CodexBloom - Programming Q&A Platform

Terraform 1.4.1: implementing IAM Policy Attachment for EKS Service Account on AWS

👀 Views: 0 💬 Answers: 1 📅 Created: 2025-08-20
terraform aws eks iam HCL

I'm updating my dependencies and I'm working on a personal project, and I'm sure I'm missing something obvious here, but after trying multiple solutions online, I still can't figure this out. I'm trying to attach an IAM policy to a service account that I've created for an EKS cluster using Terraform 1.4.1, but I'm running into an issue where the policy does not seem to attach correctly, and the service account lacks the necessary permissions. I've defined the IAM policy and the service account in the following way:

```hcl
# Permissions the service account is supposed to get: list one bucket.
resource "aws_iam_policy" "eks_policy" {
  name        = "EKSServiceAccountPolicy"
  description = "Policy for the EKS service account"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["s3:ListBucket"],
        Resource = ["arn:aws:s3:::my-bucket"]
      }
    ]
  })
}

# The Kubernetes service account the pod runs as.
resource "kubernetes_service_account" "eks_service_account" {
  metadata {
    name      = "my-service-account"
    namespace = "default"
  }
}

# Role whose trust policy allows only the EKS service principal to assume it.
resource "aws_iam_role" "eks_role" {
  name = "EKSServiceAccountRole"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action    = "sts:AssumeRole",
        Principal = { Service = "eks.amazonaws.com" },
        Effect    = "Allow",
        Sid       = ""
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "attach_policy" {
  role       = aws_iam_role.eks_role.name
  policy_arn = aws_iam_policy.eks_policy.arn
}

# The same role is also used as the cluster's control-plane role.
resource "aws_eks_cluster" "my_cluster" {
  name     = "my-cluster"
  role_arn = aws_iam_role.eks_role.arn
  # Other configurations...
}
```

After applying the configuration, I expected the service account to have the permissions specified in the `EKSServiceAccountPolicy`, but when I tested the service account in a pod, it throws an error indicating that it cannot list the S3 bucket:

```
Error: AccessDenied: User: arn:aws:eks:us-west-2:123456789012:serviceaccount:default:my-service-account is not authorized to perform: s3:ListBucket on resource: arn:aws:s3:::my-bucket
```

I've double-checked the role and policy ARNs, and everything seems correct, but the policy isn't taking effect as expected. I've also tried reapplying the Terraform configuration and ensuring that the service account is in the same namespace as the pod. Any ideas on what could be going wrong, or is there a better way to manage this IAM policy attachment for the EKS service account? For context: I'm using HCL on Windows. Any ideas what could be causing this? What am I doing wrong? Any suggestions would be helpful. I'm coming from a different tech stack and learning HCL. Could this be a known issue?
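As posted, nothing links the pod to the role: the trust policy only lets the EKS service principal (the control plane) call `sts:AssumeRole`, the role is also being used as the cluster's own role, and the Kubernetes service account carries no role annotation, so the pod never receives role credentials. The configuration below is an added example, not code from the original question or from the site's answer, showing the IAM Roles for Service Accounts (IRSA) wiring with Terraform: an OIDC provider for the cluster, a separate role trusting that provider and scoped to one `namespace:serviceaccount`, and the `eks.amazonaws.com/role-arn` annotation. It assumes the `aws_eks_cluster.my_cluster` and `aws_iam_policy.eks_policy` resources from the question already exist (the cluster keeping its own control-plane role), that the `hashicorp/tls` provider is available, and that the `kubernetes_service_account` block here replaces the one in the question; the resource names `sa_role`, `sa_trust` and `sa_policy` are illustrative.

```hcl
# Added example (not from the original post): IRSA wiring for the pod's
# service account. Assumes aws_eks_cluster.my_cluster and
# aws_iam_policy.eks_policy exist as in the question. Resource names below
# are assumptions chosen for this example.

locals {
  # The cluster publishes an OIDC issuer URL once it exists.
  oidc_issuer = aws_eks_cluster.my_cluster.identity[0].oidc[0].issuer
  # Condition keys in the trust policy use the issuer host without "https://".
  oidc_host = replace(local.oidc_issuer, "https://", "")
}

# Fetch the issuer's TLS chain so the provider can be registered with a thumbprint.
data "tls_certificate" "eks_oidc" {
  url = local.oidc_issuer
}

# One OIDC provider per cluster; STS uses it to validate projected SA tokens.
resource "aws_iam_openid_connect_provider" "eks" {
  url             = local.oidc_issuer
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.eks_oidc.certificates[0].sha1_fingerprint]
}

# Trust policy for the pod role. Federated principal + sub/aud conditions
# restrict assumption to exactly one service account in one namespace.
data "aws_iam_policy_document" "sa_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.eks.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:sub"
      values   = ["system:serviceaccount:default:my-service-account"]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

# Dedicated role for the pod; never reuse the cluster's control-plane role.
resource "aws_iam_role" "sa_role" {
  name               = "EKSServiceAccountPodRole"
  assume_role_policy = data.aws_iam_policy_document.sa_trust.json
}

resource "aws_iam_role_policy_attachment" "sa_policy" {
  role       = aws_iam_role.sa_role.name
  policy_arn = aws_iam_policy.eks_policy.arn
}

# The annotation is what the EKS pod identity webhook reads when it injects
# AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE into the pod.
resource "kubernetes_service_account" "eks_service_account" {
  metadata {
    name      = "my-service-account"
    namespace = "default"
    annotations = {
      "eks.amazonaws.com/role-arn" = aws_iam_role.sa_role.arn
    }
  }
}
```

To check it: a pod started after the annotation is in place should have `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` set, and `aws sts get-caller-identity` from inside it should report an assumed-role ARN for `EKSServiceAccountPodRole` rather than the node's instance role. Pods that were already running before the annotation was added are not mutated; restart them. The `sub` condition is the least-privilege boundary here: a `StringLike` with a wildcard would let every service account in the cluster assume the role. Note also that `s3:ListBucket` on `arn:aws:s3:::my-bucket` covers listing only; reading objects needs `s3:GetObject` on `arn:aws:s3:::my-bucket/*`.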