Assume a service account role in EKS

I have created an EKS cluster using eksctl. I am following these steps to establish connectivity to AWS services like S3, cloudwatch using spring-boot.

1. Create EKS using eksctl - This has my service account details and OIDC enabled.
2. List the service accounts to see if they were created fine
3. Create a deployment using the account name
4. Create a service

I am seeing a 403 in the logs:

User: arn:aws:sts:account_id/nodegroup_rule_created_by_eks is not authorized to perform: 
cloudformation:DescribeStackResources because no identity-based policy allows 
the cloudformation:DescribeStackResources action (Service: AmazonCloudFormation; Status Code: 403; 
Error Code: AccessDenied; Request ID: xxxx)

Can I get some help here to troubleshoot this issue, please?

---

What I have figured out after posting this issue is my node which is provisioned by eksctl, has been applied with rules. This is the rule which my app is picking up due to the default CredentialChain.

What I haven't still figured out is how do I enable the apps in the pod to assume a service account role.

---

Here are relevant snippets from the yaml.

cluster-config.yaml file:

iam:
  withOIDC: true
  serviceAccounts:
    - metadata:
        name: backend-stage-iam-role
        namespace: backend-stage
        labels: { aws-usage: "all-backend-allow" }
      attachPolicyARNs:
        - "arn:aws:iam::MY_CUSTOM_RULE_WHICH_ALLOWS_S3_LIST_GET_PUT"

deployment.yaml

spec:
  replicas: 8
  selector:
    matchLabels:
      app: my-app
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: my-app
    spec:
      serviceAccountName: backend-stage-iam-role

When describing the pod, I see that there exists an environment variable :

AWS_ROLE_ARN: arn:aws:iam::MY_CUSTOM_RULE_WHICH_ALLOWS_S3_LIST_GET_PUT

I am still to figure out how can I apply this role to the pod?