(eks): awsAuth methods should account for role path

As described here and IAM role containing a Path won’t work on the aws-auth configmap and the path must be removed.

Currently passing a role that includes a path to any of the awsAuth methods of the cluster object (i.e awsAuth.addMastersRole) will produce a config map that will not allow the role to authenticate.

For example, creating a no-ingress Cloud9 environment and mapping the instance role, fails to authenticate with the default Instance role as it includes a Path by default (/service-role/)

Reproduction Steps

1. Create a CDK Stack with C9 environment with CONNECT_SSM connection type and an EKS cluster.
2. Add the Cloud9 role to the awsAuth as master to the EKS cluster.
3. Log into the Cloud9 instance.
4. Update kubeconfig using the instance role.
5. List nodes will fail with authentication error.

What did you expect to happen?

awsAuth interface should strip the path from the role arn when updating the aws-auth configmap, otherwise allow for a method to pass the arn as String. A method with a signature like:

public addMastersRole(role: string, username?: string): void

What actually happened?

Configmap entry created includes the role path (service-role) and there is not way to exclude it:

{"rolearn":"arn:aws:iam::123456789012:role/service-role/AWSCloud9SSMAccessRole","username":"arn:aws:iam::123456789012:role/service-role/AWSCloud9SSMAccessRole","groups":["system:masters"]}

Environment

• CDK CLI Version : 1.97.0
• Framework Version:
• Node.js Version: v14.16.1
• OS : Any
• Language (Version): TypeScript–>

Other

This is 🐛 Bug Report