# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 AWSTemplateFormatVersion: 2010-09-09 Description: This template creates the required IAM roles for SageMaker project templates Outputs: AmazonSageMakerServiceCatalogProductsLaunchRoleArn: Description: ProductsLaunchRole ARN Value: !If - ProductsLaunchRoleCondition - !GetAtt ProductsLaunchRole.Arn - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AmazonSageMakerServiceCatalogProductsLaunchRole' AmazonSageMakerServiceCatalogProductsUseRoleArn: Description: ProductsUseRole ARN Value: !If - ProductsUseRoleCondition - !GetAtt ProductsUseRole.Arn - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AmazonSageMakerServiceCatalogProductsUseRole' AmazonSageMakerServiceCatalogProductsCloudformationRoleArn: Description: AmazonSageMakerServiceCatalogProductsCloudformationRole ARN Value: !If - CloudFormationRoleCondition - !GetAtt CloudFormationRole.Arn - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AmazonSageMakerServiceCatalogProductsCloudformationRole' AmazonSageMakerServiceCatalogProductsCodeBuildRoleArn: Description: CodeBuildRole ARN Value: !If - CodeBuildRoleCondition - !GetAtt CodeBuildRole.Arn - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AmazonSageMakerServiceCatalogProductsCodeBuildRole' AmazonSageMakerServiceCatalogProductsCodePipelineRoleArn: Description: CodePipelineRole ARN Value: !If - CodePipelineRoleCondition - !GetAtt CodePipelineRole.Arn - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AmazonSageMakerServiceCatalogProductsCodePipelineRole' AmazonSageMakerServiceCatalogProductsEventsRoleArn: Description: EventsRole ARN Value: !If - EventsRoleCondition - !GetAtt EventsRole.Arn - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AmazonSageMakerServiceCatalogProductsEventsRole' AmazonSageMakerServiceCatalogProductsApiGatewayRoleArn: Description: ApiGatewayRole ARN Value: !If - ApiGatewayRoleCondition - !GetAtt ApiGatewayRole.Arn - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AmazonSageMakerServiceCatalogProductsApiGatewayRole' AmazonSageMakerServiceCatalogProductsFirehoseRoleArn: Description: FirehoseRole ARN Value: !If - FirehoseRoleCondition - !GetAtt FirehoseRole.Arn - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AmazonSageMakerServiceCatalogProductsFirehoseRole' AmazonSageMakerServiceCatalogProductsGlueRoleArn: Description: GlueRole ARN Value: !If - GlueRoleCondition - !GetAtt GlueRole.Arn - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AmazonSageMakerServiceCatalogProductsGlueRole' AmazonSageMakerServiceCatalogProductsLambdaRoleArn: Description: LambdaRole ARN Value: !If - LambdaRoleCondition - !GetAtt LambdaRole.Arn - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AmazonSageMakerServiceCatalogProductsLambdaRole' AmazonSageMakerServiceCatalogProductsExecutionRoleArn: Description: ProductsExecutionRole ARN Value: !If - ProductsExecutionRoleCondition - !GetAtt ProductsExecutionRole.Arn - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AmazonSageMakerServiceCatalogProductsExecutionRole' Parameters: CreateProductsLaunchRole: Description: Create AmazonSageMakerServiceCatalogProductsLaunchRole Type: String AllowedValues: - 'YES' - 'NO' Default: 'NO' CreateProductsUseRole: Description: Create AmazonSageMakerServiceCatalogProductsUseRole Type: String AllowedValues: - 'YES' - 'NO' Default: 