These AWS managed policies add permissions to use built-in Amazon SageMaker AI project templates and JumpStart solutions. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console.
SageMaker Projects and JumpStart use AWS Service Catalog to provision AWS resources in customers' accounts. Some of the created resources need to assume an execution role. For example, if AWS Service Catalog creates a CodePipeline pipeline on behalf of a customer for a SageMaker AI machine learning CI/CD project, that pipeline requires an IAM role.
The AmazonSageMakerServiceCatalogProductsLaunchRole role passes an AmazonSageMakerServiceCatalogProductsUseRole role to the provisioned AWS Service Catalog product resources.
Topics
- AWS managed policy: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy
- AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy
- AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy
- AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy
- AWS managed policy: AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy
- AWS managed policy: AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy
- AWS managed policy: AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy
- AWS managed policy: AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy
- AWS managed policy: AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy
- AWS managed policy: AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy
- AWS managed policy: AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy
- AWS managed policy: AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy
- Amazon SageMaker AI updates to AWS Service Catalog AWS managed policies
AWS managed policy: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy
This service role policy is used by the AWS Service Catalog service to provision products from the Amazon SageMaker AI portfolio. The policy grants permissions to a set of related AWS services, including AWS CodePipeline, AWS CodeBuild, AWS CodeCommit, AWS CloudFormation, AWS Glue, and others.
The AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy policy is intended to be used by the AmazonSageMakerServiceCatalogProductsLaunchRole role created from the SageMaker AI console. The policy adds permissions to provision AWS resources for SageMaker Projects and JumpStart using Service Catalog to a customer's account.
Permissions details
This policy includes the following permissions.
- apigateway: Allows the role to call API Gateway endpoints that are tagged with sagemaker:launch-source.
- cloudformation: Allows AWS Service Catalog to create, update, and delete CloudFormation stacks. Also allows Service Catalog to tag and untag resources.
- codebuild: Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create, update, and delete CodeBuild projects.
- codecommit: Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create, update, and delete CodeCommit repositories.
- codepipeline: Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create, update, and delete CodePipelines.
- codestarconnections, codestar-connections: Also allows the role to pass AWS CodeConnections and AWS CodeStar connections.
- cognito-idp: Allows the role to create, update, and delete groups and user pools. Also allows tagging resources.
- ecr: Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create and delete Amazon ECR repositories. Also allows tagging resources.
- events: Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create and delete EventBridge rules. Used to tie together the various components of the CI/CD pipeline.
- firehose: Allows the role to interact with Firehose streams.
- glue: Allows the role to interact with AWS Glue.
- iam: Allows the role to pass roles prefixed with AmazonSageMakerServiceCatalog. This is required when Projects provisions an AWS Service Catalog product, because a role must be passed to AWS Service Catalog.
- lambda: Allows the role to interact with AWS Lambda. Also allows tagging resources.
- logs: Allows the role to create, delete, and access log streams.
- s3: Allows the role assumed by AWS Service Catalog and passed to CloudFormation to access the Amazon S3 buckets where the project template code is stored.
- sagemaker: Allows the role to interact with various SageMaker AI services. This is done both in CloudFormation during template provisioning and in CodeBuild during CI/CD pipeline execution. Also allows tagging the following resources: endpoints, endpoint configurations, models, pipelines, projects, and model packages.
- states: Allows the role to create, delete, and update Step Functions prefixed with sagemaker.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AmazonSageMakerServiceCatalogAPIGatewayPermission",
"Effect": "Allow",
"Action": [
"apigateway:GET",
"apigateway:POST",
"apigateway:PUT",
"apigateway:PATCH",
"apigateway:DELETE"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:ResourceTag/sagemaker:launch-source": "*"
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogAPIGatewayPostPermission",
"Effect": "Allow",
"Action": [
"apigateway:POST"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringLike": {
"aws:TagKeys": [
"sagemaker:launch-source"
]
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogAPIGatewayPatchPermission",
"Effect": "Allow",
"Action": [
"apigateway:PATCH"
],
"Resource": [
"arn:aws:apigateway:*::/account"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogCFnMutatePermission",
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack",
"cloudformation:UpdateStack",
"cloudformation:DeleteStack"
],
"Resource": "arn:aws:cloudformation:*:*:stack/SC-*",
"Condition": {
"ArnLikeIfExists": {
"cloudformation:RoleArn": [
"arn:aws:sts::*:assumed-role/AmazonSageMakerServiceCatalog*"
]
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogCFnTagPermission",
"Effect": "Allow",
"Action": [
"cloudformation:TagResource",
"cloudformation:UntagResource"
],
"Resource": "arn:aws:cloudformation:*:*:stack/SC-*",
"Condition" : {
"Null": {
"aws:ResourceTag/sagemaker:project-name": "false"
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogCFnReadPermission",
"Effect": "Allow",
"Action": [
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStacks"
],
"Resource": "arn:aws:cloudformation:*:*:stack/SC-*"
},
{
"Sid": "AmazonSageMakerServiceCatalogCFnTemplatePermission",
"Effect": "Allow",
"Action": [
"cloudformation:GetTemplateSummary",
"cloudformation:ValidateTemplate"
],
"Resource": "*"
},
{
"Sid": "AmazonSageMakerServiceCatalogCodeBuildPermission",
"Effect": "Allow",
"Action": [
"codebuild:CreateProject",
"codebuild:DeleteProject",
"codebuild:UpdateProject"
],
"Resource": [
"arn:aws:codebuild:*:*:project/sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogCodeCommitPermission",
"Effect": "Allow",
"Action": [
"codecommit:CreateCommit",
"codecommit:CreateRepository",
"codecommit:DeleteRepository",
"codecommit:GetRepository",
"codecommit:TagResource"
],
"Resource": [
"arn:aws:codecommit:*:*:sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogCodeCommitListPermission",
"Effect": "Allow",
"Action": [
"codecommit:ListRepositories"
],
"Resource": "*"
},
{
"Sid": "AmazonSageMakerServiceCatalogCodePipelinePermission",
"Effect": "Allow",
"Action": [
"codepipeline:CreatePipeline",
"codepipeline:DeletePipeline",
"codepipeline:GetPipeline",
"codepipeline:GetPipelineState",
"codepipeline:StartPipelineExecution",
"codepipeline:TagResource",
"codepipeline:UpdatePipeline"
],
"Resource": [
"arn:aws:codepipeline:*:*:sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogCIAMUserPermission",
"Effect": "Allow",
"Action": [
"cognito-idp:CreateUserPool",
"cognito-idp:TagResource"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringLike": {
"aws:TagKeys": [
"sagemaker:launch-source"
]
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogCIAMPermission",
"Effect": "Allow",
"Action": [
"cognito-idp:CreateGroup",
"cognito-idp:CreateUserPoolDomain",
"cognito-idp:CreateUserPoolClient",
"cognito-idp:DeleteGroup",
"cognito-idp:DeleteUserPool",
"cognito-idp:DeleteUserPoolClient",
"cognito-idp:DeleteUserPoolDomain",
"cognito-idp:DescribeUserPool",
"cognito-idp:DescribeUserPoolClient",
"cognito-idp:UpdateUserPool",
"cognito-idp:UpdateUserPoolClient"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:ResourceTag/sagemaker:launch-source": "*"
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogECRPermission",
"Effect": "Allow",
"Action": [
"ecr:CreateRepository",
"ecr:DeleteRepository",
"ecr:TagResource"
],
"Resource": [
"arn:aws:ecr:*:*:repository/sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogEventBridgePermission",
"Effect": "Allow",
"Action": [
"events:DescribeRule",
"events:DeleteRule",
"events:DisableRule",
"events:EnableRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets"
],
"Resource": [
"arn:aws:events:*:*:rule/sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogFirehosePermission",
"Effect": "Allow",
"Action": [
"firehose:CreateDeliveryStream",
"firehose:DeleteDeliveryStream",
"firehose:DescribeDeliveryStream",
"firehose:StartDeliveryStreamEncryption",
"firehose:StopDeliveryStreamEncryption",
"firehose:UpdateDestination"
],
"Resource": "arn:aws:firehose:*:*:deliverystream/sagemaker-*"
},
{
"Sid": "AmazonSageMakerServiceCatalogGluePermission",
"Effect": "Allow",
"Action": [
"glue:CreateDatabase",
"glue:DeleteDatabase"
],
"Resource": [
"arn:aws:glue:*:*:catalog",
"arn:aws:glue:*:*:database/sagemaker-*",
"arn:aws:glue:*:*:table/sagemaker-*",
"arn:aws:glue:*:*:userDefinedFunction/sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogGlueClassiferPermission",
"Effect": "Allow",
"Action": [
"glue:CreateClassifier",
"glue:DeleteClassifier",
"glue:DeleteCrawler",
"glue:DeleteJob",
"glue:DeleteTrigger",
"glue:DeleteWorkflow",
"glue:StopCrawler"
],
"Resource": [
"*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogGlueWorkflowPermission",
"Effect": "Allow",
"Action": [
"glue:CreateWorkflow"
],
"Resource": [
"arn:aws:glue:*:*:workflow/sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogGlueJobPermission",
"Effect": "Allow",
"Action": [
"glue:CreateJob"
],
"Resource": [
"arn:aws:glue:*:*:job/sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogGlueCrawlerPermission",
"Effect": "Allow",
"Action": [
"glue:CreateCrawler",
"glue:GetCrawler"
],
"Resource": [
"arn:aws:glue:*:*:crawler/sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogGlueTriggerPermission",
"Effect": "Allow",
"Action": [
"glue:CreateTrigger",
"glue:GetTrigger"
],
"Resource": [
"arn:aws:glue:*:*:trigger/sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogPassRolePermission",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalog*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogLambdaPermission",
