[Bug] Drift eksctl pod identity association management between get/create/update

[nsagnett]

What were you trying to accomplish?

Create Pod identity Associations saving in other files than cluster config file, by using eksctl get/create/update podidentityassociation commands

What happened?

Command works fine, but when I compare eksctl get podidentityassociation output and fields which can be present (https://github.com/eksctl-io/eksctl/blob/main/examples/39-pod-identity-association.yaml), missing some potential crucial information (wellKnownPolicies, permissionPolicyARNs, ...)

How to reproduce it?

1. Create cluster with mentionned iam podIdentityAssociations

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: my-cluster
iam:
  podIdentityAssociations:
    - namespace: my-namespace
      serviceAccountName: my-sa
      roleName: my-role
      permissionPolicyARNs:
        - arn:aws:iam::112233445566:policy/my-policy
    - namespace: cert-manager
      serviceAccountName: cert-manager
      wellKnownPolicies:
        certManager: true

2. Launch eksctl get podidentityassociation --cluster my-cluster and save output.
3. You can see output doesn't mentioned some creation fields
4. If you launch eksctl update podidentityassociation --cluster my-cluster --namespace my-namespace --service-account-name my-sa --role-arn my-role-arn, my-role will be modify to remove permissionPolicyARNs and I can set it with update command
5. In the same time, for cert-manager exemple, wellKnownPolicies are missing from output from get command and we can't set it with update command

Logs

Anything else we need to know?

Versions

$ eksctl info
eksctl version: 0.212.0
kubectl version: v1.32.5
OS: linux

[github-actions]

Hello nsagnett 👋 Thank you for opening an issue in eksctl project. The team will review the issue and aim to respond within 1-5 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website

[nsagnett]

Hello,

Any news on this topic?

[sapphirew]

Thank you for reporting this issue to us. When you create a pod identity association with wellKnownPolicies and permissionPolicyARNs, eksctl creates an IAM role via CloudFormation with the specified policies attached, and also creates a pod identity association via the EKS API that only references the role ARN. The get command was only querying the EKS API. It does not query anything from the IAM API, since it's fundamentally impossible to reverse-engineer the original input from IAM API, since managed policies like AmazonEC2ContainerRegistryPowerUser could be generated either from permissionPolicyARNs or from a well-known policies

eksctl/pkg/cfn/builder/iam.go

Lines 457 to 465 in b7c02b3

	for _, arn := range rs.attachPolicyARNs {
	role.ManagedPolicyArns = append(role.ManagedPolicyArns, arn)
	}
	managedPolicies, customPolicies := createWellKnownPolicies(rs.wellKnownPolicies)
	for _, p := range managedPolicies {
	role.ManagedPolicyArns = append(role.ManagedPolicyArns, makePolicyARN(p.name))
	}

Unfortunately, you will have to maintain the original yaml you used for eksctl create podidentityassociation for now