'NO' CreateCloudFormationRole: Description: Create AmazonSageMakerServiceCatalogProductsCloudformationRole Type: String AllowedValues: - 'YES' - 'NO' Default: 'NO' CreateCodeBuildRole: Description: Create AmazonSageMakerServiceCatalogProductsCodeBuildRole Type: String AllowedValues: - 'YES' - 'NO' Default: 'NO' CreateCodePipelineRole: Description: Create AmazonSageMakerServiceCatalogProductsCodePipelineRole Type: String AllowedValues: - 'YES' - 'NO' Default: 'NO' CreateEventsRole: Description: Create AmazonSageMakerServiceCatalogProductsEventsRole Type: String AllowedValues: - 'YES' - 'NO' Default: 'NO' CreateApiGatewayRole: Description: Create AmazonSageMakerServiceCatalogProductsApiGatewayRole Type: String AllowedValues: - 'YES' - 'NO' Default: 'NO' CreateFirehoseRole: Description: Create AmazonSageMakerServiceCatalogProductsFirehoseRole Type: String AllowedValues: - 'YES' - 'NO' Default: 'NO' CreateGlueRole: Description: Create AmazonSageMakerServiceCatalogProductsGlueRole Type: String AllowedValues: - 'YES' - 'NO' Default: 'NO' CreateLambdaRole: Description: Create AmazonSageMakerServiceCatalogProductsLambdaRole Type: String AllowedValues: - 'YES' - 'NO' Default: 'NO' CreateProductsExecutionRole: Description: Create AmazonSageMakerServiceCatalogProductsExecutionRole Type: String AllowedValues: - 'YES' - 'NO' Default: 'NO' Conditions: ProductsLaunchRoleCondition: !Equals [ !Ref CreateProductsLaunchRole, 'YES' ] ProductsUseRoleCondition: !Equals [ !Ref CreateProductsUseRole, 'YES' ] CloudFormationRoleCondition: !Equals [ !Ref CreateCloudFormationRole, 'YES' ] CodeBuildRoleCondition: !Equals [ !Ref CreateCodeBuildRole, 'YES' ] CodePipelineRoleCondition: !Equals [ !Ref CreateCodePipelineRole, 'YES' ] EventsRoleCondition: !Equals [ !Ref CreateEventsRole, 'YES' ] ApiGatewayRoleCondition: !Equals [ !Ref CreateApiGatewayRole, 'YES' ] FirehoseRoleCondition: !Equals [ !Ref CreateFirehoseRole, 'YES' ] GlueRoleCondition: !Equals [ !Ref CreateGlueRole, 'YES' ] LambdaRoleCondition: !Equals [ !Ref CreateLambdaRole, 'YES' ] ProductsExecutionRoleCondition: !Equals [ !Ref CreateProductsExecutionRole, 'YES' ] Resources: ProductsLaunchRole: Type: "AWS::IAM::Role" Condition: ProductsLaunchRoleCondition Properties: RoleName: AmazonSageMakerServiceCatalogProductsLaunchRole Description: "SageMaker role created from the SageMaker AWS Management Console. This role has the permissions required to launch the Amazon SageMaker portfolio of products from AWS ServiceCatalog." AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: "servicecatalog.amazonaws.com" Action: "sts:AssumeRole" Path: "/service-role/" MaxSessionDuration: 3600 Policies: - PolicyName: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'apigateway:GET' - 'apigateway:POST' - 'apigateway:PUT' - 'apigateway:PATCH' - 'apigateway:DELETE' Resource: '*' Condition: StringLike: 'aws:ResourceTag/sagemaker:launch-source': '*' - Effect: Allow Action: - 'apigateway:POST' Resource: '*' Condition: 'ForAnyValue:StringLike': 'aws:TagKeys': - 'sagemaker:launch-source' - Effect: Allow Action: - 'apigateway:PATCH' Resource: - 'arn:aws:apigateway:*::/account' - Effect: Allow Action: - 'cloudformation:CreateStack' - 'cloudformation:UpdateStack' - 'cloudformation:DeleteStack' Resource: 'arn:aws:cloudformation:*:*:stack/SC-*' Condition: ArnLikeIfExists: 'cloudformation:RoleArn': - 