# Update IAM Roles and Policies

In [1]:
# Session setup: SageMaker session, its execution role, the default bucket,
# the current region, and an IAM client whose calls retry with adaptive mode.
import time
from time import gmtime, strftime

import boto3
import sagemaker
from botocore.config import Config

sagemaker_session = sagemaker.Session()
role = sagemaker.get_execution_role()
bucket = sagemaker_session.default_bucket()
region = boto3.Session().region_name

# Up to 10 attempts per IAM call, 'adaptive' retry mode (client-side rate limiting).
retry_settings = {'max_attempts': 10, 'mode': 'adaptive'}
config = Config(retries=retry_settings)

iam = boto3.client('iam', config=config)

In [2]:
# IAM APIs take the bare role name, so strip everything up to the last '/'
# of the execution-role ARN (this also handles a 'service-role/' path segment).
role_name = role.rsplit('/', 1)[-1]

print('Role name: {}'.format(role_name))

Role name: TeamRole


In [3]:
setup_iam_roles_passed=False

# **Prerequisite: the SageMaker notebook instance ExecutionRole must contain the `IAMFullAccess` policy.**

In [4]:
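# Precondition check: without IAMFullAccess on the execution role, the
# attach_role_policy calls further down are denied.
pre_policies = iam.list_attached_role_policies(RoleName=role_name)['AttachedPolicies']

required_policies = ['IAMFullAccess']

# Compare against a set of attached names rather than calling
# required_policies.remove() inside a loop over required_policies
# (mutating a list while iterating over it can skip elements).
attached_policy_names = {pre_policy['PolicyName'] for pre_policy in pre_policies}

for required_policy in required_policies:
    if required_policy in attached_policy_names:
        print('Attached: {}'.format(required_policy))

missing_policies = [p for p in required_policies if p not in attached_policy_names]

if len(missing_policies) > 0:
    print('*************** [ERROR] You need to attach the following policies in order to continue with this workshop *****************\n')
    for required_policy in missing_policies:
        print('Not Attached: {}'.format(required_policy))
else:
    print('[OK] You are all set to continue with this notebook!')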

Attached: IAMFullAccess
[OK] You are all set to continue with this notebook!


# **If you see an ERROR message ^^ above ^^, please attach the IAMFullAccess Policy to the SageMaker notebook instance ExecutionRole.**

In [5]:
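from botocore.exceptions import ClientError

# AdministratorAccess allows every action on every resource, so once it is
# attached the service-specific policies in the following cells add nothing
# and the final check passes on this policy alone. It is attached for the
# workshop; a production role should carry only the service policies it needs.
policy = 'AdministratorAccess'

try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/{}'.format(policy),
        RoleName=role_name
    )
    print('Policy {} has been succesfully attached to role: {}'.format(policy, role_name))
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print('[OK] Policy is already attached.')
    elif error_code == 'LimitExceeded':
        # Managed-policy attachment quota for the role is full: this policy was
        # NOT attached. The message now says so instead of a bare '[OK]'.
        print('[OK] LimitExceeded: policy {} was not attached to role: {}'.format(policy, role_name))
    else:
        print('*************** [ERROR] {} *****************'.format(e))

# Pause between IAM calls (presumably to let the attachment propagate and to avoid throttling).
time.sleep(5)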

Policy AdministratorAccess has been succesfully attached to role: TeamRole


In [6]:
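from botocore.exceptions import ClientError

# Attach the AWS-managed policy by name; the policy assignment sits outside
# the try since only the IAM call can raise.
policy = 'AmazonSageMakerFullAccess'

try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/{}'.format(policy),
        RoleName=role_name
    )
    print('Policy {} has been succesfully attached to role: {}'.format(policy, role_name))
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print('[OK] Policy is already attached.')
    elif error_code == 'LimitExceeded':
        # Managed-policy attachment quota for the role is full: this policy was
        # NOT attached. Say so instead of printing a bare '[OK]'.
        print('[OK] LimitExceeded: policy {} was not attached to role: {}'.format(policy, role_name))
    else:
        print('*************** [ERROR] {} *****************'.format(e))

# Pause between IAM calls (presumably to let the attachment propagate and to avoid throttling).
time.sleep(5)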

Policy AmazonSageMakerFullAccess has been succesfully attached to role: TeamRole


In [7]:
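from botocore.exceptions import ClientError

# Attach the AWS-managed policy by name; the policy assignment sits outside
# the try since only the IAM call can raise.
policy = 'IAMFullAccess'

try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/{}'.format(policy),
        RoleName=role_name
    )
    print('Policy {} has been succesfully attached to role: {}'.format(policy, role_name))
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print('[OK] Policy is already attached.')
    elif error_code == 'LimitExceeded':
        # Managed-policy attachment quota for the role is full: this policy was
        # NOT attached. Say so instead of printing a bare '[OK]'.
        print('[OK] LimitExceeded: policy {} was not attached to role: {}'.format(policy, role_name))
    else:
        print('*************** [ERROR] {} *****************'.format(e))

# Pause between IAM calls (presumably to let the attachment propagate and to avoid throttling).
time.sleep(5)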

Policy IAMFullAccess has been succesfully attached to role: TeamRole


In [8]:
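from botocore.exceptions import ClientError

# Attach the AWS-managed policy by name; the policy assignment sits outside
# the try since only the IAM call can raise.
policy = 'AmazonS3FullAccess'

try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/{}'.format(policy),
        RoleName=role_name
    )
    print('Policy {} has been succesfully attached to role: {}'.format(policy, role_name))
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print('[OK] Policy is already attached.')
    elif error_code == 'LimitExceeded':
        # Managed-policy attachment quota for the role is full: this policy was
        # NOT attached. Say so instead of printing a bare '[OK]'.
        print('[OK] LimitExceeded: policy {} was not attached to role: {}'.format(policy, role_name))
    else:
        print('*************** [ERROR] {} *****************'.format(e))

# Pause between IAM calls (presumably to let the attachment propagate and to avoid throttling).
time.sleep(5)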

Policy AmazonS3FullAccess has been succesfully attached to role: TeamRole


In [9]:
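from botocore.exceptions import ClientError

# Attach the AWS-managed policy by name; the policy assignment sits outside
# the try since only the IAM call can raise.
policy = 'ComprehendFullAccess'

try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/{}'.format(policy),
        RoleName=role_name
    )
    print('Policy {} has been succesfully attached to role: {}'.format(policy, role_name))
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print('[OK] Policy is already attached.')
    elif error_code == 'LimitExceeded':
        # Managed-policy attachment quota for the role is full: this policy was
        # NOT attached. Say so instead of printing a bare '[OK]'.
        print('[OK] LimitExceeded: policy {} was not attached to role: {}'.format(policy, role_name))
    else:
        print('*************** [ERROR] {} *****************'.format(e))

# Pause between IAM calls (presumably to let the attachment propagate and to avoid throttling).
time.sleep(5)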

Policy ComprehendFullAccess has been succesfully attached to role: TeamRole


In [10]:
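from botocore.exceptions import ClientError

# Attach the AWS-managed policy by name; the policy assignment sits outside
# the try since only the IAM call can raise.
policy = 'AmazonAthenaFullAccess'

try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/{}'.format(policy),
        RoleName=role_name
    )
    print('Policy {} has been succesfully attached to role: {}'.format(policy, role_name))
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print('[OK] Policy is already attached.')
    elif error_code == 'LimitExceeded':
        # Managed-policy attachment quota for the role is full: this policy was
        # NOT attached. Say so instead of printing a bare '[OK]'.
        print('[OK] LimitExceeded: policy {} was not attached to role: {}'.format(policy, role_name))
    else:
        print('*************** [ERROR] {} *****************'.format(e))

# Pause between IAM calls (presumably to let the attachment propagate and to avoid throttling).
time.sleep(5)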

Policy AmazonAthenaFullAccess has been succesfully attached to role: TeamRole


In [11]:
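from botocore.exceptions import ClientError

# Attach the AWS-managed policy by name; the policy assignment sits outside
# the try since only the IAM call can raise.
policy = 'SecretsManagerReadWrite'

try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/{}'.format(policy),
        RoleName=role_name
    )
    print('Policy {} has been succesfully attached to role: {}'.format(policy, role_name))
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print('[OK] Policy is already attached.')
    elif error_code == 'LimitExceeded':
        # Managed-policy attachment quota for the role is full: this policy was
        # NOT attached. Say so instead of printing a bare '[OK]'.
        print('[OK] LimitExceeded: policy {} was not attached to role: {}'.format(policy, role_name))
    else:
        print('*************** [ERROR] {} *****************'.format(e))

# Pause between IAM calls (presumably to let the attachment propagate and to avoid throttling).
time.sleep(5)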

Policy SecretsManagerReadWrite has been succesfully attached to role: TeamRole


In [12]:
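from botocore.exceptions import ClientError

# Attach the AWS-managed policy by name; the policy assignment sits outside
# the try since only the IAM call can raise.
policy = 'AmazonRedshiftFullAccess'

try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/{}'.format(policy),
        RoleName=role_name
    )
    print('Policy {} has been succesfully attached to role: {}'.format(policy, role_name))
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print('[OK] Policy is already attached.')
    elif error_code == 'LimitExceeded':
        # Managed-policy attachment quota for the role is full: this policy was
        # NOT attached. Say so instead of printing a bare '[OK]'.
        print('[OK] LimitExceeded: policy {} was not attached to role: {}'.format(policy, role_name))
    else:
        print('*************** [ERROR] {} *****************'.format(e))

# Pause between IAM calls (presumably to let the attachment propagate and to avoid throttling).
time.sleep(5)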

Policy AmazonRedshiftFullAccess has been succesfully attached to role: TeamRole


In [13]:
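from botocore.exceptions import ClientError

# Attach the AWS-managed policy by name; the policy assignment sits outside
# the try since only the IAM call can raise.
policy = 'AmazonEC2ContainerRegistryFullAccess'

try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/{}'.format(policy),
        RoleName=role_name
    )
    print('Policy {} has been succesfully attached to role: {}'.format(policy, role_name))
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print('[OK] Policy is already attached.')
    elif error_code == 'LimitExceeded':
        # Managed-policy attachment quota for the role is full: this policy was
        # NOT attached (the recorded output of this cell was a bare '[OK]',
        # which hid that). The final check still passes via AdministratorAccess.
        print('[OK] LimitExceeded: policy {} was not attached to role: {}'.format(policy, role_name))
    else:
        print('*************** [ERROR] {} *****************'.format(e))

# Pause between IAM calls (presumably to let the attachment propagate and to avoid throttling).
time.sleep(5)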

[OK]


In [14]:
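from botocore.exceptions import ClientError

# Attach the AWS-managed policy by name; the policy assignment sits outside
# the try since only the IAM call can raise.
policy = 'AWSStepFunctionsFullAccess'

try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/{}'.format(policy),
        RoleName=role_name
    )
    print('Policy {} has been succesfully attached to role: {}'.format(policy, role_name))
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print('[OK] Policy is already attached.')
    elif error_code == 'LimitExceeded':
        # Managed-policy attachment quota for the role is full: this policy was
        # NOT attached. Say so instead of printing a bare '[OK]'.
        print('[OK] LimitExceeded: policy {} was not attached to role: {}'.format(policy, role_name))
    else:
        print('*************** [ERROR] {} *****************'.format(e))

# Pause between IAM calls (presumably to let the attachment propagate and to avoid throttling).
time.sleep(5)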

[OK]


In [15]:
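from botocore.exceptions import ClientError

# Attach the AWS-managed policy by name; the policy assignment sits outside
# the try since only the IAM call can raise.
policy = 'AmazonKinesisFullAccess'

try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/{}'.format(policy),
        RoleName=role_name
    )
    print('Policy {} has been succesfully attached to role: {}'.format(policy, role_name))
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print('[OK] Policy is already attached.')
    elif error_code == 'LimitExceeded':
        # Managed-policy attachment quota for the role is full: this policy was
        # NOT attached. Say so instead of printing a bare '[OK]'.
        print('[OK] LimitExceeded: policy {} was not attached to role: {}'.format(policy, role_name))
    else:
        print('*************** [ERROR] {} *****************'.format(e))

# Pause between IAM calls (presumably to let the attachment propagate and to avoid throttling).
time.sleep(5)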

[OK]


In [16]:
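from botocore.exceptions import ClientError

# Attach the AWS-managed policy by name; the policy assignment sits outside
# the try since only the IAM call can raise.
policy = 'AmazonKinesisFirehoseFullAccess'

try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/{}'.format(policy),
        RoleName=role_name
    )
    print('Policy {} has been succesfully attached to role: {}'.format(policy, role_name))
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print('[OK] Policy is already attached.')
    elif error_code == 'LimitExceeded':
        # Managed-policy attachment quota for the role is full: this policy was
        # NOT attached. Say so instead of printing a bare '[OK]'.
        print('[OK] LimitExceeded: policy {} was not attached to role: {}'.format(policy, role_name))
    else:
        print('*************** [ERROR] {} *****************'.format(e))

# Pause between IAM calls (presumably to let the attachment propagate and to avoid throttling).
time.sleep(5)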

[OK]


In [17]:
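from botocore.exceptions import ClientError

# Attach the AWS-managed policy by name; the policy assignment sits outside
# the try since only the IAM call can raise.
policy = 'AmazonKinesisAnalyticsFullAccess'

try:
    iam.attach_role_policy(
        PolicyArn='arn:aws:iam::aws:policy/{}'.format(policy),
        RoleName=role_name
    )
    print('Policy {} has been succesfully attached to role: {}'.format(policy, role_name))
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'EntityAlreadyExists':
        print('[OK] Policy is already attached.')
    elif error_code == 'LimitExceeded':
        # Managed-policy attachment quota for the role is full: this policy was
        # NOT attached. Say so instead of printing a bare '[OK]'.
        print('[OK] LimitExceeded: policy {} was not attached to role: {}'.format(policy, role_name))
    else:
        print('*************** [ERROR] {} *****************'.format(e))

# Pause between IAM calls (presumably to let the attachment propagate and to avoid throttling).
time.sleep(5)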

[OK]


# *Final Check*

In [18]:
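# Final check: compare the policies now attached to the role against the
# list the workshop expects, then record the result in setup_iam_roles_passed.
post_policies = iam.list_attached_role_policies(RoleName=role_name)['AttachedPolicies']

required_policies = [
    'AdministratorAccess',
    'SecretsManagerReadWrite',
    'IAMFullAccess',
    'AmazonS3FullAccess',
    'AmazonAthenaFullAccess',
    'ComprehendFullAccess',
    'AmazonEC2ContainerRegistryFullAccess',
    'AmazonRedshiftFullAccess',
    'AWSStepFunctionsFullAccess',
    'AmazonSageMakerFullAccess',
    'AmazonKinesisFullAccess',
    'AmazonKinesisFirehoseFullAccess',
    'AmazonKinesisAnalyticsFullAccess'
]

# Set membership replaces the remove()-inside-bare-except pattern, which hid
# every exception and could not distinguish "missing" from other failures.
attached_policy_names = {post_policy['PolicyName'] for post_policy in post_policies}

# AdministratorAccess allows every action, so when it is present the check
# passes even if some service policies hit LimitExceeded in the cells above.
# That is deliberate for this workshop role; it also means the list below is
# only enforced for roles without AdministratorAccess.
admin = 'AdministratorAccess' in attached_policy_names

missing_policies = [p for p in required_policies if p not in attached_policy_names]

if not admin and len(missing_policies) > 0:
    # Set the flag explicitly so a re-run after an earlier success cannot %store a stale True.
    setup_iam_roles_passed = False
    print('*************** [ERROR] RE-RUN THIS NOTEBOOK *****************')
    for required_policy in missing_policies:
        print('Not Attached: {}'.format(required_policy))
else:
    setup_iam_roles_passed = True
    print('[OK] You are all set up to continue with this workshop!')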

[OK] You are all set up to continue with this workshop!


In [19]:
%store setup_iam_roles_passed

Stored 'setup_iam_roles_passed' (bool)


In [20]:
%store

Stored variables and their in-db values:
setup_dependencies_passed               -> True
setup_iam_roles_passed                  -> True
setup_instance_check_passed             -> True
setup_s3_bucket_passed                  -> True


# Release Resources

In [None]:
%%javascript
// Save a checkpoint of this notebook, then delete its kernel session (see "Release Resources" above).
Jupyter.notebook.save_checkpoint();
Jupyter.notebook.session.delete();