Fix SSO role ARN resolution for EKS access entries

DataGomes · DataGomes · commit dfabd516aa65 · 2026-04-05T08:21:46.000-07:00
SSO roles include a path prefix (e.g. /aws-reserved/sso.amazonaws.com/REGION/)
that EKS requires in access entries. The previous manual ARN construction
stripped this path, causing InvalidParameterException. Use `aws iam get-role`
to resolve the full canonical ARN.
diff --git a/deploy.sh b/deploy.sh
@@ -252,11 +252,12 @@ fi
 if [ -z "$BUILD_ID" ]; then
   # Resolve caller's IAM role ARN for EKS access grants.
   # For assumed-role ARNs (arn:aws:sts::ACCT:assumed-role/RoleName/session),
-  # convert to the IAM role ARN (arn:aws:iam::ACCT:role/RoleName).
+  # look up the full IAM role ARN via get-role. SSO roles include a path
+  # (e.g. /aws-reserved/sso.amazonaws.com/REGION/) that EKS requires.
   CALLER_ROLE_ARN=""
   if echo "$IDENTITY_ARN" | grep -q "assumed-role"; then
     ROLE_NAME="$(echo "$IDENTITY_ARN" | cut -d'/' -f2)"
-    CALLER_ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}"
+    CALLER_ROLE_ARN="$(aws iam get-role --role-name "$ROLE_NAME" --query 'Role.Arn' --output text 2>/dev/null || true)"
   fi
 
   ENV_OVERRIDES='[