"Effect": "Allow",
"Action": [
"lambda:AddPermission",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:GetFunctionConfiguration",
"lambda:InvokeFunction",
"lambda:RemovePermission"
],
"Resource": [
"arn:aws:lambda:*:*:function:sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogLambdaTagPermission",
"Effect": "Allow",
"Action": "lambda:TagResource",
"Resource": [
"arn:aws:lambda:*:*:function:sagemaker-*"
],
"Condition": {
"ForAllValues:StringLike": {
"aws:TagKeys": [
"sagemaker:*"
]
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogLogGroupPermission",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DeleteLogGroup",
"logs:DeleteLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutRetentionPolicy"
],
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/apigateway/AccessLogs/*",
"arn:aws:logs:*:*:log-group::log-stream:*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogS3ReadPermission",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "*",
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/servicecatalog:provisioning": "true"
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogS3ReadSagemakerResourcePermission",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogS3MutatePermission",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:GetBucketPolicy",
"s3:PutBucketAcl",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:PutBucketLogging",
"s3:PutEncryptionConfiguration",
"s3:PutBucketCORS",
"s3:PutBucketTagging",
"s3:PutObjectTagging"
],
"Resource": "arn:aws:s3:::sagemaker-*"
},
{
"Sid": "AmazonSageMakerServiceCatalogSageMakerPermission",
"Effect": "Allow",
"Action": [
"sagemaker:CreateEndpoint",
"sagemaker:CreateEndpointConfig",
"sagemaker:CreateModel",
"sagemaker:CreateWorkteam",
"sagemaker:DeleteEndpoint",
"sagemaker:DeleteEndpointConfig",
"sagemaker:DeleteModel",
"sagemaker:DeleteWorkteam",
"sagemaker:DescribeModel",
"sagemaker:DescribeEndpointConfig",
"sagemaker:DescribeEndpoint",
"sagemaker:DescribeWorkteam",
"sagemaker:CreateCodeRepository",
"sagemaker:DescribeCodeRepository",
"sagemaker:UpdateCodeRepository",
"sagemaker:DeleteCodeRepository"
],
"Resource": [
"arn:aws:sagemaker:*:*:*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogSageMakerTagPermission",
"Effect": "Allow",
"Action": [
"sagemaker:AddTags"
],
"Resource": [
"arn:aws:sagemaker:*:*:endpoint/*",
"arn:aws:sagemaker:*:*:endpoint-config/*",
"arn:aws:sagemaker:*:*:model/*",
"arn:aws:sagemaker:*:*:pipeline/*",
"arn:aws:sagemaker:*:*:project/*",
"arn:aws:sagemaker:*:*:model-package/*"
],
"Condition": {
"ForAllValues:StringLike": {
"aws:TagKeys": [
"sagemaker:*"
]
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogSageMakerImagePermission",
"Effect": "Allow",
"Action": [
"sagemaker:CreateImage",
"sagemaker:DeleteImage",
"sagemaker:DescribeImage",
"sagemaker:UpdateImage",
"sagemaker:ListTags"
],
"Resource": [
"arn:aws:sagemaker:*:*:image/*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogStepFunctionPermission",
"Effect": "Allow",
"Action": [
"states:CreateStateMachine",
"states:DeleteStateMachine",
"states:UpdateStateMachine"
],
"Resource": [
"arn:aws:states:*:*:stateMachine:sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogCodeStarPermission",
"Effect": "Allow",
"Action": "codestar-connections:PassConnection",
"Resource": "arn:aws:codestar-connections:*:*:connection/*",
"Condition": {
"StringEquals": {
"codestar-connections:PassedToService": "codepipeline.amazonaws.com"
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogCodeConnectionPermission",
"Effect": "Allow",
"Action": "codeconnections:PassConnection",
"Resource": "arn:aws:codeconnections:*:*:connection/*",
"Condition": {
"StringEquals": {
"codeconnections:PassedToService": "codepipeline.amazonaws.com"
}
}
}
]
}
AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy
This policy is used by Amazon API Gateway within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole
Permissions details
This policy includes the following permissions.
- lambda: Invoke a function created by a partner template.
- sagemaker: Invoke an endpoint created by a partner template.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:*:*:function:sagemaker-*",
"Condition": {
"Null": {
"aws:ResourceTag/sagemaker:project-name": "false",
"aws:ResourceTag/sagemaker:partner": "false"
},
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Effect": "Allow",
"Action": "sagemaker:InvokeEndpoint",
"Resource": "arn:aws:sagemaker:*:*:endpoint/*",
"Condition": {
"Null": {
"aws:ResourceTag/sagemaker:project-name": "false",
"aws:ResourceTag/sagemaker:partner": "false"
},
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
}
]
}
AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy
This policy is used by AWS CloudFormation within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole then
Permissions details
This policy includes the following permissions.
- iam: Pass the AmazonSageMakerServiceCatalogProductsLambdaRole and AmazonSageMakerServiceCatalogProductsApiGatewayRole roles.
- lambda: Create, update, delete, and invoke AWS Lambda functions; retrieve, publish, and delete versions of a Lambda layer.
- apigateway: Create, update, and delete Amazon API Gateway resources.
