in infrastructure/lib/sageMakerConstruct.ts [31:59]
/**
 * Provisions the SageMaker artifact bucket and the execution role that
 * SageMaker assumes, then grants that role S3 access to the two buckets.
 *
 * @param scope - Parent construct.
 * @param id - Construct id within `scope`.
 * @param props - Must supply `dataBucket`, the bucket the execution role is
 *   given read/list access to.
 */
constructor(scope: cdk.Construct, id: string, props: SageMakerConstructProps) {
  super(scope, id);

  // Artifact bucket: all public access blocked, SSE-S3 encryption at rest.
  // NOTE(review): `enforceSSL` and versioning are not set here — confirm
  // whether the project's bucket baseline expects them.
  const artifactBucket = new s3.Bucket(this, 'SageMakerArtifactBucket', {
    blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
    encryption: s3.BucketEncryption.S3_MANAGED,
  });
  this.sagemakerArtifactBucket = artifactBucket;

  // Role assumed by the SageMaker service principal.
  // NOTE(review): AmazonSageMakerFullAccess is a broad AWS-managed policy
  // (it grants far more than the S3 actions scoped below); worth checking
  // whether a narrower policy is enough for this workload.
  const executionRole = new iam.Role(this, 'SageMakerExecutionRole', {
    assumedBy: new iam.ServicePrincipal('sagemaker.amazonaws.com'),
    managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonSageMakerFullAccess')],
  });
  this.sagemakerExecutionRole = executionRole;

  // One Allow statement per bucket, covering both the bucket ARN (needed by
  // s3:ListBucket) and every object key beneath it (needed by object actions).
  const allowOnBucket = (bucket: { readonly bucketArn: string }, actions: string[]) =>
    iam.PolicyStatement.fromJson({
      Effect: 'Allow',
      Action: actions,
      Resource: [bucket.bucketArn, `${bucket.bucketArn}/*`],
    });

  // Read-only on the caller-supplied data bucket.
  executionRole.addToPolicy(allowOnBucket(props.dataBucket, ['s3:GetObject', 's3:ListBucket']));
  // Read/write on the artifact bucket owned by this construct. Statement order
  // is kept identical to the original so the synthesized policy does not change.
  executionRole.addToPolicy(
    allowOnBucket(artifactBucket, ['s3:GetObject', 's3:PutObject', 's3:ListBucket'])
  );
}