diff --git a/controllers/awsmachinetemplate_controller.go b/controllers/awsmachinetemplate_controller.go
index 56a0eb3a..6c866792 100644
--- a/controllers/awsmachinetemplate_controller.go
+++ b/controllers/awsmachinetemplate_controller.go
@@ -278,7 +278,9 @@ func (r *AWSMachineTemplateReconciler) reconcileNormal(ctx context.Context, iamS
 cloudFrontDomain := key.CloudFrontAlias(baseDomain)
- err = iamService.ReconcileRolesForIRSA(accountID, cloudFrontDomain)
+ oldCloudFrontDomain := key.GetAdditionalIrsaDomain(awsMachineTemplate)
+
+ err = iamService.ReconcileRolesForIRSA(accountID, cloudFrontDomain, oldCloudFrontDomain)
 if err != nil {
 return ctrl.Result{}, errors.WithStack(err)
 }
diff --git a/controllers/awsmanagedcontrolplane_controller.go b/controllers/awsmanagedcontrolplane_controller.go
index 4ac474d5..8e019fd9 100644
--- a/controllers/awsmanagedcontrolplane_controller.go
+++ b/controllers/awsmanagedcontrolplane_controller.go
@@ -157,7 +157,7 @@ func (r *AWSManagedControlPlaneReconciler) Reconcile(ctx context.Context, req ct
 }
 iamService.SetPrincipalRoleARN(eksRoleARN)
- err = iamService.ReconcileRolesForIRSA(accountID, eksOpenIdDomain)
+ err = iamService.ReconcileRolesForIRSA(accountID, eksOpenIdDomain, "")
 if err != nil {
 return ctrl.Result{}, microerror.Mask(err)
 }
diff --git a/pkg/iam/iam.go b/pkg/iam/iam.go
index b7caaef9..88684cc9 100644
--- a/pkg/iam/iam.go
+++ b/pkg/iam/iam.go
@@ -58,12 +58,13 @@ type IAMService struct {
 }
 type Route53RoleParams struct {
- EC2ServiceDomain string
- AccountID string
- CloudFrontDomain string
- Namespace string
- ServiceAccount string
- PrincipalRoleARN string
+ EC2ServiceDomain string
+ AccountID string
+ CloudFrontDomain string
+ AdditionalCloudFrontDomain string
+ Namespace string
+ ServiceAccount string
+ PrincipalRoleARN string
 }
 func New(config IAMServiceConfig) (*IAMService, error) {
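Review bot: The annotation value assigned to `oldCloudFrontDomain` on the new line is handed to ReconcileRolesForIRSA unvalidated and, via the template in this same change, becomes a federated principal and condition key in the Route53 roles' trust policy; anyone who can write annotations on an AWSMachineTemplate can therefore widen that trust, and a value containing `"` or `}` would corrupt the rendered policy document. IAM should reject a federated principal whose OIDC provider is not registered in the account, which limits the reach, but that is an assumption to confirm rather than a defence to rely on, so reject anything that is not a bare host name before the call. The helper, the struct field and generateRoute53RoleParams all say "additional", so `additionalCloudFrontDomain := key.GetAdditionalIrsaDomain(awsMachineTemplate)` reads consistently and does not imply the value replaces the current one. reconcileNormal starts and ends outside the hunk.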
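Review bot: The bare `""` on the changed line is a magic argument: a reader cannot tell whether EKS control planes have no additional-issuer case or whether the annotation plumbing was simply not done here, so say which, e.g. `err = iamService.ReconcileRolesForIRSA(accountID, eksOpenIdDomain, "") // no additional IRSA issuer for EKS-managed control planes`. If the AWSManagedControlPlane is meant to support the same annotation as the AWSMachineTemplate, read it here the same way instead. Reconcile starts and ends outside the hunk.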
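Review bot: `AdditionalCloudFrontDomain` is the one field of Route53RoleParams whose effect is not obvious from its name, and it is added without a comment even though it ends up as a second trusted issuer in an IAM trust policy. Suggested: `// AdditionalCloudFrontDomain, when non-empty, is rendered as a second federated OIDC principal in the role trust policy (e.g. the previous issuer kept trusted during a domain migration). It is interpolated verbatim, so the caller must validate it first.` The migration purpose is inferred from the caller's `oldCloudFrontDomain` naming; adjust the wording if the intent differs.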
@@ -156,12 +157,12 @@ func (s *IAMService) ReconcileKiamRole() error {
 return nil
 }
-func (s *IAMService) ReconcileRolesForIRSA(awsAccountID string, cloudFrontDomain string) error {
+func (s *IAMService) ReconcileRolesForIRSA(awsAccountID string, cloudFrontDomain string, oldCloudFrontDomain string) error {
 s.log.Info("reconciling IAM roles for IRSA")
 for _, roleTypeToReconcile := range getIRSARoles() {
 var params Route53RoleParams
- params, err := s.generateRoute53RoleParams(roleTypeToReconcile, awsAccountID, cloudFrontDomain)
+ params, err := s.generateRoute53RoleParams(roleTypeToReconcile, awsAccountID, cloudFrontDomain, oldCloudFrontDomain)
 if err != nil {
 s.log.Error(err, "failed to generate Route53 role parameters")
 return err
@@ -177,7 +178,7 @@ func (s *IAMService) ReconcileRolesForIRSA(awsAccountID string, cloudFrontDomain
 return nil
 }
-func (s *IAMService) generateRoute53RoleParams(roleTypeToReconcile string, awsAccountID string, cloudFrontDomain string) (Route53RoleParams, error) {
+func (s *IAMService) generateRoute53RoleParams(roleTypeToReconcile string, awsAccountID string, cloudFrontDomain string, additionalCloudFrontDomain string) (Route53RoleParams, error) {
 namespace := "kube-system"
 serviceAccount, err := getServiceAccount(roleTypeToReconcile)
 if err != nil {
@@ -193,6 +194,10 @@ func (s *IAMService) generateRoute53RoleParams(roleTypeToReconcile string, awsAc
 ServiceAccount: serviceAccount,
 }
+ if additionalCloudFrontDomain != "" {
+ params.AdditionalCloudFrontDomain = additionalCloudFrontDomain
+ }
+
 return params, nil
 }
diff --git a/pkg/iam/route53_template.go b/pkg/iam/route53_template.go
index f5c31e82..5bf6dd4b 100644
--- a/pkg/iam/route53_template.go
+++ b/pkg/iam/route53_template.go
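Review bot: The new third parameter of ReconcileRolesForIRSA is called `oldCloudFrontDomain` while generateRoute53RoleParams and the struct field call the same value "additional", and the exported method still has no doc comment stating the contract. Rename it to `additionalCloudFrontDomain` and document that an empty value is the no-op case (which is how the EKS controller calls it) and that a non-empty one keeps the second issuer trusted on every reconcile for as long as it is supplied, so an operator who forgets to remove the annotation after a migration leaves the previous issuer trusted indefinitely (assuming the roles are re-rendered from these params each pass, which this hunk does not show). Adding `"additionalDomain", oldCloudFrontDomain` to the `s.log.Info("reconciling IAM roles for IRSA")` call would make that state visible in operator logs. The method body continues past the end of the hunk.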
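Review bot: generateRoute53RoleParams is the only function on this path that already returns an error, so the added `if additionalCloudFrontDomain != ""` block is where the value should be validated before it is copied into params and interpolated into a JSON trust policy; as written the guard is redundant (assigning "" to an empty field changes nothing and the template already tests the field) and nothing rejects a value with quotes, braces or slashes. A strict host-name check turns a malformed or hostile annotation into a reconcile error instead of a broken or widened policy; use whatever error wrapper iam.go already uses in place of fmt.Errorf. The same check arguably belongs on cloudFrontDomain, though that value is derived by the controller rather than read from user input. The function's struct literal and error handling sit outside the hunk.

```go
	// … unchanged: params struct literal …

	// The domain is interpolated verbatim into a JSON trust policy, so only a
	// bare host name may pass; anything else would corrupt or extend the policy.
	if additionalCloudFrontDomain != "" && !oidcHostRE.MatchString(additionalCloudFrontDomain) {
		return Route53RoleParams{}, fmt.Errorf("invalid additional IRSA domain %q", additionalCloudFrontDomain)
	}
	params.AdditionalCloudFrontDomain = additionalCloudFrontDomain

	return params, nil
}

// oidcHostRE matches an RFC 1123 host name: dot-separated labels of letters,
// digits and inner hyphens, at most 63 characters each. Compiled once.
var oidcHostRE = regexp.MustCompile(`(?i)^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$`)
```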
@@ -14,7 +14,20 @@ const trustIdentityPolicyIRSA = `{
 "{{.CloudFrontDomain}}:sub": "system:serviceaccount:{{.Namespace}}:{{.ServiceAccount}}"
 }
 }
+ }{{if .AdditionalCloudFrontDomain}},
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": "arn:aws:iam::{{.AccountID}}:oidc-provider/{{.AdditionalCloudFrontDomain}}"
+ },
+ "Action": "sts:AssumeRoleWithWebIdentity",
+ "Condition": {
+ "StringEquals": {
+ "{{.AdditionalCloudFrontDomain}}:sub": "system:serviceaccount:{{.Namespace}}:{{.ServiceAccount}}"
+ }
+ }
 }
+ {{end}}
 ]
 }
 `
diff --git a/pkg/key/key.go b/pkg/key/key.go
index 2b94d939..7895b163 100644
--- a/pkg/key/key.go
+++ b/pkg/key/key.go
@@ -158,3 +158,16 @@ func GetAWSAccountID(awsClusterRoleIdentity *capa.AWSClusterRoleIdentity) (strin
 return a.AccountID, nil
 }
+
+func GetAdditionalIrsaDomain(o v1.Object) string {
+ return GetAnnotation(o, "aws.giantswarm.io/irsa-additional-domain")
+}
+
+// GetAnnotation returns the value of the specified annotation.
+func GetAnnotation(o v1.Object, annotation string) string {
+ annotations := o.GetAnnotations()
+ if annotations == nil {
+ return ""
+ }
+ return annotations[annotation]
+}
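Review bot: The added statement splices `{{.AdditionalCloudFrontDomain}}` into a JSON string literal twice with no escaping, exactly as the existing statement does with `{{.CloudFrontDomain}}`; that was tolerable while the value was derived from the base domain, but the caller in this change reads it from a user-settable annotation, so the template (presumably rendered with text/template) now relies on input validation that appears nowhere in the diff. Either validate at the source or, more robustly, build the policy from Go structs and marshal it with encoding/json so a stray quote cannot reshape the document. The `}{{if .AdditionalCloudFrontDomain}},` line is correct but subtle: it closes the first statement and emits the separating comma only when the second statement follows, and the reused context `}` sits inside the conditional. A comment on the constant would spare the next reader that trace, e.g. `// AdditionalCloudFrontDomain, when set, appends a second statement trusting that issuer; the "}{{if}}," line supplies the comma only in that case.`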
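Review bot: GetAdditionalIrsaDomain is exported without a doc comment and is the only place that knows the annotation key, while its sibling GetAnnotation is documented; add `// GetAdditionalIrsaDomain returns the raw value of the aws.giantswarm.io/irsa-additional-domain annotation, or "" when unset. Callers must validate it before using it in a trust policy.` and hoist the key into a named constant beside the file's other annotation keys if it has any. In GetAnnotation the nil check is dead code, since indexing a nil map yields the zero value, so `return o.GetAnnotations()[annotation]` is the whole body. Both functions are complete within the hunk.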