- s3: Retrieve the lambda-auth-code/layer.zip file from an Amazon Simple Storage Service (Amazon S3) bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsLambdaRole"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": "lambda.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsApiGatewayRole"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": "apigateway.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"lambda:DeleteFunction",
"lambda:UpdateFunctionCode",
"lambda:ListTags",
"lambda:InvokeFunction"
],
"Resource": [
"arn:aws:lambda:*:*:function:sagemaker-*"
],
"Condition": {
"Null": {
"aws:ResourceTag/sagemaker:project-name": "false",
"aws:ResourceTag/sagemaker:partner": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:TagResource"
],
"Resource": [
"arn:aws:lambda:*:*:function:sagemaker-*"
],
"Condition": {
"Null": {
"aws:ResourceTag/sagemaker:project-name": "false",
"aws:ResourceTag/sagemaker:partner": "false"
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"sagemaker:project-name",
"sagemaker:partner"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"lambda:PublishLayerVersion",
"lambda:GetLayerVersion",
"lambda:DeleteLayerVersion",
"lambda:GetFunction"
],
"Resource": [
"arn:aws:lambda:*:*:layer:sagemaker-*",
"arn:aws:lambda:*:*:function:sagemaker-*"
]
},
{
"Effect": "Allow",
"Action": [
"apigateway:GET",
"apigateway:DELETE",
"apigateway:PATCH",
"apigateway:POST",
"apigateway:PUT"
],
"Resource": [
"arn:aws:apigateway:*::/restapis/*",
"arn:aws:apigateway:*::/restapis"
],
"Condition": {
"Null": {
"aws:ResourceTag/sagemaker:project-name": "false",
"aws:ResourceTag/sagemaker:partner": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"apigateway:POST",
"apigateway:PUT"
],
"Resource": [
"arn:aws:apigateway:*::/restapis",
"arn:aws:apigateway:*::/tags/*"
],
"Condition": {
"Null": {
"aws:ResourceTag/sagemaker:project-name": "false",
"aws:ResourceTag/sagemaker:partner": "false"
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"sagemaker:project-name",
"sagemaker:partner"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::sagemaker-*/lambda-auth-code/layer.zip"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
}
]
}
AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy
This policy is used by AWS Lambda within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole then
Permissions details
This policy includes the following permissions.
- secretsmanager: Retrieve data from partner-provided secrets for a partner template.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:*:*:secret:*",
"Condition": {
"Null": {
"aws:ResourceTag/sagemaker:partner": false
},
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
}
]
}
AWS managed policy: AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy
This policy is used by Amazon API Gateway within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole
Permissions details
This policy includes the following permissions.
- logs: Create and read CloudWatch Logs groups, streams, and events; update events; describe various resources. These permissions are limited to resources whose log group prefix starts with "aws/apigateway/".
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogDelivery",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DeleteLogDelivery",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:DescribeResourcePolicies",
"logs:DescribeDestinations",
"logs:DescribeExportTasks",
"logs:DescribeMetricFilters",
"logs:DescribeQueries",
"logs:DescribeQueryDefinitions",
"logs:DescribeSubscriptionFilters",
"logs:GetLogDelivery",
"logs:GetLogEvents",
"logs:PutLogEvents",
"logs:PutResourcePolicy",
"logs:UpdateLogDelivery"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/apigateway/*"
}
]
}
AWS managed policy: AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy
This policy is used by AWS CloudFormation within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole then
Permissions details
This policy includes the following permissions.
- sagemaker: Allow access to various SageMaker AI resources, including domains, user profiles, apps, and flow definitions.
- iam: Pass the AmazonSageMakerServiceCatalogProductsCodeBuildRole and AmazonSageMakerServiceCatalogProductsExecutionRole roles.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sagemaker:AddAssociation",
"sagemaker:AddTags",
"sagemaker:AssociateTrialComponent",
"sagemaker:BatchDescribeModelPackage",
"sagemaker:BatchGetMetrics",
"sagemaker:BatchGetRecord",
"sagemaker:BatchPutMetrics",
"sagemaker:CreateAction",
"sagemaker:CreateAlgorithm",
"sagemaker:CreateApp",
"sagemaker:CreateAppImageConfig",
"sagemaker:CreateArtifact",
"sagemaker:CreateAutoMLJob",
"sagemaker:CreateCodeRepository",
"sagemaker:CreateCompilationJob",
"sagemaker:CreateContext",
