# MLExample Setup: Create SageMaker and Lambda Execution Roles

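This notebook creates the required IAM roles for SageMaker and Lambda execution, attaches the necessary policies, and prints the resulting ARNs for use in your ML pipeline notebook. It must be run with credentials that are allowed to create IAM roles and attach policies. The printed ARNs include the AWS account ID, so clear the cell outputs before sharing or committing the notebook.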

In [1]:
import boto3
import json
import os

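# Pin this session to a named local AWS profile. The assignment has to happen
# before the first boto3 client is created, otherwise it is not picked up.
# NOTE(review): the profile name is specific to one workstation; every role
# below is created in whatever account that profile resolves to.
os.environ["AWS_PROFILE"] = "rjawsprofile"

iam = boto3.client('iam')

sagemaker_role_name = "ml-example-sagemaker-execution-role"
# Trust policy: only the SageMaker service principal may assume this role.
sagemaker_trust_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "sagemaker.amazonaws.com"},
            "Action": "sts:AssumeRole"
        }
    ]
}

try:
    sagemaker_role = iam.create_role(
        RoleName=sagemaker_role_name,
        AssumeRolePolicyDocument=json.dumps(sagemaker_trust_policy),
        Description="SageMaker execution role for MLExample"
    )
    print(f"Created SageMaker role: {sagemaker_role['Role']['Arn']}")
except iam.exceptions.EntityAlreadyExistsException:
    # A role with this name is reused as-is: its trust policy and whatever is
    # already attached to it are neither inspected nor reset by this cell.
    sagemaker_role = iam.get_role(RoleName=sagemaker_role_name)
    print(f"SageMaker role already exists: {sagemaker_role['Role']['Arn']}")

# Attach policies
# NOTE(review): both entries are broad AWS-managed policies. AmazonS3FullAccess
# allows every S3 action on every bucket in the account; a customer-managed
# policy scoped to the bucket(s) the pipeline uses would follow least privilege.
policies = [
    "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
    "arn:aws:iam::aws:policy/AmazonS3FullAccess"
]
for policy_arn in policies:
    try:
        iam.attach_role_policy(RoleName=sagemaker_role_name, PolicyArn=policy_arn)
    except iam.exceptions.ClientError as e:
        # Re-attaching a managed policy that is already attached is not
        # expected to raise, so an error here is a real failure (for example
        # access denied or an attachment quota). Report it accurately and stop
        # instead of continuing with a role that lacks the policy.
        print(f"Failed to attach {policy_arn} to {sagemaker_role_name}: {e}")
        raise

print(f"SageMaker execution role ARN: {sagemaker_role['Role']['Arn']}")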


Created SageMaker role: arn:aws:iam::054116116033:role/ml-example-sagemaker-execution-role
SageMaker execution role ARN: arn:aws:iam::054116116033:role/ml-example-sagemaker-execution-role
SageMaker execution role ARN: arn:aws:iam::054116116033:role/ml-example-sagemaker-execution-role


In [2]:
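lambda_role_name = "ml-example-lambda-execution-role"
# Trust policy: only the Lambda service principal may assume this role.
lambda_trust_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole"
        }
    ]
}

try:
    lambda_role = iam.create_role(
        RoleName=lambda_role_name,
        AssumeRolePolicyDocument=json.dumps(lambda_trust_policy),
        Description="Lambda execution role for MLExample"
    )
    print(f"Created Lambda role: {lambda_role['Role']['Arn']}")
except iam.exceptions.EntityAlreadyExistsException:
    # A role with this name is reused as-is: its trust policy and whatever is
    # already attached to it are neither inspected nor reset by this cell.
    lambda_role = iam.get_role(RoleName=lambda_role_name)
    print(f"Lambda role already exists: {lambda_role['Role']['Arn']}")

# Attach policies
# NOTE(review): AmazonSageMakerFullAccess is far wider than a function that
# only calls a model endpoint would need. What the Lambda actually does is not
# visible in this notebook; if it only invokes an endpoint, a policy limited to
# sagemaker:InvokeEndpoint on that endpoint is the least-privilege choice.
# AmazonS3ReadOnlyAccess likewise covers every bucket in the account.
policies = [
    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
    "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
]
for policy_arn in policies:
    try:
        iam.attach_role_policy(RoleName=lambda_role_name, PolicyArn=policy_arn)
    except iam.exceptions.ClientError as e:
        # Re-attaching a managed policy that is already attached is not
        # expected to raise, so an error here is a real failure (for example
        # access denied or an attachment quota). Report it accurately and stop
        # instead of continuing with a role that lacks the policy.
        print(f"Failed to attach {policy_arn} to {lambda_role_name}: {e}")
        raise

print(f"Lambda execution role ARN: {lambda_role['Role']['Arn']}")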


Created Lambda role: arn:aws:iam::054116116033:role/ml-example-lambda-execution-role
Lambda execution role ARN: arn:aws:iam::054116116033:role/ml-example-lambda-execution-role
Lambda execution role ARN: arn:aws:iam::054116116033:role/ml-example-lambda-execution-role
