When running eksctl utils migrate-to-pod-identity --approve without the --remove-oidc-provider-trust-relationship flag, eksctl adds a new trust relationship for the pods.eks.amazonaws.com principal without removing the service account's role annotation, but a subsequent rerun causes it to fail with this error:

Error: creating pod identity association for service account "test" in namespace "kube-system": operation error EKS: CreatePodIdentityAssociation, https response error StatusCode: 409, RequestID: <redacted>, ResourceInUseException: Association already exists: <redacted>

Sample config:

---
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: test
  region: us-west-2

iam:
  withOIDC: true
  serviceAccounts:
    - metadata:
        name: test
        namespace: kube-system
      wellKnownPolicies:
        awsLoadBalancerController: true

Steps to reproduce

1. Create IAM service accounts
2. Run eksctl utils migrate-to-pod-identity -f cluster.yaml --approve
3. Run eksctl utils migrate-to-pod-identity -f cluster.yaml --approve again