# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 AWSTemplateFormatVersion: 2010-09-09 Description: Create shared IAM Roles for SageMaker Data Science Environment (both personas and execution roles) Parameters: DSAdministratorRoleName: Description: The name of the DataScienceAdministrator role Type: String Default: 'DataScienceAdministrator' SageMakerDetectiveControlExecutionRoleName: Description: The name of the SageMakerDetectiveControlExecutionRole Type: String Default: 'DSSageMakerDetectiveControlRole' SCLaunchRoleName: Description: The name of the Service Catalog Launch role Type: String Default: 'DSServiceCatalogLaunchRole' Outputs: AssumeDSAdministratorRole: Description: URL for assuming the role of a cross-environment data science admin Value: !If - DSAdministratorRoleCondition - !Sub 'https://signin.aws.amazon.com/switchrole?account=${AWS::AccountId}&roleName=${DataScienceAdministratorRole}&displayName=${DataScienceAdministratorRole}' - '' DSAdministratorRoleArn: Description: The ARN of the DataScienceAdministrator role Value: !If - DSAdministratorRoleCondition - !GetAtt DataScienceAdministratorRole.Arn - '' SageMakerDetectiveControlExecutionRoleArn: Description: The ARN of the SageMakerDetectiveControlExecutionRole Value: !If - SageMakerDetectiveControlExecutionRoleCondition - !GetAtt SageMakerDetectiveControlExecutionRole.Arn - '' SCLaunchRoleArn: Description: The ARN of the Service Catalog Launch role Value: !If - SCLaunchRoleCondition - !GetAtt SCLaunchRole.Arn - '' Conditions: DSAdministratorRoleCondition: !Not [ !Equals [ !Ref DSAdministratorRoleName, '' ] ] SageMakerDetectiveControlExecutionRoleCondition: !Not [ !Equals [ !Ref SageMakerDetectiveControlExecutionRoleName, '' ] ] SCLaunchRoleCondition: !Not [ !Equals [ !Ref SCLaunchRoleName, '' ] ] Resources: DataScienceAdministratorRole: Condition: DSAdministratorRoleCondition Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: AWS: - !Sub 'arn:aws:iam::${AWS::AccountId}:root' Service: - 'cloudformation.amazonaws.com' - 'codepipeline.amazonaws.com' Action: - 'sts:AssumeRole' RoleName: !Ref DSAdministratorRoleName Policies: - PolicyName: DataScienceAdministratorRoleInlinePolicy PolicyDocument: Version: 2012-10-17 Statement: - Action: - lambda:CreateFunction - lambda:DeleteFunction - lambda:PutFunctionConcurrency Resource: - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*GetEnvironmentConfiguration*' Effect: Allow - Action: - iam:PassRole Resource: - !Sub 'arn:aws:iam::${AWS::AccountId}:role/service-role/AmazonSageMakerServiceCatalogProductsLaunchRole' Effect: Allow ManagedPolicyArns: - 'arn:aws:iam::aws:policy/AWSServiceCatalogAdminFullAccess' - 'arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser' - 'arn:aws:iam::aws:policy/AmazonS3FullAccess' - 'arn:aws:iam::aws:policy/AWSCloudFormationFullAccess' - 'arn:aws:iam::aws:policy/ReadOnlyAccess' - 'arn:aws:iam::aws:policy/AmazonSSMFullAccess' - 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess' SageMakerDetectiveControlExecutionRole: Type: 'AWS::IAM::Role' Condition: SageMakerDetectiveControlExecutionRoleCondition Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: 'sts:AssumeRole' RoleName: !Ref SageMakerDetectiveControlExecutionRoleName Policies: - PolicyName: LambdaInlineForSageMaker PolicyDocument: Version: 2012-10-17 Statement: - Sid: VisualEditor0 Effect: Allow Action: - 'sagemaker:DeleteTags' - 'sagemaker:DeleteEndpointConfig' - 'sagemaker:StopTrainingJob' - 'sagemaker:DeleteModel' - 'sagemaker:DeleteEndpoint' - 'sagemaker:StopTransformJob' - 'sagemaker:AddTags' Resource: - !Sub 'arn:aws:sagemaker:*:${AWS::AccountId}:*' - Action: - 'sagemaker:List*' Resource: - '*' Effect: Allow ManagedPolicyArns: - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole' SCLaunchRole: Type: 'AWS::IAM::Role' Condition: SCLaunchRoleCondition Properties: Description: Service Catalog launch role to deploy products from SC portfolio RoleName: !Ref SCLaunchRoleName AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - 'servicecatalog.amazonaws.com' - 'cloudformation.amazonaws.com' - 'codepipeline.amazonaws.com' Action: - 'sts:AssumeRole' Path: / Policies: - PolicyName: !Sub '${SCLaunchRoleName}-SCLaunchInlinePolicy' PolicyDocument: Version: 2012-10-17 Statement: - Sid: LambdaPermission Effect: