The helm chart supplied with Sisense allows global annotation of all service accounts within the sisense namespace.

For example I can annotate an AWS role that is able to be assumed by pods:

helm upgrade sisense ${sisense_chart} --namespace sisense \
--reuse-values \
--set global.serviceAccountAnnotations."eks\.amazonaws\.com/role-arn"=${pod_role_arn}

While this covers most of the pods by updating all the sisense-* service accounts in kubernetes the ec-build pod (the one that actually builds the elasticube) only uses the default service account in the sisense namespace.

A workaround is to annotate the default service account:

kubectl annotate serviceaccount default eks.amazonaws.com/role-arn=${pod_role_arn} --namespace sisense

But it seems odd that the pod would a) assume the default service account when all other pods have service accounts explicitly defined for them and b) despite having gone to the trouble of wiring up global service account annotations in helm for them not to be applied at the final step of elasticube building.

This specific use case is for supplying web identity tokens to a JDBC driver so that you can interact with AWS by using a specific OIDC assumed pod role, rather than using an EC2 role or worse, static credentials in a file or connection string. Even more specifically using CData JDBC parquet driver with S3.