# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 AWSTemplateFormatVersion: 2010-09-09 Description: Create SageMaker Project templates IAM Roles (AmazonSageMakerServiceCatalogProductsLaunchRole and AmazonSageMakerServiceCatalogProductsUseRole) Outputs: AmazonSageMakerServiceCatalogProductsLaunchRoleArn: Description: AmazonSageMakerServiceCatalogProductsLaunchRole ARN Value: !If - AmazonSageMakerServiceCatalogProductsLaunchRoleCondition - !GetAtt AmazonSageMakerServiceCatalogProductsLaunchRole.Arn - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AmazonSageMakerServiceCatalogProductsLaunchRole' AmazonSageMakerServiceCatalogProductsUseRoleArn: Description: AmazonSageMakerServiceCatalogProductsUseRole ARN Value: !If - AmazonSageMakerServiceCatalogProductsUseRoleCondition - !GetAtt AmazonSageMakerServiceCatalogProductsUseRole.Arn - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AmazonSageMakerServiceCatalogProductsUseRole' Parameters: AmazonSageMakerServiceCatalogProductsLaunchRoleName: Description: AmazonSageMakerServiceCatalogProductsLaunchRole Name Type: String Default: 'AmazonSageMakerServiceCatalogProductsLaunchRole' AmazonSageMakerServiceCatalogProductsUseRoleName: Description: AmazonSageMakerServiceCatalogProductsUseRole Name Type: String Default: 'AmazonSageMakerServiceCatalogProductsUseRole' Conditions: AmazonSageMakerServiceCatalogProductsLaunchRoleCondition: !Not [ !Equals [ !Ref AmazonSageMakerServiceCatalogProductsLaunchRoleName, '' ] ] AmazonSageMakerServiceCatalogProductsUseRoleCondition: !Not [ !Equals [ !Ref AmazonSageMakerServiceCatalogProductsUseRoleName, ''] ] Resources: ### Roles for Sagemaker projects AmazonSageMakerServiceCatalogProductsLaunchRole: Type: "AWS::IAM::Role" DeletionPolicy: Retain UpdateReplacePolicy: Retain Condition: AmazonSageMakerServiceCatalogProductsLaunchRoleCondition Properties: RoleName: !Ref AmazonSageMakerServiceCatalogProductsLaunchRoleName Description: "SageMaker role created from the SageMaker AWS Management Console. This role has the permissions required to launch the Amazon SageMaker portfolio of products from AWS ServiceCatalog." AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - servicecatalog.amazonaws.com - codepipeline.amazonaws.com - lambda.amazonaws.com Action: "sts:AssumeRole" Path: "/service-role/" MaxSessionDuration: 3600 ManagedPolicyArns: - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole' - 'arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess' Policies: - PolicyName: AmazonSageMakerServiceCatalogProductsLaunchRolePolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'apigateway:GET' - 'apigateway:POST' - 'apigateway:PUT' - 'apigateway:PATCH' - 'apigateway:DELETE' Resource: - '*' Condition: StringLike: 'aws:ResourceTag/sagemaker:launch-source': '*' - Effect: Allow Action: - 'apigateway:POST' Resource: - '*' Condition: 'ForAnyValue:StringLike': 'aws:TagKeys': - 'sagemaker:launch-source' - Effect: Allow Action: - 'apigateway:PATCH' Resource: - 'arn:aws:apigateway:*::/account' - Effect: Allow Action: - 'cloudformation:CreateStack' - 'cloudformation:UpdateStack' - 'cloudformation:DeleteStack' Resource: 'arn:aws:cloudformation:*:*:stack/SC-*' Condition: ArnLikeIfExists: 'cloudformation:RoleArn': - 'arn:aws:sts::*:assumed-role/AmazonSageMakerServiceCatalog*' - Effect: Allow Action: - 'cloudformation:DescribeStackEvents' - 'cloudformation:DescribeStacks' Resource: 'arn:aws:cloudformation:*:*:stack/SC-*' - Effect: Allow Action: - 'cloudformation:GetTemplateSummary' - 'cloudformation:ValidateTemplate' Resource: - '*' - Effect: Allow Action: - 'codebuild:CreateProject' - 'codebuild:DeleteProject' - 'codebuild:UpdateProject' - 'codebuild:TagResource' Resource: - 'arn:aws:codebuild:*:*:project/sagemaker-*' - Effect: Allow Action: - 'codecommit:CreateCommit' - 'codecommit:CreateRepository' - 'codecommit:DeleteRepository' - 'codecommit:GetRepository' - 'codecommit:TagResource' Resource: - 'arn:aws:codecommit:*:*:sagemaker-*' - Effect: Allow Action: - 'codecommit:ListRepositories' Resource: - '*' - Effect: Allow Action: - 'codepipeline:CreatePipeline' - 'codepipeline:DeletePipeline' - 'codepipeline:GetPipeline' - 'codepipeline:GetPipelineState' - 'codepipeline:StartPipelineExecution' - 'codepipeline:TagResource' - 'codepipeline:UpdatePipeline' Resource: - 'arn:aws:codepipeline:*:*:sagemaker-*' - Effect: Allow Action: - 'cognito-idp:CreateUserPool' Resource: - '*' Condition: 'ForAnyValue:StringLike': 'aws:TagKeys': - 'sagemaker:launch-source' - Effect: Allow Action: - 'cognito-idp:CreateGroup' - 'cognito-idp:CreateUserPoolDomain' - 'cognito-idp:CreateUserPoolClient' - 'cognito-idp:DeleteGroup' - 'cognito-idp:DeleteUserPool' - 'cognito-idp:DeleteUserPoolClient' - 'cognito-idp:DeleteUserPoolDomain' - 'cognito-idp:DescribeUserPool' - 'cognito-idp:DescribeUserPoolClient' - 'cognito-idp:UpdateUserPool' - 'cognito-idp:UpdateUserPoolClient' Resource: - '*' Condition: StringLike: 'aws:ResourceTag/sagemaker:launch-source': '*' - Action: - 'ecr:CreateRepository' - 'ecr:DeleteRepository' Resource: - 'arn:aws:ecr:*:*:repository/sagemaker-*' Effect: Allow - Effect: Allow Action: - 'events:DescribeRule' - 'events:DeleteRule' - 'events:DisableRule' - 'events:EnableRule' - 'events:PutRule' - 'events:PutTargets' - 'events:RemoveTargets' Resource: - 'arn:aws:events:*:*:rule/sagemaker-*' - Effect: Allow Action: - 'firehose:CreateDeliveryStream' - 'firehose:DeleteDeliveryStream' - 'firehose:DescribeDeliveryStream' - 'firehose:StartDeliveryStreamEncryption' - 'firehose:StopDeliveryStreamEncryption' - 'firehose:UpdateDestination' Resource: - 'arn:aws:firehose:*:*:deliverystream/sagemaker-*' - Action: - 'glue:CreateDatabase' - 'glue:DeleteDatabase' Resource: - 'arn:aws:glue:*:*:catalog' - 'arn:aws:glue:*:*:database/sagemaker-*' - 'arn:aws:glue:*:*:table/sagemaker-*' - 'arn:aws:glue:*:*:userDefinedFunction/sagemaker-*' Effect: Allow - Action: - 'glue:CreateClassifier' - 'glue:DeleteClassifier' - 'glue:DeleteCrawler' - 'glue:DeleteJob' - 'glue:DeleteTrigger' - 'glue:DeleteWorkflow' - 'glue:StopCrawler' Resource: - !Sub 'arn:aws:glue:*:${AWS::AccountId}:*' Effect: Allow - Action: - 'glue:CreateWorkflow' Resource: - 'arn:aws:glue:*:*:workflow/sagemaker-*' Effect: Allow - Action: - 'glue:CreateJob' Resource: - 'arn:aws:glue:*:*:job/sagemaker-*' Effect: Allow - Action: - 'glue:CreateCrawler' - 