From 74150f94a580620b1819a8aeaa2a8f15b845d5a8 Mon Sep 17 00:00:00 2001
From: Ethan Bunce
Date: Fri, 12 Jul 2024 08:40:45 +0000
Subject: [PATCH] Add permission for get secret value for hf access token secret

---
 CHANGELOG.md | 1 +
 .../pipeline_constructs/build_pipeline_construct.py | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a647b44e..c10b57ec 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -32,6 +32,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - fix opensearch removal policy
 - update MWAA to 2.9.2
 - update mwaa constraints
+- add permission for get secret value in `hf_import_models` template
 
 ## v1.2.0
 
diff --git a/modules/sagemaker/sagemaker-templates-service-catalog/templates/hf_import_models/pipeline_constructs/build_pipeline_construct.py b/modules/sagemaker/sagemaker-templates-service-catalog/templates/hf_import_models/pipeline_constructs/build_pipeline_construct.py
index 9da4e612..60c95523 100644
--- a/modules/sagemaker/sagemaker-templates-service-catalog/templates/hf_import_models/pipeline_constructs/build_pipeline_construct.py
+++ b/modules/sagemaker/sagemaker-templates-service-catalog/templates/hf_import_models/pipeline_constructs/build_pipeline_construct.py
@@ -224,6 +224,16 @@ def __init__(
                 resources=[sagemaker_seedcode_bucket.bucket_arn],
             )
         )
+        codebuild_role.add_to_policy(
+            iam.PolicyStatement(
+                actions=[
+                    "secretsmanager:GetSecretValue",
+                ],
+                resources=[
+                    f"arn:aws:secretsmanager:{Aws.REGION}:{Aws.ACCOUNT_ID}:secret:{hf_access_token_secret}-??????"
+                ],
+            )
+        )
 
         # Create the CodeBuild project
         sm_pipeline_build = codebuild.PipelineProject(
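Review bot: The resource ARN on the added `resources=[...]` line hard-codes the `aws` partition, so the grant resolves to a non-existent ARN in GovCloud or China regions even though region and account are already taken from the `Aws` pseudo-parameters; use `f"arn:{Aws.PARTITION}:secretsmanager:{Aws.REGION}:{Aws.ACCOUNT_ID}:secret:{hf_access_token_secret}-??????"`. The `-??????` suffix is the usual way to match the six random characters Secrets Manager appends to a secret name in its ARN, but it also matches any other secret named `hf_access_token_secret` plus a hyphen and six characters, so a comment such as `# "-??????" matches the 6 random chars Secrets Manager appends to the secret name` would make the intent and the scope visible to reviewers. This presumes `hf_access_token_secret` is the secret's name rather than its full ARN, and that it is validated upstream so a wildcard in it cannot widen the grant; neither is visible here. `__init__` begins and ends outside this hunk.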