'arn:aws:sts::*:assumed-role/AmazonSageMakerServiceCatalog*' - Effect: Allow Action: - 'cloudformation:DescribeStackEvents' - 'cloudformation:DescribeStacks' Resource: 'arn:aws:cloudformation:*:*:stack/SC-*' - Effect: Allow Action: - 'cloudformation:GetTemplateSummary' - 'cloudformation:ValidateTemplate' Resource: '*' - Effect: Allow Action: - 'codebuild:CreateProject' - 'codebuild:DeleteProject' - 'codebuild:UpdateProject' Resource: - 'arn:aws:codebuild:*:*:project/sagemaker-*' - Effect: Allow Action: - 'codecommit:CreateCommit' - 'codecommit:CreateRepository' - 'codecommit:DeleteRepository' - 'codecommit:GetRepository' - 'codecommit:TagResource' Resource: - 'arn:aws:codecommit:*:*:sagemaker-*' - Effect: Allow Action: - 'codecommit:ListRepositories' Resource: '*' - Effect: Allow Action: - 'codepipeline:CreatePipeline' - 'codepipeline:DeletePipeline' - 'codepipeline:GetPipeline' - 'codepipeline:GetPipelineState' - 'codepipeline:StartPipelineExecution' - 'codepipeline:TagResource' - 'codepipeline:UpdatePipeline' Resource: - 'arn:aws:codepipeline:*:*:sagemaker-*' - Effect: Allow Action: - 'cognito-idp:CreateUserPool' Resource: '*' Condition: 'ForAnyValue:StringLike': 'aws:TagKeys': - 'sagemaker:launch-source' - Effect: Allow Action: - 'cognito-idp:CreateGroup' - 'cognito-idp:CreateUserPoolDomain' - 'cognito-idp:CreateUserPoolClient' - 'cognito-idp:DeleteGroup' - 'cognito-idp:DeleteUserPool' - 'cognito-idp:DeleteUserPoolClient' - 'cognito-idp:DeleteUserPoolDomain' - 'cognito-idp:DescribeUserPool' - 'cognito-idp:DescribeUserPoolClient' - 'cognito-idp:UpdateUserPool' - 'cognito-idp:UpdateUserPoolClient' Resource: '*' Condition: StringLike: 'aws:ResourceTag/sagemaker:launch-source': '*' - Action: - 'ecr:CreateRepository' - 'ecr:DeleteRepository' Resource: - 'arn:aws:ecr:*:*:repository/sagemaker-*' Effect: Allow - Effect: Allow Action: - 'events:DescribeRule' - 'events:DeleteRule' - 'events:DisableRule' - 'events:EnableRule' - 'events:PutRule' - 'events:PutTargets' - 'events:RemoveTargets' Resource: - 'arn:aws:events:*:*:rule/sagemaker-*' - Effect: Allow Action: - 'firehose:CreateDeliveryStream' - 'firehose:DeleteDeliveryStream' - 'firehose:DescribeDeliveryStream' - 'firehose:StartDeliveryStreamEncryption' - 'firehose:StopDeliveryStreamEncryption' - 'firehose:UpdateDestination' Resource: 'arn:aws:firehose:*:*:deliverystream/sagemaker-*' - Action: - 'glue:CreateDatabase' - 'glue:DeleteDatabase' Resource: - 'arn:aws:glue:*:*:catalog' - 'arn:aws:glue:*:*:database/sagemaker-*' - 'arn:aws:glue:*:*:table/sagemaker-*' - 'arn:aws:glue:*:*:userDefinedFunction/sagemaker-*' Effect: Allow - Action: - 'glue:CreateClassifier' - 'glue:DeleteClassifier' - 'glue:DeleteCrawler' - 'glue:DeleteJob' - 'glue:DeleteTrigger' - 'glue:DeleteWorkflow' - 'glue:StopCrawler' Resource: - '*' Effect: Allow - Action: - 'glue:CreateWorkflow' Resource: - 'arn:aws:glue:*:*:workflow/sagemaker-*' Effect: Allow - Action: - 'glue:CreateJob' Resource: - 'arn:aws:glue:*:*:job/sagemaker-*' Effect: Allow - Action: - 'glue:CreateCrawler' - 'glue:GetCrawler' Resource: - 'arn:aws:glue:*:*:crawler/sagemaker-*' Effect: Allow - Action: - 'glue:CreateTrigger' - 'glue:GetTrigger' Resource: - 'arn:aws:glue:*:*:trigger/sagemaker-*' Effect: Allow - Effect: Allow Action: - 'iam:PassRole' Resource: - 'arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalog*' - Effect: Allow Action: - 'lambda:AddPermission' - 'lambda:CreateFunction' - 'lambda:DeleteFunction' - 'lambda:GetFunction' - 'lambda:GetFunctionConfiguration' - 'lambda:InvokeFunction' - 'lambda:RemovePermission' Resource: - 'arn:aws:lambda:*:*:function:sagemaker-*' - Effect: Allow Action: - 'logs:CreateLogGroup' - 'logs:CreateLogStream' - 'logs:DeleteLogGroup' - 'logs:DeleteLogStream' - 'logs:DescribeLogGroups' - 'logs:DescribeLogStreams' - 'logs:PutRetentionPolicy' Resource: - 'arn:aws:logs:*:*:log-group:/aws/apigateway/AccessLogs/*' - 'arn:aws:logs:*:*:log-group::log-stream:*' - Effect: Allow Action: 's3:GetObject' Resource: '*' Condition: StringEquals: 's3:ExistingObjectTag/servicecatalog:provisioning': 'true' - Effect: Allow Action: 's3:GetObject' Resource: - 'arn:aws:s3:::sagemaker-*' - Effect: Allow Action: - 's3:CreateBucket' - 's3:DeleteBucket' - 's3:DeleteBucketPolicy' - 's3:GetBucketPolicy' - 's3:PutBucketAcl' - 's3:PutBucketNotification' - 's3:PutBucketPolicy' - 's3:PutBucketPublicAccessBlock' - 's3:PutBucketLogging' - 's3:PutEncryptionConfiguration' Resource: 'arn:aws:s3:::sagemaker-*' - Action: - 'sagemaker:CreateEndpoint' - 'sagemaker:CreateEndpointConfig' - 'sagemaker:CreateModel' - 'sagemaker:CreateWorkteam' - 'sagemaker:DeleteEndpoint' - 'sagemaker:DeleteEndpointConfig' - 'sagemaker:DeleteModel' - 'sagemaker:DeleteWorkteam' - 'sagemaker:DescribeModel' - 'sagemaker:DescribeEndpointConfig' - 'sagemaker:DescribeEndpoint' - 'sagemaker:DescribeWorkteam' Resource: - 'arn:aws:sagemaker:*:*:*' Effect: Allow - Action: - 'states:CreateStateMachine' - 'states:DeleteStateMachine' - 'states:UpdateStateMachine' Resource: - 'arn:aws:states:*:*:stateMachine:sagemaker-*' Effect: Allow ProductsUseRole: Type: "AWS::IAM::Role" Condition: ProductsUseRoleCondition Properties: RoleName: AmazonSageMakerServiceCatalogProductsUseRole Description: "SageMaker role created from the SageMaker AWS Management Console. This role has the permissions required to use the Amazon SageMaker portfolio of products from AWS ServiceCatalog." Path: "/service-role/" MaxSessionDuration: 3600 AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "cloudformation.amazonaws.com" - "apigateway.amazonaws.com" - "lambda.amazonaws.com" - "codebuild.amazonaws.com" - "sagemaker.amazonaws.com" - "glue.amazonaws.com" - "events.amazonaws.com" - "states.amazonaws.com" - "codepipeline.amazonaws.com" - "firehose.amazonaws.com" Action: "sts:AssumeRole" Policies: - PolicyName: AmazonSageMakerServiceCatalogProductsUseRole-20210122T152377 PolicyDocument: Version: 2012-10-17 Statement: - Action: - cloudformation:CreateChangeSet - cloudformation:CreateStack - cloudformation:DescribeChangeSet - cloudformation:DeleteChangeSet - cloudformation:DeleteStack - cloudformation:DescribeStacks - cloudformation:ExecuteChangeSet - cloudformation:SetStackPolicy - cloudformation:UpdateStack Resource: arn:aws:cloudformation:*:*:stack/sagemaker-* Effect: Allow - Action: - cloudwatch:PutMetricData Resource: "*" Effect: Allow - Action: - codebuild:BatchGetBuilds - codebuild:StartBuild Resource: - arn:aws:codebuild:*:*:project/sagemaker-* - arn:aws:codebuild:*:*:build/sagemaker-* Effect: Allow - Action: - codecommit:CancelUploadArchive - codecommit:GetBranch - codecommit:GetCommit - codecommit:GetUploadArchiveStatus - codecommit:UploadArchive Resource: arn:aws:codecommit:*:*:sagemaker-* Effect: