Populate role ARN from stack outputs on NoChangeError in pod identity update #8717

Open
cs-mehta wants to merge 1 commit into eksctl-io:main from cs-mehta:fix/pod-identity-empty-role-arn-on-no-change

Conversation


@cs-mehta cs-mehta commented Apr 23, 2026

Description

Fixes #8718.

When eksctl update podidentityassociation is run with a config that uses roleName (no explicit roleARN), and CloudFormation reports "nothing to update", the IAMRoleUpdater.Update method returns an empty string as the role ARN. If something else still needs updating on the EKS side (e.g. disableSessionTags), this empty ARN gets sent to UpdatePodIdentityAssociation, which fails with a misleading "Cross-account pass role is not allowed" error.

The problem is in the NoChangeError handler in iam_role_updater.go:

if errors.As(err, &noChangeErr) {
    return podIdentityAssociation.RoleARN, false, nil  // empty when using roleName
}

The success path correctly resolves the ARN from CFN stack outputs via populateRoleARN(rs, stack), but the no-change path skipped that. The stack from the earlier DescribeStack call is already in scope, so this fix just adds the same populateRoleARN call.

Trigger conditions (all four required):

  1. Pod identity association exists with an eksctl-owned IAM stack
  2. Config uses roleName + permissionPolicyARNs (no roleARN)
  3. CFN returns NoChangeError
  4. An EKS-side field still needs updating (e.g. disableSessionTags)

Checklist

  • Added tests that cover your change (if possible)
  • Added/modified documentation as required (such as the README.md, or the userdocs directory)
  • Manually tested
  • Made sure the title of the PR is a good description that can go into the release notes
  • (Core team) Added labels for change area (e.g. area/nodegroup) and kind (e.g. kind/improvement)

IAMRoleUpdater.Update returns an empty roleArn to the caller when
CFN has nothing to update and the config uses roleName (no roleARN).
Pull the ARN from the existing stack outputs instead.
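As an added illustration, not code from this PR or from eksctl itself: the program below models the two code paths the description contrasts. The CloudFormation stack and output types, the NoChangeError type, the populateRoleARN helper, the injected update call, the output key name and every function signature are constructed stand-ins (assumptions, not eksctl's definitions). It also adds a local guard that rejects an empty ARN before it would reach the EKS API, so the failure surfaces as a clear message rather than the misleading cross-account error the description mentions.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for the CloudFormation stack and output types the real
// updater receives from the AWS SDK; not eksctl's own definitions.
type Output struct {
	OutputKey   string
	OutputValue string
}

type Stack struct {
	StackName string
	Outputs   []Output
}

// NoChangeError models CloudFormation answering "nothing to update".
type NoChangeError struct{ Msg string }

func (e *NoChangeError) Error() string { return e.Msg }

// Assumed output name; the real key is whatever eksctl's IAM role stack exports.
const roleARNOutputKey = "Role1"

// PodIdentityAssociation carries only the two fields this scenario needs.
type PodIdentityAssociation struct {
	RoleName string
	RoleARN  string // empty when the config uses roleName instead of roleARN
}

// updateStackFunc stands in for the CloudFormation update call so the
// no-change outcome can be injected and the code exercised offline.
type updateStackFunc func(stack *Stack) error

// populateRoleARN plays the part of the helper the PR names: fill the role ARN
// from the stack outputs rather than trusting the (possibly empty) config value.
func populateRoleARN(pia *PodIdentityAssociation, stack *Stack) error {
	for _, o := range stack.Outputs {
		if o.OutputKey == roleARNOutputKey && o.OutputValue != "" {
			pia.RoleARN = o.OutputValue
			return nil
		}
	}
	return fmt.Errorf("stack %q has no %s output", stack.StackName, roleARNOutputKey)
}

// updateRoleBuggy reproduces the pre-fix behaviour: on NoChangeError it echoes
// back whatever RoleARN the config carried, which is "" for roleName configs.
func updateRoleBuggy(pia PodIdentityAssociation, stack *Stack, update updateStackFunc) (string, bool, error) {
	err := update(stack)
	var noChangeErr *NoChangeError
	if errors.As(err, &noChangeErr) {
		return pia.RoleARN, false, nil // the bug: not resolved from the stack
	}
	if err != nil {
		return "", false, err
	}
	if err := populateRoleARN(&pia, stack); err != nil {
		return "", false, err
	}
	return pia.RoleARN, true, nil
}

// updateRoleFixed applies the PR's change: the no-change path resolves the ARN
// from the stack outputs exactly as the success path already did.
func updateRoleFixed(pia PodIdentityAssociation, stack *Stack, update updateStackFunc) (string, bool, error) {
	err := update(stack)
	var noChangeErr *NoChangeError
	if errors.As(err, &noChangeErr) {
		if err := populateRoleARN(&pia, stack); err != nil {
			return "", false, err
		}
		return pia.RoleARN, false, nil
	}
	if err != nil {
		return "", false, err
	}
	if err := populateRoleARN(&pia, stack); err != nil {
		return "", false, err
	}
	return pia.RoleARN, true, nil
}

// validateRoleARN is a caller-side guard (an assumption, not eksctl code): an
// empty ARN fails fast locally instead of being sent to the EKS API.
func validateRoleARN(roleARN string) error {
	if roleARN == "" {
		return errors.New("refusing UpdatePodIdentityAssociation with an empty roleArn")
	}
	return nil
}

func main() {
	// Constructed sample: a roleName-based association whose stack already
	// exists and whose CloudFormation update reports no changes.
	stack := &Stack{StackName: "eksctl-demo-podidentityrole-default-app",
		Outputs: []Output{{OutputKey: roleARNOutputKey, OutputValue: "arn:aws:iam::123456789012:role/demo-app-role"}}}
	pia := PodIdentityAssociation{RoleName: "demo-app-role"}
	noChange := func(*Stack) error { return fmt.Errorf("updating stack: %w", &NoChangeError{Msg: "nothing to update"}) }

	arn, _, _ := updateRoleBuggy(pia, stack, noChange)
	fmt.Printf("before fix: roleArn=%q guard=%v\n", arn, validateRoleARN(arn))
	arn, _, _ = updateRoleFixed(pia, stack, noChange)
	fmt.Printf("after fix:  roleArn=%q guard=%v\n", arn, validateRoleARN(arn))
}
```

The wrapped error in `noChange` matters: `errors.As` unwraps it, which is how the real handler's `errors.As(err, &noChangeErr)` matches a NoChangeError returned from deeper in the call chain. The guard is the kind of check a caller can keep even after the fix, since it turns any future empty-ARN regression into an immediate, self-explanatory failure.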
@github-actions (Contributor)

Hello cs-mehta 👋 Thank you for opening a Pull Request in the eksctl project. The team will review the Pull Request and aim to respond within 1-10 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website.

Development

Successfully merging this pull request may close these issues.

[Bug] update podidentityassociation sends empty roleArn when CFN stack has no changes