Actions, resources, and condition keys for Amazon SageMaker
Amazon SageMaker (service prefix: sagemaker) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by Amazon SageMaker
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
--- | --- | --- | --- | --- | --- |
AddAssociation | Grants permission to associate a lineage entity (artifact, context, action, experiment, experiment-trial-component) to each other | Write | |||
AddTags | Grants permission to add or overwrite one or more tags for the specified Amazon SageMaker resource | Tagging | |||
AssociateTrialComponent | Grants permission to associate a trial component with a trial | Write | |||
BatchDeleteClusterNodes | Grants permission to batch delete SageMaker HyperPod cluster nodes | Write | | | eks:DescribeCluster |
BatchDescribeModelPackage | Grants permission to describe one or more ModelPackages | Read | |||
BatchGetMetrics | Grants permission to retrieve metrics associated with SageMaker Resources such as Training Jobs or Trial Components | Read | |||
BatchGetRecord | Grants permission to get a batch of records from one or more feature groups | Read | |||
BatchPutMetrics | Grants permission to publish metrics associated with a SageMaker Resource such as a Training Job or Trial Component | Write | |||
CallPartnerAppApi | Grants permission for Partner App SDK to access the Partner App for reading or writing data use cases | Write | |||
CreateAction | Grants permission to create an action | Write | | | sagemaker:AddTags |
CreateAlgorithm | Grants permission to create an algorithm | Write | | | sagemaker:AddTags |
CreateApp | Grants permission to create an App for a SageMaker UserProfile or Space | Write | | | sagemaker:AddTags |
CreateAppImageConfig | Grants permission to create an AppImageConfig | Write | | | sagemaker:AddTags |
CreateArtifact | Grants permission to create an artifact | Write | | | sagemaker:AddTags |
CreateAutoMLJob | Grants permission to create an AutoML job | Write | | | iam:PassRole sagemaker:AddTags |
CreateAutoMLJobV2 | Grants permission to create a V2 AutoML job | Write | | | iam:PassRole sagemaker:AddTags |
CreateCluster | Grants permission to create a SageMaker HyperPod cluster | Write | | | eks:AssociateAccessPolicy eks:CreateAccessEntry eks:DeleteAccessEntry eks:DescribeAccessEntry eks:DescribeCluster iam:CreateServiceLinkedRole iam:PassRole sagemaker:AddTags |
CreateClusterSchedulerConfig | Grants permission to create a cluster scheduler config | Write | | | eks:AssociateAccessPolicy eks:DescribeCluster eks:ListAssociatedAccessPolicies sagemaker:AddTags sagemaker:DescribeCluster |
CreateCodeRepository | Grants permission to create a CodeRepository | Write | | | sagemaker:AddTags |
CreateCompilationJob | Grants permission to create a compilation job | Write | | | iam:PassRole sagemaker:AddTags |
CreateComputeQuota | Grants permission to create a compute quota | Write | | | eks:AssociateAccessPolicy eks:DescribeCluster eks:ListAssociatedAccessPolicies sagemaker:AddTags sagemaker:DescribeCluster |
CreateContext | Grants permission to create a context | Write | | | sagemaker:AddTags |
CreateDataQualityJobDefinition | Grants permission to create a data quality job definition | Write | | | iam:PassRole sagemaker:AddTags |
CreateDeviceFleet | Grants permission to create a device fleet | Write | | | iam:PassRole sagemaker:AddTags |
CreateDomain | Grants permission to create a Domain for SageMaker Studio | Write | | sagemaker:AppNetworkAccessType | iam:CreateServiceLinkedRole iam:PassRole sagemaker:AddTags |
CreateEdgeDeploymentPlan | Grants permission to create an edge deployment plan | Write | | | iam:PassRole sagemaker:AddTags |
CreateEdgeDeploymentStage | Grants permission to create an edge deployment stage | Write | | | iam:PassRole sagemaker:AddTags |
CreateEdgePackagingJob | Grants permission to create an edge packaging job | Write | | | iam:PassRole sagemaker:AddTags |
CreateEndpoint | Grants permission to create an endpoint using the endpoint configuration specified in the request | Write | | | sagemaker:AddTags |
CreateEndpointConfig | Grants permission to create an endpoint configuration that can be deployed using Amazon SageMaker hosting services | Write | | sagemaker:ServerlessMaxConcurrency | iam:PassRole sagemaker:AddTags |
CreateExperiment | Grants permission to create an experiment | Write | | | sagemaker:AddTags |
CreateFeatureGroup | Grants permission to create a feature group | Write | | sagemaker:FeatureGroupOnlineStoreKmsKey sagemaker:FeatureGroupOfflineStoreKmsKey sagemaker:FeatureGroupOfflineStoreS3Uri sagemaker:FeatureGroupEnableOnlineStore | iam:PassRole sagemaker:AddTags |
CreateFlowDefinition | Grants permission to create a flow definition, which defines settings for a human workflow | Write | | | iam:PassRole sagemaker:AddTags |
CreateHub | Grants permission to create a hub | Write | | | sagemaker:AddTags |
CreateHubContentReference | Grants permission to create a hub content reference | Write | | | sagemaker:AddTags |
CreateHumanTaskUi | Grants permission to define the settings you will use for the human review workflow user interface | Write | | | sagemaker:AddTags |
CreateHyperParameterTuningJob | Grants permission to create a hyperparameter tuning job that can be deployed using Amazon SageMaker | Write | | sagemaker:FileSystemAccessMode sagemaker:FileSystemDirectoryPath | iam:PassRole sagemaker:AddTags |
CreateImage | Grants permission to create a SageMaker Image | Write | | | iam:PassRole sagemaker:AddTags |
CreateImageVersion | Grants permission to create a SageMaker ImageVersion | Write | |||
CreateInferenceComponent | Grants permission to create an inference component on an endpoint | Write | | | sagemaker:AddTags |
CreateInferenceExperiment | Grants permission to create an inference experiment | Write | | | iam:PassRole sagemaker:AddTags |
CreateInferenceRecommendationsJob | Grants permission to create an inference recommendations job | Write | | | iam:PassRole sagemaker:AddTags |
CreateLabelingJob | Grants permission to start a labeling job. A labeling job takes unlabeled data in and produces labeled data as output, which can be used for training SageMaker models | Write | | | iam:PassRole sagemaker:AddTags |
CreateLineageGroupPolicy | Grants permission to create a lineage group policy | Write | |||
CreateMlflowTrackingServer | Grants permission to create an MLflow tracking server | Write | | | iam:PassRole sagemaker:AddTags |