Allow - Action: - codepipeline:StartPipelineExecution Resource: arn:aws:codepipeline:*:*:sagemaker-* Effect: Allow - Action: - ec2:DescribeRouteTables Resource: "*" Effect: Allow - Action: - ecr:BatchCheckLayerAvailability - ecr:BatchGetImage - ecr:Describe* - ecr:GetAuthorizationToken - ecr:GetDownloadUrlForLayer Resource: "*" Effect: Allow - Effect: Allow Action: - ecr:BatchDeleteImage - ecr:CompleteLayerUpload - ecr:CreateRepository - ecr:DeleteRepository - ecr:InitiateLayerUpload - ecr:PutImage - ecr:UploadLayerPart Resource: - arn:aws:ecr:*:*:repository/sagemaker-* - Action: - events:DeleteRule - events:DescribeRule - events:PutRule - events:PutTargets - events:RemoveTargets Resource: - arn:aws:events:*:*:rule/sagemaker-* Effect: Allow - Action: - firehose:PutRecord - firehose:PutRecordBatch Resource: arn:aws:firehose:*:*:deliverystream/sagemaker-* Effect: Allow - Action: - glue:BatchCreatePartition - glue:BatchDeletePartition - glue:BatchDeleteTable - glue:BatchDeleteTableVersion - glue:BatchGetPartition - glue:CreateDatabase - glue:CreatePartition - glue:CreateTable - glue:DeletePartition - glue:DeleteTable - glue:DeleteTableVersion - glue:GetDatabase - glue:GetPartition - glue:GetPartitions - glue:GetTable - glue:GetTables - glue:GetTableVersion - glue:GetTableVersions - glue:SearchTables - glue:UpdatePartition - glue:UpdateTable Resource: - arn:aws:glue:*:*:catalog - arn:aws:glue:*:*:database/default - arn:aws:glue:*:*:database/global_temp - arn:aws:glue:*:*:database/sagemaker-* - arn:aws:glue:*:*:table/sagemaker-* - arn:aws:glue:*:*:tableVersion/sagemaker-* Effect: Allow - Action: - iam:PassRole Resource: - arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsUse* Effect: Allow - Effect: Allow Action: - lambda:InvokeFunction Resource: - arn:aws:lambda:*:*:function:sagemaker-* - Action: - logs:CreateLogDelivery - logs:CreateLogGroup - logs:CreateLogStream - logs:DeleteLogDelivery - logs:Describe* - logs:GetLogDelivery - logs:GetLogEvents - logs:ListLogDeliveries - logs:PutLogEvents - logs:PutResourcePolicy - logs:UpdateLogDelivery Resource: "*" Effect: Allow - Effect: Allow Action: - s3:CreateBucket - s3:DeleteBucket - s3:GetBucketAcl - s3:GetBucketCors - s3:GetBucketLocation - s3:ListAllMyBuckets - s3:ListBucket - s3:ListBucketMultipartUploads - s3:PutBucketCors Resource: - arn:aws:s3:::aws-glue-* - arn:aws:s3:::sagemaker-* - Effect: Allow Action: - s3:AbortMultipartUpload - s3:DeleteObject - s3:GetObject - s3:GetObjectVersion - s3:PutObject Resource: - arn:aws:s3:::aws-glue-* - arn:aws:s3:::sagemaker-* - Effect: Allow Action: - sagemaker:* NotResource: - arn:aws:sagemaker:*:*:domain/* - arn:aws:sagemaker:*:*:user-profile/* - arn:aws:sagemaker:*:*:app/* - arn:aws:sagemaker:*:*:flow-definition/* - Action: - states:DescribeExecution - states:DescribeStateMachine - states:DescribeStateMachineForExecution - states:GetExecutionHistory - states:ListExecutions - states:ListTagsForResource - states:StartExecution - states:StopExecution - states:TagResource - states:UntagResource - states:UpdateStateMachine Resource: - arn:aws:states:*:*:stateMachine:sagemaker-* - arn:aws:states:*:*:execution:sagemaker-*:* Effect: Allow - Action: - states:ListStateMachines Resource: "*" Effect: Allow CloudFormationRole: Type: "AWS::IAM::Role" Condition: CloudFormationRoleCondition Properties: RoleName: