Add permission for get secret value for hf access token secret

awslabs · Jul 12, 2024 · 74150f9 · 74150f9
1 parent 4e9462d
commit 74150f9
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -32,6 +32,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - fix opensearch removal policy
 - update MWAA to 2.9.2
 - update mwaa constraints
+- add permission for get secret value in `hf_import_models` template
 
 ## v1.2.0
 

diff --git a/...ervice-catalog/templates/hf_import_models/pipeline_constructs/build_pipeline_construct.py b/...ervice-catalog/templates/hf_import_models/pipeline_constructs/build_pipeline_construct.py
@@ -224,6 +224,16 @@ def __init__(
                 resources=[sagemaker_seedcode_bucket.bucket_arn],
             )
         )
+        codebuild_role.add_to_policy(
+            iam.PolicyStatement(
+                actions=[
+                    "secretsmanager:GetSecretValue",
+                ],
+                resources=[
+                    f"arn:aws:secretsmanager:{Aws.REGION}:{Aws.ACCOUNT_ID}:secret:{hf_access_token_secret}-??????"
+                ],
+            )
+        )
 
         # Create the CodeBuild project
         sm_pipeline_build = codebuild.PipelineProject(