CreateModel | Grants permission to create a model in Amazon SageMaker. In the request, you specify a name for the model and describe one or more containers | Write | | | iam:PassRole sagemaker:AddTags |
CreateModelBiasJobDefinition | Grants permission to create a model bias job definition | Write | | | iam:PassRole sagemaker:AddTags |
CreateModelCard | Grants permission to create a model card | Write | | | sagemaker:AddTags |
CreateModelCardExportJob | Grants permission to create an export job for a model card | Write | |||
CreateModelExplainabilityJobDefinition | Grants permission to create a model explainability job definition | Write | | | iam:PassRole sagemaker:AddTags |
CreateModelPackage | Grants permission to create a ModelPackage | Write | | sagemaker:CustomerMetadataProperties/${MetadataKey} | sagemaker:AddTags |
CreateModelPackageGroup | Grants permission to create a ModelPackageGroup | Write | | | sagemaker:AddTags |
CreateModelQualityJobDefinition | Grants permission to create a model quality job definition | Write | | | iam:PassRole sagemaker:AddTags |
CreateMonitoringSchedule | Grants permission to create a monitoring schedule | Write | | | iam:PassRole sagemaker:AddTags |
CreateNotebookInstance | Grants permission to create an Amazon SageMaker notebook instance. A notebook instance is an Amazon EC2 instance running Jupyter Notebook | Write | | sagemaker:DirectInternetAccess | iam:PassRole sagemaker:AddTags |
CreateNotebookInstanceLifecycleConfig | Grants permission to create a notebook instance lifecycle configuration that can be deployed using Amazon SageMaker | Write | |||
CreateOptimizationJob | Grants permission to create an optimization job | Write | | | iam:PassRole sagemaker:AddTags |
CreatePartnerApp | Grants permission to create an Amazon SageMaker Partner AI App | Write | | | sagemaker:AddTags |
CreatePartnerAppPresignedUrl | Grants permission to return a URL that you can use from your browser to connect to the Amazon SageMaker Partner AI App | Write | |||
CreatePipeline | Grants permission to create a pipeline | Write | | | iam:PassRole sagemaker:AddTags |
CreatePresignedDomainUrl | Grants permission to return a URL that you can use from your browser to connect to the Domain as a specified UserProfile when AuthMode is 'IAM' | Write | |||
CreatePresignedMlflowTrackingServerUrl | Grants permission to return a URL that you can use from your browser to connect to the MLflow tracking server | Write | |||
CreatePresignedNotebookInstanceUrl | Grants permission to create a URL that you can use from your browser to connect to the Notebook Instance | Write | |||
CreateProcessingJob | Grants permission to start a processing job. After processing completes, Amazon SageMaker saves the resulting artifacts and other optional output to an Amazon S3 location that you specify | Write | | | iam:PassRole sagemaker:AddTags |
CreateProject | Grants permission to create a Project | Write | | | sagemaker:AddTags |
CreateReservedCapacity [permission only] | Grants permission to create a reserved capacity | Write | | | sagemaker:AddTags |
CreateSharedModel [permission only] | Grants permission to create a shared model in a SageMaker Studio application | Write | |||
CreateSpace | Grants permission to create a Space for a SageMaker Domain | Write | | | sagemaker:AddTags |
CreateStudioLifecycleConfig | Grants permission to create a Studio Lifecycle Configuration that can be deployed using Amazon SageMaker | Write | | | sagemaker:AddTags |
CreateTrainingJob | Grants permission to start a model training job. After training completes, Amazon SageMaker saves the resulting model artifacts and other optional output to an Amazon S3 location that you specify | Write | | sagemaker:FileSystemAccessMode sagemaker:FileSystemDirectoryPath | iam:PassRole sagemaker:AddTags |
CreateTrainingPlan | Grants permission to create a training plan that allocates resources for scheduling workloads within a specified time range | Write | | | sagemaker:AddTags sagemaker:CreateReservedCapacity |
CreateTransformJob | Grants permission to start a transform job. After the results are obtained, Amazon SageMaker saves them to an Amazon S3 location that you specify | Write | | | sagemaker:AddTags |
CreateTrial | Grants permission to create a trial | Write | | | sagemaker:AddTags |
CreateTrialComponent | Grants permission to create a trial component | Write | | | sagemaker:AddTags |
CreateUserProfile | Grants permission to create a UserProfile for a SageMaker Domain | Write | | | iam:PassRole sagemaker:AddTags |
CreateWorkforce | Grants permission to create a workforce | Write | | | sagemaker:AddTags |
CreateWorkteam | Grants permission to create a workteam | Write | | | sagemaker:AddTags |
DeleteAction | Grants permission to delete an action | Write | |||
DeleteAlgorithm | Grants permission to delete an algorithm | Write | |||
DeleteApp | Grants permission to delete an App | Write | |||
DeleteAppImageConfig | Grants permission to delete an AppImageConfig | Write | |||
DeleteArtifact | Grants permission to delete an artifact | Write | |||
DeleteAssociation | Grants permission to delete the association from a lineage entity (artifact, context, action, experiment, experiment-trial-component) to another | Write | |||
DeleteCluster | Grants permission to delete a SageMaker HyperPod cluster | Write | | | eks:DeleteAccessEntry |
DeleteClusterSchedulerConfig | Grants permission to delete a cluster scheduler config | Write | |||
DeleteCodeRepository | Grants permission to delete a CodeRepository | Write | |||
DeleteCompilationJob | Grants permission to delete a compilation job | Write | |||
DeleteComputeQuota | Grants permission to delete a compute quota | Write | |||
DeleteContext | Grants permission to delete a context | Write | |||
DeleteDataQualityJobDefinition | Grants permission to delete the data quality job definition created using the CreateDataQualityJobDefinition API | Write | |||
DeleteDeviceFleet | Grants permission to delete a device fleet | Write | |||
DeleteDomain | Grants permission to delete a Domain | Write | |||
DeleteEdgeDeploymentPlan | Grants permission to delete an edge deployment plan | Write | |||
DeleteEdgeDeploymentStage | Grants permission to delete an edge deployment stage | Write | |||
DeleteEndpoint | Grants permission to delete an endpoint. Amazon SageMaker frees up all the resources that were deployed when the endpoint was created | Write | |||
