# Setup IAM for Kinesis

In [None]:
import boto3
import sagemaker
import pandas as pd

sess   = sagemaker.Session()
bucket = sess.default_bucket()
role = sagemaker.get_execution_role()
region = boto3.Session().region_name

sts = boto3.Session().client(service_name='sts', region_name=region)
iam = boto3.Session().client(service_name='iam', region_name=region)

# Create Kinesis Role

In [None]:
iam_kinesis_role_name = 'DSOAWS_Kinesis'

In [None]:
iam_kinesis_role_passed = False

In [None]:
assume_role_policy_doc = {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "kinesis.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "firehose.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "kinesisanalytics.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }            
  ]
} 

In [None]:
import json
import time

from botocore.exceptions import ClientError

try:
    iam_role_kinesis = iam.create_role(
        RoleName=iam_kinesis_role_name,
        AssumeRolePolicyDocument=json.dumps(assume_role_policy_doc),
        Description='DSOAWS Kinesis Role'
    )
    print('Role succesfully created.')
    iam_kinesis_role_passed = True
except ClientError as e:
    if e.response['Error']['Code'] == 'EntityAlreadyExists':
        iam_role_kinesis = iam.get_role(RoleName=iam_kinesis_role_name)
        print('Role already exists. That is OK.')
        iam_kinesis_role_passed = True
    else:
        print('Unexpected error: %s' % e)
        
time.sleep(30)

In [None]:
iam_role_kinesis_name = iam_role_kinesis['Role']['RoleName']
print('Role Name: {}'.format(iam_role_kinesis_name))

In [None]:
iam_role_kinesis_arn = iam_role_kinesis['Role']['Arn']
print('Role ARN: {}'.format(iam_role_kinesis_arn))

In [None]:
account_id = sts.get_caller_identity()['Account']

# Specify Stream Name

In [None]:
stream_name = 'dsoaws-kinesis-data-stream'

# Specify Firehose Name

In [None]:
firehose_name = 'dsoaws-kinesis-data-firehose'

# Specify Lambda Function Name

In [None]:
lambda_fn_name = 'DeliverKinesisAnalyticsToCloudWatch'

In [None]:
lambda_fn_name_invoke_sm_endpoint = 'InvokeSageMakerEndpointFromKinesis'

# Create Policy

In [None]:
kinesis_policy_doc = {
    
    "Version": "2012-10-17",
    "Statement": [
        {      
            "Effect": "Allow",      
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:PutObject"
            ],      
            "Resource": [        
                "arn:aws:s3:::{}".format(bucket),
                "arn:aws:s3:::{}/*".format(bucket)
            ]    
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:{}:{}:log-group:/*".format(region, account_id)
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesis:Get*",
                "kinesis:DescribeStream",
                "kinesis:Put*",
                "kinesis:List*",
            ],
            "Resource": [
                "arn:aws:kinesis:{}:{}:stream/{}".format(region, account_id, stream_name)
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "firehose:*",
            ],
            "Resource": [
                "arn:aws:firehose:{}:{}:deliverystream/{}".format(region, account_id, firehose_name)
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesisanalytics:*",
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "UseLambdaFunction",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction",
                "lambda:GetFunctionConfiguration"
            ],
            "Resource": [
                "*"
            ]    
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::*:role/service-role/kinesis*"
            ]   
        }
    ]
}

print(json.dumps(kinesis_policy_doc, indent=4, sort_keys=True, default=str))

# Update Policy

In [None]:
import time

response = iam.put_role_policy(
    RoleName=iam_role_kinesis_name,
    PolicyName='DSOAWS_KinesisPolicy',
    PolicyDocument=json.dumps(kinesis_policy_doc)
)

time.sleep(30)

In [None]:
print(json.dumps(response, indent=4, sort_keys=True, default=str))

# Create AWS Lambda IAM Role

In [None]:
iam_lambda_role_name = 'DSOAWS_Lambda'

In [None]:
iam_lambda_role_passed = False

In [None]:
assume_role_policy_doc = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "kinesisanalytics.amazonaws.com"
        },
            "Action": "sts:AssumeRole"
        }
    ]
}

In [None]:
import time

from botocore.exceptions import ClientError

try:
    iam_role_lambda = iam.create_role(
        RoleName=iam_lambda_role_name,
        AssumeRolePolicyDocument=json.dumps(assume_role_policy_doc),
        Description='DSOAWS Lambda Role'
    )
    print('Role succesfully created.')
    iam_lambda_role_passed = True
except ClientError as e:
    if e.response['Error']['Code'] == 'EntityAlreadyExists':
        iam_role_lambda = iam.get_role(RoleName=iam_lambda_role_name)
        print('Role already exists. This is OK.')
        iam_lambda_role_passed = True
    else:
        print('Unexpected error: %s' % e)
        
time.sleep(30)

In [None]:
iam_role_lambda_name = iam_role_lambda['Role']['RoleName']
print('Role Name: {}'.format(iam_role_lambda_name))

In [None]:
iam_role_lambda_arn = iam_role_lambda['Role']['Arn']
print('Role ARN: {}'.format(iam_role_lambda_arn))

# Create AWS Lambda IAM Policy

In [None]:
lambda_policy_doc = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UseLambdaFunction",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction",
                "lambda:GetFunctionConfiguration"
            ],
            "Resource": "arn:aws:lambda:{}:{}:function:*".format(region, account_id)
        },
        {
            "Effect": "Allow",
            "Action": "cloudwatch:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:{}:{}:*".format(region, account_id)
        },
        {
            "Effect": "Allow",
            "Action": "sagemaker:InvokeEndpoint",
            "Resource": "*"
        },        
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:{}:{}:log-group:/aws/lambda/*".format(region, account_id)
        }
    ]
}

In [None]:
print(json.dumps(lambda_policy_doc, indent=4, sort_keys=True, default=str))

In [None]:
import time

response = iam.put_role_policy(
    RoleName=iam_role_lambda_name,
    PolicyName='DSOAWS_LambdaPolicy',
    PolicyDocument=json.dumps(lambda_policy_doc)
)

time.sleep(30)

In [None]:
print(json.dumps(response, indent=4, sort_keys=True, default=str))

# Store Variables for Next Notebooks

In [None]:
%store stream_name

In [None]:
%store firehose_name

In [None]:
%store iam_kinesis_role_name

In [None]:
%store iam_role_kinesis_arn

In [None]:
%store iam_lambda_role_name

In [None]:
%store iam_role_lambda_arn

In [None]:
%store lambda_fn_name

In [None]:
%store iam_kinesis_role_passed

In [None]:
%store iam_lambda_role_passed

In [None]:
%store

In [None]:
%%javascript
Jupyter.notebook.save_checkpoint();
Jupyter.notebook.session.delete();