diff --git a/capa-controller-role/README.md b/capa-controller-role/README.md
index 9560c70..23ebd00 100644
--- a/capa-controller-role/README.md
+++ b/capa-controller-role/README.md
@@ -14,6 +14,8 @@ If you don't know what the `INSTALLATION_NAME` value is supposed to be, ask Gian
 ```
 export INSTALLATION_NAME=test
 export ROLE_NAME="giantswarm-${INSTALLATION_NAME}-capa-controller"
+# for china replace this with proper AWS China account, for AWS Global leave this as it is for all cases
+export AWS_ACCOUNT=084190472784
 envsubst < ./trusted-entities.json > ${INSTALLATION_NAME}-trusted-entities.json
 aws iam create-role --role-name "${ROLE_NAME}" --description "Giant Swarm managed role for k8s cluster creation" --assume-role-policy-document file://${INSTALLATION_NAME}-trusted-entities.json
diff --git a/capa-controller-role/eks-controller-policy.json b/capa-controller-role/eks-controller-policy.json
index e2b15f9..bc6fac0 100644
--- a/capa-controller-role/eks-controller-policy.json
+++ b/capa-controller-role/eks-controller-policy.json
@@ -44,7 +44,7 @@
 "iam:CreateServiceLinkedRole"
 ],
 "Resource": [
- "arn:aws:iam::*:role/aws-service-role/eks-fargate-pods.amazonaws.com/AWSServiceRoleForAmazonEKSForFargate"
+ "arn:*:iam::*:role/aws-service-role/eks-fargate-pods.amazonaws.com/AWSServiceRoleForAmazonEKSForFargate"
 ],
 "Condition": {
 "StringLike": {
diff --git a/capa-controller-role/irsa-operator-policy.json b/capa-controller-role/irsa-operator-policy.json
index ff127a1..df7b60d 100644
--- a/capa-controller-role/irsa-operator-policy.json
+++ b/capa-controller-role/irsa-operator-policy.json
@@ -49,7 +49,7 @@
 "s3:PutLifecycleConfiguration",
 "s3:PutObjectAcl"
 ],
- "Resource": "arn:aws:s3:::*-g8s-*"
+ "Resource": "arn:*:s3:::*-g8s-*"
 },
 {
 "Effect": "Allow",
diff --git a/capa-controller-role/trusted-entities.json b/capa-controller-role/trusted-entities.json
index 5d8a645..8bd4f5b 100644
--- a/capa-controller-role/trusted-entities.json
+++ b/capa-controller-role/trusted-entities.json
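Review bot: The partition wildcard in the Resource ARN (`arn:*:iam::*:role/aws-service-role/...`) reads like a cross-partition grant, but an IAM policy can only authorize actions on resources in the partition the role itself lives in, so `*` here is equivalent to the role's own partition and does not widen the statement; the same holds for `arn:*:s3:::*-g8s-*` in the irsa-operator-policy.json hunk. As far as the visible README shows, only trusted-entities.json goes through envsubst, so a wildcard is a reasonable way to keep one static policy file for both aws and aws-cn, but nothing records that intent and JSON has no comment syntax. I'd add one sentence to the README next to the `AWS_ACCOUNT` export, e.g. `# Resource ARNs in the policy files use "arn:*" so the same files work in aws and aws-cn; a policy cannot reach across partitions, so this does not widen access.` The Condition block that scopes iam:CreateServiceLinkedRole continues outside the hunk.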
@@ -4,7 +4,7 @@
 {
 "Effect": "Allow",
 "Principal": {
- "AWS": "arn:aws:iam::084190472784:user/${INSTALLATION_NAME}-capa-controller"
+ "AWS": "arn:*:iam::${AWS_ACCOUNT}:user/${INSTALLATION_NAME}-capa-controller"
 },
 "Action": "sts:AssumeRole",
 "Condition": {}
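Review bot: `arn:*:iam::${AWS_ACCOUNT}:user/...` in the Principal element is unlikely to be accepted: IAM allows wildcards inside Resource ARNs but not inside a Principal ARN (only a bare `*` is permitted there), so `aws iam create-role` would most likely fail with a MalformedPolicyDocument / invalid-principal error instead of creating the role. Since the partition is fixed by the account anyway, template it the same way as the account: `"AWS": "arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT}:user/${INSTALLATION_NAME}-capa-controller"` and have the README export `AWS_PARTITION=aws` (or `aws-cn`) next to `AWS_ACCOUNT`. envsubst replaces an unset variable with an empty string and has no `${VAR:-default}` form, so the default must be exported explicitly, and a guard such as `: "${AWS_ACCOUNT:?}" "${AWS_PARTITION:?}"` before the envsubst line would make a missing export fail early rather than emit a principal ARN with an empty account. The surrounding Statement array and policy object close outside the hunk.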