A couple of suggestions that may or may not help:
You may include --verbose to your command to perhaps get better details as to where it fails. Could it be the case that the user you are authenticated as is not able to assume the role specified?
In the manual for aws-cli, --role-arn is passed as a string; you should try to encapsulate it with double quotes:
aws eks update-kubeconfig --name eks-cluster --role-arn "arn:aws:iam::999999999999:role/eksServiceRole"
Try to manually assume the role through aws-cli.
Verify your current authenticated session:
aws sts get-caller-identity
Attempt to assume the role:
aws sts assume-role --role-arn "arn:aws:iam::999999999999:role/eksServiceRole" --role-session-name test-eks-role
--role-arn is the role which will be used by aws-iam-authenticator when you run kubectl to get a token and is only injected into the generated config; it is not used for fetching EKS resources in any way by the command.
The error you are hitting is because the AWS credentials you're using to run the update-kubeconfig command don't have permissions to describe that cluster.
From the docs of creating a kubeconfig for Amazon EKS here
Ensure that you have version 1.16.156 or later of the AWS CLI installed.
Clearly this is because of the older version (1.15.58) of the CLI. Upgrading the CLI should solve this issue.
Also, the CLI now has a version 2, which you can install from here
Your version of the AWS-CLI needs to be updated. At the very least you need to be running AWS-CLI version 1.16.156 as mentioned in the AWS Docs.
Amazon EKS uses the aws eks get-token command, available in version 1.16.156 or later of the AWS CLI or the AWS IAM Authenticator for Kubernetes with kubectl for cluster authentication.
You'll also need to make sure you have AWS IAM Authenticator installed in order to authenticate using roles.
Download the Amazon EKS-vended aws-iam-authenticator binary from Amazon S3. To download the ARM version, change amd64 to arm64 before running the command.
curl -o aws-iam-authenticator https://amazon-eks.s3.us-west-2.amazonaws.com/1.17.7/2020-07-08/bin/linux/amd64/aws-iam-authenticator
Apply execute permissions to the binary.
chmod +x ./aws-iam-authenticator
Copy the binary to a folder in your $PATH. We recommend creating a $HOME/bin/aws-iam-authenticator and ensuring that $HOME/bin comes first in your $PATH.
mkdir -p $HOME/bin && cp ./aws-iam-authenticator $HOME/bin/aws-iam-authenticator && export PATH=$PATH:$HOME/bin
Add $HOME/bin to your PATH environment variable.
echo 'export PATH=$PATH:$HOME/bin' >> ~/.bashrc
Test that the aws-iam-authenticator binary works.
aws-iam-authenticator help
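The version check that the answers above come down to, as an added example (not code from any of the answers or from AWS): it parses an aws --version banner and compares it field by field against the 1.16.156 floor quoted on this page. The function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate on the AWS CLI version floor quoted on this page
# before spending time on IAM troubleshooting. Function names are hypothetical.
MIN_AWS_CLI="1.16.156"

# Extract "X.Y.Z" from a banner such as "aws-cli/1.15.58 Python/2.7.15 ...".
parse_aws_cli_version() {
  printf '%s\n' "$1" |
    sed -n 's#^aws-cli/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*#\1#p'
}

# Return 0 when dotted version $1 >= $2. Fields are compared as integers;
# a plain string comparison would rank 1.16.99 above 1.16.156.
version_ge() {
  left=$1 right=$2
  for _field in major minor patch; do
    l=${left%%.*} r=${right%%.*}
    if [ "$l" -gt "$r" ]; then return 0; fi
    if [ "$l" -lt "$r" ]; then return 1; fi
    case $left in *.*) left=${left#*.} ;; *) left=0 ;; esac
    case $right in *.*) right=${right#*.} ;; *) right=0 ;; esac
  done
  return 0
}

# Exit status: 0 = new enough, 1 = too old, 2 = banner not recognised.
check_aws_cli() {
  found=$(parse_aws_cli_version "$1")
  if [ -z "$found" ]; then
    echo "cannot parse AWS CLI version from: $1"
    return 2
  fi
  if version_ge "$found" "$MIN_AWS_CLI"; then
    echo "aws-cli $found: ok (>= $MIN_AWS_CLI)"
  else
    echo "aws-cli $found: too old, upgrade to >= $MIN_AWS_CLI"
    return 1
  fi
}

# Constructed sample banners; on a real host pass "$(aws --version 2>&1)",
# since some v1 builds print the banner on stderr.
for banner in \
  "aws-cli/1.15.58 Python/2.7.15 Linux/4.15.0 botocore/1.10.57" \
  "aws-cli/1.16.156 Python/3.6.8 Linux/4.15.0 botocore/1.12.146" \
  "aws-cli/2.0.30 Python/3.7.3 Linux/4.14.181 botocore/2.0.0dev34"
do
  check_aws_cli "$banner" || true
done
```

A passing version check only rules out the missing get-token subcommand; the identity and assume-role checks from the first answer still apply.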