"sagemaker:CreateDataQualityJobDefinition",
"sagemaker:CreateDeviceFleet",
"sagemaker:CreateDomain",
"sagemaker:CreateEdgePackagingJob",
"sagemaker:CreateEndpoint",
"sagemaker:CreateEndpointConfig",
"sagemaker:CreateExperiment",
"sagemaker:CreateFeatureGroup",
"sagemaker:CreateFlowDefinition",
"sagemaker:CreateHumanTaskUi",
"sagemaker:CreateHyperParameterTuningJob",
"sagemaker:CreateImage",
"sagemaker:CreateImageVersion",
"sagemaker:CreateInferenceRecommendationsJob",
"sagemaker:CreateLabelingJob",
"sagemaker:CreateLineageGroupPolicy",
"sagemaker:CreateModel",
"sagemaker:CreateModelBiasJobDefinition",
"sagemaker:CreateModelExplainabilityJobDefinition",
"sagemaker:CreateModelPackage",
"sagemaker:CreateModelPackageGroup",
"sagemaker:CreateModelQualityJobDefinition",
"sagemaker:CreateMonitoringSchedule",
"sagemaker:CreateNotebookInstance",
"sagemaker:CreateNotebookInstanceLifecycleConfig",
"sagemaker:CreatePipeline",
"sagemaker:CreatePresignedDomainUrl",
"sagemaker:CreatePresignedNotebookInstanceUrl",
"sagemaker:CreateProcessingJob",
"sagemaker:CreateProject",
"sagemaker:CreateTrainingJob",
"sagemaker:CreateTransformJob",
"sagemaker:CreateTrial",
"sagemaker:CreateTrialComponent",
"sagemaker:CreateUserProfile",
"sagemaker:CreateWorkforce",
"sagemaker:CreateWorkteam",
"sagemaker:DeleteAction",
"sagemaker:DeleteAlgorithm",
"sagemaker:DeleteApp",
"sagemaker:DeleteAppImageConfig",
"sagemaker:DeleteArtifact",
"sagemaker:DeleteAssociation",
"sagemaker:DeleteCodeRepository",
"sagemaker:DeleteContext",
"sagemaker:DeleteDataQualityJobDefinition",
"sagemaker:DeleteDeviceFleet",
"sagemaker:DeleteDomain",
"sagemaker:DeleteEndpoint",
"sagemaker:DeleteEndpointConfig",
"sagemaker:DeleteExperiment",
"sagemaker:DeleteFeatureGroup",
"sagemaker:DeleteFlowDefinition",
"sagemaker:DeleteHumanLoop",
"sagemaker:DeleteHumanTaskUi",
"sagemaker:DeleteImage",
"sagemaker:DeleteImageVersion",
"sagemaker:DeleteLineageGroupPolicy",
"sagemaker:DeleteModel",
"sagemaker:DeleteModelBiasJobDefinition",
"sagemaker:DeleteModelExplainabilityJobDefinition",
"sagemaker:DeleteModelPackage",
"sagemaker:DeleteModelPackageGroup",
"sagemaker:DeleteModelPackageGroupPolicy",
"sagemaker:DeleteModelQualityJobDefinition",
"sagemaker:DeleteMonitoringSchedule",
"sagemaker:DeleteNotebookInstance",
"sagemaker:DeleteNotebookInstanceLifecycleConfig",
"sagemaker:DeletePipeline",
"sagemaker:DeleteProject",
"sagemaker:DeleteRecord",
"sagemaker:DeleteTags",
"sagemaker:DeleteTrial",
"sagemaker:DeleteTrialComponent",
"sagemaker:DeleteUserProfile",
"sagemaker:DeleteWorkforce",
"sagemaker:DeleteWorkteam",
"sagemaker:DeregisterDevices",
"sagemaker:DescribeAction",
"sagemaker:DescribeAlgorithm",
"sagemaker:DescribeApp",
"sagemaker:DescribeAppImageConfig",
"sagemaker:DescribeArtifact",
"sagemaker:DescribeAutoMLJob",
"sagemaker:DescribeCodeRepository",
"sagemaker:DescribeCompilationJob",
"sagemaker:DescribeContext",
"sagemaker:DescribeDataQualityJobDefinition",
"sagemaker:DescribeDevice",
"sagemaker:DescribeDeviceFleet",
"sagemaker:DescribeDomain",
"sagemaker:DescribeEdgePackagingJob",
"sagemaker:DescribeEndpoint",
"sagemaker:DescribeEndpointConfig",
"sagemaker:DescribeExperiment",
"sagemaker:DescribeFeatureGroup",
"sagemaker:DescribeFlowDefinition",
"sagemaker:DescribeHumanLoop",
"sagemaker:DescribeHumanTaskUi",
"sagemaker:DescribeHyperParameterTuningJob",
"sagemaker:DescribeImage",
"sagemaker:DescribeImageVersion",
"sagemaker:DescribeInferenceRecommendationsJob",
"sagemaker:DescribeLabelingJob",
"sagemaker:DescribeLineageGroup",
"sagemaker:DescribeModel",
"sagemaker:DescribeModelBiasJobDefinition",
"sagemaker:DescribeModelExplainabilityJobDefinition",
"sagemaker:DescribeModelPackage",
"sagemaker:DescribeModelPackageGroup",
"sagemaker:DescribeModelQualityJobDefinition",
"sagemaker:DescribeMonitoringSchedule",
"sagemaker:DescribeNotebookInstance",
"sagemaker:DescribeNotebookInstanceLifecycleConfig",
"sagemaker:DescribePipeline",
"sagemaker:DescribePipelineDefinitionForExecution",
"sagemaker:DescribePipelineExecution",
"sagemaker:DescribeProcessingJob",
"sagemaker:DescribeProject",
"sagemaker:DescribeSubscribedWorkteam",
"sagemaker:DescribeTrainingJob",
"sagemaker:DescribeTransformJob",
"sagemaker:DescribeTrial",
"sagemaker:DescribeTrialComponent",
"sagemaker:DescribeUserProfile",
"sagemaker:DescribeWorkforce",
"sagemaker:DescribeWorkteam",
"sagemaker:DisableSagemakerServicecatalogPortfolio",
"sagemaker:DisassociateTrialComponent",
"sagemaker:EnableSagemakerServicecatalogPortfolio",
"sagemaker:GetDeviceFleetReport",
"sagemaker:GetDeviceRegistration",
"sagemaker:GetLineageGroupPolicy",
"sagemaker:GetModelPackageGroupPolicy",
"sagemaker:GetRecord",
"sagemaker:GetSagemakerServicecatalogPortfolioStatus",
"sagemaker:GetSearchSuggestions",
