{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:*",
                "cloudformation:*",
                "cloudwatch:*",
                "ec2:*",
                "ecr:*",
                "elasticloadbalancing:*",
                "events:*",
                "iam:GetAccount*",
                "iam:GetInstanceProfile",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetServiceLinkedRoleDeletionStatus",
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicies",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "kms:*",
                "logs:*",
                "route53:*",
                "route53domains:*",
                "s3:*",
                "sts:AssumeRole",
                "sts:DecodeAuthorizationMessage",
                "sts:GetFederationToken",
                "servicequotas:*",
                "support:*",
                "trustedadvisor:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:CreateRole",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DeleteServiceLinkedRole",
                "iam:DetachRolePolicy",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:UpdateRoleDescription"
            ],
            "Resource": [
                "${arn_prefix}:iam::${account_id}:role/*-EC2-K8S-Role",
                "${arn_prefix}:iam::${account_id}:role/*-IAMManager-Role",
                "${arn_prefix}:iam::${account_id}:role/*-Route53Manager-Role",
                "${arn_prefix}:iam::${account_id}:role/*-vpc-peer-access",
                "${arn_prefix}:iam::${account_id}:role/gs-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": [
                "${arn_prefix}:iam::${account_id}:instance-profile/*-EC2-K8S-Role",
                "${arn_prefix}:iam::${account_id}:instance-profile/gs-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListRoleTags",
                "iam:TagRole"
            ],
            "Resource": [
                "${arn_prefix}:iam::${account_id}:role/gs-*",
                "${arn_prefix}:iam::${account_id}:role/*-IAMManager-Role",
                "${arn_prefix}:iam::${account_id}:role/*-Route53Manager-Role"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "${arn_prefix}:iam::${account_id}:role/aws-service-role/*"
        }
    ]
}