Merge pull request #90 from nrosenberg1/sa-regional-endpoint

Add SA regional endpoint support

controllers/iamrole_controller.go

@@ -187,7 +187,18 @@ func (r *IamroleReconciler) HandleReconcile(ctx context.Context, req ctrl.Reques
 
 		}
 
-		if validation.CompareRole(ctx, *input, targetRole, *targetPolicy) {
+		// If IRSA is enabled, make sure the service account has the needed annotations
+		saConsistent := false
+		saExists, saName := utils.ParseIRSAAnnotation(ctx, iamRole)
+		if saExists {
+			// Get the service account in kubernetes
+			saSpec := k8s.NewK8sManagerClient(r.Client).GetServiceAccount(ctx, iamRole.Namespace, saName)
+			// If it exists, check the annotations are correct
+			if saSpec != nil {
+				saConsistent = validation.CompareRoleIRSA(ctx, saSpec, *config.Props)
+			}
+		}
+		if validation.CompareRole(ctx, *input, targetRole, *targetPolicy) && saConsistent {
 			log.Info("No change in the incoming policy compare to state of the world(external AWS IAM) policy")
 			r.UpdateStatus(ctx, iamRole, iammanagerv1alpha1.IamroleStatus{RetryCount: 0, RoleName: roleName, ErrorDescription: "", RoleID: aws.StringValue(targetRole.Role.RoleId), RoleARN: aws.StringValue(targetRole.Role.Arn), LastUpdatedTimestamp: iamRole.Status.LastUpdatedTimestamp, State: iammanagerv1alpha1.Ready})
 
@@ -248,9 +259,9 @@ func (r *IamroleReconciler) HandleReconcile(ctx context.Context, req ctrl.Reques
 
 		//OK. Successful!!
 		// Is this IRSA role? If yes, Create/update Service Account with required annotation
-		flag, saName := utils.ParseIRSAAnnotation(ctx, iamRole)
-		if flag {
-			if err := k8s.NewK8sManagerClient(r.Client).CreateOrUpdateServiceAccount(ctx, saName, iamRole.Namespace, resp.RoleARN); err != nil {
+		saFlag, saName := utils.ParseIRSAAnnotation(ctx, iamRole)
+		if saFlag {
+			if err := k8s.NewK8sManagerClient(r.Client).CreateOrUpdateServiceAccount(ctx, saName, iamRole.Namespace, resp.RoleARN, config.Props.IsIRSARegionalEndpointDisabled()); err != nil {
 				log.Error(err, "error in updating service account for IRSA role")
 				r.Recorder.Event(iamRole, v1.EventTypeWarning, string(iammanagerv1alpha1.Error), "Unable to create/update service account for IRSA role due to error "+err.Error())
 				return r.UpdateStatus(ctx, iamRole, iammanagerv1alpha1.IamroleStatus{RetryCount: iamRole.Status.RetryCount + 1, RoleName: roleName, ErrorDescription: err.Error(), State: iammanagerv1alpha1.Error, LastUpdatedTimestamp: metav1.Now()}, requeueTime)

docs/Configmap_Properties.md

@@ -8,7 +8,7 @@ This document explains configmap variables.
 | aws.accountId                     | AWS account ID where IAM roles are created|        |Optional            |
 | iam.managed.policies              | User managed IAM policies     |                    |Optional            |
 | iam.managed.permission.boundary.policy| User managed permission boundary policy|k8s-iam-manager-cluster-permission-boundary       |Required            |
-| webhook.enabled                   |  Enable webhook?              | `false             | Required           |
+| webhook.enabled                   |  Enable webhook?              | `false`             | Required           |
 | iam.role.max.limit.per.namespace  | Maximum number of roles per namespace |   1        | Required |
 | aws.region                        | AWS Region                    | `us-west-2`        | Required |
 | iam.default.trust.policy          | Default trust policy role. This must follow v1alpha1.AssumeRolePolicyDocument syntax|           | Optional |
@@ -17,6 +17,7 @@ This document explains configmap variables.
 | k8s.cluster.name                  | Name of the cluster           |                    | Optional | 
 | k8s.cluster.oidc.issuer.url       | OIDC issuer of the cluster    |                    | Optional |
 | iam.irsa.enabled                  | Enable IRSA option?           | `false`            | Optional |
+| [iam.irsa.regional.endpoint.disabled](#iamirsaregionalendpointdisabled)| Disable IRSA regional endpoint?| `false`          | Optional |
 
