
IAM - Role created by ACK IAM controller is immediately treated as a pre-existing resource not managed by ACK #2671

@jwilkicki

Description


Describe the bug
Creating an IAM Role with the ACK IAM controller creates the role but then thinks it is not managing the role.

Steps to reproduce

  1. Verify that intended IAM Role does not exist
  2. Server side apply an IAM role like this:
apiVersion: iam.services.k8s.aws/v1alpha1
kind: Role
metadata:
  name: my-cluster-s3-controller-role
  namespace: ack-system
spec:
  assumeRolePolicyDocument: |-
    {
        "Statement": [
            {
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "oidc.eks.my-region.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:aud": "sts.amazonaws.com",
                        "oidc.eks.my-region.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:sub": "system:serviceaccount:ack-system:ack-s3-controller"
                    }
                },
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::###########:oidc-provider/oidc.eks.my-region.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
                },
                "Sid": "AssumeRoleWithWebIdentity"
            }
        ],
        "Version": "2012-10-17"
    }
  description: Allow the ACK S3 Controller to manage S3 resources
  maxSessionDuration: 3600
  name: my-cluster-s3-controller-role
  path: /
  permissionsBoundary: >-
    arn:aws:iam::###########:policy/ack-iam-policies/my-cluster-AckS3Boundary
  policies:
    - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
  3. IAM Role is confirmed created in AWS Console
  4. Status of Role resource reads:
    status:
      ackResourceMetadata:
        arn: arn:aws:iam::###########:role/my-cluster-s3-controller-role
        ownerAccountID: '###########'
        region: my-region
      conditions:
        - lastTransitionTime: '2025-11-XXTXX:XX:XXZ'
          message: Resource already exists
          reason: >-
            This resource already exists but is not managed by ACK. To bring the
            resource under ACK management, you should explicitly adopt the resource
            by enabling the ResourceAdoption feature gate and populating the
            `services.k8s.aws/adoption-policy` and
            `services.k8s.aws/adoption-fields` annotations.
          status: 'True'
          type: ACK.Terminal
        - lastTransitionTime: '2025-11-XXTXX:XX:XXZ'
          message: Resource not synced
          reason: resource is in terminal condition
          status: 'False'
          type: ACK.ResourceSynced
      createDate: '2025-11-XXTXX:XX:XXZ'
      roleID: AAAAAAAAAAAAAAAAAAAAAAA
      roleLastUsed: {}

Expected outcome

Expected that ACK.ResourceSynced would be 'True'

Environment

  • Kubernetes version - 1.31
  • Using EKS (yes/no), if so version? Yes eks.43
  • AWS service targeted (S3, RDS, etc.) IAM
  • ACK IAM Controller version: 1.5.2
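A small audit script for the situation described in this issue, added here as an example (it is not code from the ACK project or from the reporter). It assumes the object shape that `kubectl get role.iam.services.k8s.aws -o json` returns, which matches the status excerpt above: it classifies a Role from its `ACK.ResourceSynced` / `ACK.Terminal` conditions, reports whether the two adoption annotations named in the terminal message are present, and parses `spec.assumeRolePolicyDocument` to list which service-account subjects the trust policy admits. The sample object is constructed from the redacted values in the issue.

```python
"""Audit an ACK IAM Role resource: classify its sync state from the ACK status
conditions and list which IRSA subjects its trust policy admits.

Added example, not part of the ACK project or of the issue it accompanies. It
assumes the object shape `kubectl get role.iam.services.k8s.aws -o json` returns.
"""
import json
import sys
from typing import Any, Optional

# Annotations the ACK.Terminal message says are needed to adopt an existing resource.
ADOPTION_ANNOTATIONS = ("services.k8s.aws/adoption-policy", "services.k8s.aws/adoption-fields")

# Constructed sample reduced to the fields read below; values mirror the issue (redacted as there).
OIDC = "oidc.eks.my-region.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
SAMPLE_ROLE: dict[str, Any] = {
    "apiVersion": "iam.services.k8s.aws/v1alpha1",
    "kind": "Role",
    "metadata": {"name": "my-cluster-s3-controller-role", "namespace": "ack-system"},
    "spec": {
        "name": "my-cluster-s3-controller-role",
        "assumeRolePolicyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "AssumeRoleWithWebIdentity",
                "Effect": "Allow",
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Principal": {"Federated": f"arn:aws:iam::###########:oidc-provider/{OIDC}"},
                "Condition": {"StringEquals": {
                    f"{OIDC}:aud": "sts.amazonaws.com",
                    f"{OIDC}:sub": "system:serviceaccount:ack-system:ack-s3-controller",
                }},
            }],
        }),
    },
    "status": {
        "ackResourceMetadata": {"arn": "arn:aws:iam::###########:role/my-cluster-s3-controller-role"},
        "conditions": [
            {"type": "ACK.Terminal", "status": "True", "message": "Resource already exists",
             "reason": "This resource already exists but is not managed by ACK. ..."},
            {"type": "ACK.ResourceSynced", "status": "False", "message": "Resource not synced",
             "reason": "resource is in terminal condition"},
        ],
    },
}


def find_condition(role: dict[str, Any], ctype: str) -> Optional[dict[str, Any]]:
    """Return the status condition of the given type, or None if absent."""
    for cond in role.get("status", {}).get("conditions", []):
        if cond.get("type") == ctype:
            return cond
    return None


def classify(role: dict[str, Any]) -> dict[str, Any]:
    """Summarise sync state as 'synced', 'terminal' (ACK stopped reconciling) or 'pending'."""
    synced = find_condition(role, "ACK.ResourceSynced")
    terminal = find_condition(role, "ACK.Terminal")
    annotations = role.get("metadata", {}).get("annotations") or {}
    if synced is not None and synced.get("status") == "True":
        state = "synced"
    elif terminal is not None and terminal.get("status") == "True":
        state = "terminal"
    else:
        state = "pending"
    terminal_msg = (terminal or {}).get("message", "")
    return {
        "name": role.get("metadata", {}).get("name"),
        "namespace": role.get("metadata", {}).get("namespace"),
        "arn": role.get("status", {}).get("ackResourceMetadata", {}).get("arn"),
        "state": state,
        # The exact failure in the issue: the role exists in AWS but ACK refuses to manage it.
        "unmanaged_existing": state == "terminal" and "already exists" in terminal_msg,
        "missing_adoption_annotations": [a for a in ADOPTION_ANNOTATIONS if a not in annotations],
    }


def trusted_subjects(role: dict[str, Any]) -> list[str]:
    """Parse spec.assumeRolePolicyDocument and list every `:sub` value an Allow
    statement accepts, so the operator can confirm only the intended service
    account is able to assume the role."""
    doc = json.loads(role["spec"]["assumeRolePolicyDocument"])
    subjects: list[str] = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for values in stmt.get("Condition", {}).values():  # StringEquals, StringLike, ...
            for key, val in values.items():
                if key.endswith(":sub"):
                    subjects.extend(val if isinstance(val, list) else [val])
    return subjects


if __name__ == "__main__":
    # Usage: python audit_role.py role.json  (file saved from `kubectl ... -o json`);
    # with no argument the constructed sample above is used.
    role = SAMPLE_ROLE if len(sys.argv) < 2 else json.load(open(sys.argv[1]))
    print(json.dumps(classify(role), indent=2))
    print("trusted subjects:", trusted_subjects(role))
```

On the status shown in the issue the script reports `state: terminal`, `unmanaged_existing: true` and both adoption annotations missing, which is the combination to look for when the controller has created a role and then disowned it; running it across every Role in `ack-system` gives a quick inventory of which resources are actually reconciled.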
