# Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 Description: | Creates data science administrator role and service catalog launch role Outputs: DSAdministratorName: Description: The name of the DataScienceAdministrator role Value: !Ref DataScienceAdministrator DSAdministratorArn: Description: The ARN of the DataScienceAdministrator role Value: !GetAtt DataScienceAdministrator.Arn Export: Name: !Sub 'ds-administrator-role-${StackSetName}-arn' SCLaunchRoleArn: Description: The ARN of the Service Catalog launch role Value: !GetAtt SCLaunchRole.Arn Parameters: StackSetName: Type: String Description: A name to be used across nested stacks Resources: DataScienceAdministrator: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root' Action: - 'sts:AssumeRole' - Sid: SageMakerTrustRelantionship Effect: Allow Principal: Service: - 'sagemaker.amazonaws.com' Action: - 'sts:AssumeRole' RoleName: !Join - '' - - !Sub '${StackSetName}-DataScienceAdministrator-' - !Select - 4 - !Split - '-' - !Select - 2 - !Split - / - !Ref 'AWS::StackId' Policies: - PolicyName: SageMakerAccessInlinePolicy PolicyDocument: Version: 2012-10-17 Statement: - Sid: SageMakerDSAdminAccess Effect: Allow Action: - 'sagemaker:*' - 'iam:TagRole' - 'kms:CreateGrant' - 'kms:DescribeKey' Resource: '*' - Sid: SageMakerIamPassRole Effect: Allow Action: - 'iam:PassRole' Resource: '*' Condition: StringEquals: 'iam:PassedToService': - sagemaker.amazonaws.com ManagedPolicyArns: - 'arn:aws:iam::aws:policy/AWSServiceCatalogAdminFullAccess' - 'arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser' - 'arn:aws:iam::aws:policy/AmazonS3FullAccess' - 'arn:aws:iam::aws:policy/AWSCloudFormationFullAccess' - 'arn:aws:iam::aws:policy/ReadOnlyAccess' - 'arn:aws:iam::aws:policy/AmazonSSMFullAccess' - 'arn:aws:iam::aws:policy/AWSCodeCommitFullAccess' - 'arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess' - 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess' SCLaunchRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: servicecatalog.amazonaws.com Action: 'sts:AssumeRole' RoleName: !Join - '' - - !Sub '${StackSetName}-ServiceCatalogLaunchRole-' - !Select - 4 - !Split - '-' - !Select - 2 - !Split - / - !Ref 'AWS::StackId' Policies: - PolicyName: SCInlinePolicy PolicyDocument: Version: 2012-10-17 Statement: - Sid: Policy1 Effect: Allow Action: - 'cloudformation:CreateStack' - 'cloudformation:UpdateStack' - 'cloudformation:DeleteStack' - 'cloudformation:DescribeStacks' - 'cloudformation:DescribeStackEvents' - 'cloudformation:GetTemplateSummary' - 'cloudformation:ValidateTemplate' - 'codecommit:CreateCommit' - 'codecommit:CreateRepository' - 'codecommit:DeleteRepository' - 'codecommit:GetRepository' - 'codecommit:ListRepositories' - 'codecommit:TagResource' - 'config:DescribeConfigurationRecorderStatus' - 'config:DescribeConfigurationRecorders' - 'ec2:AssociateRouteTable' - 'ec2:AuthorizeSecurityGroupIngress' - 'ec2:CreateRouteTable' - 'ec2:CreateSecurityGroup' - 'ec2:CreateSubnet' - 'ec2:CreateTags' - 'ec2:CreateVpc' - 'ec2:CreateVpcEndpoint' - 'ec2:DeleteRouteTable' - 'ec2:DeleteSecurityGroup' - 'ec2:DeleteSubnet' - 'ec2:DeleteTags' - 'ec2:DeleteVpc' - 'ec2:DeleteVpcEndpoints' - 'ec2:DescribeRouteTables' - 'ec2:DescribeSecurityGroups' - 'ec2:DescribeSubnets' - 'ec2:DescribeTags' - 'ec2:DescribeVpcEndpoints' - 'ec2:DescribeVpcs' - 'ec2:DisassociateRouteTable' - 'ec2:ModifyVpcAttribute' - 'ec2:RevokeSecurityGroupIngress' - 'ecr:GetAuthorizationToken' - 