"sagemaker:InvokeEndpoint",
"sagemaker:InvokeEndpointAsync",
"sagemaker:ListActions",
"sagemaker:ListAlgorithms",
"sagemaker:ListAppImageConfigs",
"sagemaker:ListApps",
"sagemaker:ListArtifacts",
"sagemaker:ListAssociations",
"sagemaker:ListAutoMLJobs",
"sagemaker:ListCandidatesForAutoMLJob",
"sagemaker:ListCodeRepositories",
"sagemaker:ListCompilationJobs",
"sagemaker:ListContexts",
"sagemaker:ListDataQualityJobDefinitions",
"sagemaker:ListDeviceFleets",
"sagemaker:ListDevices",
"sagemaker:ListDomains",
"sagemaker:ListEdgePackagingJobs",
"sagemaker:ListEndpointConfigs",
"sagemaker:ListEndpoints",
"sagemaker:ListExperiments",
"sagemaker:ListFeatureGroups",
"sagemaker:ListFlowDefinitions",
"sagemaker:ListHumanLoops",
"sagemaker:ListHumanTaskUis",
"sagemaker:ListHyperParameterTuningJobs",
"sagemaker:ListImageVersions",
"sagemaker:ListImages",
"sagemaker:ListInferenceRecommendationsJobs",
"sagemaker:ListLabelingJobs",
"sagemaker:ListLabelingJobsForWorkteam",
"sagemaker:ListLineageGroups",
"sagemaker:ListModelBiasJobDefinitions",
"sagemaker:ListModelExplainabilityJobDefinitions",
"sagemaker:ListModelMetadata",
"sagemaker:ListModelPackageGroups",
"sagemaker:ListModelPackages",
"sagemaker:ListModelQualityJobDefinitions",
"sagemaker:ListModels",
"sagemaker:ListMonitoringExecutions",
"sagemaker:ListMonitoringSchedules",
"sagemaker:ListNotebookInstanceLifecycleConfigs",
"sagemaker:ListNotebookInstances",
"sagemaker:ListPipelineExecutionSteps",
"sagemaker:ListPipelineExecutions",
"sagemaker:ListPipelineParametersForExecution",
"sagemaker:ListPipelines",
"sagemaker:ListProcessingJobs",
"sagemaker:ListProjects",
"sagemaker:ListSubscribedWorkteams",
"sagemaker:ListTags",
"sagemaker:ListTrainingJobs",
"sagemaker:ListTrainingJobsForHyperParameterTuningJob",
"sagemaker:ListTransformJobs",
"sagemaker:ListTrialComponents",
"sagemaker:ListTrials",
"sagemaker:ListUserProfiles",
"sagemaker:ListWorkforces",
"sagemaker:ListWorkteams",
"sagemaker:PutLineageGroupPolicy",
"sagemaker:PutModelPackageGroupPolicy",
"sagemaker:PutRecord",
"sagemaker:QueryLineage",
"sagemaker:RegisterDevices",
"sagemaker:RenderUiTemplate",
"sagemaker:Search",
"sagemaker:SendHeartbeat",
"sagemaker:SendPipelineExecutionStepFailure",
"sagemaker:SendPipelineExecutionStepSuccess",
"sagemaker:StartHumanLoop",
"sagemaker:StartMonitoringSchedule",
"sagemaker:StartNotebookInstance",
"sagemaker:StartPipelineExecution",
"sagemaker:StopAutoMLJob",
"sagemaker:StopCompilationJob",
"sagemaker:StopEdgePackagingJob",
"sagemaker:StopHumanLoop",
"sagemaker:StopHyperParameterTuningJob",
"sagemaker:StopInferenceRecommendationsJob",
"sagemaker:StopLabelingJob",
"sagemaker:StopMonitoringSchedule",
"sagemaker:StopNotebookInstance",
"sagemaker:StopPipelineExecution",
"sagemaker:StopProcessingJob",
"sagemaker:StopTrainingJob",
"sagemaker:StopTransformJob",
"sagemaker:UpdateAction",
"sagemaker:UpdateAppImageConfig",
"sagemaker:UpdateArtifact",
"sagemaker:UpdateCodeRepository",
"sagemaker:UpdateContext",
"sagemaker:UpdateDeviceFleet",
"sagemaker:UpdateDevices",
"sagemaker:UpdateDomain",
"sagemaker:UpdateEndpoint",
"sagemaker:UpdateEndpointWeightsAndCapacities",
"sagemaker:UpdateExperiment",
"sagemaker:UpdateImage",
"sagemaker:UpdateModelPackage",
"sagemaker:UpdateMonitoringSchedule",
"sagemaker:UpdateNotebookInstance",
"sagemaker:UpdateNotebookInstanceLifecycleConfig",
"sagemaker:UpdatePipeline",
"sagemaker:UpdatePipelineExecution",
"sagemaker:UpdateProject",
"sagemaker:UpdateTrainingJob",
"sagemaker:UpdateTrial",
"sagemaker:UpdateTrialComponent",
"sagemaker:UpdateUserProfile",
"sagemaker:UpdateWorkforce",
"sagemaker:UpdateWorkteam"
],
"NotResource": [
"arn:aws:sagemaker:*:*:domain/*",
"arn:aws:sagemaker:*:*:user-profile/*",
"arn:aws:sagemaker:*:*:app/*",
"arn:aws:sagemaker:*:*:flow-definition/*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCodeBuildRole",
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsExecutionRole"
]
}
]
}
AWS managed policy: AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy
AWS CodeBuild uses this policy within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole then
Permissions details
This policy includes the following permissions.
- sagemaker: Allows access to various SageMaker AI resources.
- codecommit: Upload CodeCommit archives to CodeBuild pipelines, get upload status, and cancel uploads; get branch and commit information. These permissions are limited to resources whose name starts with “sagemaker-”.
- ecr: Create Amazon ECR repositories and container images; upload image layers. These permissions are limited to repositories whose name starts with “sagemaker-”.
- ecr: Read all resources.
- iam: Pass the following roles:
  - AmazonSageMakerServiceCatalogProductsCloudformationRole to AWS CloudFormation.