DeleteEndpointConfig | Grants permission to delete the endpoint configuration created using the CreateEndpointConfig API. The DeleteEndpointConfig API deletes only the specified configuration. It does not delete any endpoints created using the configuration | Write | |||
DeleteExperiment | Grants permission to delete an experiment | Write | |||
DeleteFeatureGroup | Grants permission to delete a feature group | Write | |||
DeleteFlowDefinition | Grants permission to delete the specified flow definition | Write | |||
DeleteHub | Grants permission to delete hubs | Write | |||
DeleteHubContent | Grants permission to delete hub content | Write | |||
DeleteHubContentReference | Grants permission to delete hub content reference | Write | |||
DeleteHumanLoop | Grants permission to delete a specified human loop | Write | |||
DeleteHumanTaskUi | Grants permission to delete the specified human task user interface (worker task template) | Write | |||
DeleteHyperParameterTuningJob | Grants permission to delete a hyperparameter tuning job | Write | |||
DeleteImage | Grants permission to delete a SageMaker Image | Write | |||
DeleteImageVersion | Grants permission to delete a SageMaker ImageVersion | Write | |||
DeleteInferenceComponent | Grants permission to delete an inference component. Amazon SageMaker frees up the resources that were reserved when the inference component was created | Write | |||
DeleteInferenceExperiment | Grants permission to delete an inference experiment | Write | |||
DeleteLineageGroupPolicy | Grants permission to delete a lineage group policy | Write | |||
DeleteMlflowTrackingServer | Grants permission to delete an MLflow tracking server | Write | |||
DeleteModel | Grants permission to delete a model created using the CreateModel API. The DeleteModel API deletes only the model entry in Amazon SageMaker that you created by calling the CreateModel API. It does not delete model artifacts, inference code, or the IAM role that you specified when creating the model | Write | |||
DeleteModelBiasJobDefinition | Grants permission to delete the model bias job definition created using the CreateModelBiasJobDefinition API | Write | |||
DeleteModelCard | Grants permission to delete a model card | Write | |||
DeleteModelExplainabilityJobDefinition | Grants permission to delete the model explainability job definition created using the CreateModelExplainabilityJobDefinition API | Write | |||
DeleteModelPackage | Grants permission to delete a ModelPackage | Write | |||
DeleteModelPackageGroup | Grants permission to delete a ModelPackageGroup | Write | |||
DeleteModelPackageGroupPolicy | Grants permission to delete a ModelPackageGroup policy | Write | |||
DeleteModelQualityJobDefinition | Grants permission to delete the model quality job definition created using the CreateModelQualityJobDefinition API | Write | |||
DeleteMonitoringSchedule | Grants permission to delete a monitoring schedule | Write | |||
DeleteNotebookInstance | Grants permission to delete an Amazon SageMaker notebook instance. Before you can delete a notebook instance, you must call the StopNotebookInstance API | Write | |||
DeleteNotebookInstanceLifecycleConfig | Grants permission to delete a notebook instance lifecycle configuration | Write | |||
DeleteOptimizationJob | Grants permission to delete an optimization job | Write | |||
DeletePartnerApp | Grants permission to delete an Amazon SageMaker Partner AI App | Write | |||
DeletePipeline | Grants permission to delete a pipeline | Write | |||
DeleteProject | Grants permission to delete a project | Write | |||
DeleteRecord | Grants permission to delete a record from a feature group | Write | |||
DeleteResourcePolicy [permission only] | Grants AWS Resource Access Manager permission to delete a resource policy on a SageMaker resource that supports cross-account sharing | Write | |||
DeleteSpace | Grants permission to delete a Space | Write | |||
DeleteStudioLifecycleConfig | Grants permission to delete a Studio Lifecycle Configuration | Write | |||
DeleteTags | Grants permission to delete the specified set of tags from an Amazon SageMaker resource | Tagging | |||
DeleteTrial | Grants permission to delete a trial | Write | |||
DeleteTrialComponent | Grants permission to delete a trial component | Write | |||
DeleteUserProfile | Grants permission to delete a UserProfile | Write | |||
DeleteWorkforce | Grants permission to delete a workforce | Write | |||
DeleteWorkteam | Grants permission to delete a workteam | Write | |||
DeployHubModel | Grants permission to deploy a model in hub to an endpoint | Write | |||
DeregisterDevices | Grants permission to deregister a set of devices | Write | |||
DescribeAction | Grants permission to get information about an action | Read | |||
DescribeAlgorithm | Grants permission to describe an algorithm | Read | |||
DescribeApp | Grants permission to describe an App | Read | |||
DescribeAppImageConfig | Grants permission to describe an AppImageConfig | Read | |||
DescribeArtifact | Grants permission to get information about an artifact | Read | |||
DescribeAutoMLJob | Grants permission to describe an AutoML job that was created via the CreateAutoMLJob API | Read | |||
DescribeAutoMLJobV2 | Grants permission to describe an AutoML job that was created via the CreateAutoMLJobV2 API | Read | |||
DescribeCluster | Grants permission to return information about a SageMaker HyperPod cluster | Read | |||
DescribeClusterNode | Grants permission to return information about a SageMaker HyperPod cluster node | Read | |||
DescribeClusterSchedulerConfig | Grants permission to get information about a cluster scheduler config | Read | |||
DescribeCodeRepository | Grants permission to describe a CodeRepository | Read | |||
DescribeCompilationJob | Grants permission to return information about a compilation job | Read | |||
DescribeComputeQuota | Grants permission to get information about a compute quota | Read | |||
DescribeContext | Grants permission to get information about a context | Read | |||
DescribeDataQualityJobDefinition | Grants permission to return information about a data quality job definition | Read | |||
DescribeDevice | Grants permission to access information about a device | Read | |||
DescribeDeviceFleet | Grants permission to access information about a device fleet | Read | |||
DescribeDomain | Grants permission to describe a Domain | Read | |||
DescribeEdgeDeploymentPlan | Grants permission to access information about an edge deployment plan | Read | |||
DescribeEdgePackagingJob | Grants permission to access information about an edge packaging job | Read | |||
