Merge pull request #290 from awslabs/fix/policies-2024-11-13
Added missing actions/constraints to User/Project policies
dustins authored Nov 19, 2024
2 parents a3a17ee + 07a643a commit c1daca9
Showing 5 changed files with 125 additions and 14 deletions.
43 changes: 41 additions & 2 deletions backend/src/ml_space_lambda/utils/iam_manager.py
Expand Up @@ -91,6 +91,25 @@ def __init__(self, iam_client=None, sts_client=None):
"sagemaker:CreateProcessingJob",
"sagemaker:CreateHyperParameterTuningJob",
"sagemaker:CreateTransformJob",
"sagemaker:DeleteModel",
"sagemaker:DescribeModel",
"sagemaker:DeleteEndpoint",
"sagemaker:DescribeEndpoint",
"sagemaker:InvokeEndpoint",
"sagemaker:DeleteEndpointConfig",
"sageamker:DescribeEndpointConfig",
"sagemaker:DescribeLabelingJob",
"sagemaker:StopLabelingJob",
"sagemaker:DescribeTrainingJob",
"sagemaker:StopTrainingJob",
"sagemaker:DescribeProcessingJob",
"sageamker:StopProcessingJob",
"sagemaker:DescribeHyperParameterTuningJob",
"sagemaker:StopHyperParameterTuningJob",
"sagemaker:DescribeTransformJob",
"sagemaker:StopTransformJob",
"sagemaker:UpdateEndpoint",
"sagemaker:UpdateEndpointWeightsAndCapacities",
"bedrock:Associate*",
"bedrock:Create*",
"bedrock:BatchDelete*",
Expand All @@ -109,7 +128,8 @@ def __init__(self, iam_client=None, sts_client=None):
"Resource": "*",
"Condition": {
"StringNotEqualsIgnoreCase": {
"aws:RequestTag/project": "$PROJECT_NAME"
"aws:RequestTag/project": "$PROJECT_NAME",
"aws:ResourceTag/project": "$PROJECT_NAME"
}
}
},
Expand Down Expand Up @@ -491,6 +511,25 @@ def _generate_user_policy(self, user: str) -> str:
"sagemaker:CreateProcessingJob",
"sagemaker:CreateHyperParameterTuningJob",
"sagemaker:CreateTransformJob",
"sagemaker:DeleteModel",
"sagemaker:DescribeModel",
"sagemaker:DeleteEndpoint",
"sagemaker:DescribeEndpoint",
"sagemaker:InvokeEndpoint",
"sagemaker:DeleteEndpointConfig",
"sageamker:DescribeEndpointConfig",
"sagemaker:DescribeLabelingJob",
"sagemaker:StopLabelingJob",
"sagemaker:DescribeTrainingJob",
"sagemaker:StopTrainingJob",
"sagemaker:DescribeProcessingJob",
"sageamker:StopProcessingJob",
"sagemaker:DescribeHyperParameterTuningJob",
"sagemaker:StopHyperParameterTuningJob",
"sagemaker:DescribeTransformJob",
"sagemaker:StopTransformJob",
"sagemaker:UpdateEndpoint",
"sagemaker:UpdateEndpointWeightsAndCapacities",
"bedrock:Associate*",
"bedrock:Create*",
"bedrock:BatchDelete*",
Expand All @@ -507,7 +546,7 @@ def _generate_user_policy(self, user: str) -> str:
"bedrock:Retrieve*",
],
"Resource": "*",
"Condition": {"StringNotEqualsIgnoreCase": {"aws:RequestTag/user": user}},
"Condition": {"StringNotEqualsIgnoreCase": {"aws:RequestTag/user": user, "aws:ResourceTag/user": user}},
},
],
}
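Review bot: `"sageamker:DescribeEndpointConfig"` and `"sageamker:StopProcessingJob"` in the added action list carry a misspelled service prefix, so IAM will never match them to a SageMaker action and those two calls fall entirely outside this statement and its project-tag condition — the constraint the commit set out to add is silently absent for them. They should read `"sagemaker:DescribeEndpointConfig",` and `"sagemaker:StopProcessingJob",`; the same two strings are repeated in the `_generate_user_policy` hunk further down and in the four fixture/documentation files of this commit, so the fix is a tree-wide replace, and a unit test asserting every action string starts with a known service prefix would have caught it. Separately, both tag keys now sit in one `StringNotEqualsIgnoreCase` block, and keys inside a single condition operator are ANDed, so the statement only applies when neither `aws:RequestTag/project` nor `aws:ResourceTag/project` matches; if that is the intent, a one-line comment above `"Condition"` saying so would stop the next reader from assuming either-or. The enclosing `__init__` starts before and continues after the hunk.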
Expand Up @@ -39,7 +39,25 @@
"sagemaker:CreateProcessingJob",
"sagemaker:CreateHyperParameterTuningJob",
"sagemaker:CreateTransformJob",

"sagemaker:DeleteModel",
"sagemaker:DescribeModel",
"sagemaker:DeleteEndpoint",
"sagemaker:DescribeEndpoint",
"sagemaker:InvokeEndpoint",
"sagemaker:DeleteEndpointConfig",
"sageamker:DescribeEndpointConfig",
"sagemaker:DescribeLabelingJob",
"sagemaker:StopLabelingJob",
"sagemaker:DescribeTrainingJob",
"sagemaker:StopTrainingJob",
"sagemaker:DescribeProcessingJob",
"sageamker:StopProcessingJob",
"sagemaker:DescribeHyperParameterTuningJob",
"sagemaker:StopHyperParameterTuningJob",
"sagemaker:DescribeTransformJob",
"sagemaker:StopTransformJob",
"sagemaker:UpdateEndpoint",
"sagemaker:UpdateEndpointWeightsAndCapacities",
"bedrock:Associate*",
"bedrock:Create*",
"bedrock:BatchDelete*",
Expand All @@ -48,7 +66,6 @@
"bedrock:Retrieve*",
"bedrock:Start*",
"bedrock:Update*",

"bedrock:Apply*",
"bedrock:Detect*",
"bedrock:List*",
Expand All @@ -59,7 +76,8 @@
"Resource": "*",
"Condition": {
"StringNotEqualsIgnoreCase": {
"aws:RequestTag/project": "Project001v20241002"
"aws:RequestTag/project": "Project001v20241002",
"aws:ResourceTag/project": "Project001v20241002"
}
}
},
24 changes: 21 additions & 3 deletions frontend/docs/admin-guide/security/policies/project-policy.md
Expand Up @@ -73,15 +73,32 @@ These actions grants a role the ability to create the specified SageMaker and Be
"sagemaker:CreateProcessingJob",
"sagemaker:CreateHyperParameterTuningJob",
"sagemaker:CreateTransformJob",
"sagemaker:DeleteModel",
"sagemaker:DescribeModel",
"sagemaker:DeleteEndpoint",
"sagemaker:DescribeEndpoint",
"sagemaker:InvokeEndpoint",
"sagemaker:DeleteEndpointConfig",
"sageamker:DescribeEndpointConfig",
"sagemaker:DescribeLabelingJob",
"sagemaker:StopLabelingJob",
"sagemaker:DescribeTrainingJob",
"sagemaker:StopTrainingJob",
"sagemaker:DescribeProcessingJob",
"sageamker:StopProcessingJob",
"sagemaker:DescribeHyperParameterTuningJob",
"sagemaker:StopHyperParameterTuningJob",
"sagemaker:DescribeTransformJob",
"sagemaker:StopTransformJob",
"sagemaker:UpdateEndpoint",
"sagemaker:UpdateEndpointWeightsAndCapacities",
"bedrock:Associate*",
"bedrock:Create*",
"bedrock:BatchDelete*",
"bedrock:Delete*",
"bedrock:Put*",
"bedrock:Start*",
"bedrock:Update*",
"bedrock:Apply*",
"bedrock:Detect*",
"bedrock:List*",
Expand All @@ -92,7 +109,8 @@ These actions grants a role the ability to create the specified SageMaker and Be
"Resource": "*",
"Condition": {
"StringNotEqualsIgnoreCase": {
"aws:RequestTag/project": "Project001"
"aws:RequestTag/project": "Project001",
"aws:ResourceTag/project": "Project001v20241002"
}
}
},
24 changes: 21 additions & 3 deletions frontend/docs/admin-guide/security/policies/user-policy-raw.json
Expand Up @@ -70,7 +70,25 @@
"sagemaker:CreateProcessingJob",
"sagemaker:CreateHyperParameterTuningJob",
"sagemaker:CreateTransformJob",

"sagemaker:DeleteModel",
"sagemaker:DescribeModel",
"sagemaker:DeleteEndpoint",
"sagemaker:DescribeEndpoint",
"sagemaker:InvokeEndpoint",
"sagemaker:DeleteEndpointConfig",
"sageamker:DescribeEndpointConfig",
"sagemaker:DescribeLabelingJob",
"sagemaker:StopLabelingJob",
"sagemaker:DescribeTrainingJob",
"sagemaker:StopTrainingJob",
"sagemaker:DescribeProcessingJob",
"sageamker:StopProcessingJob",
"sagemaker:DescribeHyperParameterTuningJob",
"sagemaker:StopHyperParameterTuningJob",
"sagemaker:DescribeTransformJob",
"sagemaker:StopTransformJob",
"sagemaker:UpdateEndpoint",
"sagemaker:UpdateEndpointWeightsAndCapacities",
"bedrock:Associate*",
"bedrock:Create*",
"bedrock:BatchDelete*",
Expand All @@ -79,7 +97,6 @@
"bedrock:Retrieve*",
"bedrock:Start*",
"bedrock:Update*",

"bedrock:Apply*",
"bedrock:Detect*",
"bedrock:List*",
Expand All @@ -90,7 +107,8 @@
"Resource": "*",
"Condition": {
"StringNotEqualsIgnoreCase": {
"aws:RequestTag/user": "jdoe"
"aws:RequestTag/user": "jdoe",
"aws:ResourceTag/user": "jdoe"
}
}
}
24 changes: 21 additions & 3 deletions frontend/docs/admin-guide/security/policies/user-policy.md
Expand Up @@ -125,7 +125,25 @@ These actions grants a role the ability to create the specified SageMaker and Be
"sagemaker:CreateProcessingJob",
"sagemaker:CreateHyperParameterTuningJob",
"sagemaker:CreateTransformJob",
"sagemaker:DeleteModel",
"sagemaker:DescribeModel",
"sagemaker:DeleteEndpoint",
"sagemaker:DescribeEndpoint",
"sagemaker:InvokeEndpoint",
"sagemaker:DeleteEndpointConfig",
"sageamker:DescribeEndpointConfig",
"sagemaker:DescribeLabelingJob",
"sagemaker:StopLabelingJob",
"sagemaker:DescribeTrainingJob",
"sagemaker:StopTrainingJob",
"sagemaker:DescribeProcessingJob",
"sageamker:StopProcessingJob",
"sagemaker:DescribeHyperParameterTuningJob",
"sagemaker:StopHyperParameterTuningJob",
"sagemaker:DescribeTransformJob",
"sagemaker:StopTransformJob",
"sagemaker:UpdateEndpoint",
"sagemaker:UpdateEndpointWeightsAndCapacities",
"bedrock:Associate*",
"bedrock:Create*",
"bedrock:BatchDelete*",
Expand All @@ -134,7 +152,6 @@ These actions grants a role the ability to create the specified SageMaker and Be
"bedrock:Retrieve*",
"bedrock:Start*",
"bedrock:Update*",
"bedrock:Apply*",
"bedrock:Detect*",
"bedrock:List*",
Expand All @@ -145,7 +162,8 @@ These actions grants a role the ability to create the specified SageMaker and Be
"Resource": "*",
"Condition": {
"StringNotEqualsIgnoreCase": {
"aws:RequestTag/user": "jdoe"
"aws:RequestTag/user": "jdoe",
"aws:ResourceTag/user": "jdoe"
}
}
}