AmazonSageMakerServiceCatalogProductsCloudformationRole Description: "CloudFormationRole" AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: "cloudformation.amazonaws.com" Action: "sts:AssumeRole" Path: "/service-role/" MaxSessionDuration: 3600 ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy" CodeBuildRole: Type: "AWS::IAM::Role" Condition: CodeBuildRoleCondition Properties: RoleName: AmazonSageMakerServiceCatalogProductsCodeBuildRole Description: "CodeBuildRole" AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: "codebuild.amazonaws.com" Action: "sts:AssumeRole" Path: "/service-role/" MaxSessionDuration: 3600 ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy" CodePipelineRole: Type: "AWS::IAM::Role" Condition: CodePipelineRoleCondition Properties: RoleName: AmazonSageMakerServiceCatalogProductsCodePipelineRole Description: "CodePipelineRole" AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: "codepipeline.amazonaws.com" Action: "sts:AssumeRole" Path: "/service-role/" MaxSessionDuration: 3600 ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy" EventsRole: Type: "AWS::IAM::Role" Condition: EventsRoleCondition Properties: RoleName: AmazonSageMakerServiceCatalogProductsEventsRole Description: "EventsRole" AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: "events.amazonaws.com" Action: "sts:AssumeRole" Path: "/service-role/" MaxSessionDuration: 3600 ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy" ApiGatewayRole: Type: "AWS::IAM::Role" Condition: ApiGatewayRoleCondition Properties: RoleName: AmazonSageMakerServiceCatalogProductsApiGatewayRole Description: "ApiGatewayRole" AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: "apigateway.amazonaws.com" Action: "sts:AssumeRole" Path: "/service-role/" MaxSessionDuration: 3600 ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy" FirehoseRole: Type: "AWS::IAM::Role" Condition: FirehoseRoleCondition Properties: RoleName: AmazonSageMakerServiceCatalogProductsFirehoseRole Description: "FirehoseRole" AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: "firehose.amazonaws.com" Action: "sts:AssumeRole" Path: "/service-role/" MaxSessionDuration: 3600 ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy" GlueRole: Type: "AWS::IAM::Role" Condition: GlueRoleCondition Properties: RoleName: AmazonSageMakerServiceCatalogProductsGlueRole Description: "GlueRole" AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: "glue.amazonaws.com" Action: "sts:AssumeRole" Path: "/service-role/" MaxSessionDuration: 3600 ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy" LambdaRole: Type: "AWS::IAM::Role" Condition: LambdaRoleCondition Properties: RoleName: AmazonSageMakerServiceCatalogProductsLambdaRole Description: "LambdaRole" AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: "lambda.amazonaws.com" Action: "sts:AssumeRole" Path: "/service-role/" MaxSessionDuration: 3600 ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy" ProductsExecutionRole: Type: "AWS::IAM::Role" Condition: ProductsExecutionRoleCondition Properties: RoleName: AmazonSageMakerServiceCatalogProductsExecutionRole Description: "ProductsExecutionRole" AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: "sagemaker.amazonaws.com" Action: "sts:AssumeRole" Path: "/service-role/" MaxSessionDuration: 3600 ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSageMakerFullAccess"