# Update IAM Roles and Policies

In [1]:
import boto3
import sagemaker
import time
from time import gmtime, strftime

from botocore.config import Config

# Session and identity handles shared by every cell in this notebook.
sagemaker_session = sagemaker.Session()
role = sagemaker.get_execution_role()
bucket = sagemaker_session.default_bucket()
region = boto3.Session().region_name

# IAM client with adaptive retries so transient throttling does not abort a cell.
config = Config(retries={"max_attempts": 10, "mode": "adaptive"})
iam = boto3.client("iam", config=config)

## Get SageMaker Execution Role Name

In [2]:
# The execution role ARN ends in ".../<role-name>"; the IAM API wants the bare name.
role_name = role.rsplit("/", 1)[-1]

print("Role name: {}".format(role_name))

Role name: mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K


In [3]:
# Gate flag persisted with %store at the end of the notebook; it should only
# become True once the final policy check passes.
setup_iam_roles_passed = False

# **Pre-Requisite:  SageMaker notebook instance ExecutionRole contains `IAMFullAccess` Policy.**

In [4]:
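# Record whether the role already carries AdministratorAccess. The final check
# treats that policy as sufficient on its own, so the per-policy attachments
# below are redundant when it is present.
# NOTE(review): list_attached_role_policies is paginated; this reads only the
# first page, which is enough for the handful of policies a role normally has.
post_policies = iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
admin = any(attached["PolicyName"] == "AdministratorAccess" for attached in post_policies)

# The gate flag is deliberately NOT set here. The original cell set
# setup_iam_roles_passed = True unconditionally before any check had run, so a
# failing final check still left True to be %store'd. Only the final check sets it.
print("AdministratorAccess already attached: {}".format(admin))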

[OK] You are all set up to continue with this workshop!


In [5]:
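if not admin:
    # Names of every managed policy currently attached to the execution role.
    attached_names = {
        attached["PolicyName"]
        for attached in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
    }

    # IAMFullAccess is what lets the cells below call iam:AttachRolePolicy on
    # this role; without it they fail with AccessDenied.
    required_policies = ["IAMFullAccess"]

    for attached_name in [name for name in required_policies if name in attached_names]:
        print("Attached: {}".format(attached_name))

    # Compute the missing set instead of removing items from required_policies
    # while iterating over it (the original did that inside a bare except).
    required_policies = [name for name in required_policies if name not in attached_names]

    if len(required_policies) > 0:
        print(
            "*************** [ERROR] You need to attach the following policies in order to continue with this workshop *****************\n"
        )
        for required_policy in required_policies:
            print("Not Attached: {}".format(required_policy))
    else:
        print("[OK] You are all set to continue with this notebook!")
else:
    print("[OK] You are all set to continue with this notebook!")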

*************** [ERROR] You need to attach the following policies in order to continue with this workshop *****************

Not Attached: IAMFullAccess


# **If you see an ERROR message ^^ above ^^, please attach the IAMFullAccess Policy to the SageMaker notebook instance ExecutionRole.**

In [6]:
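from botocore.exceptions import ClientError

# Attach the AWS-managed AdministratorAccess policy to the execution role.
# This grants every action on every resource; with it attached, all of the
# narrower policies below are redundant. Only acceptable in an isolated
# workshop account.
try:
    policy = "AdministratorAccess"
    response = iam.attach_role_policy(PolicyArn="arn:aws:iam::aws:policy/{}".format(policy), RoleName=role_name)
    print("Policy {} has been successfully attached to role: {}".format(policy, role_name))
except ClientError as e:
    error_code = e.response["Error"]["Code"]
    if error_code == "EntityAlreadyExists":
        print("[OK] Policy is already attached.")
    elif error_code == "LimitExceeded":
        # The role is at its managed-policy quota, so the policy was NOT attached.
        # The original printed "[OK]" here, hiding a real failure that the final
        # check then reports as "Not Attached".
        print("*************** [ERROR] Policy {} was NOT attached to role {}: {} *****************".format(policy, role_name, e))
    else:
        print("*************** [ERROR] {} *****************".format(e))

# Pause before the next IAM call; presumably to let the attachment propagate.
time.sleep(5)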

*************** [ERROR] An error occurred (AccessDenied) when calling the AttachRolePolicy operation: User: arn:aws:sts::298039562326:assumed-role/mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K/SageMaker is not authorized to perform: iam:AttachRolePolicy on resource: role mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K *****************


In [7]:
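from botocore.exceptions import ClientError

# Attach the AWS-managed AmazonSageMakerFullAccess policy to the execution role.
try:
    policy = "AmazonSageMakerFullAccess"
    response = iam.attach_role_policy(PolicyArn="arn:aws:iam::aws:policy/{}".format(policy), RoleName=role_name)
    print("Policy {} has been successfully attached to role: {}".format(policy, role_name))
except ClientError as e:
    error_code = e.response["Error"]["Code"]
    if error_code == "EntityAlreadyExists":
        print("[OK] Policy is already attached.")
    elif error_code == "LimitExceeded":
        # The role is at its managed-policy quota, so the policy was NOT attached.
        # The original printed "[OK]" here, hiding a real failure that the final
        # check then reports as "Not Attached".
        print("*************** [ERROR] Policy {} was NOT attached to role {}: {} *****************".format(policy, role_name, e))
    else:
        print("*************** [ERROR] {} *****************".format(e))

# Pause before the next IAM call; presumably to let the attachment propagate.
time.sleep(5)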

*************** [ERROR] An error occurred (AccessDenied) when calling the AttachRolePolicy operation: User: arn:aws:sts::298039562326:assumed-role/mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K/SageMaker is not authorized to perform: iam:AttachRolePolicy on resource: role mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K *****************


In [8]:
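from botocore.exceptions import ClientError

# Attach the AWS-managed IAMFullAccess policy to the execution role.
# This is the policy the pre-requisite cell checks for; it is what allows
# a notebook running as this role to change the role's own policies.
try:
    policy = "IAMFullAccess"
    response = iam.attach_role_policy(PolicyArn="arn:aws:iam::aws:policy/{}".format(policy), RoleName=role_name)
    print("Policy {} has been successfully attached to role: {}".format(policy, role_name))
except ClientError as e:
    error_code = e.response["Error"]["Code"]
    if error_code == "EntityAlreadyExists":
        print("[OK] Policy is already attached.")
    elif error_code == "LimitExceeded":
        # The role is at its managed-policy quota, so the policy was NOT attached.
        # The original printed "[OK]" here, hiding a real failure that the final
        # check then reports as "Not Attached".
        print("*************** [ERROR] Policy {} was NOT attached to role {}: {} *****************".format(policy, role_name, e))
    else:
        print("*************** [ERROR] {} *****************".format(e))

# Pause before the next IAM call; presumably to let the attachment propagate.
time.sleep(5)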

*************** [ERROR] An error occurred (AccessDenied) when calling the AttachRolePolicy operation: User: arn:aws:sts::298039562326:assumed-role/mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K/SageMaker is not authorized to perform: iam:AttachRolePolicy on resource: role mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K *****************


In [9]:
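from botocore.exceptions import ClientError

# Attach the AWS-managed AmazonS3FullAccess policy to the execution role.
# Broad account-wide S3 access; scope to specific buckets outside a workshop.
try:
    policy = "AmazonS3FullAccess"
    response = iam.attach_role_policy(PolicyArn="arn:aws:iam::aws:policy/{}".format(policy), RoleName=role_name)
    print("Policy {} has been successfully attached to role: {}".format(policy, role_name))
except ClientError as e:
    error_code = e.response["Error"]["Code"]
    if error_code == "EntityAlreadyExists":
        print("[OK] Policy is already attached.")
    elif error_code == "LimitExceeded":
        # The role is at its managed-policy quota, so the policy was NOT attached.
        # The original printed "[OK]" here, hiding a real failure that the final
        # check then reports as "Not Attached".
        print("*************** [ERROR] Policy {} was NOT attached to role {}: {} *****************".format(policy, role_name, e))
    else:
        print("*************** [ERROR] {} *****************".format(e))

# Pause before the next IAM call; presumably to let the attachment propagate.
time.sleep(5)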

*************** [ERROR] An error occurred (AccessDenied) when calling the AttachRolePolicy operation: User: arn:aws:sts::298039562326:assumed-role/mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K/SageMaker is not authorized to perform: iam:AttachRolePolicy on resource: role mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K *****************


In [10]:
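from botocore.exceptions import ClientError

# Attach the AWS-managed ComprehendFullAccess policy to the execution role.
try:
    policy = "ComprehendFullAccess"
    response = iam.attach_role_policy(PolicyArn="arn:aws:iam::aws:policy/{}".format(policy), RoleName=role_name)
    print("Policy {} has been successfully attached to role: {}".format(policy, role_name))
except ClientError as e:
    error_code = e.response["Error"]["Code"]
    if error_code == "EntityAlreadyExists":
        print("[OK] Policy is already attached.")
    elif error_code == "LimitExceeded":
        # The role is at its managed-policy quota, so the policy was NOT attached.
        # The original printed "[OK]" here, hiding a real failure that the final
        # check then reports as "Not Attached".
        print("*************** [ERROR] Policy {} was NOT attached to role {}: {} *****************".format(policy, role_name, e))
    else:
        print("*************** [ERROR] {} *****************".format(e))

# Pause before the next IAM call; presumably to let the attachment propagate.
time.sleep(5)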

*************** [ERROR] An error occurred (AccessDenied) when calling the AttachRolePolicy operation: User: arn:aws:sts::298039562326:assumed-role/mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K/SageMaker is not authorized to perform: iam:AttachRolePolicy on resource: role mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K *****************


In [11]:
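from botocore.exceptions import ClientError

# Attach the AWS-managed AmazonAthenaFullAccess policy to the execution role.
try:
    policy = "AmazonAthenaFullAccess"
    response = iam.attach_role_policy(PolicyArn="arn:aws:iam::aws:policy/{}".format(policy), RoleName=role_name)
    print("Policy {} has been successfully attached to role: {}".format(policy, role_name))
except ClientError as e:
    error_code = e.response["Error"]["Code"]
    if error_code == "EntityAlreadyExists":
        print("[OK] Policy is already attached.")
    elif error_code == "LimitExceeded":
        # The role is at its managed-policy quota, so the policy was NOT attached.
        # The original printed "[OK]" here, hiding a real failure that the final
        # check then reports as "Not Attached".
        print("*************** [ERROR] Policy {} was NOT attached to role {}: {} *****************".format(policy, role_name, e))
    else:
        print("*************** [ERROR] {} *****************".format(e))

# Pause before the next IAM call; presumably to let the attachment propagate.
time.sleep(5)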

*************** [ERROR] An error occurred (AccessDenied) when calling the AttachRolePolicy operation: User: arn:aws:sts::298039562326:assumed-role/mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K/SageMaker is not authorized to perform: iam:AttachRolePolicy on resource: role mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K *****************


In [12]:
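from botocore.exceptions import ClientError

# Attach the AWS-managed SecretsManagerReadWrite policy to the execution role.
# This lets the role read and write every secret in the account; scope it to
# the secrets the workshop actually uses outside a throwaway account.
try:
    policy = "SecretsManagerReadWrite"
    response = iam.attach_role_policy(PolicyArn="arn:aws:iam::aws:policy/{}".format(policy), RoleName=role_name)
    print("Policy {} has been successfully attached to role: {}".format(policy, role_name))
except ClientError as e:
    error_code = e.response["Error"]["Code"]
    if error_code == "EntityAlreadyExists":
        print("[OK] Policy is already attached.")
    elif error_code == "LimitExceeded":
        # The role is at its managed-policy quota, so the policy was NOT attached.
        # The original printed "[OK]" here, hiding a real failure that the final
        # check then reports as "Not Attached".
        print("*************** [ERROR] Policy {} was NOT attached to role {}: {} *****************".format(policy, role_name, e))
    else:
        print("*************** [ERROR] {} *****************".format(e))

# Pause before the next IAM call; presumably to let the attachment propagate.
time.sleep(5)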

*************** [ERROR] An error occurred (AccessDenied) when calling the AttachRolePolicy operation: User: arn:aws:sts::298039562326:assumed-role/mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K/SageMaker is not authorized to perform: iam:AttachRolePolicy on resource: role mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K *****************


In [13]:
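from botocore.exceptions import ClientError

# Attach the AWS-managed AmazonRedshiftFullAccess policy to the execution role.
try:
    policy = "AmazonRedshiftFullAccess"
    response = iam.attach_role_policy(PolicyArn="arn:aws:iam::aws:policy/{}".format(policy), RoleName=role_name)
    print("Policy {} has been successfully attached to role: {}".format(policy, role_name))
except ClientError as e:
    error_code = e.response["Error"]["Code"]
    if error_code == "EntityAlreadyExists":
        print("[OK] Policy is already attached.")
    elif error_code == "LimitExceeded":
        # The role is at its managed-policy quota, so the policy was NOT attached.
        # The original printed "[OK]" here, hiding a real failure that the final
        # check then reports as "Not Attached".
        print("*************** [ERROR] Policy {} was NOT attached to role {}: {} *****************".format(policy, role_name, e))
    else:
        print("*************** [ERROR] {} *****************".format(e))

# Pause before the next IAM call; presumably to let the attachment propagate.
time.sleep(5)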

*************** [ERROR] An error occurred (AccessDenied) when calling the AttachRolePolicy operation: User: arn:aws:sts::298039562326:assumed-role/mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K/SageMaker is not authorized to perform: iam:AttachRolePolicy on resource: role mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K *****************


In [14]:
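from botocore.exceptions import ClientError

# Attach the AWS-managed AmazonEC2ContainerRegistryFullAccess policy to the
# execution role.
try:
    policy = "AmazonEC2ContainerRegistryFullAccess"
    response = iam.attach_role_policy(PolicyArn="arn:aws:iam::aws:policy/{}".format(policy), RoleName=role_name)
    print("Policy {} has been successfully attached to role: {}".format(policy, role_name))
except ClientError as e:
    error_code = e.response["Error"]["Code"]
    if error_code == "EntityAlreadyExists":
        print("[OK] Policy is already attached.")
    elif error_code == "LimitExceeded":
        # The role is at its managed-policy quota, so the policy was NOT attached.
        # The original printed "[OK]" here, hiding a real failure that the final
        # check then reports as "Not Attached".
        print("*************** [ERROR] Policy {} was NOT attached to role {}: {} *****************".format(policy, role_name, e))
    else:
        print("*************** [ERROR] {} *****************".format(e))

# Pause before the next IAM call; presumably to let the attachment propagate.
time.sleep(5)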

*************** [ERROR] An error occurred (AccessDenied) when calling the AttachRolePolicy operation: User: arn:aws:sts::298039562326:assumed-role/mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K/SageMaker is not authorized to perform: iam:AttachRolePolicy on resource: role mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K *****************


In [15]:
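from botocore.exceptions import ClientError

# Attach the AWS-managed AWSStepFunctionsFullAccess policy to the execution role.
try:
    policy = "AWSStepFunctionsFullAccess"
    response = iam.attach_role_policy(PolicyArn="arn:aws:iam::aws:policy/{}".format(policy), RoleName=role_name)
    print("Policy {} has been successfully attached to role: {}".format(policy, role_name))
except ClientError as e:
    error_code = e.response["Error"]["Code"]
    if error_code == "EntityAlreadyExists":
        print("[OK] Policy is already attached.")
    elif error_code == "LimitExceeded":
        # The role is at its managed-policy quota, so the policy was NOT attached.
        # The original printed "[OK]" here, hiding a real failure that the final
        # check then reports as "Not Attached".
        print("*************** [ERROR] Policy {} was NOT attached to role {}: {} *****************".format(policy, role_name, e))
    else:
        print("*************** [ERROR] {} *****************".format(e))

# Pause before the next IAM call; presumably to let the attachment propagate.
time.sleep(5)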

*************** [ERROR] An error occurred (AccessDenied) when calling the AttachRolePolicy operation: User: arn:aws:sts::298039562326:assumed-role/mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K/SageMaker is not authorized to perform: iam:AttachRolePolicy on resource: role mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K *****************


In [16]:
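from botocore.exceptions import ClientError

# Attach the AWS-managed AmazonKinesisFullAccess policy to the execution role.
try:
    policy = "AmazonKinesisFullAccess"
    response = iam.attach_role_policy(PolicyArn="arn:aws:iam::aws:policy/{}".format(policy), RoleName=role_name)
    print("Policy {} has been successfully attached to role: {}".format(policy, role_name))
except ClientError as e:
    error_code = e.response["Error"]["Code"]
    if error_code == "EntityAlreadyExists":
        print("[OK] Policy is already attached.")
    elif error_code == "LimitExceeded":
        # The role is at its managed-policy quota, so the policy was NOT attached.
        # The original printed "[OK]" here, hiding a real failure that the final
        # check then reports as "Not Attached".
        print("*************** [ERROR] Policy {} was NOT attached to role {}: {} *****************".format(policy, role_name, e))
    else:
        print("*************** [ERROR] {} *****************".format(e))

# Pause before the next IAM call; presumably to let the attachment propagate.
time.sleep(5)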

*************** [ERROR] An error occurred (AccessDenied) when calling the AttachRolePolicy operation: User: arn:aws:sts::298039562326:assumed-role/mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K/SageMaker is not authorized to perform: iam:AttachRolePolicy on resource: role mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K *****************


In [17]:
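from botocore.exceptions import ClientError

# Attach the AWS-managed AmazonKinesisFirehoseFullAccess policy to the
# execution role.
try:
    policy = "AmazonKinesisFirehoseFullAccess"
    response = iam.attach_role_policy(PolicyArn="arn:aws:iam::aws:policy/{}".format(policy), RoleName=role_name)
    print("Policy {} has been successfully attached to role: {}".format(policy, role_name))
except ClientError as e:
    error_code = e.response["Error"]["Code"]
    if error_code == "EntityAlreadyExists":
        print("[OK] Policy is already attached.")
    elif error_code == "LimitExceeded":
        # The role is at its managed-policy quota, so the policy was NOT attached.
        # The original printed "[OK]" here, hiding a real failure that the final
        # check then reports as "Not Attached".
        print("*************** [ERROR] Policy {} was NOT attached to role {}: {} *****************".format(policy, role_name, e))
    else:
        print("*************** [ERROR] {} *****************".format(e))

# Pause before the next IAM call; presumably to let the attachment propagate.
time.sleep(5)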

*************** [ERROR] An error occurred (AccessDenied) when calling the AttachRolePolicy operation: User: arn:aws:sts::298039562326:assumed-role/mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K/SageMaker is not authorized to perform: iam:AttachRolePolicy on resource: role mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K *****************


In [18]:
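from botocore.exceptions import ClientError

# Attach the AWS-managed AmazonKinesisAnalyticsFullAccess policy to the
# execution role. This is the 13th managed policy the notebook attaches, so it
# is the one most likely to hit the role's managed-policy quota.
try:
    policy = "AmazonKinesisAnalyticsFullAccess"
    response = iam.attach_role_policy(PolicyArn="arn:aws:iam::aws:policy/{}".format(policy), RoleName=role_name)
    print("Policy {} has been successfully attached to role: {}".format(policy, role_name))
except ClientError as e:
    error_code = e.response["Error"]["Code"]
    if error_code == "EntityAlreadyExists":
        print("[OK] Policy is already attached.")
    elif error_code == "LimitExceeded":
        # The role is at its managed-policy quota, so the policy was NOT attached.
        # The original printed "[OK]" here, hiding a real failure that the final
        # check then reports as "Not Attached".
        print("*************** [ERROR] Policy {} was NOT attached to role {}: {} *****************".format(policy, role_name, e))
    else:
        print("*************** [ERROR] {} *****************".format(e))

# Pause before the next IAM call; presumably to let the attachment propagate.
time.sleep(5)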

*************** [ERROR] An error occurred (AccessDenied) when calling the AttachRolePolicy operation: User: arn:aws:sts::298039562326:assumed-role/mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K/SageMaker is not authorized to perform: iam:AttachRolePolicy on resource: role mod-6a56f92ff726428b-SageMakerExecutionRole-131HJ8VVEU80K *****************


# *Final Check*

In [19]:
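# Final check: confirm every policy this notebook tried to attach is now on the
# role, and set the gate flag that the next cell persists with %store.
# NOTE(review): only the first page of list_attached_role_policies is read.
post_policies = iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
attached_names = {attached["PolicyName"] for attached in post_policies}

required_policies = [
    "AdministratorAccess",
    "SecretsManagerReadWrite",
    "IAMFullAccess",
    "AmazonS3FullAccess",
    "AmazonAthenaFullAccess",
    "ComprehendFullAccess",
    "AmazonEC2ContainerRegistryFullAccess",
    "AmazonRedshiftFullAccess",
    "AWSStepFunctionsFullAccess",
    "AmazonSageMakerFullAccess",
    "AmazonKinesisFullAccess",
    "AmazonKinesisFirehoseFullAccess",
    "AmazonKinesisAnalyticsFullAccess",
]

# AdministratorAccess subsumes every other policy in the list, so its presence
# alone passes the check (same rule as the original `not admin and ...`).
admin = "AdministratorAccess" in attached_names

# Computed with set membership rather than list.remove() inside bare excepts.
missing_policies = [name for name in required_policies if name not in attached_names]

if not admin and len(missing_policies) > 0:
    # Set the flag explicitly to False so a stale True (from an earlier run or
    # an earlier cell) is not what %store persists on failure.
    setup_iam_roles_passed = False
    print("*************** [ERROR] RE-RUN THIS NOTEBOOK *****************")
    for required_policy in missing_policies:
        print("Not Attached: {}".format(required_policy))
else:
    setup_iam_roles_passed = True
    print("[OK] You are all set up to continue with this workshop!")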

*************** [ERROR] RE-RUN THIS NOTEBOOK *****************
Not Attached: AdministratorAccess
Not Attached: SecretsManagerReadWrite
Not Attached: IAMFullAccess
Not Attached: ComprehendFullAccess
Not Attached: AmazonEC2ContainerRegistryFullAccess
Not Attached: AmazonRedshiftFullAccess
Not Attached: AWSStepFunctionsFullAccess
Not Attached: AmazonKinesisFullAccess
Not Attached: AmazonKinesisFirehoseFullAccess
Not Attached: AmazonKinesisAnalyticsFullAccess


In [20]:
# Persist the gate flag across kernels so other notebooks can retrieve it with %store -r.
%store setup_iam_roles_passed

Stored 'setup_iam_roles_passed' (bool)


In [21]:
# List every %store'd variable and its current value.
%store

Stored variables and their in-db values:
ingest_create_athena_table_parquet_passed             -> True
pipeline_endpoint_name                                -> 'bert-model-from-registry-ep-1621110420'
pipeline_experiment_name                              -> 'BERT-pipeline-1621102217'
pipeline_name                                         -> 'BERT-pipeline-1621102217'
pipeline_trial_name                                   -> 'trial-1621102217'
s3_private_path_tsv                                   -> 's3://sagemaker-us-east-1-298039562326/amazon-revi
s3_public_path_tsv                                    -> 's3://amazon-reviews-pds/tsv'
setup_dependencies_passed                             -> True
setup_iam_roles_passed                                -> True
setup_instance_check_passed                           -> True
setup_s3_bucket_passed                                -> True
test_data_bias_s3_uri                                 -> 's3://sagemaker-us-east-1-298039562326/bias/test_d
test

# Release Resources

In [22]:
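%%html

<!-- Shut down this notebook's kernel by clicking the (hidden) shutdown command button. -->
<p><b>Shutting down your kernel for this notebook to release resources.</b></p>
<button class="sm-command-button" data-commandlinker-command="kernelmenu:shutdown" style="display:none;">Shutdown Kernel</button>

<script>
try {
    // Declared with const instead of leaking an implicit global; guard the
    // index so a missing button is a no-op rather than a caught TypeError.
    const buttons = document.getElementsByClassName("sm-command-button");
    if (buttons.length > 0) {
        buttons[0].click();
    }
}
catch(err) {
    // NoOp
}
</script>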

In [23]:
%%javascript

// Save a checkpoint, then delete the kernel session for this notebook.
// Uses the classic Notebook front-end `Jupyter` object; where that object is not
// defined (e.g. JupyterLab) the catch below turns this into a silent no-op.
try {
    Jupyter.notebook.save_checkpoint();
    Jupyter.notebook.session.delete();
}
catch(err) {
    // NoOp
}

<IPython.core.display.Javascript object>