How to protect the kms:CreateGrant permission while encrypting AWS EKS secrets


I have to encrypt k8s secrets in an AWS EKS cluster. To achieve this, I have created a KMS key with the following key policy, which allows the kms:CreateGrant permission to my IAM role only when the CreateGrant request comes from an AWS resource (like EKS, EC2, RDS etc.).

But it is not working; instead I am getting the error below:

User: arn:aws:sts::111122223333:assumed-role/my-iam-role/12345789768779880 is not authorized to perform: kms:CreateGrant on resource: arn:aws:kms:us-west-2:111122223333:key/my-kms-key-id because no resource-based policy allows the kms:CreateGrant action

KMS key policy:

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement":
    [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal":
            {
                "AWS":
                [
                    "arn:aws:iam::111122223333:role/my-iam-role",
                    "arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                ]
            },
            "Action":
            [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal":
            {
                "AWS":
                [
                    "arn:aws:iam::111122223333:role/my-iam-role",
                    "arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                ]
            },
            "Action":
            [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition":
            {
                "Bool":
                {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

But when I try after removing the following condition from the key policy to allow the CreateGrant permission, it works.

"Condition":
{
    "Bool":
    {
        "kms:GrantIsForAWSResource": "true"
    }
}

This way I am able to make it work, but it is not good practice as it is less secure. I have explored this on the internet and found that the condition "kms:GrantIsForAWSResource" doesn't work for EKS secrets encryption using envelope encryption (KMS key). (Ref. link - AWS doc)

So,

  • Has anyone faced this issue or a similar use case with AWS EKS?
  • How can I restrict the CreateGrant permission so that it can be called only by the EKS service?

Note - I have also used the condition kms:viaService with eks.amazonaws.com, but it also didn't work; I got the same error (mentioned above in the question).

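As an added defender-side check (written for this page, not taken from the question or from AWS), the Python auditor below parses a KMS key policy and lists every Allow statement that can grant kms:CreateGrant together with the grant-scoping condition keys it carries, so a CreateGrant allowance left unconditioned by the workaround above is surfaced before the policy ships. The embedded sample policy is a trimmed copy of the one in the question with placeholder account id and role name; GRANT_SCOPING_KEYS and audit_create_grant are names assumed by this example.

```python
import fnmatch
import json

# Documented KMS condition keys that narrow who a CreateGrant may serve;
# compared lower-cased because IAM condition key names are case-insensitive.
GRANT_SCOPING_KEYS = {"kms:grantisforawsresource", "kms:viaservice"}

# Constructed sample: trimmed copy of the key policy from the question
# (placeholder account id and role name, not a real environment).
SAMPLE_KEY_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/my-iam-role"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
     "Resource": "*"},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/my-iam-role"},
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}
  ]
}"""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    principal = stmt.get("Principal", {})
    return _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]

def audit_create_grant(policy_json):
    """Return one finding per Allow statement able to grant kms:CreateGrant
    (wildcards such as kms:* included), noting which grant-scoping
    condition keys constrain it; 'unscoped' marks an unconditioned allowance."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(fnmatch.fnmatchcase("kms:creategrant", a) for a in actions):
            continue
        # Collect every condition key regardless of operator (Bool, StringEquals, ...)
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        scoped = sorted(keys & GRANT_SCOPING_KEYS)
        findings.append({"sid": stmt.get("Sid", "<no Sid>"), "principals": _principals(stmt),
                         "scoping_conditions": scoped, "unscoped": not scoped})
    return findings

if __name__ == "__main__":
    for finding in audit_create_grant(SAMPLE_KEY_POLICY):
        print(finding)
```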