
AWSFargateProfile reconciliation fails when trying to ensure policies are attached using Cloudformation IAM Role #5254

Open
adammw opened this issue Dec 17, 2024 · 1 comment · May be fixed by #5265 or #5266
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments


adammw commented Dec 17, 2024

/kind bug

What steps did you take and what happened:
Unsure of exactly how the policies became detached from the IAM roles in the first place, but once they did, the controller was unable to attach them again, failing with the reconciler permissions error:

error ensuring policies are attached: [arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy]:
        error getting policy arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy:
        AccessDenied: User: arn:aws:sts::12345:assumed-role/compute-controllers.cluster-api-provider-aws.sigs.k8s.io/12345
        is not authorized to perform: iam:GetPolicy on resource: policy arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy
        because no identity-based policy allows the iam:GetPolicy action

The controller role only has permission to iam:GetPolicy on arn:aws:iam::aws:policy/AmazonEKSClusterPolicy, and does not have iam:AttachRolePolicy permissions.

What did you expect to happen:
The controller could reattach the policies without failure.

Anything else you would like to add:

Environment:

  • Cluster-api-provider-aws version:
  • Kubernetes version: (use kubectl version): v1.30.6-eks-7f9249a
  • OS (e.g. from /etc/os-release):
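To make the permission gap in this report concrete, here is an added example (not code from cluster-api-provider-aws or from the reporter) that statically checks an IAM policy document against the two calls the error message implies: iam:GetPolicy on AmazonEKSFargatePodExecutionRolePolicy, followed by iam:AttachRolePolicy on the pod execution role. The account id, role name and both policy documents are constructed placeholders; the "current" policy mirrors the report (GetPolicy only on AmazonEKSClusterPolicy, no AttachRolePolicy), and the "proposed" one adds the missing grants with AttachRolePolicy restricted by the iam:PolicyARN condition key so the controller can attach only that one managed policy. The evaluator models only Allow/Deny, wildcard matching and StringEquals conditions; real IAM evaluation (SCPs, permission boundaries, other operators) is richer.

```python
"""Static check of an IAM policy document against the calls a controller
makes when ensuring a managed policy is attached to a Fargate pod execution role.

Added example, not code from cluster-api-provider-aws. Policies, account id
and role name below are constructed placeholders.
"""
import fnmatch

ACCOUNT = "123456789012"  # placeholder account id
FARGATE_POLICY = "arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
CLUSTER_POLICY = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
# placeholder role name; CAPA derives the real one from the cluster
FARGATE_ROLE = f"arn:aws:iam::{ACCOUNT}:role/example-fargate-pod-execution-role"

# The two calls implied by the error in the report: GetPolicy to verify the
# managed policy exists, then AttachRolePolicy to (re)attach it to the role.
REQUIRED_CALLS = [
    ("iam:GetPolicy", FARGATE_POLICY, {}),
    ("iam:AttachRolePolicy", FARGATE_ROLE, {"iam:PolicyARN": FARGATE_POLICY}),
]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _conditions_hold(statement, context):
    """Only StringEquals is modelled; any other operator is treated as unmet."""
    for operator, kv in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            return False
        for key, allowed in kv.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Explicit Deny wins; otherwise at least one matching Allow is required.

    Action names are case-insensitive in IAM, ARNs are compared case-sensitively.
    """
    context = context or {}
    allowed = False
    for st in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st.get("Resource", []))):
            continue
        if not _conditions_hold(st, context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy):
    """Return the (action, resource) pairs from REQUIRED_CALLS the policy does not allow."""
    return [(a, r) for a, r, ctx in REQUIRED_CALLS if not is_allowed(policy, a, r, ctx)]


# Constructed to mirror the report: GetPolicy only on AmazonEKSClusterPolicy.
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:GetPolicy", "Resource": CLUSTER_POLICY},
    ],
}

# Least-privilege addition: GetPolicy on the Fargate policy, and AttachRolePolicy
# limited to the pod execution role and, via iam:PolicyARN, to that one policy.
PROPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": CURRENT_POLICY["Statement"] + [
        {"Effect": "Allow", "Action": "iam:GetPolicy", "Resource": FARGATE_POLICY},
        {
            "Effect": "Allow",
            "Action": "iam:AttachRolePolicy",
            "Resource": FARGATE_ROLE,
            "Condition": {"StringEquals": {"iam:PolicyARN": FARGATE_POLICY}},
        },
    ],
}

if __name__ == "__main__":
    for name, pol in (("current", CURRENT_POLICY), ("proposed", PROPOSED_POLICY)):
        print(f"{name}: missing {missing_permissions(pol)}")
```

Run as a script it reports both required calls missing for the current policy and none for the proposed one; the iam:PolicyARN condition is what keeps the AttachRolePolicy grant from letting the controller attach an arbitrary managed policy (for example an administrative one) to the role.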
@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Dec 17, 2024
k8s-ci-robot (Contributor)

This issue is currently awaiting triage.

If CAPA/CAPI contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
