{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "autoscaling:*", "cloudformation:*", "ec2:*", "elasticloadbalancing:*", "iam:AddRoleToInstanceProfile", "iam:AttachRolePolicy", "iam:CreateInstanceProfile", "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:CreateServiceLinkedRole", "iam:DeleteInstanceProfile", "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DeleteServiceLinkedRole", "iam:DetachRolePolicy", "iam:GetAccount*", "iam:GetInstanceProfile", "iam:GetRole", "iam:GetRolePolicy", "iam:GetServiceLinkedRoleDeletionStatus", "iam:GetUser", "iam:GetUserPolicy", "iam:ListAttachedRolePolicies", "iam:ListAttachedUserPolicies", "iam:ListInstanceProfilesForRole", "iam:ListPolicies", "iam:ListRolePolicies", "iam:ListRoles", "iam:PassRole", "iam:PutRolePolicy", "iam:RemoveRoleFromInstanceProfile", "iam:TagRole", "iam:UpdateAssumeRolePolicy", "iam:UpdateRoleDescription", "kms:*", "logs:*", "route53:*", "sts:AssumeRole", "sts:DecodeAuthorizationMessage", "sts:GetFederationToken", "servicequotas:*", "support:*", "trustedadvisor:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteObject", "s3:GetBucketLogging", "s3:GetObject", "s3:ListBucket", "s3:PutBucketAcl", "s3:PutBucketEncryption", "s3:PutBucketLogging", "s3:PutBucketLifecycle", "s3:PutBucketTagging", "s3:PutObject", "s3:PutEncryptionConfiguration", "s3:PutLifecycleConfiguration" ], "Resource": "arn:aws:s3:::*-g8s-*" }, { "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DeleteServiceLinkedRole", "iam:DetachRolePolicy", "iam:PassRole", "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy", "iam:UpdateRoleDescription" ], "Resource": [ "${arn_prefix}:iam::${account_id}:role/*-EC2-K8S-Role", "${arn_prefix}:iam::${account_id}:role/*-IAMManager-Role", "${arn_prefix}:iam::${account_id}:role/*-Route53Manager-Role", "${arn_prefix}:iam::${account_id}:role/*-vpc-peer-access", "${arn_prefix}:iam::${account_id}:role/gs-*" ] }, { "Effect": "Allow", "Action": [ "iam:AddRoleToInstanceProfile", "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:RemoveRoleFromInstanceProfile" ], "Resource": [ "${arn_prefix}:iam::${account_id}:instance-profile/*-EC2-K8S-Role", "${arn_prefix}:iam::${account_id}:instance-profile/gs-*" ] }, { "Effect": "Allow", "Action": [ "iam:ListRoleTags", "iam:TagRole" ], "Resource": [ "${arn_prefix}:iam::${account_id}:role/gs-*", "${arn_prefix}:iam::${account_id}:role/*-IAMManager-Role", "${arn_prefix}:iam::${account_id}:role/*-Route53Manager-Role" ] }, { "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "${arn_prefix}:iam::${account_id}:role/aws-service-role/*" } ] }