IAM Roles for Service Accounts with AWS S3 OIDC - RKE2

I’m working through implementing IAM Roles for Service Accounts on an RKE2 deployment, which requires updates to some of the arguments in the kube-apiserver.yaml file.

These arguments are as follows:

  - command:
    - kube-apiserver
    - --service-account-issuer=<OIDC provider URL>
    - --service-account-key-file=/var/lib/rancher/rke2/server/irsa/sa-signer-pkcs8.pub
    - --service-account-key-file=/var/lib/rancher/rke2/server/tls/service.key
    - --service-account-signing-key-file=/var/lib/rancher/rke2/server/irsa/sa-signer.key

What I am not sure of is whether I need to keep the default service-account-key-file that comes with RKE2 deployments, or if I can just replace it outright with the key I generate for the OIDC S3 bucket without breaking anything within RKE2.

Currently I use the RKE2 cloud enabled deployment here: https://github.com/rancherfederal/rke2-aws-tf/tree/master/examples/cloud-enabled and modify the kube-apiserver.yaml file with the following arguments.

  - "service-account-issuer=<OIDC provider URL>"
  - "api-audiences=https://kubernetes.default.svc.cluster.local,rke2,sts.amazon.com"
  - "service-account-key-file=/var/lib/rancher/rke2/server/irsa/sa-signer-pkcs8.pub"
#  - "service-account-key-file=/var/lib/rancher/rke2/server/tls/service.key"
  - "service-account-signing-key-file=/var/lib/rancher/rke2/server/irsa/sa-signer.key"

As you can see, I have the default service-account-key-file commented out because the method for injecting those values into the kube-apiserver.yaml doesn’t seem to support specifying multiple service-account-key-files without one of them overwriting the other. (https://docs.rke2.io/install/install_options/server_config/)

In short, does the default service-account-key-file matter in the grand scheme of things if I replace it with my own?
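The following is an added example, not part of the original post or of RKE2, that simulates what the API server does with the flags above: every file passed as --service-account-key-file is a public key the server will accept when verifying a service account token, while --service-account-signing-key-file is the one private key it signs new tokens with. The script uses openssl to stand in for both keys (a "service" pair for the default tls/service.key and an "sa-signer" pair for the new irsa/sa-signer.key, generated fresh in a temp directory), issues an RS256 token under each, and checks which configured key sets can verify which token. The issuer URL, audience and kid values are constructed placeholders.

```shell
#!/bin/sh
# Added example: simulate kube-apiserver's "any listed verification key" behaviour.
# Not RKE2 code; keys are throwaway ones generated into $WORKDIR.
set -e
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# base64url encode/decode helpers (JWT uses the URL alphabet without padding)
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }
b64url_dec() {
  s=$(tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done   # restore padding
  printf '%s' "$s" | openssl base64 -d -A
}

make_keypair() {
  # $1 = basename; writes an unencrypted PKCS#8 private key and its public key
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORKDIR/$1.key" 2>/dev/null
  openssl pkey -in "$WORKDIR/$1.key" -pubout -out "$WORKDIR/$1.pub"
}

sign_token() {
  # $1 = signing private key (the --service-account-signing-key-file role)
  # $2 = issuer, $3 = audience, $4 = kid; prints a compact RS256 JWT
  header=$(printf '{"alg":"RS256","kid":"%s","typ":"JWT"}' "$4" | b64url)
  payload=$(printf '{"iss":"%s","aud":["%s"],"sub":"system:serviceaccount:default:demo"}' \
    "$2" "$3" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$1" | b64url)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

verify_token() {
  # $1 = token, $2 = one public key file; exit 0 only if the signature checks out
  signing_input=${1%.*}
  printf '%s' "${1##*.}" | b64url_dec > "$WORKDIR/sig.bin"
  printf '%s' "$signing_input" | openssl dgst -sha256 -verify "$2" \
    -signature "$WORKDIR/sig.bin" >/dev/null 2>&1
}

verify_against_keyset() {
  # $1 = token; remaining args = public keys, like repeated --service-account-key-file flags.
  # Succeeds if ANY configured key verifies the token, which is the API server's rule.
  tok=$1; shift
  for pub in "$@"; do
    if verify_token "$tok" "$pub"; then echo "verified with $pub"; return 0; fi
  done
  echo "no configured key verifies this token"; return 1
}

demo() {
  make_keypair service      # stands in for the default tls/service.key
  make_keypair sa-signer    # stands in for the new irsa/sa-signer.key
  iss=https://oidc-bucket.example.invalid   # placeholder issuer URL
  old=$(sign_token "$WORKDIR/service.key"   "$iss" sts.amazonaws.com old-kid)
  new=$(sign_token "$WORKDIR/sa-signer.key" "$iss" sts.amazonaws.com new-kid)

  echo "--- new token, only sa-signer.pub configured"
  verify_against_keyset "$new" "$WORKDIR/sa-signer.pub"
  echo "--- token issued under the old key, only sa-signer.pub configured"
  verify_against_keyset "$old" "$WORKDIR/sa-signer.pub" || true
  echo "--- same old token, both public keys configured"
  verify_against_keyset "$old" "$WORKDIR/sa-signer.pub" "$WORKDIR/service.pub"
}

demo
```

The middle case is the one to watch when swapping the key file: any token that was issued under the previous signing key and is still held by a pod keeps working only while that key's public half remains in the verification set.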