def _set_permissions()

in source/infrastructure/personalize/aws_lambda/functions/create_batch_segment_job.py [0:0]


    def _set_permissions(self):
        """Attach the IAM permissions and environment the batch-segment Lambda needs.

        Four things are granted/set, in this order:
          1. Personalize read/create actions on this account's dataset groups,
             batch segment jobs and solutions.
          2. Read/write on the ``batch/*`` prefix of ``self.personalize_bucket``.
          3. ``iam:PassRole`` restricted to the single batch-inference role ARN.
          4. The ``ROLE_ARN`` environment variable pointing at that same role.

        All Personalize resource ARNs are pinned to the current partition,
        region and account via the ``Aws`` pseudo-parameters, so the
        wildcards only cover resources within this deployment.
        """

        def personalize_arn(resource_pattern):
            # ARN helper; all three resource types share the same prefix.
            return (
                f"arn:{Aws.PARTITION}:personalize:{Aws.REGION}"
                f":{Aws.ACCOUNT_ID}:{resource_pattern}"
            )

        personalize_actions = [
            "personalize:DescribeDatasetGroup",
            "personalize:ListBatchSegmentJobs",
            "personalize:ListSolutionVersions",
            "personalize:ListSolutions",
            "personalize:CreateBatchSegmentJob",
            "personalize:DescribeBatchSegmentJob",
            "personalize:DescribeSolution",
            "personalize:DescribeSolutionVersion",
        ]
        personalize_statement = iam.PolicyStatement(
            actions=personalize_actions,
            effect=iam.Effect.ALLOW,
            resources=[
                personalize_arn("dataset-group/*"),
                personalize_arn("batch-segment-job/*"),
                personalize_arn("solution/*"),
            ],
        )
        self.function.add_to_role_policy(statement=personalize_statement)

        # Job input/output lives under the bucket's batch/ prefix only.
        self.personalize_bucket.grant_read_write(self.function, "batch/*")

        # PassRole is limited to the one role Personalize assumes for the job.
        # NOTE(review): consider also adding an iam:PassedToService condition
        # so the role can only be passed to Personalize — confirm against the
        # role's trust policy before tightening.
        batch_role_arn = self.personalize_batch_inference_rw_role.role_arn
        pass_role_statement = iam.PolicyStatement(
            effect=iam.Effect.ALLOW,
            actions=["iam:PassRole"],
            resources=[batch_role_arn],
        )
        self.function.add_to_role_policy(statement=pass_role_statement)

        # The handler reads ROLE_ARN to supply roleArn on CreateBatchSegmentJob
        # (inferred from the name; the handler itself is not in this file).
        self.function.add_environment("ROLE_ARN", batch_role_arn)