Parameters: UserProfileName: Type: String Description: The user profile name for the SageMaker workshop Default: 'SageMakerUser' DomainName: Type: String Description: The domain name of the Sagemaker studio instance Default: 'MyDomain' Mappings: RegionMap: us-east-1: datascience: "arn:aws:sagemaker:us-east-1:081325390199:image/datascience-1.0" us-east-2: datascience: "arn:aws:sagemaker:us-east-2:429704687514:image/datascience-1.0" us-west-1: datascience: "arn:aws:sagemaker:us-west-1:742091327244:image/datascience-1.0" us-west-2: datascience: "arn:aws:sagemaker:us-west-2:236514542706:image/datascience-1.0" af-south-1: datascience: "arn:aws:sagemaker:af-south-1:559312083959:image/datascience-1.0" ap-east-1: datascience: "arn:aws:sagemaker:ap-east-1:493642496378:image/datascience-1.0" ap-south-1: datascience: "arn:aws:sagemaker:ap-south-1:394103062818:image/datascience-1.0" ap-northeast-2: datascience: "arn:aws:sagemaker:ap-northeast-2:806072073708:image/datascience-1.0" ap-southeast-1: datascience: "arn:aws:sagemaker:ap-southeast-1:492261229750:image/datascience-1.0" ap-southeast-2: datascience: "arn:aws:sagemaker:ap-southeast-2:452832661640:image/datascience-1.0" ap-northeast-1: datascience: "arn:aws:sagemaker:ap-northeast-1:102112518831:image/datascience-1.0" ca-central-1: datascience: "arn:aws:sagemaker:ca-central-1:310906938811:image/datascience-1.0" eu-central-1: datascience: "arn:aws:sagemaker:eu-central-1:936697816551:image/datascience-1.0" eu-west-1: datascience: "arn:aws:sagemaker:eu-west-1:470317259841:image/datascience-1.0" eu-west-2: datascience: "arn:aws:sagemaker:eu-west-2:712779665605:image/datascience-1.0" eu-west-3: datascience: "arn:aws:sagemaker:eu-west-3:615547856133:image/datascience-1.0" eu-north-1: datascience: "arn:aws:sagemaker:eu-north-1:243637512696:image/datascience-1.0" eu-south-1: datascience: "arn:aws:sagemaker:eu-south-1:488287956546:image/sagemaker-data-wrangler-1.0" sa-east-1: datascience: "arn:aws:sagemaker:sa-east-1:782484402741:image/datascience-1.0" Resources: LambdaExecutionRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - "sts:AssumeRole" Path: / ManagedPolicyArns: - 'arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess' - 'arn:aws:iam::aws:policy/AmazonS3FullAccess' - 'arn:aws:iam::aws:policy/IAMFullAccess' - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole SageMakerExecutionRole: Type: AWS::IAM::Role Properties: RoleName: !Join [ "-", [ "SageMakerExecutionRole", !Ref AWS::StackName ]] Policies: - PolicyName: s3-access PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - s3:GetObject - s3:PutObject - s3:DeleteObject - s3:ListBucket Resource: arn:aws:s3:::* - PolicyName: codebuild-access PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - codebuild:DeleteProject - codebuild:CreateProject - codebuild:BatchGetBuilds - codebuild:StartBuild Resource: 'arn:aws:codebuild:*:*:project/sagemaker-studio*' - Effect: Allow Action: - logs:CreateLogStream Resource: 'arn:aws:logs:*:*:log-group:/aws/codebuild/sagemaker-studio*' - Effect: Allow Action: - logs:GetLogEvents - logs:PutLogEvents Resource: 'arn:aws:logs:*:*:log-group:/aws/codebuild/sagemaker-studio*:log-stream:*' - Effect: Allow Action: - logs:CreateLogGroup Resource: '*' - Effect: Allow Action: - ecr:* Resource: '*' - PolicyName: iam-access PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - iam:GetRole - iam:GetRolePolicy - iam:PassRole - iam:ListRoles - iam:CreateRole - iam:AttachRolePolicy Resource: '*' - PolicyName: kms-access PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - kms:CreateKey - kms:Get* - kms:List* Resource: '*' AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - sagemaker.amazonaws.com Action: - sts:AssumeRole - Effect: Allow Principal: Service: - codebuild.amazonaws.com Action: - sts:AssumeRole - Effect: Allow Principal: AWS: - !Sub "arn:aws:iam::${AWS::AccountId}:root" Action: - sts:AssumeRole ManagedPolicyArns: - 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess' - 'arn:aws:iam::aws:policy/AmazonS3FullAccess' - 'arn:aws:iam::aws:policy/AWSCloudFormationFullAccess' - 'arn:aws:iam::aws:policy/AWSCodePipeline_FullAccess' - 'arn:aws:iam::aws:policy/AmazonSageMakerPipelinesIntegrations' - 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess' - 'arn:aws:iam::aws:policy/AWSLambda_FullAccess' LambdaExecutionPolicy: Type: AWS::IAM::ManagedPolicy Properties: Path: / PolicyDocument: Version: 2012-10-17 Statement: - Sid: CloudWatchLogsPermissions Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: !Sub "arn:${AWS::Partition}:logs:*:*:*" - Sid: SageMakerDomainPermission Effect: Allow Action: - sagemaker:ListDomains - sagemaker:CreateDomain - sagemaker:DescribeDomain - sagemaker:DeleteDomain - sagemaker:UpdateDomain - sagemaker:ListUserProfiles - sagemaker:CreateUserProfile - sagemaker:UpdateUserProfile - sagemaker:DeleteUserProfile - sagemaker:DescribeUserProfile - sagemaker:ListApps - sagemaker:CreateApp - sagemaker:DescribeApp - sagemaker:DeleteApp - sagemaker:UpdateApp Resource: - !Sub "arn:${AWS::Partition}:sagemaker:*:*:domain/*" - !Sub "arn:${AWS::Partition}:sagemaker:*:*:user-profile/*" - !Sub "arn:${AWS::Partition}:sagemaker:*:*:app/*" - Sid: SageMakerProjectsPermission Effect: Allow Action: - servicecatalog:AcceptPortfolioShare - sagemaker:EnableSagemakerServicecatalogPortfolio - sagemaker:DisableSagemakerServicecatalogPortfolio Resource: '*' - Sid: ServiceCatalogPermission Effect: Allow Action: - servicecatalog:* Resource: '*' - Sid: SageMakerExecPassRole Effect: Allow Action: - iam:PassRole Resource: !GetAtt SageMakerExecutionRole.Arn Roles: - !Ref LambdaExecutionRole # Adding a wait time after SageMakerExecutionRole creation # this is due to https://t.corp.amazon.com/P45031666 DomainDeploymentDelay: Type: 'Custom::Delay' DependsOn: SageMakerExecutionRole Properties: ServiceToken: !GetAtt DelayLambda.Arn TimeToWait: 300 DelayLambda: Type: 'AWS::Lambda::Function' Properties: Handler: "index.handler" Timeout: 660 Role: !GetAtt LambdaExecutionRole.Arn Runtime: python3.7 Code: ZipFile: | import json import cfnresponse import time def handler(event, context): time_to_wait = int(event['ResourceProperties']['TimeToWait']) print(f'Waiting for {time_to_wait} seconds') time.sleep(time_to_wait) print(f'Waiting finished') cfnresponse.send(event, context, cfnresponse.SUCCESS, {},'') DefaultVpcLambda: Type: AWS::Lambda::Function Properties: FunctionName: CFGetDefaultVpcId Code: ZipFile: | import json import boto3 import cfnresponse ec2 = boto3.client('ec2') def lambda_handler(event, context): if 'RequestType' in event and event['RequestType'] == 'Create': vpc_id = get_default_vpc_id() subnets = get_subnets_for_vpc(vpc_id) cfnresponse.send(event, context, cfnresponse.SUCCESS, {'VpcId': vpc_id , "Subnets" : subnets}, '') else: cfnresponse.send(event, context, cfnresponse.SUCCESS, {},'') def get_default_vpc_id(): vpcs = ec2.describe_vpcs(Filters=[{'Name': 'is-default', 'Values': ['true']}]) vpcs = vpcs['Vpcs'] vpc_id = vpcs[0]['VpcId'] return vpc_id def get_subnets_for_vpc(vpcId): response = ec2.describe_subnets( Filters=[ { 'Name': 'vpc-id', 'Values': [vpcId] } ] ) subnet_ids = [] for subnet in response['Subnets']: subnet_ids.append(subnet['SubnetId']) return subnet_ids Description: Return default VPC ID and Subnets Handler: index.lambda_handler MemorySize: 512 Role: !GetAtt LambdaExecutionRole.Arn Runtime: python3.7 Timeout: 5 DefaultVpcFinder: Type: Custom::ResourceForFindingDefaultVpc Properties: ServiceToken: !GetAtt DefaultVpcLambda.Arn StudioDomain: Type: AWS::SageMaker::Domain DependsOn: DomainDeploymentDelay Properties: AppNetworkAccessType: PublicInternetOnly AuthMode: IAM DefaultUserSettings: ExecutionRole: !GetAtt SageMakerExecutionRole.Arn DomainName: !Ref DomainName SubnetIds: !GetAtt DefaultVpcFinder.Subnets VpcId: !GetAtt DefaultVpcFinder.VpcId EnableProjectsLambda: Type: AWS::Lambda::Function DependsOn: StudioDomain Properties: FunctionName: CFEnableSagemakerProjects Code: ZipFile: | # Function: CFEnableSagemakerProjects # Purpose: Enables Sagemaker Projects import json import boto3 import cfnresponse client = boto3.client('sagemaker') sc_client = boto3.client('servicecatalog') def lambda_handler(event, context): response_status = cfnresponse.SUCCESS execution_role = event['ResourceProperties']['ExecutionRole'] if 'RequestType' in event and event['RequestType'] == 'Create': enable_projects(execution_role) cfnresponse.send(event, context, response_status, {}, '') def enable_projects(studio_role_arn): # enable Project on account level (accepts portfolio share) response = client.enable_sagemaker_servicecatalog_portfolio() # associate studio role with portfolio response = sc_client.list_accepted_portfolio_shares() portfolio_id = '' for portfolio in response['PortfolioDetails']: if portfolio['ProviderName'] == 'Amazon SageMaker': portfolio_id = portfolio['Id'] response = sc_client.associate_principal_with_portfolio( PortfolioId=portfolio_id, PrincipalARN=studio_role_arn, PrincipalType='IAM' ) Description: Enable Sagemaker Projects Handler: index.lambda_handler MemorySize: 512 Role: !GetAtt LambdaExecutionRole.Arn Runtime: python3.7 Timeout: 5 EnableProjects: Type: Custom::ResourceForEnablingSageMakerProjects Properties: ServiceToken: !GetAtt EnableProjectsLambda.Arn ExecutionRole: !GetAtt SageMakerExecutionRole.Arn UserProfile: Type: AWS::SageMaker::UserProfile Properties: DomainId: !GetAtt StudioDomain.DomainId UserProfileName: !Ref UserProfileName UserSettings: ExecutionRole: !GetAtt SageMakerExecutionRole.Arn JupyterApp: Type: AWS::SageMaker::App DependsOn: UserProfile Properties: AppName: default AppType: JupyterServer DomainId: !GetAtt StudioDomain.DomainId UserProfileName: !Ref UserProfileName DataScienceApp: Type: AWS::SageMaker::App DependsOn: UserProfile Properties: AppName: instance-event-engine-datascience-ml-t3-medium AppType: KernelGateway DomainId: !GetAtt StudioDomain.DomainId ResourceSpec: InstanceType: ml.t3.medium SageMakerImageArn: !FindInMap - RegionMap - !Ref 'AWS::Region' - datascience UserProfileName: !Ref UserProfileName ### S3 Bucket similar to the one created by the create domain action in the UI StudioBucket: Type: AWS::S3::Bucket Properties: BucketName: !Join - "-" - - "sagemaker-studio" - !Select - 0 - !Split - "-" - !Select - 2 - !Split - "/" - !Ref "AWS::StackId" ### Roles for Sagemaker projects AmazonSageMakerServiceCatalogProductsLaunchRole: Type: "AWS::IAM::Role" Properties: RoleName: !Join [ ".", [ "SMSCProductsLaunchRole", !Ref AWS::StackName ]] Description: "SageMaker role created from the SageMaker AWS Management Console. This role has the permissions required to launch the Amazon SageMaker portfolio of products from AWS ServiceCatalog." AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: "servicecatalog.amazonaws.com" Action: "sts:AssumeRole" Path: "/service-role/" MaxSessionDuration: 3600 Policies: - PolicyName: !Join [ ".", [ "SMASCProductsServiceRolePolicy", !Ref AWS::StackName ]] PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'apigateway:GET' - 'apigateway:POST' - 'apigateway:PUT' - 'apigateway:PATCH' - 'apigateway:DELETE' Resource: '*' Condition: StringLike: 'aws:ResourceTag/sagemaker:launch-source': '*' - Effect: Allow Action: - 'apigateway:POST' Resource: '*' Condition: 'ForAnyValue:StringLike': 'aws:TagKeys': - 'sagemaker:launch-source' - Effect: Allow Action: - 'apigateway:PATCH' Resource: - 'arn:aws:apigateway:*::/account' - Effect: Allow Action: - 'cloudformation:CreateStack' - 'cloudformation:UpdateStack' - 'cloudformation:DeleteStack' Resource: 'arn:aws:cloudformation:*:*:stack/SC-*' Condition: ArnLikeIfExists: 'cloudformation:RoleArn': - 'arn:aws:sts::*:assumed-role/SMSC*' - Effect: Allow Action: - 'cloudformation:DescribeStackEvents' - 'cloudformation:DescribeStacks' Resource: 'arn:aws:cloudformation:*:*:stack/SC-*' - Effect: Allow Action: - 'cloudformation:GetTemplateSummary' - 'cloudformation:ValidateTemplate' Resource: '*' - Effect: Allow Action: - 'codebuild:CreateProject' - 'codebuild:DeleteProject' - 'codebuild:UpdateProject' Resource: - 'arn:aws:codebuild:*:*:project/sagemaker-*' - Effect: Allow Action: - 'codecommit:CreateCommit' - 'codecommit:CreateRepository' - 'codecommit:DeleteRepository' - 'codecommit:GetRepository' - 'codecommit:TagResource' Resource: - 'arn:aws:codecommit:*:*:sagemaker-*' - Effect: Allow Action: - 'codecommit:ListRepositories' Resource: '*' - Effect: Allow Action: - 'codepipeline:CreatePipeline' - 'codepipeline:DeletePipeline' - 'codepipeline:GetPipeline' - 'codepipeline:GetPipelineState' - 'codepipeline:StartPipelineExecution' - 'codepipeline:TagResource' - 'codepipeline:UpdatePipeline' Resource: - 'arn:aws:codepipeline:*:*:sagemaker-*' - Effect: Allow Action: - 'cognito-idp:CreateUserPool' Resource: '*' Condition: 'ForAnyValue:StringLike': 'aws:TagKeys': - 'sagemaker:launch-source' - Effect: Allow Action: - 'cognito-idp:CreateGroup' - 'cognito-idp:CreateUserPoolDomain' - 'cognito-idp:CreateUserPoolClient' - 'cognito-idp:DeleteGroup' - 'cognito-idp:DeleteUserPool' - 'cognito-idp:DeleteUserPoolClient' - 'cognito-idp:DeleteUserPoolDomain' - 'cognito-idp:DescribeUserPool' - 'cognito-idp:DescribeUserPoolClient' - 'cognito-idp:UpdateUserPool' - 'cognito-idp:UpdateUserPoolClient' Resource: '*' Condition: StringLike: 