# SAM/CloudFormation template: four Lambda functions for SageMaker workflows
# plus the single IAM execution role that all four of them run under.
Description: Template for sagemaker lambda and cloud formation custom resources
Transform: AWS::Serverless-2016-10-31
Resources:
  # NOTE(review): every function below uses Runtime python3.7, which is past
  # end of support on AWS Lambda and no longer receives security patches.
  # Confirm the handlers run on a supported runtime and upgrade.
  #
  # NOTE(review): all four functions reference the same role, so each one
  # holds the union of the permissions granted further down. Per-function
  # roles would let each handler keep only what it calls.
  AddTransformHeaderFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: mlops-add-transform-header
      CodeUri: .
      Handler: sagemaker_add_transform_header.lambda_handler
      Runtime: python3.7
      Role: !GetAtt SagemakerCustomResourceRole.Arn
      Description: "Prepend header to a batch transform job"
  CreateExperimentFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: mlops-create-experiment
      CodeUri: .
      Handler: sagemaker_create_experiment.lambda_handler
      Runtime: python3.7
      Role: !GetAtt SagemakerCustomResourceRole.Arn
      Description: "Create a SageMaker experiment and trial"
  QueryDriftFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: mlops-query-drift
      CodeUri: .
      Handler: sagemaker_query_drift.lambda_handler
      Runtime: python3.7
      Role: !GetAtt SagemakerCustomResourceRole.Arn
      Description: "Query processing job to return drift"
  # The logical ID says "Training" while the function name and handler say
  # "evaluation"; both refer to this one resource.
  QueryTrainingFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: mlops-query-evaluation
      CodeUri: .
      Handler: sagemaker_query_evaluation.lambda_handler
      Runtime: python3.7
      Role: !GetAtt SagemakerCustomResourceRole.Arn
      Description: "Query training job to return results"
  # Execution role shared by the four functions above.
  SagemakerCustomResourceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: sagemaker-cfn-custom-resource
      # Trust policy: only the Lambda service may assume this role.
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      Policies:
        - PolicyDocument:
            Statement:
              # SageMaker actions, scoped to SageMaker resources in the
              # deploying account and region.
              - Sid: AllowSageMaker
                Effect: Allow
                Action:
                  - sagemaker:CreateExperiment
                  - sagemaker:CreateTrial
                  - sagemaker:CreateTrainingJob
                  - sagemaker:DescribeTrainingJob
                  - sagemaker:StopTrainingJob
                  - sagemaker:DescribeEndpoint
                  - sagemaker:UpdateEndpoint
                  - sagemaker:CreateEndpointConfig
                  - sagemaker:DescribeEndpointConfig
                  - sagemaker:DeleteEndpointConfig
                  - sagemaker:DescribeProcessingJob
                  - sagemaker:CreateProcessingJob
                  - sagemaker:StopProcessingJob
                  # NOTE(review): this statement's Resource is a SageMaker
                  # ARN pattern, which does not match KMS key ARNs, so this
                  # action likely never takes effect here. If grants are
                  # needed, use a separate statement scoped to the key ARN.
                  - kms:CreateGrant  # Required if KmsKeyId specified
                Resource:
                  - !Sub arn:aws:sagemaker:${AWS::Region}:${AWS::AccountId}:*/*
              # Object read/write limited to the sagemaker-<region>-<account>
              # bucket. The wildcard s3:GetObject* covers every action with
              # that prefix, not just s3:GetObject.
              - Sid: S3Resources
                Effect: Allow
                Action:
                  - s3:GetObject*
                  - s3:PutObject
                Resource:
                  - !Sub arn:aws:s3:::sagemaker-${AWS::Region}-${AWS::AccountId}/*
                  # The bare bucket ARN is not matched by object-level
                  # actions; only the "/*" entry above applies to them.
                  - !Sub arn:aws:s3:::sagemaker-${AWS::Region}-${AWS::AccountId}
              # NOTE(review): lambda:* on "*" grants every Lambda action on
              # every function in the account, including changing the code
              # and configuration of unrelated functions. Replace with the
              # specific actions the handlers call and restrict Resource to
              # the function ARNs they manage.
              - Sid: AllowLambda
                Effect: Allow
                Action:
                  - lambda:*
                Resource: "*"
              # NOTE(review): events:* on "*" covers every EventBridge action
              # on every rule and bus. The inline comment names the known
              # minimum; enumerate the required actions and scope Resource
              # to the rules this stack owns.
              - Sid: AllowEvents
                Effect: Allow
                Action:
                  - events:*  # Requires at least events:PutRule/events:RemoveTargets
                Resource: "*"
              # The condition limits PassRole to SageMaker as the receiving
              # service, but Resource "*" still allows passing any role in
              # the account that SageMaker can assume.
              # NOTE(review): restrict Resource to the intended SageMaker
              # execution role ARN(s).
              - Sid: AllowPassRole
                Effect: Allow
                Action:
                  - iam:PassRole
                Resource: "*"
                Condition:
                  StringEquals:
                    iam:PassedToService: sagemaker.amazonaws.com
            Version: "2012-10-17"
          PolicyName: SagemakerCustomResource