From 2d5791a27cb25d654f79af7578ce5a3be0aaf218 Mon Sep 17 00:00:00 2001
From: Tanvir Tatla <tatlat@amazon.com>
Date: Fri, 6 Dec 2024 19:34:50 -0800
Subject: [PATCH] refactor aws iam in cli workflow (#9050)

---
 Makefile                                      |  4 +-
 cmd/eksctl-anywhere/cmd/createcluster.go      |  6 +-
 cmd/eksctl-anywhere/cmd/upgradecluster.go     |  5 +-
 pkg/awsiamauth/installer.go                   | 10 +-
 pkg/awsiamauth/installer_test.go              |  6 +-
 pkg/clustermanager/cluster_manager.go         | 22 +----
 pkg/clustermanager/cluster_manager_test.go    |  4 +-
 pkg/clustermanager/cluster_manager_wb_test.go |  2 +-
 .../mocks/client_and_networking.go            | 95 +------------------
 pkg/dependencies/factory.go                   |  3 +-
 pkg/task/task.go                              |  1 +
 pkg/workflows/interfaces/interfaces.go        |  8 +-
 pkg/workflows/interfaces/mocks/clients.go     | 81 ++++++++++------
 pkg/workflows/management/create.go            |  8 +-
 pkg/workflows/management/create_test.go       |  6 +-
 pkg/workflows/management/upgrade.go           |  8 +-
 pkg/workflows/management/upgrade_test.go      |  4 +
 .../management/write_cluster_config.go        |  2 +-
 pkg/workflows/workload/create.go              |  8 +-
 pkg/workflows/workload/create_test.go         |  6 +-
 pkg/workflows/workload/upgrade.go             |  8 +-
 pkg/workflows/workload/upgrade_test.go        |  6 +-
 pkg/workflows/workload/writeclusterconfig.go  |  2 +-
 test/e2e/awsiamauth.go                        | 15 +++
 test/e2e/vsphere_test.go                      | 29 ++++++
 25 files changed, 172 insertions(+), 177 deletions(-)

diff --git a/Makefile b/Makefile
index 664ef97ec992..c02f1c3311bb 100644
--- a/Makefile
+++ b/Makefile
@@ -560,14 +560,14 @@ mocks: ## Generate mocks
 	${MOCKGEN} -destination=pkg/providers/vsphere/setupuser/mocks/client.go -package=mocks "github.com/aws/eks-anywhere/pkg/providers/vsphere/setupuser" GovcClient
 	${MOCKGEN} -destination=pkg/govmomi/mocks/client.go -package=mocks "github.com/aws/eks-anywhere/pkg/govmomi" VSphereClient,VMOMIAuthorizationManager,VMOMIFinder,VMOMISessionBuilder,VMOMIFinderBuilder,VMOMIAuthorizationManagerBuilder
 	${MOCKGEN} -destination=pkg/filewriter/mocks/filewriter.go -package=mocks "github.com/aws/eks-anywhere/pkg/filewriter" FileWriter
-	${MOCKGEN} -destination=pkg/clustermanager/mocks/client_and_networking.go -package=mocks "github.com/aws/eks-anywhere/pkg/clustermanager" ClusterClient,AwsIamAuth,EKSAComponents,KubernetesClient,ClientFactory,ClusterApplier,CAPIClient
+	${MOCKGEN} -destination=pkg/clustermanager/mocks/client_and_networking.go -package=mocks "github.com/aws/eks-anywhere/pkg/clustermanager" ClusterClient,EKSAComponents,KubernetesClient,ClientFactory,ClusterApplier,CAPIClient
 	${MOCKGEN} -destination=pkg/gitops/flux/mocks/client.go -package=mocks "github.com/aws/eks-anywhere/pkg/gitops/flux" FluxClient,KubeClient,GitOpsFluxClient,GitClient,Templater
 	${MOCKGEN} -destination=pkg/task/mocks/task.go -package=mocks "github.com/aws/eks-anywhere/pkg/task" Task
 	${MOCKGEN} -destination=pkg/bootstrapper/mocks/client.go -package=mocks "github.com/aws/eks-anywhere/pkg/bootstrapper" KindClient,KubernetesClient
 	${MOCKGEN} -destination=pkg/bootstrapper/mocks/bootstrapper.go -package=mocks "github.com/aws/eks-anywhere/pkg/bootstrapper" ClusterClient
 	${MOCKGEN} -destination=pkg/git/providers/github/mocks/github.go -package=mocks "github.com/aws/eks-anywhere/pkg/git/providers/github" GithubClient
 	${MOCKGEN} -destination=pkg/git/mocks/git.go -package=mocks "github.com/aws/eks-anywhere/pkg/git" Client,ProviderClient
-	${MOCKGEN} -destination=pkg/workflows/interfaces/mocks/clients.go -package=mocks "github.com/aws/eks-anywhere/pkg/workflows/interfaces" Bootstrapper,ClusterManager,GitOpsManager,Validator,CAPIManager,EksdInstaller,EksdUpgrader,PackageManager,ClusterUpgrader,ClusterCreator,ClientFactory,EksaInstaller,ClusterDeleter,ClusterMover
+	${MOCKGEN} -destination=pkg/workflows/interfaces/mocks/clients.go -package=mocks "github.com/aws/eks-anywhere/pkg/workflows/interfaces" Bootstrapper,ClusterManager,GitOpsManager,Validator,CAPIManager,EksdInstaller,EksdUpgrader,PackageManager,ClusterUpgrader,ClusterCreator,ClientFactory,EksaInstaller,ClusterDeleter,ClusterMover,AwsIamAuth
 	${MOCKGEN} -destination=pkg/git/gogithub/mocks/client.go -package=mocks "github.com/aws/eks-anywhere/pkg/git/gogithub" Client
 	${MOCKGEN} -destination=pkg/git/gitclient/mocks/client.go -package=mocks "github.com/aws/eks-anywhere/pkg/git/gitclient" GoGit
 	${MOCKGEN} -destination=pkg/validations/mocks/docker.go -package=mocks "github.com/aws/eks-anywhere/pkg/validations" DockerExecutable
diff --git a/cmd/eksctl-anywhere/cmd/createcluster.go b/cmd/eksctl-anywhere/cmd/createcluster.go
index ca21409a2f21..77d762fe9a73 100644
--- a/cmd/eksctl-anywhere/cmd/createcluster.go
+++ b/cmd/eksctl-anywhere/cmd/createcluster.go
@@ -191,7 +191,8 @@ func (cc *createClusterOptions) createCluster(cmd *cobra.Command, _ []string) er
 		WithClusterApplier().
 		WithKubeconfigWriter(clusterSpec.Cluster).
 		WithClusterCreator(clusterSpec.Cluster).
-		WithClusterMover()
+		WithClusterMover().
+		WithAwsIamAuth(clusterSpec.Cluster)
 
 	if cc.timeoutOptions.noTimeouts {
 		factory.WithNoTimeouts()
@@ -258,12 +259,12 @@ func (cc *createClusterOptions) createCluster(cmd *cobra.Command, _ []string) er
 			deps.PackageManager,
 			deps.ClusterCreator,
 			deps.UnAuthKubectlClient,
+			deps.AwsIamAuth,
 		)
 		err = createWorkloadCluster.Run(ctx, clusterSpec, createValidations)
 
 	} else if clusterSpec.Cluster.IsSelfManaged() {
 		logger.V(1).Info("Using the eksa controller to create the management cluster")
-
 		createMgmtCluster := management.NewCreate(
 			deps.Bootstrapper,
 			deps.UnAuthKubeClient,
@@ -276,6 +277,7 @@ func (cc *createClusterOptions) createCluster(cmd *cobra.Command, _ []string) er
 			deps.ClusterCreator,
 			deps.EksaInstaller,
 			deps.ClusterMover,
+			deps.AwsIamAuth,
 		)
 
 		err = createMgmtCluster.Run(ctx, clusterSpec, createValidations)
diff --git a/cmd/eksctl-anywhere/cmd/upgradecluster.go b/cmd/eksctl-anywhere/cmd/upgradecluster.go
index 27866be23897..90a2a4ac19a4 100644
--- a/cmd/eksctl-anywhere/cmd/upgradecluster.go
+++ b/cmd/eksctl-anywhere/cmd/upgradecluster.go
@@ -160,7 +160,8 @@ func (uc *upgradeClusterOptions) upgradeCluster(cmd *cobra.Command, args []strin
 		WithKubectl().
 		WithValidatorClients().
 		WithPackageManagerWithoutWait(clusterSpec, "", uc.managementKubeconfig).
-		WithUpgradeClusterDefaulter(upgradeCLIConfig)
+		WithUpgradeClusterDefaulter(upgradeCLIConfig).
+		WithAwsIamAuth(clusterSpec.Cluster)
 
 	if uc.timeoutOptions.noTimeouts {
 		factory.WithNoTimeouts()
@@ -214,6 +215,7 @@ func (uc *upgradeClusterOptions) upgradeCluster(cmd *cobra.Command, args []strin
 			deps.EksdInstaller,
 			deps.ClusterApplier,
 			deps.PackageManager,
+			deps.AwsIamAuth,
 		)
 
 		err = upgrade.Run(ctx, clusterSpec, managementCluster, upgradeValidations)
@@ -228,6 +230,7 @@ func (uc *upgradeClusterOptions) upgradeCluster(cmd *cobra.Command, args []strin
 			deps.ClusterApplier,
 			deps.EksdInstaller,
 			deps.PackageManager,
+			deps.AwsIamAuth,
 		)
 		err = upgradeWorkloadCluster.Run(ctx, workloadCluster, clusterSpec, upgradeValidations)
 	}
diff --git a/pkg/awsiamauth/installer.go b/pkg/awsiamauth/installer.go
index 1b7e57aa01e7..005f4ec0cce5 100644
--- a/pkg/awsiamauth/installer.go
+++ b/pkg/awsiamauth/installer.go
@@ -81,7 +81,7 @@ func (i *Installer) InstallAWSIAMAuth(
 		return fmt.Errorf("applying aws-iam-authenticator manifest: %v", err)
 	}
 
-	if err = i.GenerateKubeconfig(ctx, management, workload, spec); err != nil {
+	if err = i.GenerateWorkloadKubeconfig(ctx, management, workload, spec); err != nil {
 		return err
 	}
 	return nil
@@ -118,8 +118,8 @@ func (i *Installer) generateInstallerKubeconfig(clusterSpec *cluster.Spec, serve
 	return i.templateBuilder.GenerateKubeconfig(clusterSpec, i.clusterID, serverURL, tlsCert)
 }
 
-// GenerateKubeconfig generates the AWS IAM auth kubeconfig.
-func (i *Installer) GenerateKubeconfig(
+// GenerateWorkloadKubeconfig generates the AWS IAM auth kubeconfig.
+func (i *Installer) GenerateWorkloadKubeconfig(
 	ctx context.Context,
 	management, workload *types.Cluster,
 	spec *cluster.Spec,
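Review bot: The doc comment on the renamed method at L140 is now word-for-word the same as the one on GenerateManagementKubeconfig in the next hunk (L151), so neither comment tells a reader which cluster's kubeconfig is produced. Suggest `// GenerateWorkloadKubeconfig generates the AWS IAM auth kubeconfig for the workload cluster.` here and `// GenerateManagementKubeconfig generates the AWS IAM auth kubeconfig for the management cluster.` on the second hunk; the `management, workload` and single `cluster` parameters already imply that split. The parameter list and body of GenerateWorkloadKubeconfig continue past the end of this hunk.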
@@ -160,8 +160,8 @@ func (i *Installer) GenerateKubeconfig(
 	return nil
 }
 
-// GenerateManagementAWSIAMKubeconfig generates the AWS IAM auth kubeconfig.
-func (i *Installer) GenerateManagementAWSIAMKubeconfig(
+// GenerateManagementKubeconfig generates the AWS IAM auth kubeconfig.
+func (i *Installer) GenerateManagementKubeconfig(
 	ctx context.Context,
 	cluster *types.Cluster,
 ) error {
diff --git a/pkg/awsiamauth/installer_test.go b/pkg/awsiamauth/installer_test.go
index be044dd7b7b4..26ebdd8a7aaf 100644
--- a/pkg/awsiamauth/installer_test.go
+++ b/pkg/awsiamauth/installer_test.go
@@ -355,7 +355,7 @@ func TestGenerateManagementAWSIAMKubeconfig(t *testing.T) {
 	installer := awsiamauth.NewInstaller(certs, clusterID, k8s, writer, kwriter)
 	kwriter.EXPECT().WriteKubeconfigContent(ctx, cluster.Name, secretValue, fileWriter)
 
-	err := installer.GenerateManagementAWSIAMKubeconfig(context.Background(), cluster)
+	err := installer.GenerateManagementKubeconfig(context.Background(), cluster)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -381,7 +381,7 @@ func TestGenerateManagementAWSIAMKubeconfigError(t *testing.T) {
 	kwriter := kubeconfigmocks.NewMockWriter(ctrl)
 	installer := awsiamauth.NewInstaller(certs, clusterID, k8s, writer, kwriter)
 
-	err := installer.GenerateManagementAWSIAMKubeconfig(context.Background(), cluster)
+	err := installer.GenerateManagementKubeconfig(context.Background(), cluster)
 	if err == nil {
 		t.Fatal(err)
 	}
@@ -410,7 +410,7 @@ func TestGenerateAWSIAMKubeconfigError(t *testing.T) {
 	installer := awsiamauth.NewInstaller(certs, clusterID, k8s, writer, kwriter)
 	kwriter.EXPECT().WriteKubeconfigContent(ctx, cluster.Name, secretValue, fileWriter).Return(errors.New("test"))
 
-	err := installer.GenerateManagementAWSIAMKubeconfig(context.Background(), cluster)
+	err := installer.GenerateManagementKubeconfig(context.Background(), cluster)
 	if err == nil {
 		t.Fatal(err)
 	}
diff --git a/pkg/clustermanager/cluster_manager.go b/pkg/clustermanager/cluster_manager.go
index 1d7ba538c181..4c1c2bedcff8 100644
--- a/pkg/clustermanager/cluster_manager.go
+++ b/pkg/clustermanager/cluster_manager.go
@@ -71,7 +71,6 @@ type ClusterManager struct {
 	retrier            *retrier.Retrier
 	writer             filewriter.FileWriter
 	diagnosticsFactory diagnostics.DiagnosticBundleFactory
-	awsIamAuth         AwsIamAuth
 
 	machineMaxWait                   time.Duration
 	machineBackoff                   time.Duration
@@ -100,14 +99,6 @@ type CAPIClient interface {
 	GetWorkloadKubeconfig(ctx context.Context, clusterName string, cluster *types.Cluster) ([]byte, error)
 }
 
-type AwsIamAuth interface {
-	CreateAndInstallAWSIAMAuthCASecret(ctx context.Context, managementCluster *types.Cluster, workloadClusterName string) error
-	InstallAWSIAMAuth(ctx context.Context, management, workload *types.Cluster, spec *cluster.Spec) error
-	UpgradeAWSIAMAuth(ctx context.Context, cluster *types.Cluster, spec *cluster.Spec) error
-	GenerateKubeconfig(ctx context.Context, management, workload *types.Cluster, spec *cluster.Spec) error
-	GenerateManagementAWSIAMKubeconfig(ctx context.Context, cluster *types.Cluster) error
-}
-
 // EKSAComponents allows to manage the eks-a components installation in a cluster.
 type EKSAComponents interface {
 	Install(ctx context.Context, log logr.Logger, cluster *types.Cluster, managementComponents *cluster.ManagementComponents, spec *cluster.Spec) error
@@ -122,7 +113,7 @@ func DefaultRetrier() *retrier.Retrier {
 }
 
 // New constructs a new ClusterManager.
-func New(client ClientFactory, clusterClient ClusterClient, writer filewriter.FileWriter, diagnosticBundleFactory diagnostics.DiagnosticBundleFactory, awsIamAuth AwsIamAuth, eksaComponents EKSAComponents, opts ...ClusterManagerOpt) *ClusterManager {
+func New(client ClientFactory, clusterClient ClusterClient, writer filewriter.FileWriter, diagnosticBundleFactory diagnostics.DiagnosticBundleFactory, eksaComponents EKSAComponents, opts ...ClusterManagerOpt) *ClusterManager {
 	c := &ClusterManager{
 		eksaComponents:                   eksaComponents,
 		ClientFactory:                    client,
@@ -133,7 +124,6 @@ func New(client ClientFactory, clusterClient ClusterClient, writer filewriter.Fi
 		machineMaxWait:                   DefaultMaxWaitPerMachine,
 		machineBackoff:                   machineBackoff,
 		machinesMinWait:                  defaultMachinesMinWait,
-		awsIamAuth:                       awsIamAuth,
 		controlPlaneWaitTimeout:          DefaultControlPlaneWait,
 		controlPlaneWaitAfterMoveTimeout: DefaultControlPlaneWaitAfterMove,
 		externalEtcdWaitTimeout:          DefaultEtcdWait,
@@ -395,11 +385,6 @@ func (c *ClusterManager) waitForDeployments(ctx context.Context, deploymentsByNa
 	return nil
 }
 
-// GenerateWorkloadAWSIAMKubeconfig generates a kubeconfig for interacting with the cluster with aws-iam-authenticator client.
-func (c *ClusterManager) GenerateWorkloadAWSIAMKubeconfig(ctx context.Context, management, workload *types.Cluster, spec *cluster.Spec) error {
-	return c.awsIamAuth.GenerateKubeconfig(ctx, management, workload, spec)
-}
-
 func (c *ClusterManager) SaveLogsManagementCluster(ctx context.Context, spec *cluster.Spec, cluster *types.Cluster) error {
 	if cluster == nil {
 		return nil
@@ -835,11 +820,6 @@ func (c *ClusterManager) pauseReconcileForCluster(ctx context.Context, clusterCr
 	return nil
 }
 
-// GenerateManagementAWSIAMKubeconfig generates a kubeconfig for interacting with the cluster with aws-iam-authenticator client.
-func (c *ClusterManager) GenerateManagementAWSIAMKubeconfig(ctx context.Context, cluster *types.Cluster) error {
-	return c.awsIamAuth.GenerateManagementAWSIAMKubeconfig(ctx, cluster)
-}
-
 func (c *ClusterManager) GetCurrentClusterSpec(ctx context.Context, clus *types.Cluster, clusterName string) (*cluster.Spec, error) {
 	eksaCluster, err := c.clusterClient.GetEksaCluster(ctx, clus, clusterName)
 	if err != nil {
diff --git a/pkg/clustermanager/cluster_manager_test.go b/pkg/clustermanager/cluster_manager_test.go
index f2c00e0863ef..f55e8413f516 100644
--- a/pkg/clustermanager/cluster_manager_test.go
+++ b/pkg/clustermanager/cluster_manager_test.go
@@ -1024,7 +1024,6 @@ func newTest(t *testing.T, opts ...clustermanager.ClusterManagerOpt) *testSetup
 
 type clusterManagerMocks struct {
 	writer             *mockswriter.MockFileWriter
-	awsIamAuth         *mocksmanager.MockAwsIamAuth
 	client             *mocksmanager.MockClusterClient
 	provider           *mocksprovider.MockProvider
 	diagnosticsBundle  *mocksdiagnostics.MockDiagnosticBundle
@@ -1036,7 +1035,6 @@ func newClusterManager(t *testing.T, opts ...clustermanager.ClusterManagerOpt) (
 	mockCtrl := gomock.NewController(t)
 	m := &clusterManagerMocks{
 		writer:             mockswriter.NewMockFileWriter(mockCtrl),
-		awsIamAuth:         mocksmanager.NewMockAwsIamAuth(mockCtrl),
 		client:             mocksmanager.NewMockClusterClient(mockCtrl),
 		provider:           mocksprovider.NewMockProvider(mockCtrl),
 		diagnosticsFactory: mocksdiagnostics.NewMockDiagnosticBundleFactory(mockCtrl),
@@ -1068,7 +1066,7 @@ func newClusterManager(t *testing.T, opts ...clustermanager.ClusterManagerOpt) (
 	fakeClient := test.NewFakeKubeClient(dc, oc, b, r, ac, gc, er)
 	cf := mocksmanager.NewMockClientFactory(mockCtrl)
 	cf.EXPECT().BuildClientFromKubeconfig("").Return(fakeClient, nil).AnyTimes()
-	c := clustermanager.New(cf, m.client, m.writer, m.diagnosticsFactory, m.awsIamAuth, m.eksaComponents, opts...)
+	c := clustermanager.New(cf, m.client, m.writer, m.diagnosticsFactory, m.eksaComponents, opts...)
 
 	return c, m
 }
diff --git a/pkg/clustermanager/cluster_manager_wb_test.go b/pkg/clustermanager/cluster_manager_wb_test.go
index b635fcf450dc..e6dd2bbc6488 100644
--- a/pkg/clustermanager/cluster_manager_wb_test.go
+++ b/pkg/clustermanager/cluster_manager_wb_test.go
@@ -62,7 +62,7 @@ func TestClusterManager_totalTimeoutForMachinesReadyWait(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			c := New(nil, nil, nil, nil, nil, nil, tt.opts...)
+			c := New(nil, nil, nil, nil, nil, tt.opts...)
 			g := NewWithT(t)
 			g.Expect(c.totalTimeoutForMachinesReadyWait(tt.replicas)).To(Equal(tt.want))
 		})
diff --git a/pkg/clustermanager/mocks/client_and_networking.go b/pkg/clustermanager/mocks/client_and_networking.go
index f1579405c950..bc74118c1bea 100644
--- a/pkg/clustermanager/mocks/client_and_networking.go
+++ b/pkg/clustermanager/mocks/client_and_networking.go
@@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/aws/eks-anywhere/pkg/clustermanager (interfaces: ClusterClient,AwsIamAuth,EKSAComponents,KubernetesClient,ClientFactory,ClusterApplier,CAPIClient)
+// Source: github.com/aws/eks-anywhere/pkg/clustermanager (interfaces: ClusterClient,EKSAComponents,KubernetesClient,ClientFactory,ClusterApplier,CAPIClient)
 
 // Package mocks is a generated GoMock package.
 package mocks
@@ -803,99 +803,6 @@ func (mr *MockClusterClientMockRecorder) WaitForManagedExternalEtcdReady(arg0, a
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "WaitForManagedExternalEtcdReady", reflect.TypeOf((*MockClusterClient)(nil).WaitForManagedExternalEtcdReady), arg0, arg1, arg2, arg3)
 }
 
-// MockAwsIamAuth is a mock of AwsIamAuth interface.
-type MockAwsIamAuth struct {
-	ctrl     *gomock.Controller
-	recorder *MockAwsIamAuthMockRecorder
-}
-
-// MockAwsIamAuthMockRecorder is the mock recorder for MockAwsIamAuth.
-type MockAwsIamAuthMockRecorder struct {
-	mock *MockAwsIamAuth
-}
-
-// NewMockAwsIamAuth creates a new mock instance.
-func NewMockAwsIamAuth(ctrl *gomock.Controller) *MockAwsIamAuth {
-	mock := &MockAwsIamAuth{ctrl: ctrl}
-	mock.recorder = &MockAwsIamAuthMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockAwsIamAuth) EXPECT() *MockAwsIamAuthMockRecorder {
-	return m.recorder
-}
-
-// CreateAndInstallAWSIAMAuthCASecret mocks base method.
-func (m *MockAwsIamAuth) CreateAndInstallAWSIAMAuthCASecret(arg0 context.Context, arg1 *types.Cluster, arg2 string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "CreateAndInstallAWSIAMAuthCASecret", arg0, arg1, arg2)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// CreateAndInstallAWSIAMAuthCASecret indicates an expected call of CreateAndInstallAWSIAMAuthCASecret.
-func (mr *MockAwsIamAuthMockRecorder) CreateAndInstallAWSIAMAuthCASecret(arg0, arg1, arg2 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateAndInstallAWSIAMAuthCASecret", reflect.TypeOf((*MockAwsIamAuth)(nil).CreateAndInstallAWSIAMAuthCASecret), arg0, arg1, arg2)
-}
-
-// GenerateKubeconfig mocks base method.
-func (m *MockAwsIamAuth) GenerateKubeconfig(arg0 context.Context, arg1, arg2 *types.Cluster, arg3 *cluster.Spec) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GenerateKubeconfig", arg0, arg1, arg2, arg3)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// GenerateKubeconfig indicates an expected call of GenerateKubeconfig.
-func (mr *MockAwsIamAuthMockRecorder) GenerateKubeconfig(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GenerateKubeconfig", reflect.TypeOf((*MockAwsIamAuth)(nil).GenerateKubeconfig), arg0, arg1, arg2, arg3)
-}
-
-// GenerateManagementAWSIAMKubeconfig mocks base method.
-func (m *MockAwsIamAuth) GenerateManagementAWSIAMKubeconfig(arg0 context.Context, arg1 *types.Cluster) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GenerateManagementAWSIAMKubeconfig", arg0, arg1)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// GenerateManagementAWSIAMKubeconfig indicates an expected call of GenerateManagementAWSIAMKubeconfig.
-func (mr *MockAwsIamAuthMockRecorder) GenerateManagementAWSIAMKubeconfig(arg0, arg1 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GenerateManagementAWSIAMKubeconfig", reflect.TypeOf((*MockAwsIamAuth)(nil).GenerateManagementAWSIAMKubeconfig), arg0, arg1)
-}
-
-// InstallAWSIAMAuth mocks base method.
-func (m *MockAwsIamAuth) InstallAWSIAMAuth(arg0 context.Context, arg1, arg2 *types.Cluster, arg3 *cluster.Spec) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "InstallAWSIAMAuth", arg0, arg1, arg2, arg3)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// InstallAWSIAMAuth indicates an expected call of InstallAWSIAMAuth.
-func (mr *MockAwsIamAuthMockRecorder) InstallAWSIAMAuth(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "InstallAWSIAMAuth", reflect.TypeOf((*MockAwsIamAuth)(nil).InstallAWSIAMAuth), arg0, arg1, arg2, arg3)
-}
-
-// UpgradeAWSIAMAuth mocks base method.
-func (m *MockAwsIamAuth) UpgradeAWSIAMAuth(arg0 context.Context, arg1 *types.Cluster, arg2 *cluster.Spec) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "UpgradeAWSIAMAuth", arg0, arg1, arg2)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// UpgradeAWSIAMAuth indicates an expected call of UpgradeAWSIAMAuth.
-func (mr *MockAwsIamAuthMockRecorder) UpgradeAWSIAMAuth(arg0, arg1, arg2 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpgradeAWSIAMAuth", reflect.TypeOf((*MockAwsIamAuth)(nil).UpgradeAWSIAMAuth), arg0, arg1, arg2)
-}
-
 // MockEKSAComponents is a mock of EKSAComponents interface.
 type MockEKSAComponents struct {
 	ctrl     *gomock.Controller
diff --git a/pkg/dependencies/factory.go b/pkg/dependencies/factory.go
index 6921ae1cfc86..252cf10b2519 100644
--- a/pkg/dependencies/factory.go
+++ b/pkg/dependencies/factory.go
@@ -992,7 +992,7 @@ func (f *Factory) clusterManagerOpts(timeoutOpts *ClusterManagerTimeoutOptions)
 
 // WithClusterManager builds a cluster manager based on the cluster config and timeout options.
 func (f *Factory) WithClusterManager(clusterConfig *v1alpha1.Cluster, timeoutOpts *ClusterManagerTimeoutOptions) *Factory {
-	f.WithClusterctl().WithWriter().WithDiagnosticBundleFactory().WithAwsIamAuth(clusterConfig).WithFileReader().WithUnAuthKubeClient().WithKubernetesRetrierClient().WithEKSAInstaller()
+	f.WithClusterctl().WithWriter().WithDiagnosticBundleFactory().WithFileReader().WithUnAuthKubeClient().WithKubernetesRetrierClient().WithEKSAInstaller()
 
 	f.buildSteps = append(f.buildSteps, func(ctx context.Context) error {
 		if f.dependencies.ClusterManager != nil {
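Review bot: `clusterConfig` may now be an unused parameter of WithClusterManager: the only use visible in the old code was the `WithAwsIamAuth(clusterConfig)` call dropped on this line, and the rest of the function body lies outside the hunk. If nothing else in the body reads it, drop the parameter or rename it to `_` so callers are not misled into thinking the cluster config still shapes the manager. Separately, any caller that previously received `deps.AwsIamAuth` through this implicit wiring now needs its own `WithAwsIamAuth(...)` call, as createcluster.go and upgradecluster.go do in this commit; otherwise the dependency stays nil and the first `Generate*Kubeconfig` call on it panics. Whether other such callers exist is not visible here.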
@@ -1009,7 +1009,6 @@ func (f *Factory) WithClusterManager(clusterConfig *v1alpha1.Cluster, timeoutOpt
 			client,
 			f.dependencies.Writer,
 			f.dependencies.DignosticCollectorFactory,
-			f.dependencies.AwsIamAuth,
 			f.dependencies.EksaInstaller,
 			f.clusterManagerOpts(timeoutOpts)...,
 		)
diff --git a/pkg/task/task.go b/pkg/task/task.go
index 118e6176f910..7807f6003588 100644
--- a/pkg/task/task.go
+++ b/pkg/task/task.go
@@ -53,6 +53,7 @@ type CommandContext struct {
 	BackupClusterStateDir string
 	ForceCleanup          bool
 	ClusterMover          interfaces.ClusterMover
+	IamAuth               interfaces.AwsIamAuth
 }
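Review bot: The new field is named `IamAuth` while its type, the factory dependency (`deps.AwsIamAuth` in createcluster.go) and the sibling field on the line above (`ClusterMover interfaces.ClusterMover`) all use the interface name verbatim. Suggest `AwsIamAuth interfaces.AwsIamAuth` so the name stays consistent across CommandContext, the Create workflow (where it is `iamAuth`, create.go L575) and the factory. A short doc comment such as `// AwsIamAuth generates aws-iam-authenticator kubeconfigs for the cluster this command operates on.` would also help, since none of the visible CommandContext fields carry one.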
 
 func (c *CommandContext) SetError(err error) {
diff --git a/pkg/workflows/interfaces/interfaces.go b/pkg/workflows/interfaces/interfaces.go
index 5105a1b1ec1d..a34ca9a1d4fa 100644
--- a/pkg/workflows/interfaces/interfaces.go
+++ b/pkg/workflows/interfaces/interfaces.go
@@ -41,8 +41,6 @@ type ClusterManager interface {
 	GetCurrentClusterSpec(ctx context.Context, cluster *types.Cluster, clusterName string) (*cluster.Spec, error)
 	Upgrade(ctx context.Context, cluster *types.Cluster, currentManagementComponents, newManagementComponents *cluster.ManagementComponents, newSpec *cluster.Spec) (*types.ChangeDiff, error)
 	CreateRegistryCredSecret(ctx context.Context, mgmt *types.Cluster) error
-	GenerateWorkloadAWSIAMKubeconfig(ctx context.Context, management, workload *types.Cluster, spec *cluster.Spec) error
-	GenerateManagementAWSIAMKubeconfig(ctx context.Context, cluster *types.Cluster) error
 	ResumeEKSAControllerReconcile(ctx context.Context, cluster *types.Cluster, clusterSpec *cluster.Spec, provider providers.Provider) error
 	AllowDeleteWhilePaused(ctx context.Context, cluster *types.Cluster, clusterSpec *cluster.Spec) error
 }
@@ -109,8 +107,8 @@ type ClusterMover interface {
 	Move(ctx context.Context, spec *cluster.Spec, srcClient, dstClient kubernetes.Client) error
 }
 
-// AwsIamAuth is responsible for managing iam kubeconfigs.
+// AwsIamAuth is responsible for generating iam kubeconfigs.
 type AwsIamAuth interface {
-	GenerateKubeconfig(ctx context.Context, management, workload *types.Cluster, spec *cluster.Spec) error
-	GenerateManagementAWSIAMKubeconfig(ctx context.Context, cluster *types.Cluster) error
+	GenerateWorkloadKubeconfig(ctx context.Context, management, workload *types.Cluster, spec *cluster.Spec) error
+	GenerateManagementKubeconfig(ctx context.Context, cluster *types.Cluster) error
 }
diff --git a/pkg/workflows/interfaces/mocks/clients.go b/pkg/workflows/interfaces/mocks/clients.go
index 3ed23a428178..adc033e74450 100644
--- a/pkg/workflows/interfaces/mocks/clients.go
+++ b/pkg/workflows/interfaces/mocks/clients.go
@@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/aws/eks-anywhere/pkg/workflows/interfaces (interfaces: Bootstrapper,ClusterManager,GitOpsManager,Validator,CAPIManager,EksdInstaller,EksdUpgrader,PackageManager,ClusterUpgrader,ClusterCreator,ClientFactory,EksaInstaller,ClusterDeleter,ClusterMover)
+// Source: github.com/aws/eks-anywhere/pkg/workflows/interfaces (interfaces: Bootstrapper,ClusterManager,GitOpsManager,Validator,CAPIManager,EksdInstaller,EksdUpgrader,PackageManager,ClusterUpgrader,ClusterCreator,ClientFactory,EksaInstaller,ClusterDeleter,ClusterMover,AwsIamAuth)
 
 // Package mocks is a generated GoMock package.
 package mocks
@@ -197,34 +197,6 @@ func (mr *MockClusterManagerMockRecorder) CreateRegistryCredSecret(arg0, arg1 in
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateRegistryCredSecret", reflect.TypeOf((*MockClusterManager)(nil).CreateRegistryCredSecret), arg0, arg1)
 }
 
-// GenerateManagementAWSIAMKubeconfig mocks base method.
-func (m *MockClusterManager) GenerateManagementAWSIAMKubeconfig(arg0 context.Context, arg1 *types.Cluster) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GenerateManagementAWSIAMKubeconfig", arg0, arg1)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// GenerateManagementAWSIAMKubeconfig indicates an expected call of GenerateManagementAWSIAMKubeconfig.
-func (mr *MockClusterManagerMockRecorder) GenerateManagementAWSIAMKubeconfig(arg0, arg1 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GenerateManagementAWSIAMKubeconfig", reflect.TypeOf((*MockClusterManager)(nil).GenerateManagementAWSIAMKubeconfig), arg0, arg1)
-}
-
-// GenerateWorkloadAWSIAMKubeconfig mocks base method.
-func (m *MockClusterManager) GenerateWorkloadAWSIAMKubeconfig(arg0 context.Context, arg1, arg2 *types.Cluster, arg3 *cluster.Spec) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GenerateWorkloadAWSIAMKubeconfig", arg0, arg1, arg2, arg3)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// GenerateWorkloadAWSIAMKubeconfig indicates an expected call of GenerateWorkloadAWSIAMKubeconfig.
-func (mr *MockClusterManagerMockRecorder) GenerateWorkloadAWSIAMKubeconfig(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GenerateWorkloadAWSIAMKubeconfig", reflect.TypeOf((*MockClusterManager)(nil).GenerateWorkloadAWSIAMKubeconfig), arg0, arg1, arg2, arg3)
-}
-
 // GetCurrentClusterSpec mocks base method.
 func (m *MockClusterManager) GetCurrentClusterSpec(arg0 context.Context, arg1 *types.Cluster, arg2 string) (*cluster.Spec, error) {
 	m.ctrl.T.Helper()
@@ -983,3 +955,54 @@ func (mr *MockClusterMoverMockRecorder) Move(arg0, arg1, arg2, arg3 interface{})
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Move", reflect.TypeOf((*MockClusterMover)(nil).Move), arg0, arg1, arg2, arg3)
 }
+
+// MockAwsIamAuth is a mock of AwsIamAuth interface.
+type MockAwsIamAuth struct {
+	ctrl     *gomock.Controller
+	recorder *MockAwsIamAuthMockRecorder
+}
+
+// MockAwsIamAuthMockRecorder is the mock recorder for MockAwsIamAuth.
+type MockAwsIamAuthMockRecorder struct {
+	mock *MockAwsIamAuth
+}
+
+// NewMockAwsIamAuth creates a new mock instance.
+func NewMockAwsIamAuth(ctrl *gomock.Controller) *MockAwsIamAuth {
+	mock := &MockAwsIamAuth{ctrl: ctrl}
+	mock.recorder = &MockAwsIamAuthMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockAwsIamAuth) EXPECT() *MockAwsIamAuthMockRecorder {
+	return m.recorder
+}
+
+// GenerateManagementKubeconfig mocks base method.
+func (m *MockAwsIamAuth) GenerateManagementKubeconfig(arg0 context.Context, arg1 *types.Cluster) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GenerateManagementKubeconfig", arg0, arg1)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// GenerateManagementKubeconfig indicates an expected call of GenerateManagementKubeconfig.
+func (mr *MockAwsIamAuthMockRecorder) GenerateManagementKubeconfig(arg0, arg1 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GenerateManagementKubeconfig", reflect.TypeOf((*MockAwsIamAuth)(nil).GenerateManagementKubeconfig), arg0, arg1)
+}
+
+// GenerateWorkloadKubeconfig mocks base method.
+func (m *MockAwsIamAuth) GenerateWorkloadKubeconfig(arg0 context.Context, arg1, arg2 *types.Cluster, arg3 *cluster.Spec) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GenerateWorkloadKubeconfig", arg0, arg1, arg2, arg3)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// GenerateWorkloadKubeconfig indicates an expected call of GenerateWorkloadKubeconfig.
+func (mr *MockAwsIamAuthMockRecorder) GenerateWorkloadKubeconfig(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GenerateWorkloadKubeconfig", reflect.TypeOf((*MockAwsIamAuth)(nil).GenerateWorkloadKubeconfig), arg0, arg1, arg2, arg3)
+}
diff --git a/pkg/workflows/management/create.go b/pkg/workflows/management/create.go
index 8679d9a8c351..c047e63407b6 100644
--- a/pkg/workflows/management/create.go
+++ b/pkg/workflows/management/create.go
@@ -23,6 +23,7 @@ type Create struct {
 	clusterCreator interfaces.ClusterCreator
 	eksaInstaller  interfaces.EksaInstaller
 	clusterMover   interfaces.ClusterMover
+	iamAuth        interfaces.AwsIamAuth
 }
 
 // NewCreate builds a new create construct.
@@ -34,8 +35,9 @@ func NewCreate(bootstrapper interfaces.Bootstrapper,
 	clusterCreator interfaces.ClusterCreator,
 	eksaInstaller interfaces.EksaInstaller,
 	mover interfaces.ClusterMover,
+	iamAuth interfaces.AwsIamAuth,
 ) *Create {
-	return &Create{
+	createWorkflow := &Create{
 		bootstrapper:   bootstrapper,
 		clientFactory:  clientFactory,
 		provider:       provider,
@@ -47,7 +49,10 @@ func NewCreate(bootstrapper interfaces.Bootstrapper,
 		clusterCreator: clusterCreator,
 		eksaInstaller:  eksaInstaller,
 		clusterMover:   mover,
+		iamAuth:        iamAuth,
 	}
+
+	return createWorkflow
 }
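Review bot: The `createWorkflow :=` temporary introduced at L586 adds nothing over the original `return &Create{`: the literal is returned immediately and the name is never used otherwise, so the change only adds lines L596-L597 and a blank line. Keep `return &Create{` and drop the trailing `return createWorkflow`. The `iamAuth` argument is also stored without a nil check, consistent with the other dependencies, which means a caller that skips `WithAwsIamAuth` gets a nil interface that only fails when the kubeconfig-writing task runs; if that contract is intentional, a sentence on the NewCreate doc comment saying all arguments must be non-nil would make it explicit.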
 
 // Run runs all the create management cluster tasks.
@@ -66,6 +71,7 @@ func (c *Create) Run(ctx context.Context, clusterSpec *cluster.Spec, validator i
 		ClusterCreator: c.clusterCreator,
 		EksaInstaller:  c.eksaInstaller,
 		ClusterMover:   c.clusterMover,
+		IamAuth:        c.iamAuth,
 	}
 
 	return task.NewTaskRunner(&setupAndValidateCreate{}, c.writer).RunTask(ctx, commandContext)
diff --git a/pkg/workflows/management/create_test.go b/pkg/workflows/management/create_test.go
index 2c6e3abbeae5..2ccb3e6f9fea 100644
--- a/pkg/workflows/management/create_test.go
+++ b/pkg/workflows/management/create_test.go
@@ -48,6 +48,7 @@ type createTestSetup struct {
 	client               *clientmocks.MockClient
 	clientFactory        *mocks.MockClientFactory
 	mover                *mocks.MockClusterMover
+	iamAuth              *mocks.MockAwsIamAuth
 }
 
 func newCreateTest(t *testing.T) *createTestSetup {
@@ -71,6 +72,7 @@ func newCreateTest(t *testing.T) *createTestSetup {
 	client := clientmocks.NewMockClient(mockCtrl)
 	clientFactory := mocks.NewMockClientFactory(mockCtrl)
 	mover := mocks.NewMockClusterMover(mockCtrl)
+	iam := mocks.NewMockAwsIamAuth(mockCtrl)
 
 	workflow := management.NewCreate(
 		bootstrapper,
@@ -84,6 +86,7 @@ func newCreateTest(t *testing.T) *createTestSetup {
 		clusterCreator,
 		eksaInstaller,
 		mover,
+		iam,
 	)
 
 	for _, e := range featureEnvVars {
@@ -121,6 +124,7 @@ func newCreateTest(t *testing.T) *createTestSetup {
 		clusterSpec:          clusterSpec,
 		client:               client,
 		mover:                mover,
+		iamAuth:              iam,
 	}
 }
 
@@ -908,7 +912,7 @@ func TestCreateWriteConfigAWSIAMFailure(t *testing.T) {
 	test.expectDatacenterConfig()
 	test.expectMachineConfigs()
 
-	test.clusterManager.EXPECT().GenerateManagementAWSIAMKubeconfig(test.ctx, test.workloadCluster).Return(errors.New("test"))
+	test.iamAuth.EXPECT().GenerateManagementKubeconfig(test.ctx, test.workloadCluster).Return(errors.New("test"))
 
 	test.clusterManager.EXPECT().SaveLogsManagementCluster(
 		test.ctx, test.clusterSpec, test.bootstrapCluster,
diff --git a/pkg/workflows/management/upgrade.go b/pkg/workflows/management/upgrade.go
index 001336c0feb6..b5b488b73a2d 100644
--- a/pkg/workflows/management/upgrade.go
+++ b/pkg/workflows/management/upgrade.go
@@ -25,6 +25,7 @@ type Upgrade struct {
 	upgradeChangeDiff *types.ChangeDiff
 	clusterUpgrader   interfaces.ClusterUpgrader
 	packageManager    interfaces.PackageManager
+	iamAuth           interfaces.AwsIamAuth
 }
 
 // NewUpgrade builds a new upgrade construct.
@@ -37,9 +38,10 @@ func NewUpgrade(clientFactory interfaces.ClientFactory, provider providers.Provi
 	eksdInstaller interfaces.EksdInstaller,
 	clusterUpgrade interfaces.ClusterUpgrader,
 	packageManager interfaces.PackageManager,
+	iamAuth interfaces.AwsIamAuth,
 ) *Upgrade {
 	upgradeChangeDiff := types.NewChangeDiff()
-	return &Upgrade{
+	upgradeWorkflow := &Upgrade{
 		clientFactory:     clientFactory,
 		provider:          provider,
 		clusterManager:    clusterManager,
@@ -51,7 +53,10 @@ func NewUpgrade(clientFactory interfaces.ClientFactory, provider providers.Provi
 		upgradeChangeDiff: upgradeChangeDiff,
 		clusterUpgrader:   clusterUpgrade,
 		packageManager:    packageManager,
+		iamAuth:           iamAuth,
 	}
+
+	return upgradeWorkflow
 }
 
 // Run Upgrade implements upgrade functionality for management cluster's upgrade operation.
@@ -71,6 +76,7 @@ func (c *Upgrade) Run(ctx context.Context, clusterSpec *cluster.Spec, management
 		UpgradeChangeDiff: c.upgradeChangeDiff,
 		ClusterUpgrader:   c.clusterUpgrader,
 		PackageManager:    c.packageManager,
+		IamAuth:           c.iamAuth,
 	}
 	if features.IsActive(features.CheckpointEnabled()) {
 		return task.NewTaskRunner(&setupAndValidateUpgrade{}, c.writer, task.WithCheckpointFile()).RunTask(ctx, commandContext)
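Review bot: `IamAuth` is wired into the management upgrade CommandContext here, but no task in this change reads it on an upgrade path — the only management consumer touched is writeCreateClusterConfig, and the workload counterpart explicitly skips kubeconfig generation unless `CurrentClusterSpec == nil`. The management upgrade test likewise only constructs `mocks.NewMockAwsIamAuth` with no expectation on it. If nothing on the upgrade path calls `GenerateManagementKubeconfig`, the `iamAuth` field and constructor parameter on Upgrade are dead plumbing and could be dropped; otherwise a one-line comment on the field naming the upgrade task that uses it would help the next reader. Run's body continues outside the hunk.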
diff --git a/pkg/workflows/management/upgrade_test.go b/pkg/workflows/management/upgrade_test.go
index dc42c4a9a324..5e70a1d4e02f 100644
--- a/pkg/workflows/management/upgrade_test.go
+++ b/pkg/workflows/management/upgrade_test.go
@@ -51,6 +51,7 @@ type upgradeManagementTestSetup struct {
 	managementStatePath         string
 	management                  *management.Upgrade
 	packages                    *mocks.MockPackageManager
+	iamAuth                     *mocks.MockAwsIamAuth
 }
 
 func newUpgradeManagementTest(t *testing.T) *upgradeManagementTestSetup {
@@ -69,6 +70,7 @@ func newUpgradeManagementTest(t *testing.T) *upgradeManagementTestSetup {
 	machineConfigs := []providers.MachineConfig{&v1alpha1.VSphereMachineConfig{}}
 	clusterUpgrader := mocks.NewMockClusterUpgrader(mockCtrl)
 	packageUpgrader := mocks.NewMockPackageManager(mockCtrl)
+	iam := mocks.NewMockAwsIamAuth(mockCtrl)
 	management := management.NewUpgrade(
 		clientFactory,
 		provider,
@@ -80,6 +82,7 @@ func newUpgradeManagementTest(t *testing.T) *upgradeManagementTestSetup {
 		eksdInstaller,
 		clusterUpgrader,
 		packageUpgrader,
+		iam,
 	)
 
 	for _, e := range featureEnvVars {
@@ -123,6 +126,7 @@ func newUpgradeManagementTest(t *testing.T) *upgradeManagementTestSetup {
 		currentClusterSpec:          currentClusterSpec,
 		newClusterSpec:              newClusterSpec,
 		managementStatePath:         fmt.Sprintf("%s-backup-%s", "management", time.Now().Format("2006-01-02T15_04_05")),
+		iamAuth:                     iam,
 	}
 }
 
diff --git a/pkg/workflows/management/write_cluster_config.go b/pkg/workflows/management/write_cluster_config.go
index e0790e4172b3..3e5c7e43f830 100644
--- a/pkg/workflows/management/write_cluster_config.go
+++ b/pkg/workflows/management/write_cluster_config.go
@@ -52,7 +52,7 @@ func (s *writeCreateClusterConfig) Run(ctx context.Context, commandContext *task
 
 	if commandContext.ClusterSpec.AWSIamConfig != nil {
 		logger.Info("Generating the aws iam kubeconfig file")
-		err = commandContext.ClusterManager.GenerateManagementAWSIAMKubeconfig(ctx, commandContext.WorkloadCluster)
+		err = commandContext.IamAuth.GenerateManagementKubeconfig(ctx, commandContext.WorkloadCluster)
 		if err != nil {
 			commandContext.SetError(err)
 			return &workflows.CollectDiagnosticsTask{}
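Review bot: `commandContext.IamAuth` is a new field on the CommandContext and the task dereferences it unguarded at the `GenerateManagementKubeconfig` line; a CommandContext built without it (it is populated in the workflow Run methods, not by the context type itself) produces a nil-interface panic instead of the `SetError` plus CollectDiagnosticsTask path the rest of this branch relies on. The replaced `ClusterManager` call had no such failure mode because that field is shared by every task. A guard in front of the call keeps the failure inside the workflow's error handling: `if commandContext.IamAuth == nil { commandContext.SetError(fmt.Errorf("aws iam auth generator is not configured")); return &workflows.CollectDiagnosticsTask{} }`, using whichever error constructor the file already imports. Run's body starts and ends outside the hunk.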
diff --git a/pkg/workflows/workload/create.go b/pkg/workflows/workload/create.go
index e7aa5146b746..b8f9a048550c 100644
--- a/pkg/workflows/workload/create.go
+++ b/pkg/workflows/workload/create.go
@@ -20,6 +20,7 @@ type Create struct {
 	eksdInstaller    interfaces.EksdInstaller
 	clusterCreator   interfaces.ClusterCreator
 	packageInstaller interfaces.PackageManager
+	iamAuth          interfaces.AwsIamAuth
 }
 
 // NewCreate builds a new create construct.
@@ -30,8 +31,9 @@ func NewCreate(provider providers.Provider,
 	packageInstaller interfaces.PackageManager,
 	clusterCreator interfaces.ClusterCreator,
 	clientFactory interfaces.ClientFactory,
+	iamAuth interfaces.AwsIamAuth,
 ) *Create {
-	return &Create{
+	createWorkflow := &Create{
 		provider:         provider,
 		clusterManager:   clusterManager,
 		gitOpsManager:    gitOpsManager,
@@ -40,7 +42,10 @@ func NewCreate(provider providers.Provider,
 		clusterCreator:   clusterCreator,
 		packageInstaller: packageInstaller,
 		clientFactory:    clientFactory,
+		iamAuth:          iamAuth,
 	}
+
+	return createWorkflow
 }
 
 // Run executes the tasks to create a workload cluster.
@@ -55,6 +60,7 @@ func (c *Create) Run(ctx context.Context, clusterSpec *cluster.Spec, validator i
 		Validations:       validator,
 		ManagementCluster: clusterSpec.ManagementCluster,
 		ClusterCreator:    c.clusterCreator,
+		IamAuth:           c.iamAuth,
 	}
 
 	return task.NewTaskRunner(&setAndValidateCreateWorkloadTask{}, c.writer).RunTask(ctx, commandContext)
diff --git a/pkg/workflows/workload/create_test.go b/pkg/workflows/workload/create_test.go
index c67c8e200f26..a5338f9e0ad0 100644
--- a/pkg/workflows/workload/create_test.go
+++ b/pkg/workflows/workload/create_test.go
@@ -46,6 +46,7 @@ type createTestSetup struct {
 	managementComponents *cluster.ManagementComponents
 	client               *clientmocks.MockClient
 	clientFactory        *mocks.MockClientFactory
+	iamAuth              *mocks.MockAwsIamAuth
 }
 
 func newCreateTest(t *testing.T) *createTestSetup {
@@ -66,6 +67,7 @@ func newCreateTest(t *testing.T) *createTestSetup {
 	clientFactory := mocks.NewMockClientFactory(mockCtrl)
 
 	validator := mocks.NewMockValidator(mockCtrl)
+	iam := mocks.NewMockAwsIamAuth(mockCtrl)
 
 	clusterSpec := test.NewClusterSpec(func(s *cluster.Spec) {
 		s.Cluster.Name = "test-cluster"
@@ -81,6 +83,7 @@ func newCreateTest(t *testing.T) *createTestSetup {
 		packageInstaller,
 		clusterUpgrader,
 		clientFactory,
+		iam,
 	)
 
 	for _, e := range featureEnvVars {
@@ -111,6 +114,7 @@ func newCreateTest(t *testing.T) *createTestSetup {
 		managementComponents: managementComponents,
 		clientFactory:        clientFactory,
 		client:               client,
+		iamAuth:              iam,
 	}
 }
 
@@ -176,7 +180,7 @@ func (c *createTestSetup) expectInstallGitOpsManager(err error) {
 }
 
 func (c *createTestSetup) expectAWSIAMAuthKubeconfig(err error) {
-	c.clusterManager.EXPECT().GenerateWorkloadAWSIAMKubeconfig(
+	c.iamAuth.EXPECT().GenerateWorkloadKubeconfig(
 		c.ctx, c.clusterSpec.ManagementCluster, c.workloadCluster, c.clusterSpec).Return(err)
 }
 
diff --git a/pkg/workflows/workload/upgrade.go b/pkg/workflows/workload/upgrade.go
index db955c59b99c..ef0d6f176b3d 100644
--- a/pkg/workflows/workload/upgrade.go
+++ b/pkg/workflows/workload/upgrade.go
@@ -21,6 +21,7 @@ type Upgrade struct {
 	eksdInstaller    interfaces.EksdInstaller
 	clusterUpgrader  interfaces.ClusterUpgrader
 	packageInstaller interfaces.PackageManager
+	iamAuth          interfaces.AwsIamAuth
 }
 
 // NewUpgrade builds a new upgrade construct.
@@ -31,8 +32,9 @@ func NewUpgrade(clientFactory interfaces.ClientFactory,
 	clusterUpgrader interfaces.ClusterUpgrader,
 	eksdInstaller interfaces.EksdInstaller,
 	packageInstaller interfaces.PackageManager,
+	iamAuth interfaces.AwsIamAuth,
 ) *Upgrade {
-	return &Upgrade{
+	upgradeWorkflow := &Upgrade{
 		clientFactory:    clientFactory,
 		provider:         provider,
 		clusterManager:   clusterManager,
@@ -41,7 +43,10 @@ func NewUpgrade(clientFactory interfaces.ClientFactory,
 		eksdInstaller:    eksdInstaller,
 		clusterUpgrader:  clusterUpgrader,
 		packageInstaller: packageInstaller,
+		iamAuth:          iamAuth,
 	}
+
+	return upgradeWorkflow
 }
 
 // Run Upgrade implements upgrade functionality for workload cluster's upgrade operation.
@@ -57,6 +62,7 @@ func (c *Upgrade) Run(ctx context.Context, cluster *types.Cluster, clusterSpec *
 		ManagementCluster: clusterSpec.ManagementCluster,
 		WorkloadCluster:   cluster,
 		ClusterUpgrader:   c.clusterUpgrader,
+		IamAuth:           c.iamAuth,
 	}
 
 	return task.NewTaskRunner(&setAndValidateUpgradeWorkloadTask{}, c.writer).RunTask(ctx, commandContext)
diff --git a/pkg/workflows/workload/upgrade_test.go b/pkg/workflows/workload/upgrade_test.go
index ea51a00dba4c..7f6c6a6eb155 100644
--- a/pkg/workflows/workload/upgrade_test.go
+++ b/pkg/workflows/workload/upgrade_test.go
@@ -44,6 +44,7 @@ type upgradeTestSetup struct {
 	workloadCluster       *types.Cluster
 	workload              *workload.Upgrade
 	backupClusterStateDir string
+	iamAuth               *mocks.MockAwsIamAuth
 }
 
 func newUpgradeTest(t *testing.T) *upgradeTestSetup {
@@ -63,6 +64,7 @@ func newUpgradeTest(t *testing.T) *upgradeTestSetup {
 	clusterUpgrader := mocks.NewMockClusterUpgrader(mockCtrl)
 
 	validator := mocks.NewMockValidator(mockCtrl)
+	iam := mocks.NewMockAwsIamAuth(mockCtrl)
 
 	workload := workload.NewUpgrade(
 		clientFactory,
@@ -73,6 +75,7 @@ func newUpgradeTest(t *testing.T) *upgradeTestSetup {
 		clusterUpgrader,
 		eksdInstaller,
 		packageInstaller,
+		iam,
 	)
 
 	for _, e := range featureEnvVars {
@@ -111,6 +114,7 @@ func newUpgradeTest(t *testing.T) *upgradeTestSetup {
 		}),
 		workloadCluster:       &types.Cluster{Name: "workload"},
 		backupClusterStateDir: fmt.Sprintf("%s-backup-%s", "workload", time.Now().Format("2006-01-02T15_04_05")),
+		iamAuth:               iam,
 	}
 }
 
@@ -136,7 +140,7 @@ func (c *upgradeTestSetup) expectWriteWorkloadClusterConfig(err error) {
 }
 
 func (c *upgradeTestSetup) expectWithoutAWSIAMAuthKubeconfig(err error) {
-	c.clusterManager.EXPECT().GenerateWorkloadAWSIAMKubeconfig(
+	c.iamAuth.EXPECT().GenerateWorkloadKubeconfig(
 		c.ctx, c.clusterSpec.ManagementCluster, c.workloadCluster, c.clusterSpec).Return(err).Times(0)
 }
 
diff --git a/pkg/workflows/workload/writeclusterconfig.go b/pkg/workflows/workload/writeclusterconfig.go
index f51e83baa0be..7003440feca2 100644
--- a/pkg/workflows/workload/writeclusterconfig.go
+++ b/pkg/workflows/workload/writeclusterconfig.go
@@ -23,7 +23,7 @@ func (s *writeClusterConfig) Run(ctx context.Context, commandContext *task.Comma
 	// Generate AWS IAM kubeconfig only for cluster creation step
 	if commandContext.CurrentClusterSpec == nil && commandContext.ClusterSpec.AWSIamConfig != nil {
 		logger.Info("Generating the aws iam kubeconfig file")
-		err = commandContext.ClusterManager.GenerateWorkloadAWSIAMKubeconfig(ctx, commandContext.ManagementCluster, commandContext.WorkloadCluster, commandContext.ClusterSpec)
+		err = commandContext.IamAuth.GenerateWorkloadKubeconfig(ctx, commandContext.ManagementCluster, commandContext.WorkloadCluster, commandContext.ClusterSpec)
 		if err != nil {
 			commandContext.SetError(err)
 			logger.Error(err, "Generating the aws iam kubeconfig file")
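Review bot: The new `commandContext.IamAuth.GenerateWorkloadKubeconfig` call dereferences a freshly added CommandContext field without checking it is set, so a nil interface panics here rather than flowing through `SetError` and the logged error branch below it. A short guard before the call, `if commandContext.IamAuth == nil { commandContext.SetError(errors.New("aws iam auth generator is not configured")) }` followed by the same return the existing error branch takes (outside the hunk), keeps this on the workflow error path. Separately, this branch both logs with `logger.Error` and records via `SetError`, while the management writeCreateClusterConfig only records; one convention across the two would be easier to maintain. Run's body starts and ends outside the hunk.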
diff --git a/test/e2e/awsiamauth.go b/test/e2e/awsiamauth.go
index d494c8eae57b..a197831f75b7 100644
--- a/test/e2e/awsiamauth.go
+++ b/test/e2e/awsiamauth.go
@@ -4,6 +4,8 @@
 package e2e
 
 import (
+	"time"
+
 	"github.com/aws/eks-anywhere/pkg/api/v1alpha1"
 	"github.com/aws/eks-anywhere/test/framework"
 )
@@ -36,3 +38,16 @@ func runTinkerbellAWSIamAuthFlow(test *framework.ClusterE2ETest) {
 	test.DeleteCluster()
 	test.ValidateHardwareDecommissioned()
 }
+
+func runAWSIamAuthFlowWorkload(test *framework.MulticlusterE2ETest) {
+	test.CreateManagementClusterWithConfig()
+	test.RunInWorkloadClusters(func(w *framework.WorkloadCluster) {
+		w.GenerateClusterConfig()
+		w.CreateCluster()
+		w.ValidateAWSIamAuth()
+		w.StopIfFailed()
+		w.DeleteCluster()
+	})
+	time.Sleep(5 * time.Minute)
+	test.DeleteManagementCluster()
+}
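Review bot: The `time.Sleep(5 * time.Minute)` before `DeleteManagementCluster` is an unexplained fixed delay: it adds five minutes to every run and, if it exists to let the workload cluster deletion settle, a fixed sleep can still be too short on a slow environment while being wasteful on a fast one. Prefer polling for the condition actually being waited on (presumably the workload cluster's objects disappearing from the management cluster) with a timeout, or at minimum add a comment stating what it waits for, e.g. `// TODO(review): replace with a wait on the workload cluster deletion completing; this fixed delay only gives it time to finish before the owning management cluster is torn down`. The tail of runTinkerbellAWSIamAuthFlow visible above deletes without any sleep, so the difference deserves a justification in the commit.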
diff --git a/test/e2e/vsphere_test.go b/test/e2e/vsphere_test.go
index 7a06a727db7b..2d08e851a4e1 100644
--- a/test/e2e/vsphere_test.go
+++ b/test/e2e/vsphere_test.go
@@ -189,6 +189,35 @@ func TestVSphereKubernetes131AWSIamAuth(t *testing.T) {
 	runAWSIamAuthFlow(test)
 }
 
+func TestVSphereKubernetes130AWSIamAuthWorkloadCluster(t *testing.T) {
+	provider := framework.NewVSphere(t, framework.WithUbuntu130())
+	test := framework.NewMulticlusterE2ETest(
+		t,
+		framework.NewClusterE2ETest(
+			t,
+			provider,
+			framework.WithClusterFiller(
+				api.WithKubernetesVersion(v1alpha1.Kube130),
+				api.WithControlPlaneCount(1),
+				api.WithWorkerNodeCount(1),
+				api.WithStackedEtcdTopology(),
+			),
+		),
+		framework.NewClusterE2ETest(
+			t,
+			provider,
+			framework.WithAWSIam(),
+			framework.WithClusterFiller(
+				api.WithKubernetesVersion(v1alpha1.Kube130),
+				api.WithControlPlaneCount(1),
+				api.WithWorkerNodeCount(1),
+				api.WithStackedEtcdTopology(),
+			),
+		),
+	)
+	runAWSIamAuthFlowWorkload(test)
+}
+
 func TestVSphereKubernetes127BottleRocketAWSIamAuth(t *testing.T) {
 	test := framework.NewClusterE2ETest(
 		t,