bug: Sandbox stack does not properly grant AssumeRole on ProjectSudoRole

[athewsey]

Although the sandbox.yml stack grants the user's execution role permission to sts:AssumeRole on the SudoRole, the SudoRole's trust policy is not updated to add the new principal - so the access is still blocked... Resulting in an error something like the below at the end of notebook 1:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::123456789012:assumed-role/AmazonSageMaker-ExecutionRole-XYZ/SageMaker is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/forestcover/forestcover-ProjectSudoRole

The manual fix is to open the SudoRole in the IAM console, go to the "Trust Relationships" tab, and add an entry something like:

    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AmazonSageMaker-ExecutionRole-XYZ"
      },
      "Action": "sts:AssumeRole"
    }

...But the templates should be updated to automate this process