# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 AWSTemplateFormatVersion: 2010-09-09 Description: Create environment-specific IAM Roles for SageMaker Data Science Environment Personas Parameters: EnvName: Type: String AllowedPattern: '[a-z0-9\-]*' Description: Please specify your data science environment name. Used as a suffix for environment resource names. EnvType: Description: System Environment (e.g. dev, test, prod). Used as a suffix for environment resource names. Type: String Default: dev CreateIAMUserRoles: Description: Select YES if you want to create an IAM User roles Type: String AllowedValues: - 'YES' - 'NO' Default: 'YES' CreateVPCFlowLogsRole: Description: Select YES if you want to create an IAM Role for VPC Flow Logs to write the logs into a CloudWatch log group Type: String AllowedValues: - 'YES' - 'NO' Default: 'YES' SetupStackSetExecutionRoleName: Description: Stack set execution role to setup IAM roles in the target accounts (staging and production OUs) Type: String Default: 'AWSCloudFormationStackSetExecutionRole' Conditions: VPCFlowLogsRoleCondition: !Equals [!Ref CreateVPCFlowLogsRole, 'YES'] IAMUserRolesCondition: !Equals [!Ref CreateIAMUserRoles, 'YES'] SCProjectLaunchRoleCondition: !Equals ['YES', 'NO'] Outputs: AssumeTeamAdminRole: Description: URL for assuming the role of a environment admin Value: !If - IAMUserRolesCondition - !Sub 'https://signin.aws.amazon.com/switchrole?account=${AWS::AccountId}&roleName=${DataScienceTeamAdministratorRole}&displayName=${DataScienceTeamAdministratorRole}' - '' AssumeDataScientistRole: Description: URL for assuming the role of a environment user Value: !If - IAMUserRolesCondition - !Sub 'https://signin.aws.amazon.com/switchrole?account=${AWS::AccountId}&roleName=${DataScientistRole}&displayName=${DataScientistRole}' - '' DSTeamAdministratorRoleArn: Description: The ARN of the DataScienceTeamAdministrator role Value: !If - IAMUserRolesCondition - !GetAtt DataScienceTeamAdministratorRole.Arn - '' DataScientistRoleArn: Description: The ARN of the Data Scientist role Value: !If - IAMUserRolesCondition - !GetAtt DataScientistRole.Arn - '' SageMakerExecutionRoleArn: Description: The ARN of the SageMaker execution role Value: !GetAtt SageMakerExecutionRole.Arn SageMakerPipelineExecutionRoleArn: Description: The ARN of the SageMaker execution role Value: !GetAtt SageMakerPipelineExecutionRole.Arn SCProjectLaunchRoleArn: Description: The ARN of the ServiceCatalog product launch role Value: !If - SCProjectLaunchRoleCondition - !GetAtt SCProjectLaunchRole.Arn - '' SetupLambdaExecutionRoleArn: Description: Lambda execution role for Data Science environment setup function Value: !GetAtt SetupLambdaExecutionRole.Arn StackSetAdministrationRoleArn: Description: AWS CloudFormation StackSet administrator role ARN Value: !GetAtt StackSetAdministrationRole.Arn VPCFlowLogsRoleArn: Description: The ARN of the VPC Flow Logs role Value: !If [ VPCFlowLogsRoleCondition, !GetAtt VPCFlowLogsRole.Arn, '' ] Resources: DataScienceTeamAdministratorRole: Condition: IAMUserRolesCondition Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" Action: - 'sts:AssumeRole' Policies: - PolicyName: SageMakerAccessInlinePolicy PolicyDocument: Version: 2012-10-17 Statement: - Sid: VisualEditor0 Effect: Allow Action: - 'sagemaker:Create*' - 'sagemaker:Delete*' - 'sagemaker:Describe*' - 'sagemaker:Start*' - 'sagemaker:Stop*' - 'sagemaker:Update*' - 'sagemaker:Search*' - 'sagemaker:Add*' - 'sagemaker:Associate*' - 'sagemaker:Disassociate*' - 'sagemaker:Register*' - 'sagemaker:Send*' - 'sagemaker:Put*' - 'sagemaker:Get*' - 'sagemaker:Batch*' Resource: - !Sub 'arn:aws:sagemaker:*:${AWS::AccountId}:*' - Action: - 'sagemaker:List*' Resource: - '*' Effect: Allow - Action: - codepipeline:PutApprovalResult Resource: - !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:sagemaker* Effect: Allow ManagedPolicyArns: - 'arn:aws:iam::aws:policy/AWSServiceCatalogAdminFullAccess' - 'arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser' - 'arn:aws:iam::aws:policy/AmazonS3FullAccess' - 'arn:aws:iam::aws:policy/AWSCloudFormationFullAccess' - 'arn:aws:iam::aws:policy/ReadOnlyAccess' - 'arn:aws:iam::aws:policy/AmazonSSMFullAccess' - 'arn:aws:iam::aws:policy/AWSCodeCommitFullAccess' Tags: - Key: EnvironmentName Value: !Ref EnvName - Key: EnvironmentType Value: !Ref EnvType DataScientistRole: Condition: IAMUserRolesCondition Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" Action: - 'sts:AssumeRole' Policies: - PolicyName: SageMakerAccessInlinePolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'sagemaker:CreateModel' - 'sagemaker:DescribeTrainingJob' - 'sagemaker:DescribeLabelingJob' - 'sagemaker:DescribeModelPackage' - 'sagemaker:Search' - 'sagemaker:DescribeAlgorithm' - 'sagemaker:UpdateEndpointWeightsAndCapacities' - 'sagemaker:UpdateCodeRepository' - 'sagemaker:DescribeTransformJob' - 'sagemaker:CreateEndpoint' - 'sagemaker:CreateModelPackage' - 'sagemaker:DeleteModel' - 'sagemaker:DescribeSubscribedWorkteam' - 'sagemaker:DescribeHyperParameterTuningJob' - 'sagemaker:CreateEndpointConfig' - 'sagemaker:DescribeEndpointConfig' - 'sagemaker:StopNotebookInstance' - 'sagemaker:RenderUiTemplate' - 'sagemaker:StopTransformJob' - 'sagemaker:DescribeNotebookInstance' - 'sagemaker:CreateAlgorithm' - 'sagemaker:CreateTrainingJob' - 'sagemaker:DescribeNotebookInstanceLifecycleConfig' - 'sagemaker:StopHyperParameterTuningJob' - 'sagemaker:DeleteCodeRepository' - 'sagemaker:DeleteEndpoint' - 'sagemaker:DescribeEndpoint' - 'sagemaker:CreateTransformJob' - 'sagemaker:InvokeEndpoint' - 'sagemaker:CreateCodeRepository' - 'sagemaker:DescribeModel' - 'sagemaker:StopTrainingJob' - 'sagemaker:DescribeWorkteam' - 'sagemaker:UpdateEndpoint' - 'sagemaker:DescribeCompilationJob' - 'sagemaker:GetSearchSuggestions' - 'sagemaker:CreatePresignedNotebookInstanceUrl' - 'sagemaker:StartNotebookInstance' - 'sagemaker:DescribeCodeRepository' Resource: - !Sub 'arn:aws:sagemaker:${AWS::Region}:${AWS::AccountId}:*' - Effect: Allow Action: - 'codecommit:BatchGetRepositories' - 'codecommit:GitPull' - 'codecommit:GitPush' - 'codecommit:CreateBranch' - 'codecommit:DeleteBranch' - 'codecommit:GetBranch' - 'codecommit:CreatePullRequest' - 'codecommit:CreatePullRequestApproval' - 