  - AmazonSageMakerServiceCatalogProductsCodeBuildRole to AWS CodeBuild.
  - AmazonSageMakerServiceCatalogProductsCodePipelineRole to AWS CodePipeline.
  - AmazonSageMakerServiceCatalogProductsEventsRole to Amazon EventBridge.
  - AmazonSageMakerServiceCatalogProductsExecutionRole to Amazon SageMaker AI.
- logs: Create and read CloudWatch Logs groups, streams, and events; update events; describe various resources. These permissions are limited to resources whose name prefix starts with “aws/codebuild/”.
- s3: Create, read, and list Amazon S3 buckets. These permissions are limited to buckets whose name starts with “sagemaker-”.
- codestarconnections, codestar-connections: Use AWS CodeConnections and AWS CodeStar connections.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AmazonSageMakerCodeBuildCodeCommitPermission",
"Effect": "Allow",
"Action": [
"codecommit:CancelUploadArchive",
"codecommit:GetBranch",
"codecommit:GetCommit",
"codecommit:GetUploadArchiveStatus",
"codecommit:UploadArchive"
],
"Resource": "arn:aws:codecommit:*:*:sagemaker-*"
},
{
"Sid": "AmazonSageMakerCodeBuildECRReadPermission",
"Effect": "Allow",
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeImageScanFindings",
"ecr:DescribeRegistry",
"ecr:DescribeImageReplicationStatus",
"ecr:DescribeRepositories",
"ecr:DescribeImageReplicationStatus",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer"
],
"Resource": [
"*"
]
},
{
"Sid": "AmazonSageMakerCodeBuildECRWritePermission",
"Effect": "Allow",
"Action": [
"ecr:CompleteLayerUpload",
"ecr:CreateRepository",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": [
"arn:aws:ecr:*:*:repository/sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerCodeBuildPassRoletPermission",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsEventsRole",
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCodePipelineRole",
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCloudformationRole",
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCodeBuildRole",
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsExecutionRole"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"events.amazonaws.com",
"codepipeline.amazonaws.com",
"cloudformation.amazonaws.com",
"codebuild.amazonaws.com",
"sagemaker.amazonaws.com"
]
}
}
},
{
"Sid": "AmazonSageMakerCodeBuildLogPermission",
"Effect": "Allow",
"Action": [
"logs:CreateLogDelivery",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DeleteLogDelivery",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:DescribeResourcePolicies",
"logs:DescribeDestinations",
"logs:DescribeExportTasks",
"logs:DescribeMetricFilters",
"logs:DescribeQueries",
"logs:DescribeQueryDefinitions",
"logs:DescribeSubscriptionFilters",
"logs:GetLogDelivery",
"logs:GetLogEvents",
"logs:ListLogDeliveries",
"logs:PutLogEvents",
"logs:PutResourcePolicy",
"logs:UpdateLogDelivery"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/codebuild/*"
},
{
"Sid": "AmazonSageMakerCodeBuildS3Permission",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:GetBucketAcl",
"s3:GetBucketCors",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutBucketCors",
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::aws-glue-*",
"arn:aws:s3:::sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerCodeBuildSageMakerPermission",
"Effect": "Allow",
"Action": [
"sagemaker:AddAssociation",
"sagemaker:AddTags",
"sagemaker:AssociateTrialComponent",
"sagemaker:BatchDescribeModelPackage",
"sagemaker:BatchGetMetrics",
"sagemaker:BatchGetRecord",
"sagemaker:BatchPutMetrics",
"sagemaker:CreateAction",
"sagemaker:CreateAlgorithm",
"sagemaker:CreateApp",
"sagemaker:CreateAppImageConfig",
"sagemaker:CreateArtifact",
"sagemaker:CreateAutoMLJob",
"sagemaker:CreateCodeRepository",
"sagemaker:CreateCompilationJob",
"sagemaker:CreateContext",
"sagemaker:CreateDataQualityJobDefinition",
"sagemaker:CreateDeviceFleet",
"sagemaker:CreateDomain",
"sagemaker:CreateEdgePackagingJob",
"sagemaker:CreateEndpoint",
"sagemaker:CreateEndpointConfig",
"sagemaker:CreateExperiment",
"sagemaker:CreateFeatureGroup",
"sagemaker:CreateFlowDefinition",
"sagemaker:CreateHumanTaskUi",
"sagemaker:CreateHyperParameterTuningJob",
"sagemaker:CreateImage",
"sagemaker:CreateImageVersion",
"sagemaker:CreateInferenceRecommendationsJob",
"sagemaker:CreateLabelingJob",
"sagemaker:CreateLineageGroupPolicy",
"sagemaker:CreateModel",