DescribeEndpoint | Grants permission to return the description of an endpoint | Read | |||
DescribeEndpointConfig | Grants permission to return the description of an endpoint configuration, which was created using the CreateEndpointConfig API | Read | |||
DescribeExperiment | Grants permission to return information about an experiment | Read | |||
DescribeFeatureGroup | Grants permission to return information about a feature group | Read | |||
DescribeFeatureMetadata | Grants permission to return information about feature metadata | Read | |||
DescribeFlowDefinition | Grants permission to return information about the specified flow definition | Read | |||
DescribeHub | Grants permission to describe hubs | Read | |||
DescribeHubContent | Grants permission to describe hub content | Read | |||
DescribeHumanLoop | Grants permission to return information about the specified human loop | Read | |||
DescribeHumanTaskUi | Grants permission to return detailed information about the specified human review workflow user interface | Read | |||
DescribeHyperParameterTuningJob | Grants permission to describe a hyperparameter tuning job that was created via the CreateHyperParameterTuningJob API | Read | |||
DescribeImage | Grants permission to return information about a SageMaker Image | Read | |||
DescribeImageVersion | Grants permission to return information about a SageMaker ImageVersion | Read | |||
DescribeInferenceComponent | Grants permission to return the description of an inference component | Read | |||
DescribeInferenceExperiment | Grants permission to get information about an inference experiment | Read | |||
DescribeInferenceRecommendationsJob | Grants permission to get information about an inference recommendations job | Read | |||
DescribeLabelingJob | Grants permission to return information about a labeling job | Read | |||
DescribeLineageGroup | Grants permission to describe a lineage group | Read | |||
DescribeMlflowTrackingServer | Grants permission to get information about an MLflow tracking server | Read | |||
DescribeModel | Grants permission to describe a model that you created using the CreateModel API | Read | |||
DescribeModelBiasJobDefinition | Grants permission to return information about a model bias job definition | Read | |||
DescribeModelCard | Grants permission to get information about a model card | Read | |||
DescribeModelCardExportJob | Grants permission to get information about a model card export job | Read | |||
DescribeModelExplainabilityJobDefinition | Grants permission to return information about a model explainability job definition | Read | |||
DescribeModelPackage | Grants permission to describe a ModelPackage | Read | |||
DescribeModelPackageGroup | Grants permission to describe a ModelPackageGroup | Read | |||
DescribeModelQualityJobDefinition | Grants permission to return information about a model quality job definition | Read | |||
DescribeMonitoringSchedule | Grants permission to return information about a monitoring schedule | Read | |||
DescribeNotebookInstance | Grants permission to return information about a notebook instance | Read | |||
DescribeNotebookInstanceLifecycleConfig | Grants permission to describe a notebook instance lifecycle configuration that was created via the CreateNotebookInstanceLifecycleConfig API | Read | |||
DescribeOptimizationJob | Grants permission to return information about an optimization job | Read | |||
DescribePartnerApp | Grants permission to describe an Amazon SageMaker Partner AI App | Read | |||
DescribePipeline | Grants permission to get information about a pipeline | Read | |||
DescribePipelineDefinitionForExecution | Grants permission to get the pipeline definition for a pipeline execution | Read | |||
DescribePipelineExecution | Grants permission to get information about a pipeline execution | Read | |||
DescribeProcessingJob | Grants permission to return information about a processing job | Read | |||
DescribeProject | Grants permission to describe a project | Read | |||
DescribeSharedModel [permission only] | Grants permission to describe a shared model in a SageMaker Studio application | Read | |||
DescribeSpace | Grants permission to describe a Space | Read | |||
DescribeStudioLifecycleConfig | Grants permission to describe a Studio Lifecycle Configuration | Read | |||
DescribeSubscribedWorkteam | Grants permission to return information about a subscribed workteam | Read | |||
DescribeTrainingJob | Grants permission to return information about a training job | Read | |||
DescribeTrainingPlan | Grants permission to return information about a specified training plan | Read | |||
DescribeTransformJob | Grants permission to return information about a transform job | Read | |||
DescribeTrial | Grants permission to return information about a trial | Read | |||
DescribeTrialComponent | Grants permission to return information about a trial component | Read | |||
DescribeUserProfile | Grants permission to describe a UserProfile | Read | |||
DescribeWorkforce | Grants permission to return information about a workforce | Read | |||
DescribeWorkteam | Grants permission to return information about a workteam | Read | |||
DisableSagemakerServicecatalogPortfolio | Grants permission to disable a SageMaker Service Catalog Portfolio | Write | |||
DisassociateTrialComponent | Grants permission to disassociate a trial component from a trial | Write | |||
EnableSagemakerServicecatalogPortfolio | Grants permission to enable a SageMaker Service Catalog Portfolio | Write | |||
GetDeployments | Grants permission to get the deployment plan for a device | Read | |||
GetDeviceFleetReport | Grants permission to access a summary of the devices in a device fleet | Read | |||
GetDeviceRegistration | Grants permission to get device registration. After you deploy a model onto edge devices, this API is used to get the current device registration | Read | |||
GetLineageGroupPolicy | Grants permission to retrieve a lineage group policy | Read | |||
GetModelPackageGroupPolicy | Grants permission to get a ModelPackageGroup policy | Read | |||
GetRecord | Grants permission to get a record from a feature group | Read | |||
GetResourcePolicy [permission only] | Grants AWS Resource Access Manager permission to retrieve a resource policy on a SageMaker resource that supports cross-account sharing | Read | |||
GetSagemakerServicecatalogPortfolioStatus | Grants permission to get a SageMaker Service Catalog Portfolio | Read | |||
