Integration Examples
Examples showing how to use IAM infrastructure provisioned by the SEC Provisioner with common AWS services and workflows.
Adding Users to Groups
The SEC Provisioner creates IAM groups but does not manage user membership. Add users to groups after deployment:
AWS CLI

```bash
# Add a data scientist to the data_scientists group
aws iam add-user-to-group \
  --user-name jane.doe \
  --group-name edge-prod-b001-group-data-scientists

# Add an ML engineer to the ml_engineers group
aws iam add-user-to-group \
  --user-name john.smith \
  --group-name edge-prod-b001-group-ml-engineers

# Verify group membership
aws iam get-group \
  --group-name edge-prod-b001-group-data-scientists \
  --query 'Users[].UserName'
```
Boto3

```python
import boto3

iam = boto3.client('iam')

# Add user to group
iam.add_user_to_group(
    GroupName='edge-prod-b001-group-data-scientists',
    UserName='jane.doe'
)

# List group members
response = iam.get_group(GroupName='edge-prod-b001-group-data-scientists')
for user in response['Users']:
    print(f"  {user['UserName']}")
```
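Because the provisioner creates the groups but never touches membership, membership tends to drift from whatever roster the team keeps. The script below is an added example (not code from this page or from the SEC Provisioner) that reconciles a declared roster against the live group membership: it diffs desired against current, follows IAM pagination, and applies only the additions and removals needed, so repeated runs are idempotent and the plan can be reviewed before it is applied. `DESIRED_MEMBERSHIP` is a constructed sample using the two groups named on this page, and `FakeIam` is an in-memory stand-in for boto3's IAM client so the logic can be run offline.

```python
"""Reconcile IAM group membership against a declared roster (added example)."""

# Constructed sample roster, not from the page: group name -> set of user names
DESIRED_MEMBERSHIP = {
    "edge-prod-b001-group-data-scientists": {"jane.doe"},
    "edge-prod-b001-group-ml-engineers": {"john.smith"},
}


def current_members(iam, group_name):
    """Return the set of user names in a group, following get_group pagination."""
    members = set()
    kwargs = {"GroupName": group_name}
    while True:
        page = iam.get_group(**kwargs)
        members.update(u["UserName"] for u in page["Users"])
        if not page.get("IsTruncated"):
            return members
        kwargs["Marker"] = page["Marker"]


def plan_changes(desired, current):
    """Pure diff for one group: who to add and who to remove (sorted for stable output)."""
    return {"add": sorted(desired - current), "remove": sorted(current - desired)}


def reconcile(iam, desired_membership, dry_run=True):
    """Compute the plan for every group and, unless dry_run, apply it. Returns the plan."""
    report = {}
    for group, desired in desired_membership.items():
        plan = plan_changes(set(desired), current_members(iam, group))
        report[group] = plan
        if dry_run:
            continue
        for user in plan["add"]:
            iam.add_user_to_group(GroupName=group, UserName=user)
        for user in plan["remove"]:  # users not on the roster are removed: drift, not policy
            iam.remove_user_from_group(GroupName=group, UserName=user)
    return report


class FakeIam:
    """Minimal in-memory stand-in for boto3's IAM client so the example runs offline."""

    def __init__(self, groups):
        self.groups = {g: set(m) for g, m in groups.items()}
        self.calls = []

    def get_group(self, GroupName, Marker=None):
        users = [{"UserName": u} for u in sorted(self.groups[GroupName])]
        return {"Users": users, "IsTruncated": False}

    def add_user_to_group(self, GroupName, UserName):
        self.groups[GroupName].add(UserName)
        self.calls.append(("add", GroupName, UserName))

    def remove_user_from_group(self, GroupName, UserName):
        self.groups[GroupName].discard(UserName)
        self.calls.append(("remove", GroupName, UserName))


if __name__ == "__main__":
    import boto3  # the real client is only needed when run against AWS

    # Default is a dry run: print the plan, apply nothing
    for group, plan in reconcile(boto3.client("iam"), DESIRED_MEMBERSHIP).items():
        print(group, plan)
```

Run it once with the default `dry_run=True` to see the plan, then with `dry_run=False` from a principal that holds `iam:AddUserToGroup` and `iam:RemoveUserFromGroup` on the SEC groups. Keeping the roster in version control gives an auditable record of who was supposed to be in each group and when that changed.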
Assuming Roles

Cross-Function Role Assumption
An ML engineer assuming the data scientist role for temporary access:
```bash
# Assume the data_scientist role
CREDS=$(aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/edge-prod-b001-role-data-scientist \
  --role-session-name ml-engineer-session \
  --query 'Credentials' --output json)

# Extract credentials
export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r '.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r '.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r '.SessionToken')

# Now operating with data scientist permissions
aws s3 ls s3://edge-prod-b001-us-west-1-s3/solutions/customer-churn/
```
Elevation Role Assumption

A governance team member assuming the model approver role:

```python
import boto3

sts = boto3.client('sts')

# Assume model_approver role
response = sts.assume_role(
    RoleArn='arn:aws:iam::123456789012:role/edge-prod-b001-role-model-approver',
    RoleSessionName='governance-approval-session',
    DurationSeconds=3600  # 1 hour
)

# Create SageMaker client with assumed role credentials
sagemaker = boto3.client(
    'sagemaker',
    aws_access_key_id=response['Credentials']['AccessKeyId'],
    aws_secret_access_key=response['Credentials']['SecretAccessKey'],
    aws_session_token=response['Credentials']['SessionToken']
)

# Approve a model package
sagemaker.update_model_package(
    ModelPackageArn='arn:aws:sagemaker:us-west-1:123456789012:model-package/customer-churn/1',
    ModelApprovalStatus='Approved'
)
```
Security Admin Elevation

```python
import boto3

sts = boto3.client('sts')

# Assume security_admin role for incident response
response = sts.assume_role(
    RoleArn='arn:aws:iam::123456789012:role/edge-prod-b001-role-security-admin',
    RoleSessionName='incident-response-session',
    DurationSeconds=3600
)

# Create GuardDuty client with elevated permissions
guardduty = boto3.client(
    'guardduty',
    aws_access_key_id=response['Credentials']['AccessKeyId'],
    aws_secret_access_key=response['Credentials']['SecretAccessKey'],
    aws_session_token=response['Credentials']['SessionToken']
)

# Archive resolved findings (placeholder detector and finding IDs)
guardduty.archive_findings(
    DetectorId='detector-id',
    FindingIds=['finding-1', 'finding-2']
)
```
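Both the cross-function and the elevation snippets above hand the caller the full permission set of the assumed role for the whole session. The helper below is an added example (not code from this page or from the SEC Provisioner) showing how to assume an SEC role while attaching a session policy: STS intersects that policy with the role's own permissions, so a data scientist session opened for one solution prefix cannot read the rest of the bucket even though the role itself may be allowed to. It also refuses to assume a role ARN outside the expected account or naming prefix, which catches copy-paste mistakes before any credentials are issued. `parse_role_arn`, `build_session_policy`, `assume_scoped_role` and `FakeSts` are helpers introduced here; the role, bucket and prefix names follow this page.

```python
"""Assume an SEC role with a scoped-down session policy (added example)."""
import json
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")


def parse_role_arn(role_arn, expected_account, expected_prefix):
    """Return the role name, refusing ARNs outside the expected account or prefix."""
    m = ROLE_ARN_RE.match(role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    account, name = m.groups()
    if account != expected_account:
        raise ValueError(f"{name} is in account {account}, expected {expected_account}")
    if not name.startswith(expected_prefix):
        raise ValueError(f"{name} does not carry the SEC prefix {expected_prefix}")
    return name


def build_session_policy(bucket, prefix):
    """Read-only S3 session policy confined to one solution prefix in the bucket."""
    prefix = prefix.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{prefix}/*"],
            },
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}},
            },
        ],
    }


def assume_scoped_role(sts, role_arn, session_name, policy, duration=3600):
    """Call AssumeRole with the session policy attached; returns the Credentials dict."""
    response = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        DurationSeconds=duration,
        Policy=json.dumps(policy),  # effective permissions = role policy AND this policy
    )
    return response["Credentials"]


class FakeSts:
    """Records the AssumeRole request and returns constructed credentials (offline use)."""

    def __init__(self):
        self.last_request = None

    def assume_role(self, **kwargs):
        self.last_request = kwargs
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
                                "SessionToken": "token", "Expiration": "2026-04-01T01:00:00Z"}}


if __name__ == "__main__":
    import boto3  # the real STS call only happens when run against AWS

    account = "123456789012"
    role_arn = f"arn:aws:iam::{account}:role/edge-prod-b001-role-data-scientist"
    parse_role_arn(role_arn, account, "edge-prod-b001-role-")
    policy = build_session_policy("edge-prod-b001-us-west-1-s3", "solutions/customer-churn")
    creds = assume_scoped_role(boto3.client("sts"), role_arn, "ml-engineer-session", policy)
    # A Session object keeps the temporary credentials out of the process environment
    session = boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    print(session.client("sts").get_caller_identity()["Arn"])
```

A session policy can only remove permissions, never add them, so this is safe to apply to any of the SEC roles. Session policies are limited to 2048 characters in packed form; keep them to the handful of statements the task actually needs.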
SageMaker Integration

Using SEC Service Roles

```python
import boto3
import sagemaker
from sagemaker.estimator import Estimator

# Use the sagemaker_execution role created by SEC Provisioner
# Discover role ARN from SSM Parameter Store
ssm = boto3.client('ssm', region_name='us-west-1')
role_arn = ssm.get_parameter(
    Name='/security/edge-prod-b001-us-west-1-medium-sec/SagemakerExecutionRoleArn'
)['Parameter']['Value']

estimator = Estimator(
    image_uri="123456789012.dkr.ecr.us-west-1.amazonaws.com/ml-training:latest",
    role=role_arn,
    instance_count=1,
    instance_type="ml.m5.xlarge",
    output_path="s3://edge-prod-b001-us-west-1-s3/solutions/customer-churn/models/",
)

estimator.fit({
    "train": "s3://edge-prod-b001-us-west-1-s3/solutions/customer-churn/data/processed/train/"
})
```
Lambda with SEC Role

```python
import boto3

lambda_client = boto3.client('lambda')

# Discover Lambda role ARN from SSM
ssm = boto3.client('ssm', region_name='us-west-1')
lambda_role = ssm.get_parameter(
    Name='/security/edge-prod-b001-us-west-1-medium-sec/LambdaMlPipelineRoleArn'
)['Parameter']['Value']

# Create Lambda function using SEC-provisioned role
lambda_client.create_function(
    FunctionName='edge-prod-b001-inference-pipeline',
    Runtime='python3.13',
    Role=lambda_role,
    Handler='handler.lambda_handler',
    Code={'S3Bucket': 'edge-prod-b001-us-west-1-s3', 'S3Key': 'solutions/customer-churn/code/lambda.zip'},
    Timeout=300,
    MemorySize=512
)
```
CI/CD Pipeline Integration

GitHub Actions with SEC Roles

```yaml
name: Deploy ML Model

on:
  push:
    branches: [main]
    paths: ['models/**']

# OIDC federation: the job needs an ID token to assume the role, and nothing more
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/edge-prod-b001-role-ci-cd-deployment-role
          aws-region: us-west-1

      - name: Deploy model to SageMaker
        run: |
          aws sagemaker create-model \
            --model-name customer-churn-v2 \
            --primary-container Image=123456789012.dkr.ecr.us-west-1.amazonaws.com/ml-inference:latest,ModelDataUrl=s3://edge-prod-b001-us-west-1-s3/solutions/customer-churn/models/latest/model.tar.gz \
            --execution-role-arn arn:aws:iam::123456789012:role/edge-prod-b001-role-sagemaker-execution
```
CodeBuild with SEC Role

```yaml
# buildspec.yml
version: 0.2

phases:
  build:
    commands:
      # CodeBuild uses edge-prod-b001-role-codebuild-service
      - aws ecr get-login-password | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-west-1.amazonaws.com
      - docker build -t ml-training:latest .
      - docker tag ml-training:latest 123456789012.dkr.ecr.us-west-1.amazonaws.com/ml-training:latest
      - docker push 123456789012.dkr.ecr.us-west-1.amazonaws.com/ml-training:latest
```
Cross-Account Access

Assuming Cross-Account Deployment Role

```bash
# From trusted account, assume the deployment role in target account
CREDS=$(aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/edge-prod-b001-xacct-deployment-role \
  --role-session-name cross-account-deploy \
  --external-id "deployment-external-id-12345" \
  --query 'Credentials' --output json)

export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r '.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r '.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r '.SessionToken')

# Now operating in target account
aws cloudformation list-stacks --region us-west-1
```
Cross-Account Monitoring

```python
import boto3

# From monitoring account, assume monitoring role (enterprise tier)
sts = boto3.client('sts')
response = sts.assume_role(
    RoleArn='arn:aws:iam::123456789012:role/edge-prod-b001-xacct-monitoring-role',
    RoleSessionName='monitoring-session',
    ExternalId='monitoring-external-id-67890'
)

# Create CloudWatch client in target account
cloudwatch = boto3.client(
    'cloudwatch',
    aws_access_key_id=response['Credentials']['AccessKeyId'],
    aws_secret_access_key=response['Credentials']['SecretAccessKey'],
    aws_session_token=response['Credentials']['SessionToken'],
    region_name='us-west-1'
)

# Read metrics from target account
metrics = cloudwatch.get_metric_data(
    MetricDataQueries=[{
        'Id': 'sagemaker_invocations',
        'MetricStat': {
            'Metric': {
                'Namespace': 'AWS/SageMaker',
                'MetricName': 'Invocations',
            },
            'Period': 3600,
            'Stat': 'Sum'
        }
    }],
    StartTime='2026-04-01T00:00:00Z',
    EndTime='2026-04-02T00:00:00Z'
)
```
Cross-Provisioner Integration

Discover All Resources via SSM

```python
import boto3

ssm = boto3.client('ssm', region_name='us-west-1')

# Get SEC role ARNs (paginate: get_parameters_by_path returns at most 10 per call)
paginator = ssm.get_paginator('get_parameters_by_path')
print("SEC Resources:")
for page in paginator.paginate(
    Path='/security/edge-prod-b001-us-west-1-medium-sec/',
    Recursive=True
):
    for param in page['Parameters']:
        key = param['Name'].split('/')[-1]
        print(f"  {key}: {param['Value']}")
```
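Printing the parameters is a start, but a pipeline that consumes them should also check that what it found is what it expects before it hands a role ARN to SageMaker or Lambda. The following is an added example (not code from this page or from the SEC Provisioner) that walks every page of `get_parameters_by_path` under the SEC path, then verifies that the two parameters this page relies on are present and that every `*RoleArn` value is an IAM role ARN in the expected account, so a stale or mis-scoped parameter fails loudly instead of quietly granting a role from somewhere else. `discover`, `validate` and `FakeSsm` are helpers introduced here; the fake client serves constructed sample data in pages so the pagination path is exercised offline.

```python
"""Discover SEC resources from SSM and validate them before use (added example)."""
import re

SEC_PATH = "/security/edge-prod-b001-us-west-1-medium-sec/"
REQUIRED_KEYS = ("SagemakerExecutionRoleArn", "LambdaMlPipelineRoleArn")  # names from this page
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/.+$")


def discover(ssm, path=SEC_PATH):
    """Return {leaf name: value} for every parameter under path, following NextToken."""
    found = {}
    kwargs = {"Path": path, "Recursive": True}
    while True:
        page = ssm.get_parameters_by_path(**kwargs)
        for param in page["Parameters"]:
            found[param["Name"].rsplit("/", 1)[-1]] = param["Value"]
        token = page.get("NextToken")
        if not token:
            return found
        kwargs["NextToken"] = token


def validate(resources, account, required=REQUIRED_KEYS):
    """Return a list of problems; an empty list means the SEC stack looks usable."""
    problems = []
    for key in required:
        if key not in resources:
            problems.append(f"missing parameter {key}")
    for key, value in resources.items():
        if not key.endswith("RoleArn"):
            continue
        m = ROLE_ARN_RE.match(value)
        if not m:
            problems.append(f"{key} is not a role ARN: {value}")
        elif m.group(1) != account:
            problems.append(f"{key} points at account {m.group(1)}, expected {account}")
    return problems


class FakeSsm:
    """Paginating stand-in for boto3's SSM client, serving constructed sample data."""

    def __init__(self, params, page_size=1):
        self.params = params
        self.page_size = page_size

    def get_parameters_by_path(self, Path, Recursive, NextToken=None):
        start = int(NextToken or 0)
        items = [{"Name": Path + k, "Value": v} for k, v in sorted(self.params.items())]
        page = {"Parameters": items[start:start + self.page_size]}
        if start + self.page_size < len(items):
            page["NextToken"] = str(start + self.page_size)
        return page


if __name__ == "__main__":
    import boto3  # real SSM client only when run against AWS

    resources = discover(boto3.client("ssm", region_name="us-west-1"))
    for problem in validate(resources, "123456789012"):
        print("PROBLEM:", problem)
```

Wire `validate` into the start of any job that consumes SEC parameters and abort on a non-empty result; the account check in particular is what protects a pipeline whose SSM path was copied from another environment.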
Full Stack Example

```python
import boto3
from sagemaker.estimator import Estimator

ssm = boto3.client('ssm', region_name='us-west-1')

# 1. Get SageMaker role from SEC
role_arn = ssm.get_parameter(
    Name='/security/edge-prod-b001-us-west-1-medium-sec/SagemakerExecutionRoleArn'
)['Parameter']['Value']

# 2. Use S3 bucket from S3 Provisioner
bucket = "edge-prod-b001-us-west-1-s3"

# 3. Run in VPC from VPC Provisioner (placeholder subnet and security group IDs)
subnets = ["subnet-0a1b2c3d", "subnet-4e5f6g7h"]
security_group_ids = ["sg-PLACEHOLDER"]

# 4. Create SageMaker training job using all three
estimator = Estimator(
    image_uri="123456789012.dkr.ecr.us-west-1.amazonaws.com/ml-training:latest",
    role=role_arn,                           # From SEC
    output_path=f"s3://{bucket}/...",        # From S3
    subnets=subnets,                         # From VPC
    security_group_ids=security_group_ids,   # From VPC; the SDK only sends a VpcConfig when both are set
    instance_type="ml.m5.xlarge",
    instance_count=1,
)
```
SDK Examples

Boto3: List Provisioned IAM Resources

```python
import boto3

iam = boto3.client('iam')
prefix = "edge-prod-b001"

# List groups (paginate: list_groups returns at most 100 per call)
my_groups = [
    g
    for page in iam.get_paginator('list_groups').paginate()
    for g in page['Groups']
    if g['GroupName'].startswith(prefix)
]
print(f"Groups ({len(my_groups)}):")
for g in my_groups:
    print(f"  {g['GroupName']}")

# List roles (paginate: list_roles returns at most 100 per call)
my_roles = [
    r
    for page in iam.get_paginator('list_roles').paginate()
    for r in page['Roles']
    if r['RoleName'].startswith(prefix)
]
print(f"\nRoles ({len(my_roles)}):")
for r in my_roles:
    print(f"  {r['RoleName']}")
```
AWS CLI: Verify Deployment

```bash
# List groups
aws iam list-groups \
  --query 'Groups[?starts_with(GroupName, `edge-prod-b001`)].GroupName'

# List roles
aws iam list-roles \
  --query 'Roles[?starts_with(RoleName, `edge-prod-b001`)].RoleName'

# Check stack
aws cloudformation describe-stacks \
  --stack-name edge-prod-b001-us-west-1-medium-sec-stack \
  --query 'Stacks[0].StackStatus'

# List SSM parameters
aws ssm get-parameters-by-path \
  --path /security/edge-prod-b001-us-west-1-medium-sec/ \
  --query 'Parameters[].Name'
```
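The CLI checks above confirm that the resources exist; they say nothing about how the roles can be assumed. The cross-account examples on this page pass an external ID, which only protects anything if the role's trust policy actually requires one. The script below is an added example (not the project's own verification) that lists the roles carrying the deployment prefix, reports any expected role that is missing, and then inspects each `-xacct-` role's trust policy for a `sts:ExternalId` condition on its `sts:AssumeRole` statements. boto3 returns `AssumeRolePolicyDocument` already decoded into a dict, which is what `requires_external_id` takes. `EXPECTED_ROLES` is a subset of the role names used on this page; `FakeIam` is an offline stand-in with constructed trust policies.

```python
"""Verify an SEC deployment: expected roles present, cross-account trusts need an ExternalId."""

PREFIX = "edge-prod-b001"
# Subset of the SEC role names shown on this page (suffixes after the prefix)
EXPECTED_ROLES = (
    "role-data-scientist",
    "role-model-approver",
    "role-security-admin",
    "xacct-deployment-role",
    "xacct-monitoring-role",
)


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def requires_external_id(trust_policy):
    """True if every Allow statement granting sts:AssumeRole carries a sts:ExternalId condition."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        conditions = stmt.get("Condition", {})
        if not any("sts:ExternalId" in v for v in conditions.values() if isinstance(v, dict)):
            return False
    return True


def list_roles(iam, prefix):
    """All role names carrying the prefix, following list_roles pagination."""
    names = []
    kwargs = {}
    while True:
        page = iam.list_roles(**kwargs)
        names.extend(r["RoleName"] for r in page["Roles"] if r["RoleName"].startswith(prefix))
        if not page.get("IsTruncated"):
            return names
        kwargs["Marker"] = page["Marker"]


def verify(iam, prefix=PREFIX, expected_roles=EXPECTED_ROLES):
    """Return a list of findings; an empty list means the deployment passed these checks."""
    findings = []
    present = set(list_roles(iam, prefix))
    for suffix in expected_roles:
        if f"{prefix}-{suffix}" not in present:
            findings.append(f"missing role {prefix}-{suffix}")
    for name in sorted(present):
        if "-xacct-" not in name:
            continue  # only cross-account roles are expected to require an external ID
        trust = iam.get_role(RoleName=name)["Role"]["AssumeRolePolicyDocument"]
        if not requires_external_id(trust):
            findings.append(f"{name} trusts without sts:ExternalId condition")
    return findings


class FakeIam:
    """Paginating stand-in for boto3's IAM client; maps role name -> trust policy dict."""

    def __init__(self, roles, page_size=2):
        self.roles = roles
        self.page_size = page_size

    def list_roles(self, Marker=None):
        names = sorted(self.roles)
        start = int(Marker or 0)
        page = {"Roles": [{"RoleName": n} for n in names[start:start + self.page_size]]}
        page["IsTruncated"] = start + self.page_size < len(names)
        if page["IsTruncated"]:
            page["Marker"] = str(start + self.page_size)
        return page

    def get_role(self, RoleName):
        return {"Role": {"RoleName": RoleName, "AssumeRolePolicyDocument": self.roles[RoleName]}}


if __name__ == "__main__":
    import boto3  # real IAM client only when run against AWS

    for finding in verify(boto3.client("iam")):
        print("FINDING:", finding)
```

Run it from a principal with `iam:ListRoles` and `iam:GetRole` after every deployment; a non-empty result is worth failing the pipeline on, since a cross-account role that trusts without an external ID condition is exposed to the confused-deputy problem the external ID exists to prevent.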