istio: Load balancer does not come up on AWS

Running Istio 1.1.2 via the amazing Banzai operator, but this has been an issue as far back as 0.8. Under Kops, the ELB for Istio comes right up, however with either Typhoon or KubeSpray, it doesn’t bring it up:

✗  kubectl version
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1", GitCommit:"b7394102d6ef778017f2ca4046abbaa23b88c290", GitTreeState:"clean", BuildDate:"2019-04-08T17:11:31Z", GoVersion:"go1.12.1", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1", GitCommit:"b7394102d6ef778017f2ca4046abbaa23b88c290", GitTreeState:"clean", BuildDate:"2019-04-08T17:02:58Z", GoVersion:"go1.12.1", Compiler:"gc", Platform:"linux/amd64"}

✗  kubectl get service -n istio-system | grep LoadBalancer
istio-ingressgateway                                LoadBalancer   10.233.19.19    <pending>     15020:31460/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:31410/TCP,15030:31420/TCP,15031:31430/TCP,15032:31440/TCP,15443:31450/TCP   33m

Both master and nodes have roles with the following IAM policies:

    {
      "Effect": "Allow",
      "Action": ["ec2:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["elasticloadbalancing:*"],
      "Resource": ["*"]
    },

Bug description LoadBalancer stays in <pending>

Expected behavior LoadBalancer is provisioned

Steps to reproduce the bug Install Istio

Environment where bug was observed (cloud vendor, OS, etc) AWS / CoreOS

Affected product area (please put an X in all that apply)

[X ] Configuration Infrastructure [ ] Docs [X ] Installation [X ] Networking [ ] Performance and Scalability [ ] Policies and Telemetry [ ] Security [ ] Test and Release [ ] User Experience