in lab/setup_utils.py [0:0]
def modify_device_role(iot_device_role_name):
    """Prepare an existing IAM role for use by an IoT device and return its ARN.

    The function creates a customer-managed policy allowing ``s3:GetObject``,
    attaches it and the AWS-managed ``AmazonSageMakerEdgeDeviceFleetPolicy``
    to the role, replaces the role's trust policy, then sleeps before
    returning.

    Args:
        iot_device_role_name: Name (not ARN) of the IAM role to modify.

    Returns:
        The role ARN, assembled from the account id of the current
        execution role and ``iot_device_role_name``.
    """
    iam = boto3.client('iam')

    # NOTE(review): these patterns match any S3 object whose bucket name or
    # key contains the substring, not one specific bucket. Scope this to the
    # lab's bucket/prefix if the role is kept beyond the lab.
    s3_read_statement = {
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": [
            "arn:aws:s3:::*SageMaker*",
            "arn:aws:s3:::*Sagemaker*",
            "arn:aws:s3:::*sagemaker*",
        ],
    }
    s3_read_policy = {
        "Version": "2012-10-17",
        "Statement": [s3_read_statement],
    }

    # The whole-second timestamp suffix means each call creates a new managed
    # policy; repeated runs accumulate policies that are never deleted here.
    policy_suffix = str(time.time()).split(".")[0]
    created = iam.create_policy(
        PolicyName='download_component_policy' + policy_suffix,
        PolicyDocument=json.dumps(s3_read_policy),
    )

    # Attach the freshly created policy first, then the AWS-managed one.
    policy_arns = (
        created['Policy']['Arn'],
        "arn:aws:iam::aws:policy/service-role/AmazonSageMakerEdgeDeviceFleetPolicy",
    )
    for policy_arn in policy_arns:
        iam.attach_role_policy(
            RoleName=iot_device_role_name,
            PolicyArn=policy_arn,
        )

    # update_assume_role_policy replaces the role's trust policy, so any
    # principal trusted before this call is dropped.
    # NOTE(review): neither statement carries a Condition (for example
    # aws:SourceAccount) restricting which resources may use the service
    # principals; consider adding one outside a throwaway lab account.
    trust_policy = (
        '{\n'
        '"Version": "2012-10-17",\n'
        '"Statement": [\n'
        '{\n'
        '"Effect": "Allow",\n'
        '"Principal": {"Service": "credentials.iot.amazonaws.com"},\n'
        '"Action": "sts:AssumeRole"\n'
        '},\n'
        '{\n'
        '"Effect": "Allow",\n'
        '"Principal": {"Service": "sagemaker.amazonaws.com"},\n'
        '"Action": "sts:AssumeRole"\n'
        '}\n'
        ']\n'
        '}'
    )
    iam.update_assume_role_policy(
        PolicyDocument=trust_policy,
        RoleName=iot_device_role_name,
    )

    # Fixed 30-second pause for IAM changes to propagate; this is a delay,
    # not a check that the changes are visible yet.
    time.sleep(30)

    # NOTE(review): the ARN is built by hand, which assumes the "aws"
    # partition, a role with no path, and that the role lives in the same
    # account as the execution role. Confirm against callers.
    execution_role_arn = get_execution_role()
    account_id = execution_role_arn.split(":")[4]
    return f"arn:aws:iam::{account_id}:role/{iot_device_role_name}"