'codecommit:GetPullRequest' - 'codecommit:CreateCommit' - 'codecommit:GetCommit' - 'codecommit:GetCommitHistory' - 'codecommit:GetDifferences' - 'codecommit:GetReferences' - 'codecommit:CreateRepository' - 'codecommit:GetRepository' Resource: - !Sub 'arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:*' - Effect: Allow Action: - codepipeline:List* - codepipeline:Get* Resource: - !Sub 'arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*' - Effect: Allow Action: - 'codecommit:List*' Resource: - '*' - Action: - 'sagemaker:List*' Resource: - '*' Effect: Allow ManagedPolicyArns: - 'arn:aws:iam::aws:policy/AWSServiceCatalogEndUserReadOnlyAccess' - 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess' - 'arn:aws:iam::aws:policy/AWSCloudFormationReadOnlyAccess' - 'arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess' - 'arn:aws:iam::aws:policy/AWSLambda_ReadOnlyAccess' - 'arn:aws:iam::aws:policy/AWSCodeCommitReadOnly' - 'arn:aws:iam::aws:policy/job-function/DataScientist' Tags: - Key: EnvironmentName Value: !Ref EnvName - Key: EnvironmentType Value: !Ref EnvType SageMakerPipelineExecutionPolicy: Type: AWS::IAM::ManagedPolicy Properties: Description: Policy for SageMaker pipeline execution role PolicyDocument: Version: 2012-10-17 Statement: - Action: - iam:PassRole Resource: - !GetAtt SageMakerExecutionRole.Arn Effect: Allow - Action: - sagemaker:Create* - sagemaker:Describe* - sagemaker:Start* - sagemaker:StopPipelineExecution - sagemaker:UpdatePipeline - sagemaker:UpdatePipelineExecution Resource: - !Sub 'arn:aws:sagemaker:*:${AWS::AccountId}:*' Effect: Allow - Action: - 'sagemaker:List*' Resource: - '*' Effect: Allow - Action: - s3:GetObject - s3:HeadObject Resource: - !Sub 'arn:aws:s3:::${EnvName}-${EnvType}-${AWS::Region}-${AWS::AccountId}-data*' - !Sub 'arn:aws:s3:::${EnvName}-${EnvType}-${AWS::Region}-${AWS::AccountId}-data*/*' - !Sub 'arn:aws:s3:::${EnvName}-${EnvType}-${AWS::Region}-${AWS::AccountId}-models*' - !Sub 'arn:aws:s3:::${EnvName}-${EnvType}-${AWS::Region}-${AWS::AccountId}-models*/*' - 'arn:aws:s3:::*sagemaker*/*' Effect: Allow - Action: - ecr:SetRepositoryPolicy - ecr:CompleteLayerUpload - ecr:BatchDeleteImage - ecr:UploadLayerPart - ecr:DeleteRepositoryPolicy - ecr:InitiateLayerUpload - ecr:DeleteRepository - ecr:PutImage Resource: 'arn:aws:ecr:*:*:repository/*sagemaker*' Effect: Allow - Action: - ecr:BatchCheckLayerAvailability - ecr:BatchGetImage - ecr:CreateRepository - ecr:Describe* - ecr:GetAuthorizationToken - ecr:GetDownloadUrlForLayer - ecr:StartImageScan Resource: - 'arn:aws:ecr:*' Effect: Allow SageMakerPipelineExecutionRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - sagemaker.amazonaws.com Action: - 'sts:AssumeRole' Path: / ManagedPolicyArns: - !Ref SageMakerPipelineExecutionPolicy Tags: - Key: EnvironmentName Value: !Ref EnvName - Key: EnvironmentType Value: !Ref EnvType - Key: Principal Value: !Sub '${EnvName}-${EnvType}-sm-pipeline-role' #Need this tag for aws:ViaAWSService condition key for S3 bucket policies SageMakerExecutionPolicy: Type: 'AWS::IAM::ManagedPolicy' Properties: PolicyDocument: Version: 