diff --git a/packages/aws-cdk-lib/aws-eks/lib/cluster-resource-provider.ts b/packages/aws-cdk-lib/aws-eks/lib/cluster-resource-provider.ts
index 60865e7ddfe27..7b7e7cbcf1a7c 100644
--- a/packages/aws-cdk-lib/aws-eks/lib/cluster-resource-provider.ts
+++ b/packages/aws-cdk-lib/aws-eks/lib/cluster-resource-provider.ts
@@ -14,7 +14,7 @@ export interface ClusterResourceProviderProps {
   /**
    * The IAM role to assume in order to interact with the cluster.
    */
-  readonly adminRole: iam.IRole;
+  readonly adminRole?: iam.IRole;
 
   /**
    * The VPC to provision the functions in.
@@ -115,8 +115,10 @@ export class ClusterResourceProvider extends NestedStack {
       securityGroups: props.securityGroup ? [props.securityGroup] : undefined,
     });
 
-    props.adminRole.grant(onEvent.role!, 'sts:AssumeRole');
-    props.adminRole.grant(isComplete.role!, 'sts:AssumeRole');
+    if (props.adminRole) {
+      props.adminRole.grant(onEvent.role!, 'sts:AssumeRole');
+      props.adminRole.grant(isComplete.role!, 'sts:AssumeRole');
+    }
   }
 
   /**
diff --git a/packages/aws-cdk-lib/aws-eks/lib/cluster-resource.ts b/packages/aws-cdk-lib/aws-eks/lib/cluster-resource.ts
index c450526357daf..9e8909ae30230 100644
--- a/packages/aws-cdk-lib/aws-eks/lib/cluster-resource.ts
+++ b/packages/aws-cdk-lib/aws-eks/lib/cluster-resource.ts
@@ -57,10 +57,7 @@ export class ClusterResource extends Construct {
       throw new Error('"roleArn" is required');
     }
 
-    this.adminRole = this.createAdminRole(props);
-
     const provider = ClusterResourceProvider.getOrCreate(this, {
-      adminRole: this.adminRole,
       subnets: props.subnets,
       vpc: props.vpc,
       environment: props.environment,
@@ -68,6 +65,8 @@ export class ClusterResource extends Construct {
       securityGroup: props.clusterHandlerSecurityGroup,
     });
 
+    this.adminRole = this.createAdminRole(provider.provider.isCompleteHandler?.role!, props);
+
     const resource = new CustomResource(this, 'Resource', {
       resourceType: CLUSTER_RESOURCE_TYPE,
       serviceToken: provider.serviceToken,
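Review bot: `adminRole` becomes optional in the first hunk of cluster-resource-provider.ts, but its TSDoc still reads as if it were required and does not say what happens when it is omitted; with the guard added in the second hunk, neither handler role receives an `sts:AssumeRole` grant in that case. Add `@default - no sts:AssumeRole grant is added to the onEvent/isComplete handler roles` to the doc comment. Within this diff the only visible caller, ClusterResource, no longer passes the prop, so the handler role is presumably expected to be named directly in the cluster role's trust policy instead; saying so in the doc would keep a future caller from assuming the identity-policy grant is still required.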
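Review bot: `provider.provider.isCompleteHandler?.role!` in the second hunk of cluster-resource.ts combines optional chaining with a non-null assertion, so if the provider has no isComplete handler, or that handler has no role, the constructor silently passes `undefined` to `createAdminRole` as the trust principal instead of failing at the call site. Replace it with an explicit guard: `const handlerRole = provider.provider.isCompleteHandler?.role;` / `if (!handlerRole) { throw new Error('cluster resource provider has no isComplete handler role'); }` / `this.adminRole = this.createAdminRole(handlerRole, props);`. Only the isComplete handler's role becomes the trusted principal, whereas the provider previously granted AssumeRole to both `onEvent.role` and `isComplete.role`; if those are distinct roles and the onEvent handler also assumes the admin role, it needs to be trusted as well. Removing `adminRole` from the getOrCreate props looks necessary so the nested provider stack no longer references the parent's role while the parent now references the nested stack's handler role; a one-line comment stating that would keep the prop from being reintroduced and creating a cross-stack cycle. The constructor continues outside the hunk.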
@@ -113,13 +112,13 @@ export class ClusterResource extends Construct {
     this.attrOpenIdConnectIssuer = Token.asString(resource.getAtt('OpenIdConnectIssuer'));
   }
 
-  private createAdminRole(props: ClusterResourceProps) {
+  private createAdminRole(principal: iam.IPrincipal, props: ClusterResourceProps) {
     const stack = Stack.of(this);
 
     // the role used to create the cluster. this becomes the administrator role
     // of the cluster.
     const creationRole = new iam.Role(this, 'CreationRole', {
-      assumedBy: new iam.AccountRootPrincipal(),
+      assumedBy: principal,
     });
 
     // the CreateCluster API will allow the cluster to assume this role, so we
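Review bot: The new `principal` parameter of `createAdminRole` is undocumented, and the comment above `creationRole` still describes only the role's purpose, not the trust boundary this hunk narrows from `AccountRootPrincipal` to a single principal. Add a TSDoc line `@param principal - the only principal allowed to assume the cluster creation (admin) role, i.e. the provider's handler role` and extend the existing comment to read `// of the cluster. Only the given principal is trusted to assume it, so no other identity in the account obtains cluster-admin through this role.` Since the trust policy now names a specific role rather than the account root, a note that callers no longer need an identity-policy AssumeRole grant on that role would also help, if that matches how the provider is wired. The method continues past the end of the hunk.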