diff --git a/pkg/model/context.go b/pkg/model/context.go
index b72207ac05..6eedce2a17 100644
--- a/pkg/model/context.go
+++ b/pkg/model/context.go
@@ -411,5 +411,5 @@ func (m *KopsModelContext) NodePortRange() (utilnet.PortRange, error) {
 // UseServiceAccountIAM returns true if we are using service-account bound IAM roles.
 func (m *KopsModelContext) UseServiceAccountIAM() bool {
-	return featureflag.UseServiceAccountIAM.Enabled()
+	return featureflag.UseServiceAccountIAM.Enabled() && m.IsKubernetesGTE("1.12")
 }
diff --git a/pkg/model/iam.go b/pkg/model/iam.go
index 87ec8c6845..47801dd0f6 100644
--- a/pkg/model/iam.go
+++ b/pkg/model/iam.go
@@ -157,9 +157,10 @@ func (b *IAMModelBuilder) buildIAMRole(role iam.Subject, iamName string, c *fi.M
 func (b *IAMModelBuilder) buildIAMRolePolicy(role iam.Subject, iamName string, iamRole *awstasks.IAMRole, c *fi.ModelBuilderContext) error {
 	iamPolicy := &iam.PolicyResource{
 		Builder: &iam.PolicyBuilder{
-			Cluster: b.Cluster,
-			Role:    role,
-			Region:  b.Region,
+			Cluster:              b.Cluster,
+			Role:                 role,
+			Region:               b.Region,
+			UseServiceAccountIAM: b.UseServiceAccountIAM(),
 		},
 	}
diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index 32b453690e..c5dea19c28 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -37,7 +37,6 @@ import (
 	"k8s.io/klog/v2"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/apis/kops/model"
-	"k8s.io/kops/pkg/featureflag"
 	"k8s.io/kops/pkg/util/stringorslice"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup/awstasks"
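Review bot: The doc comment on UseServiceAccountIAM still describes only the feature flag, while the new return value also requires Kubernetes 1.12 or later, and the `"1.12"` literal carries no explanation of why that version is the floor. When the flag is enabled on an older cluster this now silently returns false, and the callers in iam_builder.go respond by adding the legacy DNS controller permissions to the node roles, so the downgrade widens the node-role policy without any signal to the operator. Suggest `// UseServiceAccountIAM returns true if we are using service-account bound IAM roles; this requires both the feature flag and Kubernetes >= 1.12 (TODO: document why 1.12 is the floor).` and, if a logger is reachable from the context, a warning when the flag is set but the version check fails. The body of NodePortRange named in the hunk header lies outside the hunk.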
@@ -107,12 +106,13 @@ func (l *Statement) Equal(r *Statement) bool {
 // PolicyBuilder struct defines all valid fields to be used when building the
 // AWS IAM policy document for a given instance group role.
 type PolicyBuilder struct {
-	Cluster      *kops.Cluster
-	HostedZoneID string
-	KMSKeys      []string
-	Region       string
-	ResourceARN  *string
-	Role         Subject
+	Cluster              *kops.Cluster
+	HostedZoneID         string
+	KMSKeys              []string
+	Region               string
+	ResourceARN          *string
+	Role                 Subject
+	UseServiceAccountIAM bool
 }
 // BuildAWSPolicy builds a set of IAM policy statements based on the
@@ -157,7 +157,7 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 		addKMSIAMPolicies(p, stringorslice.Slice(b.KMSKeys), b.Cluster.Spec.IAM.Legacy)
 	}
-	if !b.UseServiceAccountIAM() {
+	if !b.UseServiceAccountIAM {
 		if b.Cluster.Spec.IAM.Legacy {
 			addLegacyDNSControllerPermissions(b, p)
 		}
@@ -198,7 +198,7 @@ func (r *NodeRoleNode) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 		return nil, fmt.Errorf("failed to generate AWS IAM S3 access statements: %v", err)
 	}
-	if !b.UseServiceAccountIAM() && b.Cluster.Spec.IAM.Legacy {
+	if !b.UseServiceAccountIAM && b.Cluster.Spec.IAM.Legacy {
 		addLegacyDNSControllerPermissions(b, p)
 		AddDNSControllerPermissions(b, p)
 	}
@@ -572,11 +572,6 @@ func addECRPermissions(p *Policy) {
 	})
 }
-// UseServiceAccountIAM returns true if we are using service-account bound IAM roles.
-func (b *PolicyBuilder) UseServiceAccountIAM() bool {
-	return featureflag.UseServiceAccountIAM.Enabled()
-}
-
 // addLegacyDNSControllerPermissions adds legacy IAM permissions used by the node roles.
 func addLegacyDNSControllerPermissions(b *PolicyBuilder, p *Policy) {
 	// Legacy IAM permissions for node roles
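Review bot: The new `UseServiceAccountIAM bool` field has no doc comment, and its zero value is the permissive direction: in both BuildAWSPolicy hunks below (NodeRoleMaster at 157 and NodeRoleNode at 198) `!b.UseServiceAccountIAM` selects the branch that adds the legacy DNS controller permissions to the node roles. Before this change the method read the feature flag directly, so a PolicyBuilder could not be constructed with this decision accidentally unset; now any construction site other than buildIAMRolePolicy in iam.go (tests or other callers, if they exist) silently gets the broader policy. Suggest documenting that contract on the field, e.g. `// UseServiceAccountIAM reports whether service-account bound IAM roles are in use; when false (the zero value) the node roles receive the legacy DNS controller permissions instead.`, so that future constructors set it deliberately. The type PolicyBuilder is complete within the hunk; the BuildAWSPolicy bodies named in the later hunk headers begin outside them.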