diff --git a/pkg/model/context.go b/pkg/model/context.go
index e3106d0c45..eb7e156f3d 100644
--- a/pkg/model/context.go
+++ b/pkg/model/context.go
@@ -200,7 +200,7 @@ func (b *KopsModelContext) CloudTagsForInstanceGroup(ig *kops.InstanceGroup) (ma
 func (b *KopsModelContext) CloudTagsForServiceAccount(name string, sa types.NamespacedName) map[string]string {
 	tags := b.CloudTags(name, false)
 	tags[awstasks.CloudTagServiceAccountName] = sa.Name
-	tags[awstasks.CloudTagServiceAccountNamespace] = sa.Namespace
+	tags[awstasks.CloudTagServiceAccountNamespace] = strings.ReplaceAll(sa.Namespace, "*", "wildcard")
 	return tags
 }
 
diff --git a/tests/integration/update_cluster/irsa/kubernetes.tf b/tests/integration/update_cluster/irsa/kubernetes.tf
index f3e8699dcc..70138e21db 100644
--- a/tests/integration/update_cluster/irsa/kubernetes.tf
+++ b/tests/integration/update_cluster/irsa/kubernetes.tf
@@ -433,7 +433,7 @@ resource "aws_iam_role" "myserviceaccount-test-wildcard-sa-minimal-example-com"
     "Name"                                      = "myserviceaccount.test-wildcard.sa.minimal.example.com"
     "kubernetes.io/cluster/minimal.example.com" = "owned"
     "service-account.kops.k8s.io/name"          = "myserviceaccount"
-    "service-account.kops.k8s.io/namespace"     = "test-*"
+    "service-account.kops.k8s.io/namespace"     = "test-wildcard"
   }
 }