{
  "Version": "2012-10-17",
  "Id": "SmartStoreBucketPolicy",
  "Statement": [
    {
      "Sid": "RestrictedAllow",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "${role_arn}"
        ]
      },
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "${bucket_arn}",
        "${bucket_arn}/*"
      ],
      "Condition": {
         "IpAddress": {"aws:SourceIp": "${vpc_cidr}"}
      }
    },
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "${bucket_arn}",
        "${bucket_arn}/*"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::${account}:root"
        ]
      }
    }
  ]
}