gentle-planet-39338
09/26/2024, 12:40 PM
aws-iam:index:RoleForServiceAccountsEks resource.
The Policy creation works but the Role is invalid. This is missing a StringEquals, and the condition should use the oidc-provider directly and not the ARN.
Resource code
cert-manager-irsa:
  type: "aws-iam:index:RoleForServiceAccountsEks"
  options:
    dependsOn:
      - ${cluster}
  properties:
    role:
      name: "staging-cert-manager"
    tags:
      environment: stg
      project: stg
    oidcProviders:
      main:
        providerArn: ${cluster.core.oidcProvider.arn}
        namespaceServiceAccounts:
          - "cert-manager:cert-manager"
    policies:
      certManager:
        attach: true
        hostedZoneArns:
          - ${dns.outputs["staging.ARN"]}
Pulumi Preview details
+ aws:iam/role:Role: (create)
    [urn=urn:pulumi:eks::staging::aws-iam:index:RoleForServiceAccountsEks$aws:iam/role:Role::externalDns-irsa-role]
    assumeRolePolicy : (json) {
        Statement: [
            [0]: {
                Action   : "sts:AssumeRoleWithWebIdentity"
                Condition: {
                    : {
                        arn:aws:iam::<AWS_ACCOUNT>:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/<OIDC_PROVIDER_ID>:aud: "sts.amazonaws.com"
                        arn:aws:iam::<AWS_ACCOUNT>:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/<OIDC_PROVIDER_ID>:sub: "system:serviceaccount:cert-manager:cert-manager"
                    }
                }
                Effect   : "Allow"
                Principal: {
                    Federated: "arn:aws:iam::<AWS_ACCOUNT>:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/<OIDC_PROVIDER_ID>"
                }
            }
        ]
        Version  : "2012-10-17"
    }
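The trust policy the post is asking for, as an added example (my code, not the poster's and not the pulumi-aws-iam component's): it builds an IRSA trust policy with a StringEquals condition keyed on the OIDC provider URL (host/path) rather than the provider ARN, and it checks a rendered assumeRolePolicy for the two defects visible in the preview above, the empty condition operator and the ARN-prefixed condition keys. The account ID and provider ID are constructed placeholders, and the function names are mine.

```python
"""Added example, not code from the original post or the pulumi-aws-iam component.

Builds a correct IRSA trust policy from an EKS OIDC provider ARN and checks an
existing trust policy for the two defects the preview above shows: a Condition
whose operator key is empty instead of "StringEquals", and condition keys built
from the provider ARN instead of the bare provider URL (host/path).
"""
import json

# Constructed placeholders; not a real account or cluster.
PROVIDER_ARN = ("arn:aws:iam::123456789012:oidc-provider/"
                "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLE0123456789ABCDEF")


def oidc_provider_url(provider_arn: str) -> str:
    """Return the issuer host/path that IAM expects as the condition-key prefix.

    arn:aws:iam::123456789012:oidc-provider/oidc.eks.<region>.amazonaws.com/id/<ID>
      -> oidc.eks.<region>.amazonaws.com/id/<ID>
    """
    marker = ":oidc-provider/"
    if not provider_arn.startswith("arn:") or marker not in provider_arn:
        raise ValueError(f"not an IAM OIDC provider ARN: {provider_arn}")
    return provider_arn.split(marker, 1)[1]


def irsa_trust_policy(provider_arn: str, namespace: str, service_account: str,
                      audience: str = "sts.amazonaws.com") -> dict:
    """Trust policy that lets exactly one Kubernetes service account assume the role."""
    url = oidc_provider_url(provider_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},   # the Principal does use the ARN
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {                        # the condition keys use the URL
                    f"{url}:aud": audience,
                    f"{url}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                }
            },
        }],
    }


def check_irsa_trust_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means the policy is well-formed."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition") or {}
        if not cond:
            findings.append(f"statement {i}: no Condition, any token issued by the provider can assume the role")
            continue
        for operator, keys in cond.items():
            if operator not in ("StringEquals", "StringLike"):
                findings.append(f"statement {i}: condition operator {operator!r} is not StringEquals (or StringLike)")
            for key in keys:
                if key.startswith("arn:"):
                    findings.append(f"statement {i}: condition key {key!r} uses the provider ARN, expected the provider URL")
            if not any(k.endswith(":sub") for k in keys):
                findings.append(f"statement {i}: no :sub condition, every service account behind the provider can assume the role")
    return findings


# The broken policy from the preview above, reconstructed with the placeholder ARN.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "": {   # empty operator instead of StringEquals
                f"{PROVIDER_ARN}:aud": "sts.amazonaws.com",
                f"{PROVIDER_ARN}:sub": "system:serviceaccount:cert-manager:cert-manager",
            }
        },
    }],
}

FIXED_POLICY = irsa_trust_policy(PROVIDER_ARN, "cert-manager", "cert-manager")

if __name__ == "__main__":
    print("broken:", *check_irsa_trust_policy(BROKEN_POLICY), sep="\n  ")
    print("fixed:", check_irsa_trust_policy(FIXED_POLICY))
    print(json.dumps(FIXED_POLICY, indent=2))
```

To check a role that already exists, feed the decoded AssumeRolePolicyDocument returned by `aws iam get-role` into check_irsa_trust_policy; a non-empty list means the role either cannot be created at all (empty operator) or will never match the token claims (ARN-prefixed keys), so the pod cannot assume it.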