'aws:ResourceTag/sagemaker:launch-source': '*' - Action: - 'ecr:CreateRepository' - 'ecr:DeleteRepository' Resource: - 'arn:aws:ecr:*:*:repository/sagemaker-*' Effect: Allow - Effect: Allow Action: - 'events:DescribeRule' - 'events:DeleteRule' - 'events:DisableRule' - 'events:EnableRule' - 'events:PutRule' - 'events:PutTargets' - 'events:RemoveTargets' Resource: - 'arn:aws:events:*:*:rule/sagemaker-*' - Effect: Allow Action: - 'firehose:CreateDeliveryStream' - 'firehose:DeleteDeliveryStream' - 'firehose:DescribeDeliveryStream' - 'firehose:StartDeliveryStreamEncryption' - 'firehose:StopDeliveryStreamEncryption' - 'firehose:UpdateDestination' Resource: 'arn:aws:firehose:*:*:deliverystream/sagemaker-*' - Action: - 'glue:CreateDatabase' - 'glue:DeleteDatabase' Resource: - 'arn:aws:glue:*:*:catalog' - 'arn:aws:glue:*:*:database/sagemaker-*' - 'arn:aws:glue:*:*:table/sagemaker-*' - 'arn:aws:glue:*:*:userDefinedFunction/sagemaker-*' Effect: Allow - Action: - 'glue:CreateClassifier' - 'glue:DeleteClassifier' - 'glue:DeleteCrawler' - 'glue:DeleteJob' - 'glue:DeleteTrigger' - 'glue:DeleteWorkflow' - 'glue:StopCrawler' Resource: - '*' Effect: Allow - Action: - 'glue:CreateWorkflow' Resource: - 'arn:aws:glue:*:*:workflow/sagemaker-*' Effect: Allow - Action: - 'glue:CreateJob' Resource: - 'arn:aws:glue:*:*:job/sagemaker-*' Effect: Allow - Action: - 'glue:CreateCrawler' - 'glue:GetCrawler' Resource: - 'arn:aws:glue:*:*:crawler/sagemaker-*' Effect: Allow - Action: - 'glue:CreateTrigger' - 'glue:GetTrigger' Resource: - 'arn:aws:glue:*:*:trigger/sagemaker-*' Effect: Allow - Effect: Allow Action: - 'iam:PassRole' Resource: - 'arn:aws:iam::*:role/service-role/SMSC*' - Effect: Allow Action: - 'lambda:AddPermission' - 'lambda:CreateFunction' - 'lambda:DeleteFunction' - 'lambda:GetFunction' - 'lambda:GetFunctionConfiguration' - 'lambda:InvokeFunction' - 'lambda:RemovePermission' Resource: - 'arn:aws:lambda:*:*:function:sagemaker-*' - Effect: Allow Action: - 'logs:CreateLogGroup' - 'logs:CreateLogStream' - 'logs:DeleteLogGroup' - 'logs:DeleteLogStream' - 'logs:DescribeLogGroups' - 'logs:DescribeLogStreams' - 'logs:PutRetentionPolicy' Resource: - 'arn:aws:logs:*:*:log-group:/aws/apigateway/AccessLogs/*' - 'arn:aws:logs:*:*:log-group::log-stream:*' - Effect: Allow Action: 's3:GetObject' Resource: '*' Condition: StringEquals: 's3:ExistingObjectTag/servicecatalog:provisioning': 'true' - Effect: Allow Action: 's3:GetObject' Resource: - 'arn:aws:s3:::sagemaker-*' - Effect: Allow Action: - 's3:CreateBucket' - 's3:DeleteBucket' - 's3:DeleteBucketPolicy' - 's3:GetBucketPolicy' - 's3:PutBucketAcl' - 's3:PutBucketNotification' - 's3:PutBucketPolicy' - 's3:PutBucketPublicAccessBlock' - 's3:PutBucketLogging' - 's3:PutEncryptionConfiguration' Resource: 'arn:aws:s3:::sagemaker-*' - Action: - 'sagemaker:CreateEndpoint' - 'sagemaker:CreateEndpointConfig' - 'sagemaker:CreateModel' - 'sagemaker:CreateWorkteam' - 'sagemaker:DeleteEndpoint' - 'sagemaker:DeleteEndpointConfig' - 'sagemaker:DeleteModel' - 'sagemaker:DeleteWorkteam' - 'sagemaker:DescribeModel' - 'sagemaker:DescribeEndpointConfig' - 'sagemaker:DescribeEndpoint' - 'sagemaker:DescribeWorkteam' Resource: - 'arn:aws:sagemaker:*:*:*' Effect: Allow - Action: - 'states:CreateStateMachine' - 'states:DeleteStateMachine' - 'states:UpdateStateMachine' Resource: - 'arn:aws:states:*:*:stateMachine:sagemaker-*' Effect: Allow AmazonSageMakerServiceCatalogProductsUseRole: Type: "AWS::IAM::Role" Properties: RoleName: !Join [ ".", [ "SMSCProductsUseRole", !Ref AWS::StackName ]] Description: "SageMaker role created from the SageMaker AWS Management Console. This role has the permissions required to use the Amazon SageMaker portfolio of products from AWS ServiceCatalog." Path: "/service-role/" MaxSessionDuration: 3600 AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "cloudformation.amazonaws.com" - "apigateway.amazonaws.com" - "lambda.amazonaws.com" - "codebuild.amazonaws.com" - "sagemaker.amazonaws.com" - "glue.amazonaws.com" - "events.amazonaws.com" - "states.amazonaws.com" - "codepipeline.amazonaws.com" - "firehose.amazonaws.com" Action: "sts:AssumeRole" Policies: - PolicyName: !Join [ ".", [ "SMSCProductsUseRole-1", !Ref AWS::StackName ]] PolicyDocument: Version: 2012-10-17 Statement: - Action: - cloudformation:CreateChangeSet - cloudformation:CreateStack - cloudformation:DescribeChangeSet - cloudformation:DeleteChangeSet - cloudformation:DeleteStack - cloudformation:DescribeStacks - cloudformation:ExecuteChangeSet - cloudformation:SetStackPolicy - cloudformation:UpdateStack Resource: arn:aws:cloudformation:*:*:stack/sagemaker-* Effect: Allow - Action: - cloudwatch:PutMetricData Resource: "*" Effect: Allow - Action: - codebuild:BatchGetBuilds - codebuild:StartBuild Resource: - arn:aws:codebuild:*:*:project/sagemaker-* - arn:aws:codebuild:*:*:build/sagemaker-* Effect: Allow - Action: - codecommit:CancelUploadArchive - codecommit:GetBranch - codecommit:GetCommit - codecommit:GetUploadArchiveStatus - codecommit:UploadArchive Resource: arn:aws:codecommit:*:*:sagemaker-* Effect: Allow - Action: - codepipeline:StartPipelineExecution Resource: arn:aws:codepipeline:*:*:sagemaker-* Effect: Allow - Action: - ec2:DescribeRouteTables Resource: "*" Effect: Allow - Action: - ecr:BatchCheckLayerAvailability - ecr:BatchGetImage - ecr:Describe* - ecr:GetAuthorizationToken - ecr:GetDownloadUrlForLayer Resource: "*" Effect: Allow - Effect: Allow Action: - ecr:BatchDeleteImage - ecr:CompleteLayerUpload - ecr:CreateRepository - ecr:DeleteRepository - ecr:InitiateLayerUpload - ecr:PutImage - ecr:UploadLayerPart Resource: - arn:aws:ecr:*:*:repository/sagemaker-* - Action: - events:DeleteRule - events:DescribeRule - events:PutRule - events:PutTargets - events:RemoveTargets Resource: - arn:aws:events:*:*:rule/sagemaker-* Effect: Allow - Action: - firehose:PutRecord - firehose:PutRecordBatch Resource: arn:aws:firehose:*:*:deliverystream/sagemaker-* Effect: Allow - Action: - glue:BatchCreatePartition - glue:BatchDeletePartition - glue:BatchDeleteTable - glue:BatchDeleteTableVersion - glue:BatchGetPartition - glue:CreateDatabase - glue:CreatePartition - glue:CreateTable - glue:DeletePartition - glue:DeleteTable - glue:DeleteTableVersion - glue:GetDatabase - glue:GetPartition - glue:GetPartitions - glue:GetTable - glue:GetTables - glue:GetTableVersion - glue:GetTableVersions - glue:SearchTables - glue:UpdatePartition - glue:UpdateTable Resource: - arn:aws:glue:*:*:catalog - arn:aws:glue:*:*:database/default - arn:aws:glue:*:*:database/global_temp - arn:aws:glue:*:*:database/sagemaker-* - arn:aws:glue:*:*:table/sagemaker-* - arn:aws:glue:*:*:tableVersion/sagemaker-* Effect: Allow - Action: - iam:PassRole Resource: - arn:aws:iam::*:role/service-role/SMSCProductsUse* Effect: Allow - Effect: Allow Action: - lambda:InvokeFunction Resource: - arn:aws:lambda:*:*:function:sagemaker-* - Action: - logs:CreateLogDelivery - logs:CreateLogGroup - logs:CreateLogStream - logs:DeleteLogDelivery - logs:Describe* - logs:GetLogDelivery - logs:GetLogEvents - logs:ListLogDeliveries - logs:PutLogEvents - logs:PutResourcePolicy - logs:UpdateLogDelivery Resource: "*" Effect: Allow - Effect: Allow Action: - s3:CreateBucket - s3:DeleteBucket - s3:GetBucketAcl - s3:GetBucketCors - s3:GetBucketLocation - s3:ListAllMyBuckets - s3:ListBucket - s3:ListBucketMultipartUploads - s3:PutBucketCors Resource: - arn:aws:s3:::aws-glue-* - arn:aws:s3:::sagemaker-* - Effect: Allow Action: - s3:AbortMultipartUpload - s3:DeleteObject - s3:GetObject - s3:GetObjectVersion - s3:PutObject Resource: - arn:aws:s3:::aws-glue-* - arn:aws:s3:::sagemaker-* - Effect: Allow Action: - sagemaker:* NotResource: - arn:aws:sagemaker:*:*:domain/* - arn:aws:sagemaker:*:*:user-profile/* - arn:aws:sagemaker:*:*:app/* - arn:aws:sagemaker:*:*:flow-definition/* - Action: - states:DescribeExecution - states:DescribeStateMachine - states:DescribeStateMachineForExecution - states:GetExecutionHistory - states:ListExecutions - states:ListTagsForResource - states:StartExecution - states:StopExecution - states:TagResource - states:UntagResource - states:UpdateStateMachine Resource: - arn:aws:states:*:*:stateMachine:sagemaker-* - arn:aws:states:*:*:execution:sagemaker-*:* Effect: Allow - Action: - states:ListStateMachines Resource: "*" Effect: Allow RouteCalculator: Type: AWS::Location::RouteCalculator Properties: CalculatorName: !Join [ "." , [ "route.calculator", !Ref AWS::StackName ]] DataSource: 'Here' Description: 'Ednpoint for route calculation' RouteMap: Type: AWS::Location::Map Properties: Configuration: Style: 'VectorHereExplore' Description: String MapName: !Join [ ".", [ "route.map", !Ref AWS::StackName ]] LocaitionServiceAccessPolicy: Type: "AWS::IAM::ManagedPolicy" Properties: ManagedPolicyName: !Join [ ".", [ "wastemap-Policy", !Ref AWS::StackName ]] PolicyDocument: !Sub - | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "geo:GetMapStyleDescriptor", "geo:GetMapGlyphs", "geo:GetMapSprites", "geo:GetMapTile" ], "Resource": "${RouteMapARN}" }, { "Effect": "Allow", "Action": [ "geo:CalculateRouteMatrix", "geo:CalculateRoute" ], "Resource": "${RouteCalculatorARN}" }, { "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks" ], "Resource": "*" } ] } - RouteMapARN : !GetAtt RouteMap.Arn RouteCalculatorARN : !GetAtt RouteCalculator.Arn Roles: - Ref: SageMakerExecutionRole SagemakerLocaitionServiceAccessPolicyAssumeRole: Type: "AWS::IAM::Policy" Properties: PolicyName: !Join [ ".", [ "inline-wastemap-Policy", !Ref AWS::StackName ]] PolicyDocument: !Sub - | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sts:AssumeRole" ], "Resource": "arn:aws:iam::${AWS::AccountId}:role/${SagemakerRoleName}" } ] } - SagemakerRoleName : !Ref SageMakerExecutionRole Roles: - Ref: SageMakerExecutionRole Outputs: CalculatorName: Description: "Route CalculatorName" Value: !Ref RouteCalculator MapName: Description: "Map Name" Value: !Ref RouteMap PolicyName: Description: "Location Service Policy Name" Value: !Ref LocaitionServiceAccessPolicy