 
 ## `iam.role.pattern`
@@ -53,3 +54,12 @@ will have left over unused IAM roles in your account.
 
 Get these settings right from the beginning, or be prepared to clean up the left
 over roles.
+
+## `iam.irsa.regional.endpoint.disabled`
+_Default_: `"false"`
+
+Information about Service Account regional endpoints can be found 
+[here](https://github.com/aws/amazon-eks-pod-identity-webhook#aws_sts_regional_endpoints-injection).
+By default, iam-manager will inject `eks.amazonaws.com/sts-regional-endpoints: "true"` as an annotation on service
+accounts specified in IamRoles. Setting this property to `"true"` will disable this injection and remove the annotation so endpoint will default
+back to global endpoint in us-east-1.

go.mod

@@ -10,9 +10,9 @@ require (
 	github.com/onsi/gomega v1.8.1
 	github.com/pborman/uuid v1.2.0
 	github.com/pkg/errors v0.8.1
-	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 // indirect
-	golang.org/x/sys v0.0.0-20220307203707-22a9840ba4d7 // indirect
-	golang.org/x/tools v0.1.9 // indirect
+	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
+	golang.org/x/sys v0.0.0-20220406163625-3f8b81556e12 // indirect
+	golang.org/x/tools v0.1.10 // indirect
 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15
 	k8s.io/api v0.17.2
 	k8s.io/apimachinery v0.17.2

go.sum

@@ -333,6 +333,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 h1:7I4JAnoQBe7ZtJcBaYHi5UtiO8tQHbUSXxL+pnGRANg=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -354,6 +356,8 @@ golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.5.1 h1:OJxoQ/rynoF0dcCdI7cLPktw/hR2cueqYfjm43oqK38=
 golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
+golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 h1:kQgndtyPBW/JIYERgdxfwMYh3AVStj88WQTlNDi2a+o=
+golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
 golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -373,6 +377,7 @@ golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974 h1:IX6qOQeG5uLjB/hjjwjedwfjND0hgjPMMyO1RoIXQNI=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4 h1:4nGaVu0QrbjT/AK2PRLuQfQuh6DJve+pELhqTdAj3x0=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f h1:OfiFi4JbukWwe3lzw+xunroH1mnC1e2Gy5cxNJApiSY=
@@ -417,11 +422,15 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210514084401-e8d321eab015 h1:hZR0X1kPW+nwyJ9xRxqZk1vx5RUObAPBdKVvXPDUH/E=
 golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9 h1:nhht2DYV/Sn3qOayu8lM+cU1ii9sTLUeBQwQQfUHtrs=
 golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220307203707-22a9840ba4d7 h1:8IVLkfbr2cLhv0a/vKq4UFUcJym8RmDoDboxCFWEjYE=
 golang.org/x/sys v0.0.0-20220307203707-22a9840ba4d7/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220406163625-3f8b81556e12 h1:QyVthZKMsyaQwBTJE04jdNN0Pp5Fn9Qga0mrgxyERQM=
+golang.org/x/sys v0.0.0-20220406163625-3f8b81556e12/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -462,6 +471,8 @@ golang.org/x/tools v0.1.1 h1:wGiQel/hW0NnEkJUk8lbzkX2gFJU6PFxf1v5OlCfuOs=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.9 h1:j9KsMiaP1c3B0OTQGth0/k+miLGTgLsAFUCrF2vLcF8=
 golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
+golang.org/x/tools v0.1.10 h1:QjFRCZxdOhBJ/UNgnBZLbNV13DlbnK0quyivTnXJM20=
+golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=

internal/config/constants.go

@@ -57,6 +57,9 @@ const (
 
 	//propertyDefaultTrustPolicy can be used to provide default trust policy
 	propertyDefaultTrustPolicy = "iam.default.trust.policy"
+
+	//propertyIRSAaRegionalEndpointDisabled can be used to disable sts regional endpoints for service accounts, and use global endpoint in us-east-1 instead
+	propertyIRSARegionalEndpointDisabled = "iam.irsa.regional.endpoint.disabled"
 )
 
 const (
@@ -69,4 +72,6 @@ const (
 	IamManagerPrivilegedNamespaceAnnotation = "iammanager.keikoproj.io/privileged"
 
