I'm trying to create a service account for a cluster autoscaler with an annotation using the following pulumi code: saCA, err := corev1.NewServiceAccount(ctx, clusterAutoScalerName, &corev1.ServiceAccountArgs{ Metadata: &metav1.ObjectMetaArgs{ Namespace: pulumi.String("kube-system"), Name: pulumi.String(clusterAutoScalerName), Annotations: pulumi.StringMap{ "eks.amazonaws.com/role-arn": clusterAutoScalerSARole.Arn, }, }, }) However, when I describe the service account, the Annotation is not there: ➜ infra git:(master) ✗ kubectl describe serviceaccount cluster-autoscaler -n kube-system Name: cluster-autoscaler-aws-cluster-autoscaler Namespace: kube-system Labels: app.kubernetes.io/instance=cluster-autoscaler app.kubernetes.io/managed-by=Helm app.kubernetes.io/name=aws-cluster-autoscaler helm.sh/chart=cluster-autoscaler-9.9.2 Annotations: meta.helm.sh/release-name: cluster-autoscaler meta.helm.sh/release-namespace: kube-system Image pull secrets: <none> Mountable secrets: cluster-autoscaler-aws-cluster-autoscaler-token-lvr88 Tokens: cluster-autoscaler-aws-cluster-autoscaler-token-lvr88 Events: <none> Anybody know what might be wrong?

Are you sure this was created by Pulumi? This one looks like it was created by Helm

Good question, I would think pulumi would error out if resource is already created by Helm. I created the serviceaccount first, so Helm might just provided annotation?

It’s hard to tell but if Pulumi had created it I imagine it would have had some of the normal Pulumi annotations.

You are right. There are 2 SAs one created by Helm and one created by Pulumi @bored-table-20691. I was looking at the one created by Helm. Thanks!!!

Excellent.