diff --git a/ci-isolation/pom.xml b/ci-isolation/pom.xml
index 3d45cd2..6e0c47d 100644
--- a/ci-isolation/pom.xml
+++ b/ci-isolation/pom.xml
@@ -38,7 +38,7 @@
 com.exasol ci-isolation-aws
- 2.0.0
+ 2.0.1
\ No newline at end of file
diff --git a/ci-isolation/src/main/java/com/exasol/adapter/document/files/ciisolation/CiIsolationApp.java b/ci-isolation/src/main/java/com/exasol/adapter/document/files/ciisolation/CiIsolationApp.java
index 5486105..33593c4 100644
--- a/ci-isolation/src/main/java/com/exasol/adapter/document/files/ciisolation/CiIsolationApp.java
+++ b/ci-isolation/src/main/java/com/exasol/adapter/document/files/ciisolation/CiIsolationApp.java
@@ -2,6 +2,7 @@
 import com.exasol.ciisolation.aws.PolicyReader;
 import com.exasol.ciisolation.aws.ciuser.CiUserStack;
+import com.exasol.ciisolation.aws.ciuser.CiUserStack.CiUserStackProps;
 import software.amazon.awscdk.App;
@@ -12,10 +13,12 @@ public class CiIsolationApp {
 public static void main(final String[] args) {
 final App app = new App();
 final PolicyReader policyReader = new PolicyReader();
- new CiUserStack(app, CiUserStack.CiUserStackProps.builder().projectName("exasol-sagemaker-extension")
+ CiUserStackProps props = CiUserStack.CiUserStackProps.builder().projectName("exasol-sagemaker-extension")
 .addRequiredPermissions(
 policyReader.readPolicyFromResources("s3-access.json"),
- policyReader.readPolicyFromResources("sagemaker-access.json")).build());
+ policyReader.readPolicyFromResources("sagemaker-access.json")).build();
+ new CiUserStack(app, props);
+ new SageMakerRoleStack(app, "protected-exasol-sagemaker-extension-role-stack", props);
 app.synth();
 }
 }
diff --git a/ci-isolation/src/main/java/com/exasol/adapter/document/files/ciisolation/SageMakerRoleStack.java b/ci-isolation/src/main/java/com/exasol/adapter/document/files/ciisolation/SageMakerRoleStack.java
new file mode 100644
index 0000000..b87174d
--- /dev/null
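Review bot: `CiUserStackProps props` in main() is the only local in the method not declared `final`, while `app` and `policyReader` on the surrounding context lines are; `final CiUserStackProps props = CiUserStackProps.builder().projectName("exasol-sagemaker-extension")` keeps the method consistent and also uses the newly imported simple name, which the still-qualified `CiUserStack.CiUserStackProps.builder()` call makes redundant. The stack id `"protected-exasol-sagemaker-extension-role-stack"` passed to SageMakerRoleStack repeats the project name already held in props; deriving it as `"protected-" + props.projectName() + "-role-stack"` keeps the two from drifting apart if the project name is ever changed in one place only.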
+++ b/ci-isolation/src/main/java/com/exasol/adapter/document/files/ciisolation/SageMakerRoleStack.java
@@ -0,0 +1,20 @@
+package com.exasol.adapter.document.files.ciisolation;
+
+import com.exasol.ciisolation.aws.TaggedStack;
+import com.exasol.ciisolation.aws.ciuser.CiUserStack.CiUserStackProps;
+
+import software.amazon.awscdk.services.iam.*;
+import software.constructs.Construct;
+
+class SageMakerRoleStack extends TaggedStack {
+ SageMakerRoleStack(final Construct scope, final String id, final CiUserStackProps props) {
+ super(scope, id, null, props.projectName());
+ Role role = Role.Builder.create(this, "Role")
+ .assumedBy(new CompositePrincipal(new ServicePrincipal("sagemaker.amazonaws.com")))
+ .description(
+ "Allows SageMaker notebook instances, training jobs, and models to access S3, ECR, and CloudWatch on your behalf.")
+ .build();
+ tagResource(role);
+ role.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("AmazonSageMakerFullAccess"));
+ }
+}
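Review bot: The role built from `Role.Builder.create(this, "Role")` is attached to the AWS-managed `AmazonSageMakerFullAccess` policy, which grants far more than the description string claims (access to S3, ECR and CloudWatch), so either the description should state that the role carries full SageMaker access or the managed policy should be replaced by one scoped to what this extension's CI actually needs. The trust relationship is an unconditioned `ServicePrincipal("sagemaker.amazonaws.com")`, which is the shape AWS documents for the cross-service confused-deputy problem; adding `aws:SourceAccount`/`aws:SourceArn` conditions on that principal limits on whose behalf SageMaker may assume the role — unless `TaggedStack` already applies such conditions, which is not visible here. Wrapping the single principal in a `CompositePrincipal` adds nothing; `.assumedBy(new ServicePrincipal("sagemaker.amazonaws.com"))` says the same thing more directly, and `Role role` could be `final` like the constructor parameters. The class has no Javadoc; a header such as `/** Stack that creates the IAM role SageMaker assumes on behalf of the CI user's project. */` would explain why it is a separate stack from CiUserStack.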