AWSTemplateFormatVersion: '2010-09-09'
Description: 'Allows a Role/user to call the lambda to generate a URL for SageMaker Notebook'
Parameters:
URLLambdaARN:
Type: String
URLLambdaRole:
Type: String
AdminRole:
Type: String
Default: IibsAdminAccess-DO-NOT-DELETE
Resources:
#This is the entry that allows Developer to pass role to URLInstanciatorLambdaRoleExecution
DeveloperPassRolePolicy:
Type: AWS::IAM::Policy
DependsOn: DeveloperRole
Properties:
PolicyName : 'DeveloperPassRoleToSageMakerNotebookManagedPolicy'
Roles:
- 'Developer'
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- iam:GetRole
- iam:PassRole
Resource: !Ref 'URLLambdaARN'
- Effect: Allow
Action:
- lambda:CreateFunction
- lambda:InvokeFunction
Resource: "*"
- Effect: Allow
Action:
- iam:GetRole
- iam:PassRole
Resource: !Ref 'URLLambdaRole'
- Effect: Allow
Action:
- cloudformation:Describe*
Resource: '*'
DeveloperRole:
Type: AWS::IAM::Role
Properties:
RoleName: 'Developer'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- 'servicecatalog.amazonaws.com'
Action:
- sts:AssumeRole
- Effect: Allow
Principal:
AWS:
- !Ref 'AdminRole'
Action:
- sts:AssumeRole
Path: /
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
- "arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess"
- "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
- "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser"
- "arn:aws:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
- "arn:aws:iam::aws:policy/AWSLambda_ReadOnlyAccess"
Outputs:
DeveloperRole:
Description: Developer Role
Value: !GetAtt 'DeveloperRole.Arn'
Export:
Name: 'Developer-ARN'