Scope IAM PassRole to one role name (aws#2963)

* Tensorflow BYO - fix passrole, SM v2

* Tensorflow BYO - fix kernel and formatting

* Greengrass - fix passrole

* RL markdown helper - fix passrole

* Batch BYO - fix passrole, small bugs

* Fairness - fix passrole

* Fix formatting

* Remove duplicate markdown sentence

Author: jkroll-aws

aws_sagemaker_studio/sagemaker_studio_image_build/tensorflow_bring_your_own/tensorflow_bring_your_own.ipynb

@@ -6,7 +6,7 @@
    "source": [
     "# Building your own TensorFlow container from Amazon SageMaker Studio\n",
     "\n",
-    "**STUDIO KERNEL NOTE:** If you are prompted for Kernel, choose 'Python 3 (TensorFlow CPU Optimized) \n",
+    "**STUDIO KERNEL NOTE:** If you are prompted for Kernel, choose 'Python 3 (TensorFlow 2.1 Python 3.6 CPU Optimized) \n",
     "\n",
     "With Amazon SageMaker, you can package your own algorithms that can then be trained and deployed in the SageMaker environment. This notebook guides you through an example using TensorFlow that shows you how to build a Docker container for SageMaker and use it for training and inference. \n",
     "\n",
@@ -300,9 +300,10 @@
    ]
   },
   {
-   "cell_type": "raw",
+   "cell_type": "markdown",
    "metadata": {},
    "source": [
+    "```\n",
     "{\n",
     "  \"Version\": \"2012-10-17\",\n",
     "  \"Statement\": [\n",
@@ -323,7 +324,8 @@
     "      \"Action\": \"sts:AssumeRole\"\n",
     "    }\n",
     "  ]\n",
-    "}"
+    "}\n",
+    "```"
    ]
   },
   {
@@ -338,17 +340,20 @@
     "    \n",
     "   * Open [Policies](https://console.aws.amazon.com/iam/home#/policies) in IAM\n",
     "   * Click **Create policy**\n",
-    "   * Select the JSON tab and copy/paste the policy below"
+    "   * Select the JSON tab and copy/paste the printed result of the policy below"
    ]
   },
   {
-   "cell_type": "raw",
+   "cell_type": "code",
+   "execution_count": null,
    "metadata": {},
+   "outputs": [],
    "source": [
-    "{\n",
+    "print(\n",
+    "    f\"\"\"{{\n",
     "    \"Version\": \"2012-10-17\",\n",
     "    \"Statement\": [\n",
-    "        {\n",
+    "        {{\n",
     "            \"Effect\": \"Allow\",\n",
     "            \"Action\": [\n",
     "                \"codebuild:DeleteProject\",\n",
@@ -357,26 +362,26 @@
     "                \"codebuild:StartBuild\"\n",
     "            ],\n",
     "            \"Resource\": \"arn:aws:codebuild:*:*:project/sagemaker-studio*\"\n",
-    "        },\n",
-    "        {\n",
+    "        }},\n",
+    "        {{\n",
     "            \"Effect\": \"Allow\",\n",
     "            \"Action\": \"logs:CreateLogStream\",\n",
     "            \"Resource\": \"arn:aws:logs:*:*:log-group:/aws/codebuild/sagemaker-studio*\"\n",
-    "        },\n",
-    "        {\n",
+    "        }},\n",
+    "        {{\n",
     "            \"Effect\": \"Allow\",\n",
     "            \"Action\": [\n",
     "                \"logs:GetLogEvents\",\n",
     "                \"logs:PutLogEvents\"\n",
     "            ],\n",
     "            \"Resource\": \"arn:aws:logs:*:*:log-group:/aws/codebuild/sagemaker-studio*:log-stream:*\"\n",
-    "        },\n",
-    "        {\n",
+    "        }},\n",
+    "        {{\n",
     "            \"Effect\": \"Allow\",\n",
     "            \"Action\": \"logs:CreateLogGroup\",\n",
     "            \"Resource\": \"*\"\n",
-    "        },\n",
-    "        {\n",
+    "        }},\n",
+    "        {{\n",
     "            \"Effect\": \"Allow\",\n",
     "            \"Action\": [\n",
     "                \"ecr:CreateRepository\",\n",
@@ -391,48 +396,49 @@
     "                \"ecr:PutImage\"\n",
     "            ],\n",
     "            \"Resource\": \"arn:aws:ecr:*:*:repository/sagemaker-studio*\"\n",
-    "        },\n",
-    "        {\n",
+    "        }},\n",
+    "        {{\n",
     "            \"Effect\": \"Allow\",\n",
     "            \"Action\": \"ecr:GetAuthorizationToken\",\n",
     "            \"Resource\": \"*\"\n",
-    "        },\n",
-    "        {\n",
+    "        }},\n",
+    "        {{\n",
     "            \"Effect\": \"Allow\",\n",
     "            \"Action\": [\n",
     "              \"s3:GetObject\",\n",
     "              \"s3:DeleteObject\",\n",
     "              \"s3:PutObject\"\n",
     "              ],\n",
