
Ability to extract namespace and/or service account name to use as variable in policy #152

Open
yarozen opened this issue May 2, 2022 · 0 comments


yarozen commented May 2, 2022

What would you like to be added:
I want to allow pods that use a specific service account to read/write to an S3 folder whose name is derived from either the namespace or the service account name.
For example, creating an IAM role with the following policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*Object"
            ],
            "Resource": "arn:aws:s3:::<BUCKET_NAME>/${oidc.eks.<REGION>.amazonaws.com/id/<CLUSTER_ID>:sub}/*"
        }
    ]
}
```

The problem here is that `${oidc.eks.<REGION>.amazonaws.com/id/<CLUSTER_ID>:sub}` is resolved to `system:serviceaccount:<NAMESPACE>:<SERVICE_ACCOUNT>`, and I want to somehow extract only the namespace or service account name and use that as the folder prefix.

If I were able to substring the sub into its different sections, that would provide me with what I need.
For example:

```
"${OIDC_PROVIDER}:sub": "system:serviceaccount:<my-namespace>:<my-service-account>"
"${OIDC_PROVIDER}:sub:namespace": "<my-namespace>"
"${OIDC_PROVIDER}:sub:serviceaccount": "<my-service-account>"
```

Why is this needed:
Provide a single role that can serve multiple service accounts (I have thousands, and I would hit the role limit quota if I created a dedicated role per service account).
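As an added example (not code from the issue or from the project), the parsing the requester is asking IAM to do, written out in Python: it splits an IRSA `sub` claim into namespace and service account, refuses anything that is not a `system:serviceaccount:` subject (so a node or user identity can never become a folder prefix), and builds the S3 object ARN for the namespace-scoped, service-account-scoped, and current full-`sub` variants. The bucket name and subject values in the test are constructed.

```python
import re

# Shape of the subject claim an EKS service-account token carries (from the issue):
#   system:serviceaccount:<NAMESPACE>:<SERVICE_ACCOUNT>
# Namespaces are DNS-1123 labels and service account names DNS-1123 subdomains,
# so the pattern is deliberately strict and rejects any other subject format.
_SUB_RE = re.compile(
    r"^system:serviceaccount:(?P<namespace>[a-z0-9]([-a-z0-9]*[a-z0-9])?)"
    r":(?P<serviceaccount>[a-z0-9]([-.a-z0-9]*[a-z0-9])?)$"
)


def parse_sub(sub: str) -> dict:
    """Split an IRSA `sub` claim into its namespace and service account parts.

    Raises ValueError for any subject that is not a Kubernetes service account,
    so a malformed or non-service-account identity never turns into a prefix.
    """
    m = _SUB_RE.match(sub)
    if not m:
        raise ValueError(f"not a Kubernetes service-account subject: {sub!r}")
    return m.groupdict()


def s3_prefix_arn(bucket: str, sub: str, scope: str = "namespace") -> str:
    """Build the S3 object ARN the issue wants the role scoped to.

    scope="namespace"      -> arn:aws:s3:::<bucket>/<namespace>/*
    scope="serviceaccount" -> arn:aws:s3:::<bucket>/<serviceaccount>/*
    scope="sub"            -> arn:aws:s3:::<bucket>/system:serviceaccount:<ns>:<sa>/*
                              (what the `${...:sub}` policy variable resolves to today)
    """
    parts = parse_sub(sub)  # validates the claim before it is used anywhere
    if scope == "sub":
        folder = sub
    elif scope in parts:
        folder = parts[scope]
    else:
        raise ValueError(f"unknown scope {scope!r}")
    return f"arn:aws:s3:::{bucket}/{folder}/*"


def policy_statement(bucket: str, sub: str, scope: str = "namespace") -> dict:
    """The Allow statement from the issue, with the Resource derived per scope."""
    return {
        "Effect": "Allow",
        "Action": ["s3:*Object"],
        "Resource": s3_prefix_arn(bucket, sub, scope),
    }
```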