GetScalingConfigurationRecommendation | Grants permission to get a scaling policy configuration recommendation | Read | |||
GetSearchSuggestions | Grants permission to get search suggestions when provided with a keyword | Read | |||
ImportHubContent | Grants permission to import hub content | Write | | | sagemaker:AddTags |
InvokeEndpoint | Grants permission to invoke an endpoint. After you deploy a model into production using Amazon SageMaker hosting services, your client applications use this API to get inferences from the model hosted at the specified endpoint | Read | |||
InvokeEndpointAsync | Grants permission to get inferences from the hosted model at the specified endpoint in an asynchronous manner | Read | |||
InvokeEndpointWithResponseStream | Grants permission to get the inference response as a stream from the specified endpoint | Read | |||
ListActions | Grants permission to list actions | List | |||
ListAlgorithms | Grants permission to list Algorithms | List | |||
ListAliases | Grants permission to list Aliases that belong to a SageMaker Image or SageMaker ImageVersion | List | |||
ListAppImageConfigs | Grants permission to list the AppImageConfigs in your account | List | |||
ListApps | Grants permission to list the Apps in your account | List | |||
ListArtifacts | Grants permission to list artifacts | List | |||
ListAssociations | Grants permission to list associations | List | |||
ListAutoMLJobs | Grants permission to list AutoML jobs | List | |||
ListCandidatesForAutoMLJob | Grants permission to list candidates for an AutoML job | List | |||
ListClusterNodes | Grants permission to list nodes within a SageMaker HyperPod cluster | List | |||
ListClusterSchedulerConfigs | Grants permission to list cluster scheduler configs | List | |||
ListClusters | Grants permission to list SageMaker HyperPod clusters | List | |||
ListCodeRepositories | Grants permission to list code repositories | List | |||
ListCompilationJobs | Grants permission to list compilation jobs | List | |||
ListComputeQuotas | Grants permission to list compute quotas | List | |||
ListContexts | Grants permission to list contexts | List | |||
ListDataQualityJobDefinitions | Grants permission to list data quality job definitions | List | |||
ListDeviceFleets | Grants permission to list device fleets | List | |||
ListDevices | Grants permission to list devices | List | |||
ListDomains | Grants permission to list the Domains in your account | List | |||
ListEdgeDeploymentPlans | Grants permission to list edge deployment plans | List | |||
ListEdgePackagingJobs | Grants permission to list edge packaging jobs | List | |||
ListEndpointConfigs | Grants permission to list endpoint configurations | List | |||
ListEndpoints | Grants permission to list endpoints | List | |||
ListExperiments | Grants permission to list experiments | List | |||
ListFeatureGroups | Grants permission to list feature groups | List | |||
ListFlowDefinitions | Grants permission to return summary information about flow definitions, given the specified parameters | List | |||
ListHubContentVersions | Grants permission to list all versions of hub content | List | |||
ListHubContents | Grants permission to list newest versions of hub content | List | |||
ListHubs | Grants permission to list hubs | List | |||
ListHumanLoops | Grants permission to return summary information about human loops, given the specified parameters | List | |||
ListHumanTaskUis | Grants permission to return summary information about human review workflow user interfaces, given the specified parameters | List | |||
ListHyperParameterTuningJobs | Grants permission to list hyperparameter tuning jobs | List | |||
ListImageVersions | Grants permission to list ImageVersions that belong to a SageMaker Image | List | |||
ListImages | Grants permission to list SageMaker Images in your account | List | |||
ListInferenceComponents | Grants permission to list inference components | List | |||
ListInferenceExperiments | Grants permission to list inference experiments | List | |||
ListInferenceRecommendationsJobSteps | Grants permission to list inference recommendations job steps | List | |||
ListInferenceRecommendationsJobs | Grants permission to list inference recommendations jobs | List | |||
ListLabelingJobs | Grants permission to list labeling jobs | List | |||
ListLabelingJobsForWorkteam | Grants permission to list labeling jobs for workteam | List | |||
ListLineageGroups | Grants permission to list lineage groups | List | |||
ListMlflowTrackingServers | Grants permission to list MLflow tracking servers | List | |||
ListModelBiasJobDefinitions | Grants permission to list model bias job definitions | List | |||
ListModelCardExportJobs | Grants permission to list export jobs for a model card | List | |||
ListModelCardVersions | Grants permission to list versions of a model card | List | |||
ListModelCards | Grants permission to list model cards | List | |||
ListModelExplainabilityJobDefinitions | Grants permission to list model explainability job definitions | List | |||
ListModelMetadata | Grants permission to list model metadata for inference recommendations jobs | List | |||
ListModelPackageGroups | Grants permission to list ModelPackageGroups | List | |||
ListModelPackages | Grants permission to list ModelPackages | List | |||
ListModelQualityJobDefinitions | Grants permission to list model quality job definitions | List | |||
ListModels | Grants permission to list the models created with the CreateModel API | List | |||
ListMonitoringAlertHistory | Grants permission to list the history of a monitoring alert | List | |||
ListMonitoringAlerts | Grants permission to list monitoring alerts | List | |||
ListMonitoringExecutions | Grants permission to list monitoring executions | List | |||
ListMonitoringSchedules | Grants permission to list monitoring schedules | List | |||
ListNotebookInstanceLifecycleConfigs | Grants permission to list the notebook instance lifecycle configurations that can be deployed using Amazon SageMaker | List | |||
ListNotebookInstances | Grants permission to list the Amazon SageMaker notebook instances in the requester's account in an AWS Region | List | |||
ListOptimizationJobs | Grants permission to list optimization jobs | List | |||
ListPartnerApps | Grants permission to list the Amazon SageMaker Partner AI Apps in your account | List | |||
ListPipelineExecutionSteps | Grants permission to list steps for a pipeline execution | List | |||
ListPipelineExecutions | Grants permission to list executions for a pipeline | List | |||