'glue:GetCrawler' Resource: - 'arn:aws:glue:*:*:crawler/sagemaker-*' Effect: Allow - Action: - 'glue:CreateTrigger' - 'glue:GetTrigger' Resource: - 'arn:aws:glue:*:*:trigger/sagemaker-*' Effect: Allow - Effect: Allow Action: - 'iam:PassRole' Resource: - !Sub 'arn:aws:iam::${AWS::AccountId}:role/service-role/AmazonSageMakerServiceCatalog*' - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*SageMakerExecutionRole*' - Effect: Allow Action: - 'lambda:AddPermission' - 'lambda:CreateFunction' - 'lambda:DeleteFunction' - 'lambda:GetFunction' - 'lambda:GetFunctionConfiguration' - 'lambda:InvokeFunction' - 'lambda:RemovePermission' - 'lambda:PutFunctionConcurrency' - 'lambda:TagResource' Resource: - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:*' - Effect: Allow Action: - 'logs:CreateLogGroup' - 'logs:CreateLogStream' - 'logs:DeleteLogGroup' - 'logs:DeleteLogStream' - 'logs:DescribeLogGroups' - 'logs:DescribeLogStreams' - 'logs:PutRetentionPolicy' Resource: - 'arn:aws:logs:*:*:log-group:/aws/apigateway/AccessLogs/*' - 'arn:aws:logs:*:*:log-group::log-stream:*' - Effect: Allow Action: 's3:GetObject' Resource: - 'arn:aws:s3:::*' Condition: StringEquals: 's3:ExistingObjectTag/servicecatalog:provisioning': 'true' - Effect: Allow Action: 's3:GetObject' Resource: - 'arn:aws:s3:::sagemaker-*' - 'arn:aws:s3:::sm-mlops-cp-*' - Effect: Allow Action: - 's3:CreateBucket' - 's3:DeleteBucket' - 's3:DeleteBucketPolicy' - 's3:GetBucketPolicy' - 's3:PutBucketAcl' - 's3:PutBucketNotification' - 's3:PutBucketPolicy' - 's3:PutBucketPublicAccessBlock' - 's3:PutBucketLogging' - 's3:PutEncryptionConfiguration' - 's3:PutBucketTagging' Resource: - 'arn:aws:s3:::sagemaker-*' - 'arn:aws:s3:::sm-mlops-cp-*' - Action: - 'sagemaker:CreateEndpoint' - 'sagemaker:CreateEndpointConfig' - 'sagemaker:CreateModel' - 'sagemaker:CreateWorkteam' - 'sagemaker:DeleteEndpoint' - 'sagemaker:DeleteEndpointConfig' - 'sagemaker:DeleteModel' - 'sagemaker:DeleteWorkteam' - 'sagemaker:Describe*' Resource: - 'arn:aws:sagemaker:*:*:*' Effect: Allow - Action: - 'sagemaker:List*' Resource: - '*' Effect: Allow - Action: - 'states:CreateStateMachine' - 'states:DeleteStateMachine' - 'states:UpdateStateMachine' Resource: - 'arn:aws:states:*:*:stateMachine:sagemaker-*' Effect: Allow - Action: - 'ssm:GetParameters' - 'ssm:GetParameter' Resource: !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/*' Effect: Allow AmazonSageMakerServiceCatalogProductsUseRole: Type: "AWS::IAM::Role" DeletionPolicy: Retain UpdateReplacePolicy: Retain Condition: AmazonSageMakerServiceCatalogProductsUseRoleCondition Properties: RoleName: !Ref AmazonSageMakerServiceCatalogProductsUseRoleName Description: "SageMaker role created from the SageMaker AWS Management Console. This role has the permissions required to use the Amazon SageMaker portfolio of products from AWS ServiceCatalog." Path: "/service-role/" MaxSessionDuration: 3600 ManagedPolicyArns: - 'arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "cloudformation.amazonaws.com" - "apigateway.amazonaws.com" - "lambda.amazonaws.com" - "codebuild.amazonaws.com" - "sagemaker.amazonaws.com" - "glue.amazonaws.com" - "events.amazonaws.com" - "states.amazonaws.com" - "codepipeline.amazonaws.com" - "firehose.amazonaws.com" Action: "sts:AssumeRole" Policies: - PolicyName: AmazonSageMakerServiceCatalogProductsUseRolePolicy PolicyDocument: Version: 2012-10-17 Statement: - Action: - sts:AssumeRole Resource: - 'arn:aws:iam::*:role/*SageMakerModelExecution*' Effect: Allow - Action: - cloudformation:Delete* - cloudformation:Get* - cloudformation:Create* - cloudformation:Update* - cloudformation:List* - cloudformation:Describe* - cloudformation:ExecuteChangeSet - cloudformation:SetStackPolicy Resource: - arn:aws:cloudformation:*:*:stack/sagemaker-* - arn:aws:cloudformation:*:*:stackset/sagemaker-* - arn:aws:cloudformation:*:*:type/resource/* - arn:aws:cloudformation:*:*:stackset-target/sagemaker-* Effect: Allow - Action: - cloudformation:GetTemplate - cloudformation:GetTemplateSummary - cloudformation:TagResource Resource: - '*' Effect: Allow - Action: - cloudwatch:PutMetricData Resource: - !Sub 'arn:aws:cloudwatch:*:${AWS::AccountId}:*' Effect: Allow - Action: - codebuild:BatchGetBuilds - codebuild:StartBuild Resource: - arn:aws:codebuild:*:*:project/sagemaker-* - arn:aws:codebuild:*:*:build/sagemaker-* Effect: Allow - Action: - codebuild:ListCuratedEnvironmentImages Resource: - '*' Effect: Allow - Action: - codebuild:CreateReportGroup - codebuild:CreateReport - codebuild:UpdateReport - codebuild:BatchPutTestCases - codebuild:BatchPutCodeCoverages Resource: !Sub 'arn:aws:codebuild:*:${AWS::AccountId}:report-group/sagemaker*' Effect: Allow - Action: - codecommit:CancelUploadArchive - codecommit:GetBranch - codecommit:GetCommit - codecommit:GetUploadArchiveStatus - codecommit:UploadArchive Resource: arn:aws:codecommit:*:*:sagemaker-* Effect: Allow - Action: - codepipeline:StartPipelineExecution Resource: arn:aws:codepipeline:*:*:sagemaker-* Effect: Allow - Action: - ec2:CreateNetworkInterface - ec2:DeleteNetworkInterface Resource: - !Sub 'arn:aws:ec2:*:${AWS::AccountId}:*' Effect: Allow - Action: - ec2:CreateNetworkInterfacePermission Resource: !Sub "arn:aws:ec2:*:${AWS::AccountId}:network-interface/*" Effect: Allow - Action: - ecr:BatchCheckLayerAvailability - ecr:BatchGetImage - ecr:Describe* - ecr:ListImages - ecr:GetAuthorizationToken - ecr:GetDownloadUrlForLayer Resource: - '*' Effect: Allow - Effect: Allow Action: - ecr:BatchDeleteImage - ecr:CompleteLayerUpload - ecr:CreateRepository - ecr:DeleteRepository - ecr:InitiateLayerUpload - ecr:PutImage - ecr:UploadLayerPart Resource: - arn:aws:ecr:*:*:repository/sagemaker-* - Action: - events:DeleteRule - events:DescribeRule - events:PutRule - events:PutTargets - events:RemoveTargets Resource: - arn:aws:events:*:*:rule/sagemaker-* Effect: Allow - Action: - firehose:PutRecord - firehose:PutRecordBatch Resource: arn:aws:firehose:*:*:deliverystream/sagemaker-* Effect: Allow - Action: - glue:BatchCreatePartition - glue:BatchDeletePartition - glue:BatchDeleteTable - glue:BatchDeleteTableVersion - glue:BatchGetPartition - glue:CreateDatabase - glue:CreatePartition - glue:CreateTable - glue:DeletePartition - glue:DeleteTable - glue:DeleteTableVersion - glue:GetDatabase - glue:GetPartition - glue:GetPartitions - glue:GetTable - glue:GetTables - glue:GetTableVersion - glue:GetTableVersions - glue:SearchTables - glue:UpdatePartition - glue:UpdateTable Resource: - arn:aws:glue:*:*:catalog - arn:aws:glue:*:*:database/default - arn:aws:glue:*:*:database/global_temp - arn:aws:glue:*:*:database/sagemaker-* - arn:aws:glue:*:*:table/sagemaker-* - arn:aws:glue:*:*:tableVersion/sagemaker-* Effect: Allow - Action: - iam:PassRole Resource: - arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalog* - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*SageMakerExecutionRole*' - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*SageMakerPipeline*' - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*StackSetAdministration*' Effect: Allow - Effect: Allow Action: - lambda:InvokeFunction Resource: - arn:aws:lambda:*:*:function:sagemaker-* - Action: - logs:CreateLogDelivery - logs:CreateLogGroup - logs:CreateLogStream - logs:DeleteLogDelivery - logs:Describe* - logs:GetLogDelivery - logs:GetLogEvents - logs:ListLogDeliveries - logs:PutLogEvents - logs:PutResourcePolicy - logs:UpdateLogDelivery Resource: - !Sub 'arn:aws:logs:*:${AWS::AccountId}:*' Effect: Allow - Effect: Allow Action: - s3:CreateBucket - s3:GetBucketAcl - s3:GetBucketCors - s3:GetBucketLocation - s3:ListAllMyBuckets - s3:ListBucket - s3:ListBucketMultipartUploads - s3:PutBucketCors - s3:AbortMultipartUpload - s3:DeleteObject - s3:GetObject - s3:GetObjectVersion - s3:PutObject Resource: - 'arn:aws:s3:::aws-glue-*' - 'arn:aws:s3:::sagemaker-*' - 'arn:aws:s3:::sm-mlops-cp-*' - !Sub 'arn:aws:s3:::*-${AWS::AccountId}-data*' - !Sub 'arn:aws:s3:::*-${AWS::AccountId}-data*/*' - !Sub 'arn:aws:s3:::*-${AWS::AccountId}-models*' - !Sub 'arn:aws:s3:::*-${AWS::AccountId}-models*/*' - Effect: Allow Action: - 'sagemaker:Create*' - 'sagemaker:Delete*' - 'sagemaker:Describe*' - 'sagemaker:Start*' - 'sagemaker:Stop*' - 'sagemaker:Update*' - 'sagemaker:Search*' - 'sagemaker:Add*' - 'sagemaker:Associate*' - 'sagemaker:Disassociate*' - 'sagemaker:Register*' - 'sagemaker:Send*' - 'sagemaker:Put*' - 'sagemaker:Get*' - 'sagemaker:Batch*' NotResource: - arn:aws:sagemaker:*:*:domain/* - arn:aws:sagemaker:*:*:user-profile/* - arn:aws:sagemaker:*:*:app/* - arn:aws:sagemaker:*:*:flow-definition/* - Action: - 'sagemaker:List*' Resource: - '*' Effect: Allow - Effect: Allow Action: - sagemaker:Describe* - sagemaker:ListTags Resource: - arn:aws:sagemaker:*:*:domain/* - Action: - states:DescribeExecution - states:DescribeStateMachine - states:DescribeStateMachineForExecution - states:GetExecutionHistory - states:ListExecutions - states:ListTagsForResource - states:StartExecution - states:StopExecution - states:TagResource - states:UntagResource - states:UpdateStateMachine Resource: - arn:aws:states:*:*:stateMachine:sagemaker-* - arn:aws:states:*:*:execution:sagemaker-*:* Effect: Allow - Action: - states:ListStateMachines Resource: - '*' Effect: Allow - Action: - 'kms:CreateGrant' - 'kms:Decrypt' - 'kms:DescribeKey' - 'kms:Encrypt' - 'kms:GenerateDataKey' - 'kms:ListAliases' Resource: - '*' Effect: Allow - Action: - 'ssm:GetParameter*' Resource: !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/*' Effect: Allow