     "            \"Resource\": \"arn:aws:s3:::sagemaker-*/*\"\n",
-    "        },\n",
-    "        {\n",
+    "        }},\n",
+    "        {{\n",
     "            \"Effect\": \"Allow\",\n",
     "            \"Action\": [\n",
     "                \"s3:CreateBucket\"\n",
     "            ],\n",
     "            \"Resource\": \"arn:aws:s3:::sagemaker*\"\n",
-    "        },\n",
-    "        {\n",
+    "        }},\n",
+    "        {{\n",
     "            \"Effect\": \"Allow\",\n",
     "            \"Action\": [\n",
     "                \"iam:GetRole\",\n",
     "                \"iam:ListRoles\"\n",
     "            ],\n",
     "            \"Resource\": \"*\"\n",
-    "        },\n",
-    "        {\n",
+    "        }},\n",
+    "        {{\n",
     "            \"Effect\": \"Allow\",\n",
     "            \"Action\": \"iam:PassRole\",\n",
-    "            \"Resource\": \"arn:aws:iam::*:role/*\",\n",
-    "            \"Condition\": {\n",
-    "                \"StringLikeIfExists\": {\n",
+    "            \"Resource\": \"{role}\",\n",
+    "            \"Condition\": {{\n",
+    "                \"StringLikeIfExists\": {{\n",
     "                    \"iam:PassedToService\": \"codebuild.amazonaws.com\"\n",
-    "                }\n",
-    "            }\n",
-    "        }\n",
+    "                }}\n",
+    "            }}\n",
+    "        }}\n",
     "    ]\n",
-    "}"
+    "}}\"\"\"\n",
+    ")"
    ]
   },
   {
@@ -446,7 +452,7 @@
     "We now need to attach our policy to the Execution Role attached to this notebook environment.  \n",
     "\n",
     "  * Go back to [Roles](https://console.aws.amazon.com/iam/home#/roles) in IAM\n",
-    "  * Select the SageMaker Execution Role from abovee\n",
+    "  * Select the SageMaker Execution Role from above\n",
     "  * On the **Permissions** tab, click **Attach policies**\n",
     "  * Search for the Policy we created above `Studio-Image-Build-Policy`\n",
     "  * Select the policy and click **Attach policy**"
@@ -647,9 +653,10 @@
     "\n",
     "estimator = Estimator(\n",
     "    role=role,\n",
-    "    train_instance_count=1,\n",
-    "    train_instance_type=instance_type,\n",
+    "    instance_count=1,\n",
+    "    instance_type=instance_type,\n",
     "    image_name=ecr_image,\n",
+    "    image_uri=ecr_image,\n",
     "    hyperparameters=hyperparameters,\n",
     ")\n",
     "\n",
@@ -740,8 +747,6 @@
     "import imageio as imageio\n",
     "import numpy\n",
     "\n",
-    "from sagemaker.predictor import json_serializer, json_deserializer\n",
-    "\n",
     "image = imageio.imread(\"data/cat.png\")\n",
     "print(image.shape)\n",
     "\n",
@@ -758,20 +763,16 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "metadata": {
-    "jupyter": {
-     "source_hidden": true
-    }
-   },
+   "metadata": {},
    "outputs": [],
    "source": [
     "# The request and response format is JSON for TensorFlow Serving.\n",
     "# For more information: https://www.tensorflow.org/serving/api_rest#predict_api\n",
-    "predictor.accept = \"application/json\"\n",
-    "predictor.content_type = \"application/json\"\n",
+    "from sagemaker.serializers import JSONSerializer\n",
+    "from sagemaker.deserializers import JSONDeserializer\n",
     "\n",
-    "predictor.serializer = json_serializer\n",
-    "predictor.deserializer = json_deserializer\n",
+    "predictor.serializer = JSONSerializer()\n",
+    "predictor.deserializer = JSONDeserializer()\n",
     "\n",
     "# For more information on the predictor class.\n",
     "# https://github.com/aws/sagemaker-python-sdk/blob/master/src/sagemaker/predictor.py\n",
@@ -821,9 +822,9 @@
  "metadata": {
   "instance_type": "ml.t3.medium",
   "kernelspec": {
-   "display_name": "Python 3 (TensorFlow CPU Optimized)",
+   "display_name": "Python 3 (TensorFlow 2.1 Python 3.6 CPU Optimized)",
    "language": "python",
-   "name": "python3__SAGEMAKER_INTERNAL__arn:aws:sagemaker:us-west-2:236514542706:image/tensorflow-1.15-cpu-py36"
+   "name": "python3__SAGEMAKER_INTERNAL__arn:aws:sagemaker:us-east-2:429704687514:image/tensorflow-2.1-cpu-py36"
   },
   "language_info": {
    "codemirror_mode": {
@@ -835,7 +836,7 @@
    "name": "python",
    "nbconvert_exporter": "python",
    "pygments_lexer": "ipython3",
-   "version": "3.6.9"
+   "version": "3.6.13"
   }
  },
  "nbformat": 4,