 	IamManagerTagsAnnotation = "iammanager.keikoproj.io/tags"
+
+	IRSARegionalEndpointAnnotation = "eks.amazonaws.com/sts-regional-endpoints"
 )

internal/config/properties.go

@@ -34,6 +34,7 @@ type Properties struct {
 	clusterOIDCIssuerUrl            string
 	defaultTrustPolicy              string
 	iamRolePattern                  string
+	isIRSARegionalEndpointDisabled  string
 }
 
 func init() {
@@ -83,6 +84,7 @@ func LoadProperties(env string, cm ...*v1.ConfigMap) error {
 			clusterOIDCIssuerUrl:            os.Getenv("CLUSTER_OIDC_ISSUER_URL"),
 			defaultTrustPolicy:              os.Getenv("DEFAULT_TRUST_POLICY"),
 			iamRolePattern:                  os.Getenv("IAM_ROLE_PATTERN"),
+			isIRSARegionalEndpointDisabled:  os.Getenv("IRSA_REGIONAL_ENDPOINT_DISABLED"),
 		}
 		return nil
 	}
@@ -204,6 +206,13 @@ func LoadProperties(env string, cm ...*v1.ConfigMap) error {
 	}
 	Props.clusterOIDCIssuerUrl = oidcUrl
 
+	isIRSARegionalEndpointDisabled := cm[0].Data[propertyIRSARegionalEndpointDisabled]
+	if isIRSARegionalEndpointDisabled == "true" {
+		Props.isIRSARegionalEndpointDisabled = "true"
+	} else {
+		Props.isIRSARegionalEndpointDisabled = "false"
+	}
+
 	return nil
 }
 
@@ -263,6 +272,14 @@ func (p *Properties) IsIRSAEnabled() bool {
 	return resp
 }
 
+func (p *Properties) IsIRSARegionalEndpointDisabled() bool {
+	resp := false
+	if p.isIRSARegionalEndpointDisabled == "true" {
+		resp = true
+	}
+	return resp
+}
+
 func (p *Properties) ClusterName() string {
 	return p.clusterName
 }

internal/config/properties_test.go

@@ -130,13 +130,15 @@ func (s *PropertiesSuite) TestLoadPropertiesSuccessWithCustom(c *check.C) {
 			"controller.desired.frequency":           "30",
 			"iam.role.max.limit.per.namespace":       "5",
 			"iam.role.pattern":                       "pfx-{{ .ObjectMeta.Name }}",
+			"iam.irsa.regional.endpoint.disabled":    "true",
 		},
 	}
 	err := LoadProperties("", cm)
 	c.Assert(err, check.IsNil)
 	c.Assert(Props.MaxRolesAllowed(), check.Equals, 5)
 	c.Assert(Props.ControllerDesiredFrequency(), check.Equals, 30)
 	c.Assert(Props.IamRolePattern(), check.Equals, "pfx-{{ .ObjectMeta.Name }}")
+	c.Assert(Props.IsIRSARegionalEndpointDisabled(), check.Equals, true)
 }
 
 func (s *PropertiesSuite) TestGetAllowedPolicyAction(c *check.C) {
@@ -204,3 +206,8 @@ func (s *PropertiesSuite) TestControllerDefaultTrustPolicy(c *check.C) {
 	value := Props.DefaultTrustPolicy()
 	c.Assert(value, check.Equals, def)
 }
+
+func (s *PropertiesSuite) TestIsIRSARegionalEndpointDisabled(c *check.C) {
+	value := Props.IsIRSARegionalEndpointDisabled()
+	c.Assert(value, check.Equals, false)
+}

internal/utils/utils.go

@@ -198,3 +198,8 @@ func ParsePrivilegedAnnotation(ctx context.Context, ns *v1.Namespace) bool {
 func ParseTagsAnnotation(ctx context.Context, iamRole *iammanagerv1alpha1.Iamrole) (bool, string) {
 	return parseAnnotations(ctx, config.IamManagerTagsAnnotation, iamRole.Annotations)
 }
+
+//ParseTagsAnnotation parses IamRole tags annotation and responds if annotation exists
+func ParseIRSARegionalEndpointAnnotation(ctx context.Context, sa *v1.ServiceAccount) (bool, string) {
+	return parseAnnotations(ctx, config.IRSARegionalEndpointAnnotation, sa.Annotations)
+}

pkg/k8s/client.go

@@ -184,3 +184,18 @@ func (c *Client) SetUpEventHandler(ctx context.Context) record.EventRecorder {
 	log.V(1).Info("Successfully added event broadcaster")
 	return eventBroadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: "iam-manager"})
 }
+
+//GetServiceAccount returns the service account with a given name in a given namespace
+func (c *Client) GetServiceAccount(ctx context.Context, ns string, name string) *v1.ServiceAccount {
+	log := log.Logger(ctx, "k8s", "client", "GetServiceAccount")
+	log.WithValues("namespace", ns)
+	log.Info("Retrieving service account")
+	sa := &v1.ServiceAccount{}
+	err := c.rCl.Get(ctx, client.ObjectKey{Name: name, Namespace: ns}, sa)
+	if err != nil {
+		log.Info("unable to get service account", "saName", name, "namespace", ns)
+		return nil
+	}
+
+	return sa
+}

pkg/k8s/rbac.go

@@ -12,7 +12,7 @@ import (
 )
 
