{
    "Version": "2012-10-17",
    "Id": "key-rosa-policy-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<aws-account-id>:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow ROSA use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-Support-Role", 
                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-Installer-Role",
                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-Worker-Role",
                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-ControlPlane-Role",
                    "arn:aws:iam::<aws-account-id>:role/<clustername>-openshift-cluster-csi-drivers-ebs-cloud-cre"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-Support-Role", 
                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-Installer-Role",
                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-Worker-Role",
                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-ControlPlane-Role",
                    "arn:aws:iam::<aws-account-id>:role/<clustername>-openshift-cluster-csi-drivers-ebs-cloud-cre"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}