Support IAM Roles for Service Accounts
AWS has rolled out a new EKS feature called IAM Roles for Service Accounts. It allows pods on Kubernetes to assume roles based on the service account they run under and is supposed to be the official answer to tools like kiam. All that is required to get this feature working is an upgrade of the aws-sdk to a supported version - this adds the new web identity credential provider to the default chain.
We'd like to migrate to this official implementation, but GitLab needs to upgrade the underlying AWS SDK first. A quick look through the repository makes me believe that the Ruby version needs to be updated to at least 2.11.345, the Node.js version used already is supported. The Helm chart to deploy GitLab should also be fine as is, since we can set a service account name via the shared secrets chart.