in source/infrastructure/forecast/aws_lambda/policies/factory.py [0:0]
def _forecast_role(self, data_bucket: Bucket, read=False, write=False):
actions = []
mode = ""
if read:
actions.extend(
[
"s3:Get*",
"s3:List*",
]
)
mode += "Read"
if write:
actions.extend(
[
"s3:PutObject",
]
)
mode += "Write"
if not read and not write:
raise ValueError(
"forecast s3 role must have read, write, or both set to true"
)
role_id = f"ForecastS3{mode}Role"
role = Role(
self,
role_id,
assumed_by=ServicePrincipal("forecast.amazonaws.com"),
inline_policies={
role_id: PolicyDocument(
statements=[
PolicyStatement(
actions=actions,
resources=[
data_bucket.arn_for_objects("*"),
data_bucket.bucket_arn,
],
)
]
)
},
)
if read:
self.kms_read_policy.attach_to_role(role)
if write:
self.kms_write_policy.attach_to_role(role)
return role