2012-10-17 Statement: - Action: - 'ssm:GetParameters' - 'ssm:GetParameter' Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${EnvName}-${EnvType}*' Effect: Allow - Action: - 'sagemaker:CreateNotebookInstance' - 'sagemaker:CreateHyperParameterTuningJob' - 'sagemaker:CreateProcessingJob' - 'sagemaker:CreateTrainingJob' - 'sagemaker:CreateCompilationJob' - 'sagemaker:CreateModel' Resource: - !Sub 'arn:aws:sagemaker:*:${AWS::AccountId}:*' Effect: Deny Condition: 'Null': 'sagemaker:VpcSubnets': 'true' 'sagemaker:VpcSecurityGroupIds': 'true' - Action: - sagemaker:ListTags Resource: - !Sub 'arn:aws:sagemaker:*:${AWS::AccountId}:*' Effect: Allow - Action: - 'codecommit:BatchGetRepositories' - 'codecommit:GitPull' - 'codecommit:GitPush' - 'codecommit:CreateBranch' - 'codecommit:DeleteBranch' - 'codecommit:GetBranch' - 'codecommit:CreatePullRequest' - 'codecommit:GetPullRequest' - 'codecommit:CreateCommit' - 'codecommit:GetCommit' - 'codecommit:GetCommitHistory' - 'codecommit:GetDifferences' - 'codecommit:GetReferences' - 'codecommit:CreateRepository' - 'codecommit:GetRepository' Resource: - !Sub 'arn:aws:codecommit:*:${AWS::AccountId}:*' Effect: Allow - Effect: Allow Action: - 'codecommit:List*' Resource: - '*' - Action: - 'kms:CreateGrant' - 'kms:Decrypt' - 'kms:DescribeKey' - 'kms:Encrypt' - 'kms:GenerateDataKey' - 'kms:ListAliases' Resource: - !Sub 'arn:aws:kms:*:${AWS::AccountId}:*' Effect: Allow - Action: - s3:DescribeJob Resource: - '*' Effect: Allow - Action: - 's3:DeleteObject' - 's3:DeleteBucket' Resource: - 'arn:aws:s3:::sm-mlops-cp-*' - 'arn:aws:s3:::sm-mlops-cp-*/*' Effect: Allow - Action: - 's3:GetObject' - 's3:PutObject' - 's3:DeleteObject' - 's3:HeadObject' - 's3:GetBucketAcl' - 's3:GetBucketCors' - 's3:ListBucketMultipartUploads' - 's3:PutBucketCors' - 's3:GetObjectVersion' - 's3:AbortMultipartUpload' Resource: - !Sub 'arn:aws:s3:::${EnvName}-${EnvType}-${AWS::Region}-${AWS::AccountId}-data*' - !Sub 'arn:aws:s3:::${EnvName}-${EnvType}-${AWS::Region}-${AWS::AccountId}-data*/*' - !Sub 'arn:aws:s3:::${EnvName}-${EnvType}-${AWS::Region}-${AWS::AccountId}-models*' - !Sub 'arn:aws:s3:::${EnvName}-${EnvType}-${AWS::Region}-${AWS::AccountId}-models*/*' - 'arn:aws:s3:::*sagemaker*/*' Effect: Allow - Action: - 'cloudformation:DeleteStackInstances' - 'cloudformation:DeleteStackSet' Resource: - 'arn:aws:cloudformation:*:*:stackset/sagemaker-*' Effect: Allow - Action: - 'cloudformation:List*' - 'cloudformation:Describe*' Resource: - !Sub 'arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:*' Effect: Allow - Action: - 'codepipeline:GetPipelineState' Resource: - 'arn:aws:codepipeline:*:*:sagemaker-*' Effect: Allow - Action: - 's3:GetBucketLocation' - 's3:ListBucket' - 's3:ListAllMyBuckets' Resource: - 'arn:aws:s3:::*' Effect: Allow - Action: - glue:CreateTable - glue:GetPartition - glue:BatchCreatePartition Resource: - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:*' Effect: Allow SageMakerExecutionRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - sagemaker.amazonaws.com Action: - 'sts:AssumeRole' Path: / ManagedPolicyArns: - !Ref SageMakerExecutionPolicy - 