 //CreateServiceAccount adds the service account
-func (c *Client) CreateOrUpdateServiceAccount(ctx context.Context, saName string, ns string, roleARN string) error {
+func (c *Client) CreateOrUpdateServiceAccount(ctx context.Context, saName string, ns string, roleARN string, regionalEndpointDisabled bool) error {
 	log := log.Logger(ctx, "pkg.k8s", "rbac", "CreateOrUpdateServiceAccount")
 
 	sa := &corev1.ServiceAccount{
@@ -24,6 +24,10 @@ func (c *Client) CreateOrUpdateServiceAccount(ctx context.Context, saName string
 			},
 		},
 	}
+	if !regionalEndpointDisabled {
+		sa.ObjectMeta.Annotations["eks.amazonaws.com/sts-regional-endpoints"] = "true"
+	}
+
 	//_, err := c.cl.CoreV1().ServiceAccounts(ns).Create(sa)
 	log.V(1).Info("Service Account creation is in progress")
 	err := c.rCl.Create(ctx, sa)

pkg/validation/validate.go

@@ -8,9 +8,11 @@ import (
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/keikoproj/iam-manager/api/v1alpha1"
 	"github.com/keikoproj/iam-manager/internal/config"
+	"github.com/keikoproj/iam-manager/internal/utils"
 	"github.com/keikoproj/iam-manager/pkg/awsapi"
 	"github.com/keikoproj/iam-manager/pkg/log"
 	"github.com/pkg/errors"
+	"k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"net/url"
 	"reflect"
@@ -124,6 +126,21 @@ func CompareRole(ctx context.Context, request awsapi.IAMRoleRequest, targetRole
 	return true
 }
 
+//CompareRole function compares input role to target role
+func CompareRoleIRSA(ctx context.Context, sa *v1.ServiceAccount, props config.Properties) bool {
+	// Check if sts-regional-endpoint annotation is set to the expected value
+	exists, val := utils.ParseIRSARegionalEndpointAnnotation(ctx, sa)
+	// If the regional endpoint disabled flag is not set, make sure the annotation exists and is set to true
+	if !props.IsIRSARegionalEndpointDisabled() && (!exists || val != "true") {
+		return false
+		// If the regional endpoint disabled flag is set to true, make sure the annotation either doesn't exist or is set to false
+	} else if props.IsIRSARegionalEndpointDisabled() && (exists && val != "false") {
+		return false
+	}
+
+	return true
+}
+
 //ComparePermissionPolicy compares role policy from request and response
 func ComparePermissionPolicy(ctx context.Context, request string, target string) bool {
 	log := log.Logger(ctx, "pkg.validation", "ComparePermissionPolicy")

pkg/validation/validate_test.go

@@ -11,6 +11,8 @@ import (
 	"github.com/keikoproj/iam-manager/pkg/awsapi"
 	"github.com/keikoproj/iam-manager/pkg/validation"
 	"gopkg.in/check.v1"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"testing"
 )
 
@@ -477,6 +479,33 @@ func (s *ValidateSuite) TestCompareTagsFailure(c *check.C) {
 	c.Assert(flag, check.Equals, false)
 }
 
+func (s *ValidateSuite) TestCompareRoleIRSASuccess(c *check.C) {
+	sa := v1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-sa",
+			Namespace: "test-ns",
+			Annotations: map[string]string{
+				"eks.amazonaws.com/sts-regional-endpoints": "true",
+			},
+		},
+	}
+
+	flag := validation.CompareRoleIRSA(s.ctx, &sa, config.Properties{})
+	c.Assert(flag, check.Equals, true)
+}
+
+func (s *ValidateSuite) TestCompareRoleIRSAFailure(c *check.C) {
+	sa := v1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-sa",
+			Namespace: "test-ns",
+		},
+	}
+
+	flag := validation.CompareRoleIRSA(s.ctx, &sa, config.Properties{})
+	c.Assert(flag, check.Equals, false)
+}
+
 func (s *ValidateSuite) TestContainsStringSuccess(c *check.C) {
 	resp := validation.ContainsString([]string{"iamrole.finalizers.iammanager.keikoproj.io", "iamrole.finalizers2.iammanager.keikoproj.io"}, "iamrole.finalizers.iammanager.keikoproj.io")
 	c.Assert(resp, check.Equals, true)