Trust
AWS does not trust Kubernetes service-account tokens directly. It trusts:
Issuer
The API server issuer must exactly match the public bridge URL because AWS
Caching
The bridge caches JWKS data because the cluster signing keys can rotate and AWS
Background on trust, issuer matching, and cache behavior.