# Update IAM Roles and Policies

In [None]:
import sagemaker
from time import gmtime, strftime
import boto3
from botocore.config import Config

# Session objects for the rest of the notebook. `role` is the execution role
# ARN this notebook runs under; the cells below read and modify that role.
sagemaker_session = sagemaker.Session()
role = sagemaker.get_execution_role()
bucket = sagemaker_session.default_bucket()
region = boto3.Session().region_name

# Adaptive retry mode backs off on throttling, so a busy IAM control plane
# does not make the attach calls below fail spuriously.
config = Config(retries={"max_attempts": 10, "mode": "adaptive"})

iam = boto3.client("iam", config=config)

In [None]:
# The execution-role ARN ends in "/<role-name>"; the IAM API takes the bare name.
role_name = role.rsplit('/', 1)[-1]

print(f'Role name: {role_name}')

# *Check: This notebook expects the SageMaker notebook instance execution role to have the `IAMFullAccess` policy attached:*

In [None]:
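pre_policies = iam.list_attached_role_policies(RoleName=role_name)['AttachedPolicies']

# Managed policies that must already be on the execution role. IAMFullAccess is
# what lets the role change its own permissions in the attach cells below, so
# a role that passes this check can grant itself anything; scope such a role to
# a disposable workshop account rather than a shared one.
required_policies = [
    'IAMFullAccess',
    # 'AmazonSageMakerFullAccess'
]

# Compare by name through a set rather than removing from the list being
# iterated (the original inner loop skipped entries once one was removed, and
# silently swallowed the resulting errors).
attached_names = {policy['PolicyName'] for policy in pre_policies}

for policy_name in required_policies:
    if policy_name in attached_names:
        print('Attached: {}'.format(policy_name))

missing_policies = [name for name in required_policies if name not in attached_names]

if missing_policies:
    print('\n*************** ERROR: You need to attach the following policies in order to continue with this workshop *****************\n')
    for required_policy in missing_policies:
        print('Not Attached: {}'.format(required_policy))
else:
    print('\n*************** SUCCESS: You are all set to continue with this notebook! *****************\n')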
            

# ^^^^ *If you see an ERROR message above, please attach the mentioned AWS IAM Policy to your current SageMaker notebook instance execution role before you continue with this notebook.*

In [None]:
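from botocore.exceptions import ClientError

# Attach the AWS-managed AdministratorAccess policy to this notebook's own
# execution role. That policy allows every action on every resource, so each
# policy attached by the later cells is already covered once this succeeds;
# outside a throwaway workshop account a role limited to the services the
# notebook actually calls is the safer choice.
try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess',
        RoleName=role_name
    )
    print("Policy has been succesfully attached to role: %s" % role_name)
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        # NOTE(review): attaching an already-attached managed policy appears
        # to succeed rather than raise, so this branch may never fire - confirm.
        print("Policy is already attached. This is OK.")
    elif error_code == 'LimitExceeded':
        # Default quota is 10 managed policies per role.
        print('******* We reached the max. of 10 attached policies per role.  This could be OK if you have AdministratorAccess. ******')
    else:
        # Any other failure (e.g. AccessDenied when the role lacks IAM write
        # access) is reported but not raised, so the notebook keeps running.
        print("*************** Unexpected error: %s *****************" % e)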

In [None]:
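from botocore.exceptions import ClientError

# Attach AmazonSageMakerFullAccess to the execution role. Redundant once
# AdministratorAccess is on the role, but kept so the role is still usable for
# SageMaker if that broader attachment did not happen.
try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/AmazonSageMakerFullAccess',
        RoleName=role_name
    )
    print("Policy has been succesfully attached to role: %s" % role_name)
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print("Policy is already attached. This is OK.")
    elif error_code == 'LimitExceeded':
        # Default quota is 10 managed policies per role.
        print('******* We reached the max. of 10 attached policies per role.  This could be OK if you have AdministratorAccess. ******')
    else:
        # Reported, not raised, so the notebook keeps running.
        print("*************** Unexpected error: %s *****************" % e)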

In [None]:
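from botocore.exceptions import ClientError

# Attach IAMFullAccess to the execution role. The role can only make this call
# if it already has IAM write access (the precondition checked above, or
# AdministratorAccess), so in practice this confirms rather than grants it.
try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/IAMFullAccess',
        RoleName=role_name
    )
    print("Policy has been succesfully attached to role: %s" % role_name)
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print("Policy is already attached. This is OK.")
    elif error_code == 'LimitExceeded':
        # Default quota is 10 managed policies per role.
        print('******* We reached the max. of 10 attached policies per role.  This could be OK if you have AdministratorAccess. ******')
    else:
        # Reported, not raised, so the notebook keeps running.
        print("*************** Unexpected error: %s *****************" % e)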

In [None]:
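from botocore.exceptions import ClientError

# Attach AmazonS3FullAccess to the execution role. This is read/write on every
# bucket in the account, not just the notebook's default bucket; a bucket-scoped
# inline policy is the narrower alternative if the role outlives the workshop.
try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/AmazonS3FullAccess',
        RoleName=role_name
    )
    print("Policy has been succesfully attached to role: %s" % role_name)
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print("Policy is already attached. This is OK.")
    elif error_code == 'LimitExceeded':
        # Default quota is 10 managed policies per role.
        print('******* We reached the max. of 10 attached policies per role.  This could be OK if you have AdministratorAccess. ******')
    else:
        # Reported, not raised, so the notebook keeps running.
        print("*************** Unexpected error: %s *****************" % e)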

In [None]:
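from botocore.exceptions import ClientError

# Attach ComprehendFullAccess to the execution role.
try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/ComprehendFullAccess',
        RoleName=role_name
    )
    print("Policy has been succesfully attached to role: %s" % role_name)
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print("Policy is already attached. This is OK.")
    elif error_code == 'LimitExceeded':
        # Default quota is 10 managed policies per role.
        print('******* We reached the max. of 10 attached policies per role.  This could be OK if you have AdministratorAccess. ******')
    else:
        # Reported, not raised, so the notebook keeps running.
        print("*************** Unexpected error: %s *****************" % e)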

In [None]:
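from botocore.exceptions import ClientError

# Attach AmazonAthenaFullAccess to the execution role.
try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/AmazonAthenaFullAccess',
        RoleName=role_name
    )
    print("Policy has been succesfully attached to role: %s" % role_name)
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print("Policy is already attached. This is OK.")
    elif error_code == 'LimitExceeded':
        # Default quota is 10 managed policies per role.
        print('******* We reached the max. of 10 attached policies per role.  This could be OK if you have AdministratorAccess. ******')
    else:
        # Reported, not raised, so the notebook keeps running.
        print("*************** Unexpected error: %s *****************" % e)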

In [None]:
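from botocore.exceptions import ClientError

# Attach SecretsManagerReadWrite to the execution role. This covers every
# secret in the account, so anything a later cell stores (for example database
# credentials) is readable by whoever can run code as this role.
try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/SecretsManagerReadWrite',
        RoleName=role_name
    )
    print("Policy has been succesfully attached to role: %s" % role_name)
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print("Policy is already attached. This is OK.")
    elif error_code == 'LimitExceeded':
        # Default quota is 10 managed policies per role.
        print('******* We reached the max. of 10 attached policies per role.  This could be OK if you have AdministratorAccess. ******')
    else:
        # Reported, not raised, so the notebook keeps running.
        print("*************** Unexpected error: %s *****************" % e)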

In [None]:
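from botocore.exceptions import ClientError

# Attach AmazonRedshiftFullAccess to the execution role. Note that the final
# check at the end of this notebook does not list this policy.
try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/AmazonRedshiftFullAccess',
        RoleName=role_name
    )
    print("Policy has been succesfully attached to role: %s" % role_name)
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print("Policy is already attached. This is OK.")
    elif error_code == 'LimitExceeded':
        # Default quota is 10 managed policies per role.
        print('******* We reached the max. of 10 attached policies per role.  This could be OK if you have AdministratorAccess. ******')
    else:
        # Reported, not raised, so the notebook keeps running.
        print("*************** Unexpected error: %s *****************" % e)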

In [None]:
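from botocore.exceptions import ClientError

# Attach AmazonEC2ContainerRegistryFullAccess to the execution role. Note that
# the final check at the end of this notebook does not list this policy.
try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess',
        RoleName=role_name
    )
    print("Policy has been succesfully attached to role: %s" % role_name)
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print("Policy is already attached. This is OK.")
    elif error_code == 'LimitExceeded':
        # Default quota is 10 managed policies per role.
        print('******* We reached the max. of 10 attached policies per role.  This could be OK if you have AdministratorAccess. ******')
    else:
        # Reported, not raised, so the notebook keeps running.
        print("*************** Unexpected error: %s *****************" % e)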

In [None]:
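from botocore.exceptions import ClientError

# Attach AWSStepFunctionsFullAccess to the execution role.
try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/AWSStepFunctionsFullAccess',
        RoleName=role_name
    )
    print("Policy has been succesfully attached to role: %s" % role_name)
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print("Policy is already attached. This is OK.")
    elif error_code == 'LimitExceeded':
        # Default quota is 10 managed policies per role.
        print('******* We reached the max. of 10 attached policies per role.  This could be OK if you have AdministratorAccess. ******')
    else:
        # Reported, not raised, so the notebook keeps running.
        print("*************** Unexpected error: %s *****************" % e)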

# *Final Check*

In [None]:
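post_policies = iam.list_attached_role_policies(RoleName=role_name)['AttachedPolicies']

# Every managed policy the attach cells above put on the role. Redshift and ECR
# are included here because the notebook attaches them too; the earlier
# version of this list left them out.
required_policies = [
    'SecretsManagerReadWrite',
    'IAMFullAccess',
    'AmazonS3FullAccess',
    'AmazonAthenaFullAccess',
    'ComprehendFullAccess',
    'AdministratorAccess',
    'AWSStepFunctionsFullAccess',
    'AmazonSageMakerFullAccess',
    'AmazonRedshiftFullAccess',
    'AmazonEC2ContainerRegistryFullAccess',
]

attached_names = set()

for post_policy in post_policies:
    policy_name = post_policy['PolicyName']
    print('Attached {}'.format(policy_name))
    if policy_name == 'AdministratorAccess':
        print('You have {} privileges.'.format(policy_name))
    attached_names.add(policy_name)

# AdministratorAccess already allows everything the other policies allow, so a
# missing entry only blocks the workshop when the role is not an administrator.
# Membership via a set replaces the list.remove() loop, whose bare excepts hid
# errors and, in the admin branch, aborted the whole scan with `break`.
admin = 'AdministratorAccess' in attached_names
missing_policies = [name for name in required_policies if name not in attached_names]

if not admin and missing_policies:
    print('\n*************** Unexpected error: RE-RUN THIS NOTEBOOK *****************\n')
    for required_policy in missing_policies:
        print('Not Attached: {}'.format(required_policy))
else:
    print('\n*************** SUCCESS: You are all set up to continue with this workshop! *****************\n')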

In [None]:
%%javascript
// Save a checkpoint of this notebook, then shut down its kernel session so
// the kernel does not keep running once the role update is done.
Jupyter.notebook.save_checkpoint();
Jupyter.notebook.session.delete();