kubeflow: Load balancer 443 listener can not be created successfully (aws)
/kind bug
aws specific issue
What steps did you take and what happened:
There is a problem with the installation instructions here https://www.kubeflow.org/docs/aws/deploy/install-kubeflow/. In step 5, after calling kubectl get ingress -n istio-system,
I get the response
NAME HOSTS ADDRESS PORTS AGE
istio-ingress * 80 32m
Check logs.
E0813 20:54:20.759908 1 :0] kubebuilder/controller "msg"="Reconciler error" "error"="failed to reconcile listeners due to failed to reconcile extra certificates on listener arn:aws:elasticloadbalancing:us-west-2:348134392524:listener/app/1bb9b272-istiosystem-istio-2af2/6d42fb2bee4fa1db/f9f47b6c4897d6fa: AccessDenied: User: arn:aws:sts::348134392524:assumed-role/eksctl-kfworkshop-nodegroup-cpu-n-NodeInstanceRole-5RU3EEH3OLKL/i-064f80cf6e51dbe65 is not authorized to perform: elasticloadbalancing:DescribeListenerCertificates\n\tstatus code: 403, request id: 85f03eb8-be0c-11e9-9aed-2792dfdc0674" "controller"="alb-ingress-controller" "request"={"Namespace":"istio-system","Name":"istio-ingress"}
The ALB IAM policy is missing elasticloadbalancing:DescribeListenerCertificates
and it cannot attach the certificate to the application load balancer.
What did you expect to happen: The load balancer gets created by the ALB ingress controller.
Environment:
- Kubeflow version: (version number can be found at the bottom left corner of the Kubeflow dashboard): v0.6.1
- kfctl version: (use kfctl version): v0.6.1-rc.2-1-g3a37cbc6
- Kubernetes platform: (e.g. minikube): aws
- Kubernetes version: (use kubectl version): 1.13.7
- OS (e.g. from /etc/os-release): darwin
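A check for the failure reported above, as an added example that is not part of the original issue or the project's code: it pulls the denied IAM actions out of alb-ingress-controller log lines and reports which ones a policy document does not grant. The log lines and policy are constructed samples with placeholder ARNs, the function names are hypothetical, and only the Action lists of Allow statements are evaluated (no Deny, NotAction, Condition or Resource handling).

```python
import re

# Constructed sample log (placeholder account id, role and instance id), shaped
# like the alb-ingress-controller error quoted in the issue.
SAMPLE_LOG = r'''
E0813 20:54:20.759908 1 :0] kubebuilder/controller "msg"="Reconciler error" "error"="failed to reconcile listeners due to failed to reconcile extra certificates on listener arn:aws:elasticloadbalancing:us-west-2:111111111111:listener/app/EXAMPLE/0000000000000000/0000000000000000: AccessDenied: User: arn:aws:sts::111111111111:assumed-role/EXAMPLE-NodeInstanceRole/i-0123456789abcdef0 is not authorized to perform: elasticloadbalancing:DescribeListenerCertificates\n\tstatus code: 403, request id: 00000000-0000-0000-0000-000000000000" "controller"="alb-ingress-controller"
I0813 20:54:21.000000 1 :0] kubebuilder/controller "msg"="Starting workers" "controller"="alb-ingress-controller"
'''

# Constructed sample policy document; not the policy shipped with Kubeflow.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["elasticloadbalancing:DescribeListeners",
                   "elasticloadbalancing:CreateListener",
                   "acm:Describe*"],
        "Resource": "*",
    }],
}

DENIED = re.compile(r"AccessDenied: User: (\S+) is not authorized to perform: "
                    r"([A-Za-z0-9-]+:[A-Za-z0-9*]+)")

def denied_actions(log_text):
    """Map each denied principal ARN to the set of actions it was refused."""
    found = {}
    for principal, action in DENIED.findall(log_text):
        found.setdefault(principal, set()).add(action)
    return found

def allows(policy, action):
    """True if an Allow statement lists a pattern matching the action.
    IAM action names are case-insensitive; * and ? are wildcards."""
    stmts = policy["Statement"]
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        actions = stmt.get("Action", [])
        for pat in [actions] if isinstance(actions, str) else actions:
            rx = re.escape(pat).replace(r"\*", ".*").replace(r"\?", ".")
            if stmt.get("Effect") == "Allow" and re.fullmatch(rx, action, re.I):
                return True
    return False

def missing_permissions(log_text, policy):
    """Denied actions from the log that the policy does not grant."""
    denied = set().union(*denied_actions(log_text).values())
    return sorted(a for a in denied if not allows(policy, a))

if __name__ == "__main__":
    for action in missing_permissions(SAMPLE_LOG, SAMPLE_POLICY):
        print("policy lacks:", action)
```

An action that is denied in the log but granted by the policy being checked points at a different cause, such as the policy not being attached to the role named in the error.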
About this issue
- State: closed
- Created 5 years ago
- Comments: 19 (7 by maintainers)
Issue-Label Bot is automatically applying the label kind/bug to this issue, with a confidence of 0.98. Please mark this comment with 👍 or 👎 to give our bot feedback! Links: app homepage, dashboard and code for this bot.