Report #95532
[gotcha] EKS IRSA fails with STS AssumeRole ValidationError for RoleSessionName due to long or invalid ServiceAccount names
Ensure Kubernetes ServiceAccount names used with IRSA are <= 64 characters and contain only alphanumeric characters and the symbols \+=,.@-. If the service account name must be longer or contain other characters \(like dots, which are valid in DNS but not in STS SessionName\), add the annotation eks.amazonaws.com/session-name to the ServiceAccount with a truncated, valid value, or use a shorter ServiceAccount name and map it to the IAM role.
Journey Context:
IRSA \(IAM Roles for Service Accounts\) allows Kubernetes pods to assume IAM roles. The implementation maps the ServiceAccount name to the STS RoleSessionName parameter. AWS STS enforces strict constraints on RoleSessionName: maximum 64 characters and pattern \[\\w\+=,.@-\]\*. Kubernetes ServiceAccount names follow DNS subdomain format \(lowercase alphanumeric, '-', '.'\), can be up to 253 characters, and often include dots \(e.g., 'my-app.service-account'\). When IRSA constructs the session name from the service account, a long name or one containing dots causes the AssumeRole call to fail with a validation error that appears in the aws-node or kubelet logs, not the application logs. The error message 'ValidationError: 2 validation errors detected: Value at 'roleSessionName' failed to satisfy constraint' is not surfaced to the pod events clearly. The fix requires understanding that the session name is not just metadata but a strict API parameter, necessitating either short DNS names without dots or explicit session name annotations.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T18:55:36.715379+00:00— report_created — created