diff --git a/cmd/kops/integration_test.go b/cmd/kops/integration_test.go
index f7b2bf4a16bcb..26176b7e803a4 100644
--- a/cmd/kops/integration_test.go
+++ b/cmd/kops/integration_test.go
@@ -607,6 +607,14 @@ func runTestCloudformation(t *testing.T, clusterName string, srcDir string, vers
 t.Logf("actual terraform output in %s", actualPath)
 }
+ if os.Getenv("HACK_UPDATE_EXPECTED_IN_PLACE") != "" {
+ fp := path.Join(srcDir, expectedCfPath)
+ t.Logf("HACK_UPDATE_EXPECTED_IN_PLACE: writing expected output %s", fp)
+ if err := ioutil.WriteFile(fp, actualCF, 0644); err != nil {
+ t.Errorf("error writing expected output file %q: %v", fp, err)
+ }
+ }
+
 t.Fatalf("cloudformation output differed from expected. Test file: %s", path.Join(srcDir, expectedCfPath))
 }
diff --git a/docs/iam_roles.md b/docs/iam_roles.md
index b38c07ff5bf0e..be016dddf6f98 100644
--- a/docs/iam_roles.md
+++ b/docs/iam_roles.md
@@ -178,10 +178,10 @@ Now run a cluster update to create the new launch configuration, using [lifecycl
 kops update cluster ${CLUSTER_NAME} --yes --lifecycle-overrides IAMRole=ExistsAndWarnIfChanges,IAMRolePolicy=ExistsAndWarnIfChanges,IAMInstanceProfileRole=ExistsAndWarnIfChanges
 ```
-*Everytime `kops update cluster` is ran, it must include the above `--lifecycle-overrides` unless a non-`security` phase is specified.*
+*Everytime `kops update cluster` is run, it must include the above `--lifecycle-overrides` unless a non-`security` phase is specified.*
 Finally, perform a rolling update in order to replace EC2 instances in the ASG with the new launch configuration:
 ```
 kops rolling-update cluster ${CLUSTER_NAME} --yes
-```
\ No newline at end of file
+```
diff --git a/pkg/model/iam.go b/pkg/model/iam.go
index e018483232410..fb9eb977299fb 100644
--- a/pkg/model/iam.go
+++ b/pkg/model/iam.go
@@ -19,7 +19,6 @@ package model
 import (
 "encoding/json"
 "fmt"
- "reflect"
 "strings"
 "text/template"
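Review bot: The `HACK_UPDATE_EXPECTED_IN_PLACE` branch added to runTestCloudformation in cmd/kops/integration_test.go carries no comment, although it overwrites the golden file that pins the generated CloudFormation, and that file includes `AWS::IAM::Policy` resources. Because `t.Fatalf` still runs after the write, the current run fails and the next run passes against whatever was written, so the regenerated file needs the same review as any other change to expected permissions. I would add above the `if`: `// HACK_UPDATE_EXPECTED_IN_PLACE overwrites the expected output with the actual output; the test still fails on this run. Review the resulting diff before committing it.` The enclosing function starts and ends outside the hunk.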
@@ -168,10 +167,9 @@ func (b *IAMModelBuilder) buildIAMTasks(igRole kops.InstanceGroupRole, iamName s
 {
 additionalPolicy := ""
 if b.Cluster.Spec.AdditionalPolicies != nil {
- roleAsString := reflect.ValueOf(igRole).String()
 additionalPolicies := *(b.Cluster.Spec.AdditionalPolicies)
- additionalPolicy = additionalPolicies[strings.ToLower(roleAsString)]
+ additionalPolicy = additionalPolicies[strings.ToLower(string(igRole))]
 }
 additionalPolicyName := "additional." + iamName
diff --git a/pkg/util/templater/templater.go b/pkg/util/templater/templater.go
index d10ef6b4d492b..d9762fc34ebac 100644
--- a/pkg/util/templater/templater.go
+++ b/pkg/util/templater/templater.go
@@ -114,7 +114,7 @@ func indentContent(indent int, content string) string {
 return b.String()
 }
-// includenSnippet is responsible for including a snippet
+// includeSnippet is responsible for including a snippet
 func includeSnippet(tm *template.Template, name string, context map[string]interface{}) (string, error) {
 b := bytes.NewBufferString("")
 if err := tm.ExecuteTemplate(b, name, context); err != nil {
diff --git a/tests/integration/update_cluster/additional_user-data/cloudformation.json b/tests/integration/update_cluster/additional_user-data/cloudformation.json
index c3452f602f279..1f482be8cb0f7 100644
--- a/tests/integration/update_cluster/additional_user-data/cloudformation.json
+++ b/tests/integration/update_cluster/additional_user-data/cloudformation.json
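Review bot: In buildIAMTasks in pkg/model/iam.go, the lookup `additionalPolicies[strings.ToLower(string(igRole))]` lower-cases the role but takes the map keys exactly as written in the cluster spec, so a key spelled `Master`, or any key that matches no role, returns the empty string without a warning on this path. Whether the keys are validated or normalised elsewhere is not visible here, and what the rest of the function does with an empty `additionalPolicy` lies outside the hunk. If nothing validates them, a comment such as `// AdditionalPolicies keys must be the lower-case role name (e.g. "master"); unmatched keys are ignored` would record the contract. Rejecting unknown keys during spec validation would be safer than silently dropping a policy the operator believes is applied.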
@@ -611,6 +611,31 @@
 ]
 }
 },
+ "AWSIAMPolicyadditionalmastersadditionaluserdataexamplecom": {
+ "Type": "AWS::IAM::Policy",
+ "Properties": {
+ "PolicyName": "additional.masters.additionaluserdata.example.com",
+ "Roles": [
+ {
+ "Ref": "AWSIAMRolemastersadditionaluserdataexamplecom"
+ }
+ ],
+ "PolicyDocument": {
+ "Statement": [
+ {
+ "Action": [
+ "s3:GetObject"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:s3:::somebucket/someobject"
+ ]
+ }
+ ],
+ "Version": "2012-10-17"
+ }
+ }
+ },
 "AWSIAMPolicymastersadditionaluserdataexamplecom": {
 "Type": "AWS::IAM::Policy",
 "Properties": {
@@ -840,4 +865,4 @@
 }
 }
 }
-}
+}
\ No newline at end of file
diff --git a/tests/integration/update_cluster/additional_user-data/in-v1alpha2.yaml b/tests/integration/update_cluster/additional_user-data/in-v1alpha2.yaml
index d62aa1280ef70..d3350d6978903 100644
--- a/tests/integration/update_cluster/additional_user-data/in-v1alpha2.yaml
+++ b/tests/integration/update_cluster/additional_user-data/in-v1alpha2.yaml
@@ -4,6 +4,15 @@ metadata:
 creationTimestamp: "2016-12-10T22:42:27Z"
 name: additionaluserdata.example.com
 spec:
+ additionalPolicies:
+ master: |
+ [
+ {
+ "Action": [ "s3:GetObject" ],
+ "Resource": [ "arn:aws:s3:::somebucket/someobject" ],
+ "Effect": "Allow"
+ }
+ ]
 kubernetesApiAccess:
 - 0.0.0.0/0
 channel: stable