ListPipelineParametersForExecution | Grants permission to list parameters for a pipeline execution | List | |||
ListPipelines | Grants permission to list pipelines | List | |||
ListProcessingJobs | Grants permission to list processing jobs | List | |||
ListProjects | Grants permission to list Projects | List | |||
ListResourceCatalogs | Grants permission to list resource catalogs | List | |||
ListSharedModelEvents [permission only] | Grants permission to list shared model events | List | |||
ListSharedModelVersions [permission only] | Grants permission to list shared model versions | List | |||
ListSharedModels [permission only] | Grants permission to list shared models | List | |||
ListSpaces | Grants permission to list the Spaces in your account | List | |||
ListStageDevices | Grants permission to list stage devices | List | |||
ListStudioLifecycleConfigs | Grants permission to list the Studio Lifecycle Configurations that can be deployed using Amazon SageMaker | List | |||
ListSubscribedWorkteams | Grants permission to list subscribed workteams | List | |||
ListTags | Grants permission to list the tag set associated with the specified resource | List | |||
ListTrainingJobs | Grants permission to list training jobs | List | |||
ListTrainingJobsForHyperParameterTuningJob | Grants permission to list training jobs for a hyper parameter tuning job | List | |||
ListTrainingPlans | Grants permission to list all the training plans that have been created in a specified account | List | |||
ListTransformJobs | Grants permission to list transform jobs | List | |||
ListTrialComponents | Grants permission to list trial components | List | |||
ListTrials | Grants permission to list trials | List | |||
ListUserProfiles | Grants permission to list the UserProfiles in your account | List | |||
ListWorkforces | Grants permission to list workforces | List | |||
ListWorkteams | Grants permission to list workteams | List | |||
PutLineageGroupPolicy | Grants permission to put a lineage group policy | Write | |||
PutModelPackageGroupPolicy | Grants permission to put a ModelPackageGroup policy | Write | |||
PutRecord | Grants permission to put a record to a feature group | Write | |||
PutResourcePolicy [permission only] | Grants AWS Resource Access Manager permission to create a resource policy on a SageMaker resource that supports cross-account sharing | Write | |||
QueryLineage | Grants permission to explore the lineage graph | List | |||
RegisterDevices | Grants permission to register a set of devices | Write | |||
RenderUiTemplate | Grants permission to render a UI template used for a human annotation task | Read | | | iam:PassRole |
RetryPipelineExecution | Grants permission to retry a pipeline execution | Write | |||
Search | Grants permission to search for SageMaker objects | Read | |||
SearchTrainingPlanOfferings | Grants permission to search for the available training plan offerings that best match specified capacity requirements | Read | |||
SendHeartbeat | Grants permission to publish heartbeat data from devices. After you deploy a model onto edge devices, this API is used to report device status | Write | |||
SendPipelineExecutionStepFailure | Grants permission to fail a pending callback step | Write | |||
SendPipelineExecutionStepSuccess | Grants permission to succeed a pending callback step | Write | |||
SendSharedModelEvent [permission only] | Grants permission to send a shared model event | Write | |||
StartEdgeDeploymentStage | Grants permission to start an edge deployment stage | Write | |||
StartHumanLoop | Grants permission to start a human loop | Write | |||
StartInferenceExperiment | Grants permission to start an inference experiment | Write | |||
StartMlflowTrackingServer | Grants permission to start an MLflow tracking server | Write | |||
StartMonitoringSchedule | Grants permission to start a monitoring schedule | Write | |||
StartNotebookInstance | Grants permission to start a notebook instance. This launches an EC2 instance with the latest version of the libraries and attaches your EBS volume | Write | |||
StartPipelineExecution | Grants permission to start a pipeline execution | Write | |||
StopAutoMLJob | Grants permission to stop a running AutoML job | Write | |||
StopCompilationJob | Grants permission to stop a compilation job | Write | |||
StopEdgeDeploymentStage | Grants permission to stop an edge deployment stage | Write | |||
StopEdgePackagingJob | Grants permission to stop an edge packaging job | Write | |||
StopHumanLoop | Grants permission to stop a specified human loop | Write | |||
StopHyperParameterTuningJob | Grants permission to stop a running hyper parameter tuning job created via the CreateHyperParameterTuningJob API | Write | |||
StopInferenceExperiment | Grants permission to stop an inference experiment | Write | |||
StopInferenceRecommendationsJob | Grants permission to stop an inference recommendations job | Write | |||
StopLabelingJob | Grants permission to stop a labeling job. Any labels already generated will be exported before stopping | Write | |||
StopMlflowTrackingServer | Grants permission to stop an MLflow tracking server | Write | |||
StopMonitoringSchedule | Grants permission to stop a monitoring schedule | Write | |||
StopNotebookInstance | Grants permission to stop a notebook instance. This terminates the EC2 instance. Before terminating the instance, Amazon SageMaker disconnects the EBS volume from it. Amazon SageMaker preserves the EBS volume | Write | |||
StopOptimizationJob | Grants permission to stop an optimization job | Write | |||
StopPipelineExecution | Grants permission to stop a pipeline execution | Write | |||
StopProcessingJob | Grants permission to stop a processing job. To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds | Write | |||
StopTrainingJob | Grants permission to stop a training job. To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds | Write | |||
StopTransformJob | Grants permission to stop a transform job. When Amazon SageMaker receives a StopTransformJob request, the status of the job changes to Stopping. After Amazon SageMaker stops the job, the status is set to Stopped | Write | |||
TrainHubModel | Grants permission to train a model in hub | Write | |||
UpdateAction | Grants permission to update an action | Write | |||
UpdateAppImageConfig | Grants permission to update an AppImageConfig | Write | |||
UpdateArtifact | Grants permission to update an artifact | Write | |||
