diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml
index db59a486d3..f42f78a89f 100644
--- a/k8s/crds/kops.k8s.io_clusters.yaml
+++ b/k8s/crds/kops.k8s.io_clusters.yaml
@@ -1175,15 +1175,21 @@ spec:
 description: AWS grants permissions to AWS resources.
 properties:
 inlinePolicy:
+ description: InlinePolicy is an IAM Policy that will
+ be attached inline to the IAM Role.
 type: string
 policyARNs:
+ description: PolicyARNs is a list of existing IAM Policies.
 items:
 type: string
 type: array
 type: object
 name:
+ description: Name is the name of the Kubernetes ServiceAccount.
 type: string
 namespace:
+ description: Namespace is the namespace of the Kubernetes
+ ServiceAccount.
 type: string
 required:
 - name
diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go
index 22047c72fb..602dd6044a 100644
--- a/pkg/apis/kops/cluster.go
+++ b/pkg/apis/kops/cluster.go
@@ -220,7 +220,9 @@ type ServiceAccountIssuerDiscoveryConfig struct {
 // ServiceAccountExternalPermissions grants a ServiceAccount permissions to external resources.
 type ServiceAccountExternalPermission struct {
- Name string `json:"name"`
+ // Name is the name of the Kubernetes ServiceAccount.
+ Name string `json:"name"`
+ // Namespace is the namespace of the Kubernetes ServiceAccount.
 Namespace string `json:"namespace"`
 // AWS grants permissions to AWS resources.
 AWS *AWSPermission `json:"aws,omitempty"`
@@ -228,8 +230,10 @@ type ServiceAccountExternalPermission struct {
 // AWSPermission grants permissions to AWS resources.
 type AWSPermission struct {
- PolicyARNs []string `json:"policyARNs,omitempty"`
- InlinePolicy string `json:"inlinePolicy,omitempty"`
+ // PolicyARNs is a list of existing IAM Policies.
+ PolicyARNs []string `json:"policyARNs,omitempty"`
+ // InlinePolicy is an IAM Policy that will be attached inline to the IAM Role.
+ InlinePolicy string `json:"inlinePolicy,omitempty"`
 }
 // NodeAuthorizationSpec is used to node authorization
diff --git a/pkg/apis/kops/v1alpha2/cluster.go b/pkg/apis/kops/v1alpha2/cluster.go
index eeacffb155..7a62d236c8 100644
--- a/pkg/apis/kops/v1alpha2/cluster.go
+++ b/pkg/apis/kops/v1alpha2/cluster.go
@@ -219,7 +219,9 @@ type ServiceAccountIssuerDiscoveryConfig struct {
 // ServiceAccountExternalPermissions grants a ServiceAccount permissions to external resources.
 type ServiceAccountExternalPermission struct {
- Name string `json:"name"`
+ // Name is the name of the Kubernetes ServiceAccount.
+ Name string `json:"name"`
+ // Namespace is the namespace of the Kubernetes ServiceAccount.
 Namespace string `json:"namespace"`
 // AWS grants permissions to AWS resources.
 AWS *AWSPermission `json:"aws,omitempty"`
@@ -227,8 +229,10 @@ type ServiceAccountExternalPermission struct {
 // AWSPermission grants permissions to AWS resources.
 type AWSPermission struct {
- PolicyARNs []string `json:"policyARNs,omitempty"`
- InlinePolicy string `json:"inlinePolicy,omitempty"`
+ // PolicyARNs is a list of existing IAM Policies.
+ PolicyARNs []string `json:"policyARNs,omitempty"`
+ // InlinePolicy is an IAM Policy that will be attached inline to the IAM Role.
+ InlinePolicy string `json:"inlinePolicy,omitempty"`
 }
 // NodeAuthorizationSpec is used to node authorization
diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go
index 11b9d32aad..3c5b87933f 100644
--- a/pkg/apis/kops/validation/validation.go
+++ b/pkg/apis/kops/validation/validation.go
@@ -257,7 +257,7 @@ func validateClusterSpec(spec *kops.ClusterSpec, c *kops.Cluster, fieldPath *fie
 if spec.IAM != nil {
 if len(spec.IAM.ServiceAccountExternalPermissions) > 0 {
 if spec.ServiceAccountIssuerDiscovery == nil || !spec.ServiceAccountIssuerDiscovery.EnableAWSOIDCProvider {
- allErrs = append(allErrs, field.Required(fieldPath.Child("serviceAccountIssuerDiscovery", "enableAWSOIDCProvider"), "serviceAccountExternalPermissions requires AWS OIDC Provider to be enabled"))
+ allErrs = append(allErrs, field.Forbidden(fieldPath.Child("iam", "serviceAccountExternalPermissions"), "serviceAccountExternalPermissions requires AWS OIDC Provider to be enabled"))
 }
 allErrs = append(allErrs, validateSAExternalPermissions(spec.IAM.ServiceAccountExternalPermissions, fieldPath.Child("iam", "serviceAccountExternalPermissions"))...)
 }
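Review bot: Now that the error is anchored on `iam.serviceAccountExternalPermissions` instead of the OIDC provider field, the message is the only thing telling the operator which setting to flip, so it should name that field explicitly, e.g. `"serviceAccountExternalPermissions requires serviceAccountIssuerDiscovery.enableAWSOIDCProvider to be true"`. The same path `fieldPath.Child("iam", "serviceAccountExternalPermissions")` is now built twice in the hunk, once for the Forbidden error and once for the validateSAExternalPermissions call; hoisting it to a local before the inner `if` (`saPath := fieldPath.Child("iam", "serviceAccountExternalPermissions")`) keeps the two in step if the field is ever renamed. Returning Forbidden on the permissions block rather than Required on the provider flag is a reasonable choice, since the external IAM grants are the part that must not be honoured without the OIDC provider in place. validateClusterSpec begins and ends outside the hunk.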