
Commit 0554c70

author
EC2 Default User
committed
Smoothing out grantRead() policies.
1 parent ca51eb9 commit 0554c70


3 files changed

+82
-29
lines changed

3 files changed

+82
-29
lines changed

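--- a/bin/aws.ts
+++ b/bin/aws.ts
@@ -26,7 +26,6 @@ const chemblStack = new ChemblStack(app, 'ChemblStack', {
 dataLakeBucket: coreDataLake.DataLakeBucket
 });
 
-
 const openTargetsStack = new OpenTargetsStack(app, 'OpenTargetsStack', {
 sourceBucket: baseline.OpenTargetsSourceBucket,
 sourceBucketDataPrefix: '/opentargets/sourceExports/19.11/output/',
@@ -40,7 +39,3 @@ const analyticsStack = new AnalyticsStack(app, 'AnalyticsStack', {
 
 chemblStack.grantRead(analyticsStack.NotebookRole);
 openTargetsStack.grantRead(analyticsStack.NotebookRole);
-
-
-// chemblStack.grantRead(analyticsStack.NotebookRole);
-// openTargetsStack.grantRead(analyticsStack.NotebookRole);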

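--- a/lib/analytics-stack.ts
+++ b/lib/analytics-stack.ts
@@ -25,16 +25,14 @@ export class AnalyticsStack extends cdk.Stack {
 vpc: props.targetVpc
 });
 
-const athenaSagingDirectory = new s3.Bucket(this, 'athenaStagingDir', {});
-
-
+const athenaStagingDirectory = new s3.Bucket(this, 'athenaStagingDir', {});
 
 const lifecycleCode = [
 {"content": cdk.Fn.base64(`
 wget -O /home/ec2-user/SageMaker/opentargets.chembl.example.ipynb https://raw.githubusercontent.com/paulu-aws/chembl-opentargets-data-lake-example/master/scripts/sagemaker.opentargets.chembl.example.ipynb
 sudo chown ec2-user /home/ec2-user/SageMaker/opentargets.chembl.example.ipynb
-sed -i 's/XXXXAthenaStagingDirectoryXXXX/${athenaSagingDirectory.bucketName}/g' opentargets.chembl.example.ipynb
-sed -i 's/XXXXAthenaRegionXXXX/${cdk.Stack.of(this).region}/g' opentargets.chembl.example.ipynb
+sed -i 's/XXXXAthenaStagingDirectoryXXXX/${athenaStagingDirectory.bucketName}/g' /home/ec2-user/SageMaker/opentargets.chembl.example.ipynb
+sed -i 's/XXXXAthenaRegionXXXX/${cdk.Stack.of(this).region}/g' /home/ec2-user/SageMaker/opentargets.chembl.example.ipynb
 `) }
 ];
 const sageMakerIntanceLifecyclePolicy = new sagemaker.CfnNotebookInstanceLifecycleConfig(this, 'notebookLifecyclePolicy', {
@@ -43,12 +41,36 @@ export class AnalyticsStack extends cdk.Stack {
 
 });
 
+const notebookPolicy = {
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": [
+"cloudwatch:PutMetricData",
+"logs:CreateLogStream",
+"logs:PutLogEvents",
+"logs:CreateLogGroup",
+"logs:DescribeLogStreams",
+],
+"Resource": "*"
+}
+]
+};
+
+const notebookPolicyDoc = iam.PolicyDocument.fromJson(notebookPolicy);
+
 this.NotebookRole = new iam.Role(this, 'notebookInstanceRole', {
 roleName: "chemblOpenTargetsNotebookRole",
-assumedBy: new iam.ServicePrincipal('sagemaker')
+assumedBy: new iam.ServicePrincipal('sagemaker'),
+inlinePolicies: {
+"notebookPermissions": notebookPolicyDoc
+}
 });
 
-athenaSagingDirectory.grantReadWrite(this.NotebookRole)
+athenaStagingDirectory.grantReadWrite(this.NotebookRole);
+
+
 
 new sagemaker.CfnNotebookInstance(this, 'analyticsNotebook', {
 instanceType : 'ml.t2.medium',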
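Review bot: The new `notebookPolicy` statement puts the four `logs:*` actions on `"Resource": "*"`, which lets the notebook role create and write to any log group in the account; only `cloudwatch:PutMetricData` needs the wildcard, since that action has no resource-level permissions. Splitting the statement keeps the metric action on `*` and pins the logs actions to the SageMaker log groups (presumably `/aws/sagemaker/*` — confirm the group name the notebook actually writes to). The renamed `athenaStagingDirectory` bucket on new line 28 is also created with every default even though Athena query results over the data lake land there, so `new s3.Bucket(this, 'athenaStagingDir', { blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, encryption: s3.BucketEncryption.S3_MANAGED })` would be the safer baseline. The unchanged lifecycle script still fetches the notebook from the repository's `master` branch with no pin or checksum, so every instance start runs whatever that file currently contains; pinning the URL to a commit SHA would make the bootstrap reproducible. The `AnalyticsStack` constructor that holds all of this starts and ends outside the hunk.

```typescript
const notebookPolicy = {
  "Version": "2012-10-17",
  "Statement": [
    {
      // PutMetricData has no resource-level permissions; the wildcard is unavoidable here.
      "Effect": "Allow",
      "Action": ["cloudwatch:PutMetricData"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      // NOTE(review): assumes the notebook logs under /aws/sagemaker/* — confirm the group name.
      "Resource": [
        `arn:aws:logs:${cdk.Stack.of(this).region}:${cdk.Stack.of(this).account}:log-group:/aws/sagemaker/*`
      ]
    }
  ]
};
// … unchanged: notebookPolicyDoc, role creation, staging-bucket grant, notebook instance …
```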

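--- a/lib/datalake-stack.ts
+++ b/lib/datalake-stack.ts
@@ -47,26 +47,62 @@ export class DataLakeEnrollment extends cdk.Construct {
 public grantRead(principal: iam.Role){
 
 
-const dataLakeBucket = s3.Bucket.fromBucketName(this, 'dataLakeBucket', this.DataEnrollment.DataLakeBucketName);
-dataLakeBucket.grantRead(principal, this.DataEnrollment.DataLakePrefix + "*")
+const s3Policy = {
+"Action": [
+"s3:GetObject*",
+"s3:GetBucket*",
+"s3:List*"
+],
+"Resource": [
+`arn:aws:s3:::${this.DataEnrollment.DataLakeBucketName}`,
+`arn:aws:s3:::${this.DataEnrollment.DataLakeBucketName}${this.DataEnrollment.DataLakePrefix}*`
+],
+"Effect": "Allow"
+};
+
+
+const s3PolicyStatement = iam.PolicyStatement.fromJson(s3Policy);
+
+const gluePolicy = {
+"Action": [
+"glue:GetDatabase",
+"glue:GetTable",
+],
+"Resource": [
+`arn:aws:glue:${cdk.Stack.of(this).region}:${cdk.Stack.of(this).account}:catalog`,
+`arn:aws:glue:${cdk.Stack.of(this).region}:${cdk.Stack.of(this).account}:database/default`,
+this.DataEnrollment.Dataset_Datalake.databaseArn,
+`arn:aws:glue:${cdk.Stack.of(this).region}:${cdk.Stack.of(this).account}:table/${this.DataEnrollment.Dataset_Datalake.databaseName}/*`
+],
+"Effect": "Allow"
+};
+const gluePolicyStatement = iam.PolicyStatement.fromJson(gluePolicy);
+
+
+const athenaPolicy = {
+"Action": [
+"athena:BatchGetNamedQuery",
+"athena:BatchGetQueryExecution",
+"athena:GetQueryExecution",
+"athena:GetQueryResults",
+"athena:GetQueryResultsStream",
+"athena:GetWorkGroup",
+"athena:ListTagsForResource"
+],
+"Resource": [
+`arn:aws:athena:${cdk.Stack.of(this).region}:${cdk.Stack.of(this).account}:*`
+
+],
+"Effect": "Allow"
+};
+const athenaPolicyStatement = iam.PolicyStatement.fromJson(athenaPolicy);
 
-const gluePolicy = new iam.PolicyStatement({
-actions: ["glue:GetDatabase"],
-effect: iam.Effect.ALLOW,
-resources: [`arn:aws:glue:${cdk.Stack.of(this).region}:${cdk.Stack.of(this).account}:catalog`,
-`arn:aws:glue:${cdk.Stack.of(this).region}:${cdk.Stack.of(this).account}:database/default`,
-this.DataEnrollment.Dataset_Datalake.databaseArn
-]
-});
 
-const athenaPolicy = new iam.PolicyStatement({
-actions: ["athena:*"],
-effect: iam.Effect.ALLOW,
-resources: ["*"],
-});
+
+principal.addToPolicy(gluePolicyStatement);
+principal.addToPolicy(s3PolicyStatement);
+principal.addToPolicy(athenaPolicyStatement);
 
-principal.addToPolicy(gluePolicy);
-principal.addToPolicy(athenaPolicy);
 
 
 }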
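Review bot: The object ARN in `s3Policy` is built by bare concatenation, `arn:aws:s3:::${bucket}${prefix}*`, so it only denotes objects when `DataLakePrefix` begins with `/`; the prefixes in `bin/aws.ts` do start that way, but a value like `chembl/` would silently produce `arn:aws:s3:::bucketchembl/*` and grant nothing, so the separator should be explicit. At the same time `s3:List*` and `s3:GetBucket*` on the bare bucket ARN let the role enumerate every prefix in the shared data lake and read the bucket ACL/policy, which is wider than one enrollment's read; a separate `s3:ListBucket` statement with an `s3:prefix` condition keeps listing inside the prefix (list requests must then pass a prefix). The Athena list also drops `athena:StartQueryExecution`/`StopQueryExecution` relative to the old `athena:*`, so unless the notebook role receives those elsewhere, `GetQueryResults` alone will not let the notebook run a query — confirm that is intended. The `arn:aws:` partition is hard-coded in all three statements; `${cdk.Stack.of(this).partition}` would carry over to other partitions. `grantRead` is shown in full, but the enclosing `DataLakeEnrollment` class extends beyond the hunk.

```typescript
// Normalise the prefix so the object ARN always has a '/' separator
// (assumes DataLakePrefix is a plain string, as in bin/aws.ts — confirm it is never a token).
const dataPrefix = this.DataEnrollment.DataLakePrefix.replace(/^\/+/, '');
const bucketArn = `arn:aws:s3:::${this.DataEnrollment.DataLakeBucketName}`;
const s3ObjectPolicy = {
  "Action": ["s3:GetObject*", "s3:GetBucketLocation"],
  "Resource": [bucketArn, `${bucketArn}/${dataPrefix}*`],
  "Effect": "Allow"
};
// Listing is limited to this enrollment's prefix; a request without a prefix is denied.
const s3ListPolicy = {
  "Action": ["s3:ListBucket"],
  "Resource": [bucketArn],
  "Condition": { "StringLike": { "s3:prefix": [`${dataPrefix}*`] } },
  "Effect": "Allow"
};
const s3ObjectPolicyStatement = iam.PolicyStatement.fromJson(s3ObjectPolicy);
const s3ListPolicyStatement = iam.PolicyStatement.fromJson(s3ListPolicy);
// … unchanged: glue and athena statements …
principal.addToPolicy(gluePolicyStatement);
principal.addToPolicy(s3ObjectPolicyStatement);
principal.addToPolicy(s3ListPolicyStatement);
principal.addToPolicy(athenaPolicyStatement);
```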
