Creating aws role returns 403 unauthorized to perform iam:GetRole

We have a Vault cluster running in an EKS cluster with self-managed ec2 nodes that have an instance-profile attached.

I am looking to establish aws iam authentication for a set of applications that run in ECS FARGATE.

I am logging in to Vault with a token that has full rights over auth/

I successfully created vault auth enable aws and created relevant policy ecs-task-policy.

I went to create the ECS Task Role:

auth_type=iam \
policies=ecs-task-policy \

where the iam principal arn is the AWS task role of the ECS task that will interact with Vault.

I am getting the following error trying to create the role:

Error writing data to auth/aws/role/vault-role-rwn-ecs-task-role: Error making API request.
Code: 400. Errors:
* unable to resolve ARN "arn:aws:iam::1234567890:role/ecs-task-role" to internal ID: AccessDenied: User: arn:aws:sts::1234567890:assumed-role/eks-node-group-role/i-11223344556677 is not authorized to perform: iam:GetRole on resource: role ecs-task-role because no identity-based policy allows the iam:GetRole action
        status code: 403, request id: 123456-123456-123456-abcdef

It appears that the assumed role of the EKS node instance profile is getting in the way, but why is that the case? All I want is the ECS task to to be able to authenticate to Vault using the role of the task? Again, ECS is fargate so I am not sure where the EKS node plays in.