diff --git a/CHANGELOG.md b/CHANGELOG.md
index cb09476..4749f9e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### **Changed**
 
 - pin external gh actions to hash
+- fix eks cluster admin role trust policy
 
 ### **Removed**
 
diff --git a/modules/compute/eks/stack.py b/modules/compute/eks/stack.py
index 5e9e941..f40ad63 100755
--- a/modules/compute/eks/stack.py
+++ b/modules/compute/eks/stack.py
@@ -526,6 +526,15 @@ def _create_eks_cluster(
             ],
         )
 
+        # Grant kubectl handler role explicit assume of cluster admin role
+        cluster_admin_role.assume_role_policy.add_statements(
+            iam.PolicyStatement(
+                effect=iam.Effect.ALLOW,
+                actions=["sts:AssumeRole"],
+                principals=[eks_cluster.kubectl_lambda_role.role_arn],
+            )
+        )
+
         # Whitelist traffic between Codebuild SG and EKS SG when the APIServer is private
         if eks_compute_config.get("eks_api_endpoint_private") and codebuild_sg_id:
             codebuild_sg = ec2.SecurityGroup.from_security_group_id(self, "eks-codebuild-sg", codebuild_sg_id)
@@ -628,6 +637,9 @@ def _create_cluster_admin_role(self, project_name, deployment_name, module_name,
                 conditions={
                     "ArnLike": {
                         "aws:PrincipalArn": (
+                            # NOTE: this is known to cause issues when using long deployment names
+                            # for resources with autogenerated names that may be truncated to not fit the pattern
+                            # such as kubectl handler role
                             f"arn:{self._partition}:iam::{account}:role/{project_name}-{deployment_name}-*"
                         )
                     }
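Review bot: `principals=[eks_cluster.kubectl_lambda_role.role_arn]` hands `iam.PolicyStatement` a plain ARN string where it expects `IPrincipal` objects, so the trust statement cannot be rendered; it should be `principals=[iam.ArnPrincipal(eks_cluster.kubectl_lambda_role.role_arn)]`, or simply `principals=[eks_cluster.kubectl_lambda_role]` since an `IRole` is already a principal (and that keeps the CloudFormation dependency on the handler role instead of a string). `Cluster.kubectl_lambda_role` is also only populated when the cluster was constructed with `kubectl_lambda_role=`; the constructor call is outside this hunk, so if it is not passed there the attribute is None and `.role_arn` raises at synth before any policy is added — guard or assert it. This only covers the trust side of the assume: the handler role still needs an identity-policy `sts:AssumeRole` on `cluster_admin_role.role_arn`, which holds only if CDK's kubectl provider already grants it for this particular role — worth confirming. `_create_eks_cluster` begins and ends outside the hunk.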
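Review bot: The added NOTE names the symptom but neither the mechanism nor where it is worked around, which is what the next reader of this trust condition needs; suggested wording: `# NOTE: roles whose names CloudFormation generates (stack/logical-id/suffix, capped at 64 chars) can be truncated so they no longer match this prefix (seen with long deployment names, e.g. the kubectl handler role); such roles must be added as explicit principals, as _create_eks_cluster does for the kubectl handler role.` Worth stating in the same comment, since this is a trust policy for cluster admin, that the `ArnLike` prefix deliberately trusts every role in the account named `{project_name}-{deployment_name}-*`, not just the ones this module creates — once the needed roles are listed explicitly, the wildcard is a candidate for narrowing. `_create_cluster_admin_role` begins and ends outside the hunk, so the principal this condition is attached to is not visible here.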