Allow Action: - 'lambda:AddPermission' - 'lambda:CreateFunction' - 'lambda:DeleteFunction' - 'lambda:GetFunction' - 'lambda:GetFunctionConfiguration' - 'lambda:InvokeFunction' - 'lambda:RemovePermission' - 'lambda:PutFunctionConcurrency' - 'lambda:TagResource' Resource: - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:*' - Effect: Allow Action: - 'lambda:ListFunctions' Resource: - '*' - Sid: SageMakerPermission Effect: Allow Action: - sagemaker:ListDomains - sagemaker:CreateDomain - sagemaker:DescribeDomain - sagemaker:DeleteDomain - sagemaker:UpdateDomain - sagemaker:ListUserProfiles - sagemaker:CreateUserProfile - sagemaker:UpdateUserProfile - sagemaker:DeleteUserProfile - sagemaker:DescribeUserProfile - sagemaker:ListApps - sagemaker:CreateApp - sagemaker:DescribeApp - sagemaker:DeleteApp - sagemaker:UpdateApp - sagemaker:CreateNotebookInstanceLifecycleConfig - sagemaker:DeleteNotebookInstanceLifecycleConfig - sagemaker:DescribeNotebookInstanceLifecycleConfig - sagemaker:Disassociate* - sagemaker:AddTags Resource: - !Sub "arn:${AWS::Partition}:sagemaker:*:*:domain/*" - !Sub "arn:${AWS::Partition}:sagemaker:*:*:user-profile/*" - !Sub "arn:${AWS::Partition}:sagemaker:*:*:app/*" - Sid: SageMakerProjectsPermission Effect: Allow Action: - sagemaker:EnableSagemakerServicecatalogPortfolio - sagemaker:DisableSagemakerServicecatalogPortfolio Resource: - '*' - Sid: ServiceCatalogPermission Effect: Allow Action: - 'servicecatalog:Accept*' - 'servicecatalog:Associate*' - 'servicecatalog:Create*' - 'servicecatalog:Delete*' - 'servicecatalog:Describe*' - 'servicecatalog:Disable*' - 'servicecatalog:Enable*' - 'servicecatalog:Execute*' - 'servicecatalog:Get*' - 'servicecatalog:Provision*' - 'servicecatalog:Scan*' - 'servicecatalog:Terminate*' - 'servicecatalog:Update*' - 'servicecatalog:TagResource' Resource: - !Sub 'arn:aws:servicecatalog:*:${AWS::AccountId}:*' - !Sub 'arn:aws:catalog:*:${AWS::AccountId}:*' - Effect: Allow Action: - 'servicecatalog:Disassociate*' - 'servicecatalog:List*' Resource: - '*' - Sid: IAMPermission Effect: Allow Action: - 'iam:AttachRolePolicy' - 'iam:CreateRole' - 'iam:DeleteRole' - 'iam:DeleteRolePolicy' - 'iam:DetachRolePolicy' - 'iam:GetRole' - 'iam:GetRolePolicy' - 'iam:ListPolicyVersions' - 'iam:PutRolePolicy' - 'iam:GetPolicy' - 'iam:CreatePolicy' - 'iam:DeletePolicy' - 'iam:Tag*' Resource: - !Sub 'arn:aws:iam::${AWS::AccountId}:*' - Sid: PassRolePermission Action: - iam:PassRole Resource: - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*' Effect: Allow - Sid: KMSPermission Effect: Allow Action: - 'kms:CreateAlias' - 'kms:CreateGrant' - 'kms:Decrypt' - 'kms:DeleteAlias' - 'kms:DeleteCustomKeyStore' - 'kms:DeleteImportedKeyMaterial' - 'kms:DescribeKey' - 'kms:EnableKey' - 'kms:ListAliases' - 'kms:EnableKeyRotation' - 'kms:GenerateDataKey' - 'kms:PutKeyPolicy' - 'kms:ScheduleKeyDeletion' - 'kms:TagResource' - 'kms:UpdateAlias' - 'kms:UpdateCustomKeyStore' - 'kms:UpdateKeyDescription' Resource: - !Sub 'arn:aws:kms:*:${AWS::AccountId}:*' - Effect: Allow Action: - 'kms:CreateKey' Resource: - '*' - Effect: Allow Action: - 'codecommit:CreateCommit' - 'codecommit:CreateRepository' - 'codecommit:DeleteRepository' - 'codecommit:GetRepository' - 'codecommit:TagResource' Resource: - !Sub 'arn:aws:codecommit:*:${AWS::AccountId}:*' - Effect: Allow Action: - 'codecommit:ListRepositories' Resource: - '*' - Effect: Allow Action: - 'config:DescribeConfigurationRecorderStatus' - 'config:DescribeConfigurationRecorders' Resource: - '*' - Effect: Allow Action: - 'ec2:DescribeAvailabilityZones' - 'ec2:CreateTags' - 'ec2:DeleteTags' - 'ec2:DescribeTags' Resource: - '*' - Effect: Allow Action: - 'resource-groups:CreateGroup' - 'resource-groups:DeleteGroup' - 'resource-groups:Tag' - 'resource-groups:Untag' Resource: - '*' - Effect: Allow Action: - 'ssm:AddTagsToResource' - 'ssm:DeleteParameter' - 'ssm:DeleteParameters' - 'ssm:GetParameter' - 'ssm:GetParameters' - 'ssm:PutParameter' - 'ssm:RemoveTagsFromResource' Resource: - '*' ManagedPolicyArns: - 'arn:aws:iam::aws:policy/AmazonS3FullAccess' - 'arn:aws:iam::aws:policy/AWSCloudFormationFullAccess' - 'arn:aws:iam::aws:policy/CloudWatchLogsFullAccess' - 'arn:aws:iam::aws:policy/AmazonVPCFullAccess' - 'arn:aws:iam::aws:policy/AmazonElasticFileSystemFullAccess'