UpdateCluster | Grants permission to update a SageMaker HyperPod cluster | Write | | | eks:AssociateAccessPolicy eks:CreateAccessEntry eks:DeleteAccessEntry eks:DescribeAccessEntry eks:DescribeCluster iam:PassRole sagemaker:BatchDeleteClusterNodes |
UpdateClusterSchedulerConfig | Grants permission to update a cluster scheduler config | Write | |||
UpdateClusterSoftware | Grants permission to update platform software for a SageMaker HyperPod cluster | Write | | | eks:DescribeCluster |
UpdateCodeRepository | Grants permission to update a CodeRepository | Write | |||
UpdateComputeQuota | Grants permission to update a compute quota | Write | |||
UpdateContext | Grants permission to update a context | Write | |||
UpdateDeviceFleet | Grants permission to update a device fleet | Write | |||
UpdateDevices | Grants permission to update a set of devices | Write | |||
UpdateDomain | Grants permission to update a Domain | Write | | sagemaker:DomainSharingOutputKmsKey | |
UpdateEndpoint | Grants permission to update an endpoint to use the endpoint configuration specified in the request | Write | |||
UpdateEndpointWeightsAndCapacities | Grants permission to update variant weight, capacity, or both of one or more variants associated with an endpoint | Write | |||
UpdateExperiment | Grants permission to update an experiment | Write | |||
UpdateFeatureGroup | Grants permission to update a feature group | Write | |||
UpdateFeatureMetadata | Grants permission to update feature metadata | Write | |||
UpdateHub | Grants permission to update hubs | Write | |||
UpdateHubContent | Grants permission to update hub content | Write | |||
UpdateHubContentReference | Grants permission to update hub content reference | Write | |||
UpdateImage | Grants permission to update the properties of a SageMaker Image | Write | | | iam:PassRole |
UpdateImageVersion | Grants permission to update the properties of a SageMaker ImageVersion | Write | |||
UpdateInferenceComponent | Grants permission to update an inference component to use the specification and configurations specified in the request | Write | |||
UpdateInferenceComponentRuntimeConfig | Grants permission to update the runtime config of a given inference component | Write | |||
UpdateInferenceExperiment | Grants permission to update an inference experiment | Write | |||
UpdateMlflowTrackingServer | Grants permission to update an MLflow tracking server | Write | |||
UpdateModelCard | Grants permission to update a model card | Write | |||
UpdateModelPackage | Grants permission to update a ModelPackage | Write | | sagemaker:CustomerMetadataProperties/${MetadataKey} sagemaker:CustomerMetadataPropertiesToRemove | |
UpdateMonitoringAlert | Grants permission to update a monitoring alert | Write | |||
UpdateMonitoringSchedule | Grants permission to update a monitoring schedule | Write | | | iam:PassRole |
UpdateNotebookInstance | Grants permission to update a notebook instance. Notebook instance updates include upgrading or downgrading the EC2 instance used for your notebook instance to accommodate changes in your workload requirements | Write | |||
UpdateNotebookInstanceLifecycleConfig | Grants permission to update a notebook instance lifecycle configuration created with the CreateNotebookInstanceLifecycleConfig API | Write | |||
UpdatePartnerApp | Grants permission to update an Amazon SageMaker Partner AI App | Write | |||
UpdatePipeline | Grants permission to update a pipeline | Write | | | iam:PassRole |
UpdatePipelineExecution | Grants permission to update a pipeline execution | Write | |||
UpdateProject | Grants permission to update a Project | Write | |||
UpdateSharedModel [permission only] | Grants permission to update a shared model | Write | |||
UpdateSpace | Grants permission to update a Space | Write | |||
UpdateTrainingJob | Grants permission to update a training job | Write | |||
UpdateTrial | Grants permission to update a trial | Write | |||
UpdateTrialComponent | Grants permission to update a trial component | Write | |||
UpdateUserProfile | Grants permission to update a UserProfile | Write | |||
UpdateWorkforce | Grants permission to update a workforce | Write | |||
UpdateWorkteam | Grants permission to update a workteam | Write | |||
Resource types defined by Amazon SageMaker
The following resource types are defined by this service and can be used in the Resource
element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
device |
device-fleet |
edge-packaging-job |
edge-deployment-plan |
human-loop |
flow-definition |
human-task-ui |
hub |
hub-content |
inference-recommendations-job |
inference-experiment |
labeling-job |
workteam |
workforce |
domain |
user-profile |
space |
app |
app-image-config |
studio-lifecycle-config |
notebook-instance |
notebook-instance-lifecycle-config |
code-repository |
image |
image-version |
algorithm |
cluster |
training-job |
processing-job |
hyper-parameter-tuning-job |
training-plan |
reserved-capacity |
project |
model-package |
model-package-group |
model |
endpoint-config |
endpoint |
inference-component |
transform-job |
compilation-job |
optimization-job |
automl-job |
monitoring-schedule |
monitoring-schedule-alert |
data-quality-job-definition |
model-quality-job-definition |
model-bias-job-definition |
model-explainability-job-definition |
experiment |
experiment-trial |
experiment-trial-component |
feature-group |
pipeline |
pipeline-execution |
artifact |
context |
action |
lineage-group |
model-card |
model-card-export-job |
shared-model |
shared-model-event |
sagemaker-catalog |
mlflow-tracking-server |
compute-quota |
cluster-scheduler-config |
partner-app |
Condition keys for Amazon SageMaker
Amazon SageMaker defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
aws:RequestTag/${TagKey} | Filters access by a key that is present in the request the user makes to the SageMaker service | String |
aws:ResourceTag/${TagKey} | Filters access by a tag key and value pair | String |
aws:TagKeys | Filters access by the list of all the tag key names associated with the resource in the request | ArrayOfString |
sagemaker:AcceleratorTypes | Filters access by the list of all accelerator types associated with the resource in the request | ArrayOfString |
sagemaker:AppNetworkAccessType | Filters access by the app network access type associated with the resource in the request | String |
sagemaker:CustomerMetadataProperties/${MetadataKey} | Filters access by a metadata key and value pair | String |
