describing the resource.
Steps to reproduce
Created AmazonEKSCapabilityACKRole: arn:aws:iam::891377258XXX:role/AmazonEKSCapabilityACKRole
Created capabilities
Capability ARN: arn:aws:eks:ap-northeast-1:891377258XXX:capability/sswswswsw/ack/sswswswsw-ack/eecd974e-1840-4d68-fbe7-c027080ccac0
Capability role: arn:aws:iam::891377258XXX:role/AmazonEKSCapabilityACKRole
Status: Active
Capability name: sswswswsw-ack
Granted AssumeRole permissions to the controller role for cross-account access
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::381492002YYY:role/ACK-CrossAccount-Target"
}
]
}
In target account, I created ACK-CrossAccount-Target
arn:aws:iam::381492002YYY:role/ACK-CrossAccount-Target
Updated the trust relationship to allow the source role ARN
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::891377258XXX:role/AmazonEKSCapabilityACKRole"
},
"Action": "sts:AssumeRole"
}
]
}
Now that permissions are set, I created an IAMRoleSelector and mapped the ACK-CrossAccount-Target role to the "production" namespace
sa@3c06302bfbec downloads % kubectl describe iamroleselector
Name: production-account-config
Namespace:
Labels:
Annotations:
API Version: services.k8s.aws/v1alpha1
Kind: IAMRoleSelector
Metadata:
Creation Timestamp: 2025-12-18T01:23:31Z
Generation: 1
Resource Version: 37526908
UID: 5b22b2e2-01fe-4d70-99a6-7fa96f675e33
Spec:
Arn: arn:aws:iam::381492002YYY:role/ACK-CrossAccount-Target
Namespace Selector:
Names:
production
Events:
sa@3c06302bfbec downloads % kubectl describe bucket cross-account-bucket2 -n production
Name: cross-account-bucket2
Namespace: production
Labels:
Annotations:
API Version: s3.services.k8s.aws/v1alpha1
Kind: Bucket
Metadata:
Creation Timestamp: 2025-12-18T00:53:56Z
Finalizers:
finalizers.s3.services.k8s.aws/Bucket
Generation: 1
Resource Version: 37651930
UID: b69e0cfa-7b85-4d1e-982c-7101d182d269
Spec:
Name: my-bucket-in-target-account
Status:
Ack Resource Metadata:
Arn: arn:aws:s3:::my-bucket-in-target-account
Owner Account ID: 891377258XXX
Region: ap-northeast-1
Conditions:
Last Transition Time: 2025-12-18T11:27:06Z
Message: Resource synced successfully
Reason:
Status: True
Type: ACK.ResourceSynced >>>>>>>>>>>>>>>>>> The ACK.IAMRoleSelected status condition is not seen in this case either
Last Transition Time: 2025-12-18T11:27:06Z
Message: Resource synced successfully
Reason:
Status: True
Type: Ready
Location: http://my-bucket-in-target-account.s3.amazonaws.com/
Events:
Expected outcome
A concise description of what you expected to happen.
Environment
- Kubernetes version
- 1.33
- Using EKS (yes/no), if so version?
- Yes, 1.33, Platform version: eks.23
- AWS service targeted (S3, RDS, etc.)
- S3
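The following is an added example, not part of the issue above or of the ACK project. It is an offline consistency check over the three pieces of the cross-account chain the report configures (the controller role's permission policy, the target role's trust policy, and the IAMRoleSelector spec) plus the status of the resource that was created. Field names mirror the kubectl describe output in camelCase (`spec.arn`, `spec.namespaceSelector.names`, `status.ackResourceMetadata.ownerAccountID`); the account IDs, ARNs and policy documents are constructed placeholders. It checks policy shape only: explicit Deny statements, Conditions, permissions boundaries and SCPs are not evaluated, so a clean result here is necessary but not sufficient.

```python
"""Offline consistency check for an ACK cross-account role-assumption chain.

Added example, not ACK project code. Account IDs and ARNs are constructed.
"""
import re

_ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def account_of(role_arn: str) -> str:
    """Return the 12-digit account ID embedded in an IAM role ARN."""
    m = _ROLE_ARN_RE.match(role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    return m.group(1)


def _as_list(v):
    """IAM allows scalars or lists in Action/Resource/Principal.AWS."""
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def _action_matches(stmt: dict, action: str) -> bool:
    acts = [a.lower() for a in _as_list(stmt.get("Action"))]
    return any(a in ("*", "sts:*", action.lower()) for a in acts)


def source_can_assume(permission_policy: dict, target_role_arn: str) -> bool:
    """True if an Allow statement grants sts:AssumeRole on the target role.

    Shape check only: Deny statements, Conditions, boundaries and SCPs are ignored.
    """
    for s in _as_list(permission_policy.get("Statement")):
        if s.get("Effect") != "Allow" or not _action_matches(s, "sts:AssumeRole"):
            continue
        if any(r in ("*", target_role_arn) for r in _as_list(s.get("Resource"))):
            return True
    return False


def target_trusts(trust_policy: dict, source_role_arn: str) -> bool:
    """True if the target's trust policy lets the source role call sts:AssumeRole."""
    source_root = f"arn:aws:iam::{account_of(source_role_arn)}:root"
    for s in _as_list(trust_policy.get("Statement")):
        if s.get("Effect") != "Allow" or not _action_matches(s, "sts:AssumeRole"):
            continue
        principal = s.get("Principal", {})
        if principal == "*":
            return True
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        # Trust may name the role directly or the whole source account (its root).
        if source_role_arn in aws or source_root in aws:
            return True
    return False


def selector_covers(selector: dict, namespace: str) -> bool:
    """True if the IAMRoleSelector's namespaceSelector.names lists the namespace."""
    names = selector.get("spec", {}).get("namespaceSelector", {}).get("names", [])
    return namespace in names


def diagnose(source_role_arn, permission_policy, trust_policy, selector, resource):
    """Return a list of findings; an empty list means the chain looks consistent."""
    target_role_arn = selector["spec"]["arn"]
    findings = []
    if not source_can_assume(permission_policy, target_role_arn):
        findings.append(f"source role lacks sts:AssumeRole on {target_role_arn}")
    if not target_trusts(trust_policy, source_role_arn):
        findings.append(f"target trust policy does not trust {source_role_arn}")
    ns = resource["metadata"]["namespace"]
    if not selector_covers(selector, ns):
        findings.append(f"IAMRoleSelector does not select namespace {ns!r}")
    owner = resource.get("status", {}).get("ackResourceMetadata", {}).get("ownerAccountID")
    expected = account_of(target_role_arn)
    if owner and owner != expected:
        # The resource's owner account is the account whose credentials created it.
        findings.append(
            f"resource owned by account {owner}, not target account {expected}: "
            "the selected role was not assumed"
        )
    return findings


# Constructed sample data shaped like the report: policies are consistent and the
# selector matches, but the created bucket is owned by the controller's account.
SOURCE_ROLE = "arn:aws:iam::111111111111:role/AmazonEKSCapabilityACKRole"  # constructed
TARGET_ROLE = "arn:aws:iam::222222222222:role/ACK-CrossAccount-Target"  # constructed
PERMISSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": SOURCE_ROLE}, "Action": "sts:AssumeRole"}]}
SELECTOR = {"spec": {"arn": TARGET_ROLE, "namespaceSelector": {"names": ["production"]}}}
BUCKET = {"metadata": {"namespace": "production"},
          "status": {"ackResourceMetadata": {"ownerAccountID": "111111111111"}}}

if __name__ == "__main__":
    for finding in diagnose(SOURCE_ROLE, PERMISSION_POLICY, TRUST_POLICY, SELECTOR, BUCKET):
        print(finding)
```

The last check is the one worth running first against the output above: the Bucket status reports an Owner Account ID equal to the controller's own account, not the account in the IAMRoleSelector ARN, which shows the bucket was created with the source account's credentials whether or not the ACK.IAMRoleSelected condition appears. Once the static checks pass, the live confirmation is `aws sts assume-role --role-arn <target role ARN> --role-session-name check` run with the capability role's credentials, followed by `aws sts get-caller-identity` with the returned temporary credentials to confirm the target account ID.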