iam-roles.yml
AWSTemplateFormatVersion: "2010-09-09"
Description: This template creates the IAM roles necessary to execute the SageMaker Edge Manager tutorial.

Parameters:
  # Name of the bucket holding the model artifacts; referenced by the S3
  # statements of SageMakerRole and UserAssumeRole below.
  S3Bucket:
    Type: String
    # NOTE(review): with the default left in place the bucket ARNs below expand
    # to arn:aws:s3:::*/* , i.e. object access to every bucket in the account.
    # Supply a real bucket name when deploying outside the tutorial.
    Default: '*'
    Description: Enter the name of the S3 bucket where you will store your model artifacts. This is the bucket that SageMaker will have access to.

Resources:
SageMakerRole:
Type: AWS::IAM::Role
DependsOn: SageMakerIoTRole
Properties:
RoleName: AmazonSageMaker-ExecutionRole-EdgeManager
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- sagemaker.amazonaws.com
Action:
- 'sts:AssumeRole'
Description: SageMaker execution role for running the SageMaker Edge Manager tutorial
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonSageMakerFullAccess
- arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess
Policies:
- PolicyName: SageMaker-S3-Access-Edge-Manager
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- s3:GetObject
- s3:PutObject
- s3:DeleteObject
- s3:ListBucket
Resource:
- !Sub
- arn:aws:s3:::${bucket}/
- { bucket: !Ref S3Bucket}
- !Sub
- arn:aws:s3:::${bucket}/*
- { bucket: !Ref S3Bucket}
- !Sub arn:aws:s3:::sagemaker-${AWS::Region}-${AWS::AccountId}/*
- !Sub arn:aws:s3:::sagemaker-${AWS::Region}-${AWS::AccountId}/
- Effect: Allow
Action:
- iam:PassRole
Resource: !GetAtt SageMakerIoTRole.Arn
- Effect: Allow
Action:
- iot:CreateThing
- iot:CreateThingType
- iot:CreateKeysAndCertificate
- iot:DescribeRoleAlias
- iot:CreatePolicy
- iot:AttachPolicy
- iot:DescribeEndpoint
Resource: '*'
SageMakerIoTRole:
Type: AWS::IAM::Role
Properties:
RoleName: SageMaker-IoT-Role
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- sagemaker.amazonaws.com
Action:
- 'sts:AssumeRole'
- Effect: Allow
Principal:
Service:
- credentials.iot.amazonaws.com
Action:
- 'sts:AssumeRole'
Description: Allows IoT to call AWS services on your behalf
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSIoTThingsRegistration
- arn:aws:iam::aws:policy/service-role/AWSIoTLogging
- arn:aws:iam::aws:policy/service-role/AWSIoTRuleActions
- arn:aws:iam::aws:policy/service-role/AmazonSageMakerEdgeDeviceFleetPolicy
UserAssumeRole:
Type: AWS::IAM::Role
Properties:
RoleName: Edge-Manager-User-Role-to-Assume
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS:
- !Sub arn:aws:iam::${AWS::AccountId}:root
Action:
- 'sts:AssumeRole'
Description: Users should assume this role for the Edge Manager tutorial.
Policies:
- PolicyName: User-Edge-Manager-Policy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- s3:GetObject
Resource:
- !Sub
- arn:aws:s3:::${bucket}/*
- { bucket: !Ref S3Bucket}
- !Sub arn:aws:s3:::sagemaker-${AWS::Region}-${AWS::AccountId}/*
- Effect: Allow
Action:
- ecr:CreateRepository
- ecr:PutImage
Resource: '*'
# Role ARNs surfaced for the tutorial steps that need them.
Outputs:
  # Set as the execution role of the Studio environment.
  SageMakerStudioRole:
    Description: Role to be set as execution role in SageMaker Studio environment.
    Value: !GetAtt SageMakerRole.Arn
  # Passed to CreateDeviceFleet.
  SageMakerIoTRole:
    Description: Role which gets passed to the Device Fleet during creation.
    Value: !GetAtt SageMakerIoTRole.Arn
  # Assumed by the operator via the CLI.
  UserRole:
    Description: User role to assume via the CLI.
    Value: !GetAtt UserAssumeRole.Arn