forked from aws/amazon-sagemaker-examples
-
Notifications
You must be signed in to change notification settings - Fork 0
/
iam_helper.py
65 lines (50 loc) · 1.88 KB
/
iam_helper.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
import boto3
import json
iam = boto3.client("iam")
def create_lambda_role(role_name):
try:
response = iam.create_role(
RoleName=role_name,
AssumeRolePolicyDocument=json.dumps(
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"Service": "lambda.amazonaws.com"},
"Action": "sts:AssumeRole",
}
],
}
),
Description="Role for Lambda to call SageMaker functions",
)
role_arn = response["Role"]["Arn"]
response = iam.attach_role_policy(
RoleName=role_name, PolicyArn="arn:aws:iam::aws:policy/AWSLambda_FullAccess"
)
response = iam.attach_role_policy(
RoleName=role_name,
PolicyArn="arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
)
response = iam.attach_role_policy(
RoleName=role_name, PolicyArn="arn:aws:iam::aws:policy/ComprehendFullAccess"
)
return role_arn
except iam.exceptions.EntityAlreadyExistsException:
print(f"Using ARN from existing role: {role_name}")
response = iam.get_role(RoleName=role_name)
return response["Role"]["Arn"]
def delete_lambda_role(role_name):
response = iam.detach_role_policy(
RoleName=role_name, PolicyArn="arn:aws:iam::aws:policy/AWSLambda_FullAccess"
)
response = iam.detach_role_policy(
RoleName=role_name,
PolicyArn="arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
)
response = iam.detach_role_policy(
RoleName=role_name, PolicyArn="arn:aws:iam::aws:policy/ComprehendFullAccess"
)
response = iam.delete_role(RoleName=role_name)
return response