Skip to content

fix(dataops-project): grant SMUS user role read access to job scripts in project bucket#55

Open
marcinc wants to merge 2 commits into
aws:mainfrom
marcinc:fix/smus-user-role-no-script-access
Open

fix(dataops-project): grant SMUS user role read access to job scripts in project bucket#55
marcinc wants to merge 2 commits into
aws:mainfrom
marcinc:fix/smus-user-role-no-script-access

Conversation

@marcinc

@marcinc marcinc commented May 20, 2026

Copy link
Copy Markdown

Issue #, if available: #54

Related issue: #52

Description of changes:

SMUS per-user roles (datazone_usr_role_<projectId>_<userId>) are created dynamically by AWS at session time and are unknown to MDAA at deploy time. The project bucket's catch-all deny policy was blocking these roles from reading Glue job scripts under deployment/*, causing script load failures when users clicked Script in the SMUS Data Processing Jobs view.

Two changes to createProjectBucket:

  • Add SmusUserRoleDeploymentRead: Allow s3:GetObject* on deployment/* for any principal matching arn:aws:iam::<account>:role/datazone_usr_role_*
  • Add the same pattern to principalExcludes so the catch-all deny does not fire for SMUS user roles (mirrors the existing dz-user role treatment)

Tests:

  • project.compliance.test.ts: asserts SmusUserRoleDeploymentRead statement
  • project.synth.test.ts Comprehensive SynthTest: asserts Allow and Deny statements include the datazone_usr_role_* ARN pattern

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

marcinc added 2 commits May 22, 2026 16:05
… in project bucket

SMUS per-user roles (datazone_usr_role_<projectId>_<userId>) are created
dynamically by AWS at session time and are unknown to MDAA at deploy time.
The project bucket's catch-all deny policy was blocking these roles from
reading Glue job scripts under deployment/*, causing script load failures
when users clicked Script in the SMUS Data Processing Jobs view.

Two changes to createProjectBucket:
- Add SmusUserRoleDeploymentRead: Allow s3:GetObject* on deployment/* for
  any principal matching arn:aws:iam::<account>:role/datazone_usr_role_*
- Add the same pattern to principalExcludes so the catch-all deny does not
  fire for SMUS user roles (mirrors the existing dz-user role treatment)

Tests:
- project.compliance.test.ts: asserts SmusUserRoleDeploymentRead statement
- project.synth.test.ts Comprehensive SynthTest: asserts Allow and Deny
  statements include the datazone_usr_role_* ARN pattern
- Snapshots updated
… S3 read access

Regenerated CDK diff baselines for all four sample configs (minimal, comprehensive,
datazone, sagemaker) to reflect the new S3 GetObject/ListBucket permissions granted
to the SMUS user role on the project script bucket. Makes job scripts accessible
to the SageMaker Unified Studio user without requiring script access workarounds.
@marcinc marcinc force-pushed the fix/smus-user-role-no-script-access branch from 90e8b6e to 3395577 Compare May 22, 2026 15:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant