IAM Role should be able to use a mix of customer managed and AWS managed polices

[starlightromero]

Describe the bug
Currently a Role resource, can only use either policies or PolicyRefs. PolicyRefs would come from customer managed policies that are also created in the cluster while policies would be AWS managed policies. When trying to use both, the following error is thrown:

status:
  conditions:
  - lastTransitionTime: "2025-04-09T21:58:24Z"
    message: Reference resolution failed
    reason: 'both resource reference wrapper and ID cannot be used together: Policies,PolicyRefs'
    status: Unknown
    type: ACK.ReferencesResolved

Steps to reproduce

apiVersion: iam.services.k8s.aws/v1alpha1
kind: Role
metadata:
  name: karpenter-node
  namespace: karpenter-system
spec:
  assumeRolePolicyDocument: |
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EKSNodeAssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": "ec2.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
  name: karpenter-node
  policies:
  - AmazonEC2ContainerRegistryReadOnly
  - AmazonEKS_CNI_Policy
  - AmazonEKSWorkerNodePolicy
  policyRefs:
  - from:
      name: karpenter-node
      namespace: karpenter-system

Expected outcome
I would expect, similar to in the AWS console, a IAM Role can use both customer managed and AWS managed policies.

Environment

• Kubernetes version
  • 1.31
• Using EKS (yes/no), if so version?
  • v1.31.6-eks-bc803b4
• AWS service targeted (S3, RDS, etc.)
  • IAM

[github-actions]

Hello @starlightromero 👋 Thank you for opening an issue in ACK! A maintainer will triage this issue soon.

We encourage community contributions, so if you're interested in tackling this yourself or suggesting a solution, please check out our Contribution and Code of Conduct guidelines.

You can find more information about ACK on our website.

[michaelhtm]

Hi @starlightromero
In ACK, the references such as policyRefs resolve to policies in the controller before building the sdk input and calling the apis.
One way you can override avoid the error would be to adopt the managed policies as read-only, and reference them from role.
More info here: https://aws-controllers-k8s.github.io/community/docs/user-docs/features/#readonlyresources

If you already know the arn of the custom policy, you can always use that in policies

[michaelhtm]

@starlightromero is this issue resolved for you?

[starlightromero]

Yes, I can use the ARN directly in policies so I am not blocked. But being able to use both policies and policyRefs would be ideal since using policyRefs creates a resource relationship between the Policy and Role Kubernetes resources that the ACK controller knows about and can manage.

[michaelhtm]

Currently in ACK, references (policyRefs) are resolved into ARNs and stored in Spec.Policies. This makes it easier to compare them with the ARNs in AWS, and make an update.
https://github.com/aws-controllers-k8s/iam-controller/blob/52217f7d94523811dd2a698089381ef7187cd54f/pkg/resource/role/references.go#L203-L207

Before patching the final form into the cluster, we then remove the resolved references, in this case the policyArns in Spec.Policies to ensure we don't change your defined Spec.
https://github.com/aws-controllers-k8s/iam-controller/blob/52217f7d94523811dd2a698089381ef7187cd54f/pkg/resource/role/references.go#L37-L49

When we clear the resolved references, we don't know which ones are coming from references, and which ones are defined by the user.

Maybe we can add a new field where you can define managed Policies tho..Would that be a better solution?

If not, you can always use adopt and read-only features, to import the ManagedPolicies in your cluster and use PolicyRefs

[starlightromero]

I think the managed policies field would work but perhaps that's not the most ideal for the project. You bring up a good point with adopt and read-only. Perhaps this is a better pattern for Managed Policies. I'm open to other opinions and feedback

[ack-bot]

Issues go stale after 180d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 60d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/aws-controllers-k8s/community.
/lifecycle stale