capa-iam-operator creates unique IAM roles for each CAPA cluster. It watches AWSMachineTemplate CRs and reads AWSMachineTemplate.spec.template.spec.iamInstanceProfile for the control plane, and it watches AWSMachinePool CRs and reads AWSMachinePool.spec.awsLaunchTemplate.iamInstanceProfile for node pools.
If the IAM role named in the CR already exists in the AWS API, the operator skips creation; if it is missing, the operator creates it from a template.
In addition to the IAM role for control plane nodes, capa-iam-operator will also create an IAM role for the kiam app and a Route53 role for the external-dns app.
Creation of the KIAM and Route53 roles can be disabled with the arguments --enable-kiam-role=false and --enable-route53-role=false. The Route53 role is only created if the KIAM role is enabled, because it depends on it.
For each AWSMachinePool CR, a separate IAM role is created.
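The reconciliation described above (look the role up, create it only when missing, one role per AWSMachinePool, KIAM and Route53 roles gated by the two flags with Route53 depending on KIAM), as an added example that is not the operator's own code. The IAMAPI interface, the in-memory fake, the trust policies, the account ID and the "<cluster>-kiam" / "<cluster>-route53" naming are assumptions made for the example; the real operator calls the AWS SDK and reads the cluster-api-provider-aws CRD types.

```go
package main

import "fmt"

// Constructed stand-ins for the CR fields the operator reads; the real types
// come from cluster-api-provider-aws and only the profile names matter here.
type AWSMachineTemplate struct{ IAMInstanceProfile string } // spec.template.spec.iamInstanceProfile
type AWSMachinePool struct{ IAMInstanceProfile string }     // spec.awsLaunchTemplate.iamInstanceProfile

// Config mirrors the two command-line flags described above.
type Config struct {
	EnableKIAMRole    bool // --enable-kiam-role
	EnableRoute53Role bool // --enable-route53-role
}

// IAMAPI is the subset of IAM the reconciler needs. The interface is an
// assumption of this example; the operator itself calls the AWS SDK.
type IAMAPI interface {
	RoleExists(name string) (bool, error)
	CreateRole(name, trustPolicy string) error
}

// fakeIAM is an in-memory IAM so the example runs offline.
type fakeIAM struct {
	Roles map[string]string // role name -> trust policy document
}

func (f *fakeIAM) RoleExists(name string) (bool, error) {
	_, ok := f.Roles[name]
	return ok, nil
}

func (f *fakeIAM) CreateRole(name, trustPolicy string) error {
	if _, ok := f.Roles[name]; ok {
		return fmt.Errorf("EntityAlreadyExists: %s", name) // what real IAM returns
	}
	f.Roles[name] = trustPolicy
	return nil
}

// Trust policies (constructed account ID): ec2TrustPolicy lets EC2 instances
// assume a node role; assumedByRole lets exactly one other role assume the new one.
const accountID = "123456789012"
const ec2TrustPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}`

func assumedByRole(roleName string) string {
	return fmt.Sprintf(`{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::%s:role/%s"},"Action":"sts:AssumeRole"}]}`, accountID, roleName)
}

// ensureRole is the idempotent core: look the role up, create it only when it
// is missing, and report whether a create happened.
func ensureRole(iam IAMAPI, name, trustPolicy string) (bool, error) {
	if name == "" {
		return false, fmt.Errorf("iamInstanceProfile is not set") // misconfigured CR
	}
	exists, err := iam.RoleExists(name)
	if err != nil || exists {
		return false, err
	}
	if err := iam.CreateRole(name, trustPolicy); err != nil {
		return false, err
	}
	return true, nil
}

// Reconcile handles one cluster: the control-plane role from the AWSMachineTemplate,
// one role per AWSMachinePool, then the optional KIAM and Route53 roles (the
// "<cluster>-kiam"/"<cluster>-route53" names are an assumption). Returns roles created.
func Reconcile(cfg Config, iam IAMAPI, cluster string, cp AWSMachineTemplate, pools []AWSMachinePool) ([]string, error) {
	created := []string{}
	add := func(name, policy string) error {
		did, err := ensureRole(iam, name, policy)
		if did {
			created = append(created, name)
		}
		return err
	}
	if err := add(cp.IAMInstanceProfile, ec2TrustPolicy); err != nil {
		return created, err
	}
	for _, p := range pools {
		if err := add(p.IAMInstanceProfile, ec2TrustPolicy); err != nil {
			return created, err
		}
	}
	if !cfg.EnableKIAMRole {
		return created, nil // no KIAM role, so no Route53 role either
	}
	kiamRole := cluster + "-kiam" // KIAM runs on the control plane, so that role may assume it
	if err := add(kiamRole, assumedByRole(cp.IAMInstanceProfile)); err != nil {
		return created, err
	}
	if cfg.EnableRoute53Role { // external-dns gets its credentials through KIAM
		if err := add(cluster+"-route53", assumedByRole(kiamRole)); err != nil {
			return created, err
		}
	}
	return created, nil
}
```

Running Reconcile twice against the same IAM state is the check that matters for an operator: the second pass must create nothing, and a pre-existing control-plane role must be left alone rather than failing on EntityAlreadyExists. The Route53 role's trust policy names the KIAM role, which is why it cannot be created when the KIAM role is disabled.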