'ecr:BatchCheckLayerAvailability' - 'ecr:GetDownloadUrlForLayer' - 'ecr:GetRepositoryPolicy' - 'ecr:SetRepositoryPolicy' - 'ecr:DescribeRepositories' - 'ecr:CreateRepository' - 'ecr:DeleteRepository' - 'ecr:DescribeRepository' - 'ecr:ListImages' - 'ecr:PutImage' - 'ecr:DescribeImages' - 'ecr:BatchGetImage' - 'ecr:GetLifecyclePolicy' - 'ecr:GetLifecyclePolicyPreview' - 'ecr:ListTagsForResource' - 'ecr:TagResource' - 'ecr:UntagResource' - 'ecr:DescribeImageScanFindings' - 'ecr:InitiateLayerUpload' - 'ecr:UploadLayerPart' - 'ecr:CompleteLayerUpload' - 'iam:AttachRolePolicy' - 'iam:GetPolicy' - 'iam:CreatePolicy' - 'iam:CreatePolicyVersion' - 'iam:DeletePolicy' - 'iam:DeletePolicyVersion' - 'iam:CreateRole' - 'iam:DeleteRole' - 'iam:DeleteRolePolicy' - 'iam:DetachRolePolicy' - 'iam:GetRole' - 'iam:GetRolePolicy' - 'iam:ListPolicyVersions' - 'iam:PassRole' - 'iam:PutRolePolicy' - 'iam:CreateServiceLinkedRole' - 'iam:TagRole' - 'kms:CreateAlias' - 'kms:CreateGrant' - 'kms:CreateKey' - 'kms:Decrypt' - 'kms:DeleteAlias' - 'kms:DeleteCustomKeyStore' - 'kms:DeleteImportedKeyMaterial' - 'kms:DescribeKey' - 'kms:EnableKey' - 'kms:EnableKeyRotation' - 'kms:GenerateDataKey' - 'kms:ListAliases' - 'kms:PutKeyPolicy' - 'kms:ScheduleKeyDeletion' - 'kms:TagResource' - 'kms:UpdateAlias' - 'kms:UpdateCustomKeyStore' - 'kms:UpdateKeyDescription' - 'kms:GenerateDataKeyWithoutPlainText' - 'resource-groups:CreateGroup' - 'resource-groups:DeleteGroup' - 'resource-groups:Tag' - 'resource-groups:Untag' - 's3:CreateBucket' - 's3:DeleteBucket' - 's3:DeleteBucketPolicy' - 's3:GetBucketPolicy' - 's3:GetEncryptionConfiguration' - 's3:GetObject' - 's3:HeadBucket' - 's3:PutBucketPolicy' - 's3:PutBucketTagging' - 's3:PutEncryptionConfiguration' - 's3:PutBucketPublicAccessBlock' - 'servicecatalog:AssociatePrincipalWithPortfolio' - 'servicecatalog:AssociateProductWithPortfolio' - 'servicecatalog:CreateConstraint' - 'servicecatalog:CreatePortfolio' - 'servicecatalog:CreateProduct' - 'servicecatalog:DeleteConstraint' - 'servicecatalog:DeletePortfolio' - 'servicecatalog:DeleteProduct' - 'servicecatalog:DescribeConstraint' - 'servicecatalog:DescribeProductAsAdmin' - 'servicecatalog:DescribeProvisioningArtifact' - 'servicecatalog:DisassociatePrincipalFromPortfolio' - 'servicecatalog:DisassociateProductFromPortfolio' - 'ssm:AddTagsToResource' - 'ssm:DeleteParameter' - 'ssm:DeleteParameters' - 'ssm:GetParameter' - 'ssm:GetParameters' - 'ssm:PutParameter' - 'ssm:RemoveTagsFromResource' - 'elasticfilesystem:CreateFileSystem' - 'sagemaker:AddTags' - 'sagemaker:CreateDomain' - 'sagemaker:CreateUserProfile' - 'sagemaker:CreateApp' - 'sagemaker:CreateAppImageConfig' - 'sagemaker:CreateImage' - 'sagemaker:CreateImageVersion' - 'sagemaker:DescribeDomain' - 'sagemaker:DescribeImage' - 'sagemaker:DescribeImageVersion' - 'sagemaker:DescribeUserProfile' - 'sagemaker:DeleteDomain' - 'sagemaker:DeleteImage' - 'sagemaker:DeleteImageVersion' - 'sagemaker:DeleteUserProfile' - 'sagemaker:DeleteApp' - 'sagemaker:DeleteNotebookInstance' - 'sagemaker:DeleteAppImageConfig' - 'sagemaker:DeleteTags' - 'sagemaker:ListTags' - 'sagemaker:UpdateAppImageConfig' - 'sagemaker:UpdateNotebookInstanceLifecycleConfig' - 'sagemaker:UpdateDomain' - 'sagemaker:UpdateUserProfile' - 'sagemaker:UpdateImage' Resource: '*' - Sid: SageMakerIamPassRole Effect: Allow Action: - 'iam:PassRole' Resource: '*' Condition: StringEquals: 'iam:PassedToService': - sagemaker.amazonaws.com