  1. Product Technical Learning
  2. PTL-13258

Why would an admin want to leverage the IAM ACK to create policy and role documents?

    • Red Hat OpenShift Service on AWS

      Please fill in the following information:


      URL:  
      Reporter RHNID:  
      Section Title: Provision AWS Services for Applications by Using AWS Controllers for Kubernetes

      Issue description

       

      Copied/pasted from https://docs.google.com/document/d/1eCBDwI-n3EFUJ-43ptgpT3b6MMbjhpvHtdF9RAaNv6g/edit#heading=h.o4vox72suofu

       

      Why would an admin want to leverage the IAM ACK to create policy and role documents? It’s even more tedious and requires more effort to use the role.iam.services.k8s.aws CR than to just create the role with the AWS CLI or AWS console. You’d think the CR would help simplify the creation of those.

        • Consider the manifest in step 6.3 as an example
      • [ablum] it looks like things fall apart in step 7.4 when the smoody user must know the ROLE_ARN to use to annotate the serviceaccount.  This normally wouldn’t be something the developer would have and was one of the “selling points” of using ACK with developers to begin with.

      [ec2-user@ip-10-2-0-118 ~]$ oc whoami
      smoody
      [ec2-user@ip-10-2-0-118 ~]$ oc get role.iam.services.k8s.aws -n services-ack-infra-admin
      Error from server (Forbidden): roles.iam.services.k8s.aws is forbidden: User "smoody" cannot list resource "roles" in API group "iam.services.k8s.aws" in the namespace "services-ack-infra-admin"

       

      Steps to reproduce:

       

      Workaround:

       

      Expected result:

              rht-hquatrem Herve Quatremain