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess' - 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess' - 'arn:aws:iam::aws:policy/AmazonSageMakerFeatureStoreAccess' Tags: - Key: EnvironmentName Value: !Ref EnvName - Key: EnvironmentType Value: !Ref EnvType - Key: Principal Value: !Sub '${EnvName}-${EnvType}-sm-execution-role' #Need this tag for aws:ViaAWSService condition key for S3 bucket policies SCProjectLaunchRole: Type: 'AWS::IAM::Role' Condition: SCProjectLaunchRoleCondition Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: servicecatalog.amazonaws.com Action: 'sts:AssumeRole' Policies: - PolicyName: SCInlinePolicy PolicyDocument: Version: 2012-10-17 Statement: - Sid: IAMPermission Effect: Allow Action: - 'iam:AttachRolePolicy' - 'iam:CreateRole' - 'iam:DeleteRole' - 'iam:DeleteRolePolicy' - 'iam:DetachRolePolicy' - 'iam:GetRole' - 'iam:GetRolePolicy' - 'iam:ListPolicyVersions' - 'iam:PassRole' - 'iam:PutRolePolicy' - 'iam:GetPolicy' - 'iam:CreatePolicy' - 'iam:DeletePolicy' - 'iam:Tag*' Resource: - !Sub 'arn:*:iam::${AWS::AccountId}:*' - Sid: KMSPermission Effect: Allow Action: - 'kms:CreateAlias' - 'kms:CreateGrant' - 'kms:Decrypt' - 'kms:DeleteAlias' - 'kms:DeleteCustomKeyStore' - 'kms:DeleteImportedKeyMaterial' - 'kms:DescribeKey' - 'kms:EnableKey' - 'kms:EnableKeyRotation' - 'kms:GenerateDataKey' - 'kms:ListAliases' - 'kms:PutKeyPolicy' - 'kms:ScheduleKeyDeletion' - 'kms:TagResource' - 'kms:UpdateAlias' - 'kms:UpdateCustomKeyStore' - 'kms:UpdateKeyDescription' Resource: - !Sub 'arn:aws:kms:*:${AWS::AccountId}:*' - Effect: Allow Action: - 'kms:CreateKey' Resource: - '*' - Sid: SSMPermission Effect: Allow Action: - 'ssm:AddTagsToResource' - 'ssm:DeleteParameter' - 'ssm:GetParameter' - 'ssm:PutParameter' - 'ssm:RemoveTagsFromResource' Resource: - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:*' - Effect: Allow Action: - 'ssm:DeleteParameters' - 'ssm:GetParameters' Resource: - '*' ManagedPolicyArns: - 'arn:aws:iam::aws:policy/AWSCloudFormationFullAccess' - 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess' - 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess' - 'arn:aws:iam::aws:policy/AWSLambda_FullAccess' Tags: - Key: EnvironmentName Value: !Ref EnvName - Key: EnvironmentType Value: !Ref EnvType VPCFlowLogsRole: Type: 'AWS::IAM::Role' Condition: VPCFlowLogsRoleCondition Properties: Description: Rights to Publish VPC Flow Logs to CloudWatch Logs AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: sts:AssumeRole Principal: Service: - vpc-flow-logs.amazonaws.com Path: / Policies: - PolicyName: CloudWatchLogGroup PolicyDocument: Version: 2012-10-17 Statement: - Sid: CloudWatchLogs Effect: Allow Action: - logs:CreateLogStream - logs:PutLogEvents - logs:DescribeLogGroups - logs:DescribeLogStreams Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/vpcflowlogs/${EnvName}-${EnvType}*' Tags: - Key: EnvironmentName Value: !Ref EnvName - Key: EnvironmentType Value: !Ref EnvType SetupLambdaExecutionRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - 'sts:AssumeRole' Path: / ManagedPolicyArns: - !Ref SetupLambdaExecutionPolicy - 'arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess' - 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess' - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole' Tags: - Key: EnvironmentName Value: !Ref EnvName - Key: EnvironmentType Value: !Ref EnvType SetupLambdaExecutionPolicy: Type: AWS::IAM::ManagedPolicy Properties: Path: / PolicyDocument: Version: 2012-10-17 Statement: - Sid: SageMakerDomainPermission Effect: Allow Action: - sagemaker:ListDomains - sagemaker:CreateDomain - sagemaker:DescribeDomain - sagemaker:DeleteDomain - sagemaker:UpdateDomain - sagemaker:ListUserProfiles - sagemaker:CreateUserProfile - sagemaker:UpdateUserProfile - sagemaker:DeleteUserProfile - sagemaker:DescribeUserProfile - sagemaker:ListApps - sagemaker:CreateApp - sagemaker:DescribeApp - sagemaker:DeleteApp - sagemaker:UpdateApp Resource: - !Sub "arn:${AWS::Partition}:sagemaker:*:*:domain/*" - !Sub "arn:${AWS::Partition}:sagemaker:*:*:user-profile/*" - !Sub "arn:${AWS::Partition}:sagemaker:*:*:app/*" - Sid: SCPermissions Effect: Allow Action: - servicecatalog:Accept* - servicecatalog:Associate* - servicecatalog:Create* - servicecatalog:Delete* - servicecatalog:Describe* - servicecatalog:Disassociate* - servicecatalog:Enable* - servicecatalog:Execute* - servicecatalog:Get* - servicecatalog:List* - servicecatalog:Provision* - servicecatalog:Scan* - servicecatalog:Terminate* - servicecatalog:Update* - servicecatalog:Search* Resource: - !Sub 'arn:aws:servicecatalog:*:${AWS::AccountId}:*' - !Sub 'arn:aws:catalog:*:${AWS::AccountId}:*' - # Authorization strategy is ActionOnly for these two operations and require * in resource field Sid: SageMakerEnableSCPortfolio Effect: Allow Action: - sagemaker:EnableSagemakerServicecatalogPortfolio - sagemaker:DisableSagemakerServicecatalogPortfolio Resource: - '*' - Sid: AWSOrganizationsPermission Effect: Allow Action: - organizations:List* - organizations:DescribeOrganizationalUnit Resource: 'arn:aws:organizations::*:ou/o-*/ou-*' - Sid: SageMakerExecPassRole Effect: Allow Action: - iam:PassRole - iam:GetRole Resource: !GetAtt SageMakerExecutionRole.Arn - Sid: AssumeTargetAccountRole Action: - sts:AssumeRole Resource: - 'arn:*:iam::*:role/*StackSetExecutionRole*' Effect: Allow - Sid: BucketPolicyPermission Action: - 's3:GetBucketPolicy' - 's3:PutBucketPolicy' Resource: - !Sub 'arn:aws:s3:::${EnvName}-${EnvType}-${AWS::Region}-${AWS::AccountId}-models*' Effect: Allow - Sid: KMSPolicyPermission Action: - 'kms:GetKeyPolicy' - 'kms:PutKeyPolicy' Resource: - !Sub 'arn:aws:kms:*:${AWS::AccountId}:*' Effect: Allow - Sid: SSMReadPermission Action: - 'ssm:GetParameters' - 'ssm:GetParameter' Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${EnvName}-${EnvType}*' Effect: Allow StackSetAdministrationRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: cloudformation.amazonaws.com Action: - sts:AssumeRole Path: / Policies: - PolicyName: AssumeRole-StackSetExecutionRole PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - sts:AssumeRole Resource: - 'arn:*:iam::*:role/*StackSetExecutionRole*' - !Sub 'arn:*:iam::*:role/${SetupStackSetExecutionRoleName}'