sagemaker:CustomerMetadataPropertiesToRemove | Filters access by the list of metadata properties associated with the model-package resource in the request | ArrayOfString |
sagemaker:DirectGatedModelAccess | Used to deny direct access to SageMaker gated ModelReferences | String |
sagemaker:DirectInternetAccess | Filters access by the direct internet access associated with the resource in the request | String |
sagemaker:DomainId | You can use the domainId as a policy variable to filter requests from specific SageMaker Domains | String |
sagemaker:DomainSharingOutputKmsKey | Filters access by the Domain sharing output KMS key associated with the resource in the request | ARN |
sagemaker:EnableRemoteDebug | Filters access by the remote debug config in the request | Bool |
sagemaker:FeatureGroupDisableGlueTableCreation | Filters access by the DisableGlueTableCreation flag associated with the feature group resource in the request | Bool |
sagemaker:FeatureGroupEnableOnlineStore | Filters access by the EnableOnlineStore flag associated with feature group in the request | Bool |
sagemaker:FeatureGroupOfflineStoreConfig | Filters access by the presence of an OfflineStoreConfig in the feature group resource in the request. This access filter only supports the null-conditional operator | Bool |
sagemaker:FeatureGroupOfflineStoreKmsKey | Filters access by the offline store KMS key associated with the feature group resource in the request | ARN |
sagemaker:FeatureGroupOfflineStoreS3Uri | Filters access by the offline store S3 URI associated with the feature group resource in the request | String |
sagemaker:FeatureGroupOnlineStoreKmsKey | Filters access by the online store KMS key associated with the feature group resource in the request | ARN |
sagemaker:FileSystemAccessMode | Filters access by a file system access mode associated with the resource in the request | String |
sagemaker:FileSystemDirectoryPath | Filters access by a file system directory path associated with the resource in the request | String |
sagemaker:FileSystemId | Filters access by a file system ID associated with the resource in the request | String |
sagemaker:FileSystemType | Filters access by a file system type associated with the resource in the request | String |
sagemaker:HomeEfsFileSystemKmsKey | Filters access by a key that is present in the request the user makes to the SageMaker service. This key is deprecated. It has been replaced by sagemaker:VolumeKmsKey | ARN |
sagemaker:ImageArns | Filters access by the list of all image ARNs associated with the resource in the request | ArrayOfARN |
sagemaker:ImageVersionArns | Filters access by the list of all image version ARNs associated with the resource in the request | ArrayOfARN |
sagemaker:InstanceTypes | Filters access by the list of all instance types associated with the resource in the request | ArrayOfString |
sagemaker:InterContainerTrafficEncryption | Filters access by the inter container traffic encryption associated with the resource in the request | Bool |
sagemaker:KeepAlivePeriod | Filters access by the keep-alive period associated with the resource in the request | Numeric |
sagemaker:MaxRuntimeInSeconds | Filters access by the max runtime in seconds associated with the resource in the request | Numeric |
sagemaker:MinimumInstanceMetadataServiceVersion | Filters access by the minimum instance metadata service version used by the resource in the request | String |
sagemaker:ModelApprovalStatus | Filters access by the model approval status associated with the model-package in the request | String |
sagemaker:ModelArn | Filters access by the model ARN associated with the resource in the request | ARN |
sagemaker:ModelLifeCycle:Stage | Filters access by stage field in the model life cycle object associated with the model-package resource in the request | String |
sagemaker:ModelLifeCycle:StageStatus | Filters access by stageStatus field in the model life cycle object associated with the model-package resource in the request | String |
sagemaker:NetworkIsolation | Filters access by the network isolation associated with the resource in the request | Bool |
sagemaker:OutputKmsKey | Filters access by the output KMS key associated with the resource in the request | ARN |
sagemaker:OwnerUserProfileArn | Filters access by the OwnerUserProfile ARN associated with the space in the request | ARN |
sagemaker:ResourceTag/ | Filters access by the preface string for a tag key and value pair attached to a resource | String |
sagemaker:ResourceTag/${TagKey} | Filters access by a tag key and value pair | String |
sagemaker:RootAccess | Filters access by the root access associated with the resource in the request | String |
sagemaker:SearchVisibilityCondition/${FilterKey} | Limits the results of your search request to the resources that you can access. ${FilterKey} is a key that the VisibilityConditions configuration presents in the Search request | String |
sagemaker:ServerlessMaxConcurrency | Filters access by limiting maximum concurrency used for Serverless inference in the request | Numeric |
sagemaker:ServerlessMemorySize | Filters access by limiting memory size used for Serverless inference in the request | Numeric |
sagemaker:SpaceSharingType | Filters access by the sharing type associated with the space in the request | String |
sagemaker:TaggingAction | Filters access by the API actions to which a user can apply tags. Uses the name of the API operation that creates a taggable resource to filter access | String |
sagemaker:TargetModel | Filters access by the target model associated with the Multi-Model Endpoint in the request | String |
sagemaker:UserProfileName | You can use the UserProfileName as a policy variable to filter requests from specific user profiles within a SageMaker Domain. This context key is not applicable to user profiles within shared spaces | String |
sagemaker:VolumeKmsKey | Filters access by the volume KMS key associated with the resource in the request | ARN |
sagemaker:VpcSecurityGroupIds | Filters access by the list of all VPC security group IDs associated with the resource in the request | ArrayOfString |
sagemaker:VpcSubnets | Filters access by the list of all VPC subnets associated with the resource in the request | ArrayOfString |
sagemaker:WorkteamArn | Filters access by the workteam ARN associated with the request | ARN |
sagemaker:WorkteamType | Filters access by the workteam type associated with the request. This can be public-crowd, private-crowd or vendor-crowd | String |