"sagemaker:CreateModelBiasJobDefinition",
"sagemaker:CreateModelExplainabilityJobDefinition",
"sagemaker:CreateModelPackage",
"sagemaker:CreateModelPackageGroup",
"sagemaker:CreateModelQualityJobDefinition",
"sagemaker:CreateMonitoringSchedule",
"sagemaker:CreateNotebookInstance",
"sagemaker:CreateNotebookInstanceLifecycleConfig",
"sagemaker:CreatePipeline",
"sagemaker:CreatePresignedDomainUrl",
"sagemaker:CreatePresignedNotebookInstanceUrl",
"sagemaker:CreateProcessingJob",
"sagemaker:CreateProject",
"sagemaker:CreateTrainingJob",
"sagemaker:CreateTransformJob",
"sagemaker:CreateTrial",
"sagemaker:CreateTrialComponent",
"sagemaker:CreateUserProfile",
"sagemaker:CreateWorkforce",
"sagemaker:CreateWorkteam",
"sagemaker:DeleteAction",
"sagemaker:DeleteAlgorithm",
"sagemaker:DeleteApp",
"sagemaker:DeleteAppImageConfig",
"sagemaker:DeleteArtifact",
"sagemaker:DeleteAssociation",
"sagemaker:DeleteCodeRepository",
"sagemaker:DeleteContext",
"sagemaker:DeleteDataQualityJobDefinition",
"sagemaker:DeleteDeviceFleet",
"sagemaker:DeleteDomain",
"sagemaker:DeleteEndpoint",
"sagemaker:DeleteEndpointConfig",
"sagemaker:DeleteExperiment",
"sagemaker:DeleteFeatureGroup",
"sagemaker:DeleteFlowDefinition",
"sagemaker:DeleteHumanLoop",
"sagemaker:DeleteHumanTaskUi",
"sagemaker:DeleteImage",
"sagemaker:DeleteImageVersion",
"sagemaker:DeleteLineageGroupPolicy",
"sagemaker:DeleteModel",
"sagemaker:DeleteModelBiasJobDefinition",
"sagemaker:DeleteModelExplainabilityJobDefinition",
"sagemaker:DeleteModelPackage",
"sagemaker:DeleteModelPackageGroup",
"sagemaker:DeleteModelPackageGroupPolicy",
"sagemaker:DeleteModelQualityJobDefinition",
"sagemaker:DeleteMonitoringSchedule",
"sagemaker:DeleteNotebookInstance",
"sagemaker:DeleteNotebookInstanceLifecycleConfig",
"sagemaker:DeletePipeline",
"sagemaker:DeleteProject",
"sagemaker:DeleteRecord",
"sagemaker:DeleteTags",
"sagemaker:DeleteTrial",
"sagemaker:DeleteTrialComponent",
"sagemaker:DeleteUserProfile",
"sagemaker:DeleteWorkforce",
"sagemaker:DeleteWorkteam",
"sagemaker:DeregisterDevices",
"sagemaker:DescribeAction",
"sagemaker:DescribeAlgorithm",
"sagemaker:DescribeApp",
"sagemaker:DescribeAppImageConfig",
"sagemaker:DescribeArtifact",
"sagemaker:DescribeAutoMLJob",
"sagemaker:DescribeCodeRepository",
"sagemaker:DescribeCompilationJob",
"sagemaker:DescribeContext",
"sagemaker:DescribeDataQualityJobDefinition",
"sagemaker:DescribeDevice",
"sagemaker:DescribeDeviceFleet",
"sagemaker:DescribeDomain",
"sagemaker:DescribeEdgePackagingJob",
"sagemaker:DescribeEndpoint",
"sagemaker:DescribeEndpointConfig",
"sagemaker:DescribeExperiment",
"sagemaker:DescribeFeatureGroup",
"sagemaker:DescribeFlowDefinition",
"sagemaker:DescribeHumanLoop",
"sagemaker:DescribeHumanTaskUi",
"sagemaker:DescribeHyperParameterTuningJob",
"sagemaker:DescribeImage",
"sagemaker:DescribeImageVersion",
"sagemaker:DescribeInferenceRecommendationsJob",
"sagemaker:DescribeLabelingJob",
"sagemaker:DescribeLineageGroup",
"sagemaker:DescribeModel",
"sagemaker:DescribeModelBiasJobDefinition",
"sagemaker:DescribeModelExplainabilityJobDefinition",
"sagemaker:DescribeModelPackage",
"sagemaker:DescribeModelPackageGroup",
"sagemaker:DescribeModelQualityJobDefinition",
"sagemaker:DescribeMonitoringSchedule",
"sagemaker:DescribeNotebookInstance",
"sagemaker:DescribeNotebookInstanceLifecycleConfig",
"sagemaker:DescribePipeline",
"sagemaker:DescribePipelineDefinitionForExecution",
"sagemaker:DescribePipelineExecution",
"sagemaker:DescribeProcessingJob",
"sagemaker:DescribeProject",
"sagemaker:DescribeSubscribedWorkteam",
"sagemaker:DescribeTrainingJob",
"sagemaker:DescribeTransformJob",
"sagemaker:DescribeTrial",
"sagemaker:DescribeTrialComponent",
"sagemaker:DescribeUserProfile",
"sagemaker:DescribeWorkforce",
"sagemaker:DescribeWorkteam",
"sagemaker:DisableSagemakerServicecatalogPortfolio",
"sagemaker:DisassociateTrialComponent",
"sagemaker:EnableSagemakerServicecatalogPortfolio",
"sagemaker:GetDeviceFleetReport",
"sagemaker:GetDeviceRegistration",
"sagemaker:GetLineageGroupPolicy",
"sagemaker:GetModelPackageGroupPolicy",
"sagemaker:GetRecord",
"sagemaker:GetSagemakerServicecatalogPortfolioStatus",
"sagemaker:GetSearchSuggestions",
"sagemaker:InvokeEndpoint",
"sagemaker:InvokeEndpointAsync",
"sagemaker:ListActions",
"sagemaker:ListAlgorithms",
"sagemaker:ListAppImageConfigs",
"sagemaker:ListApps",
"sagemaker:ListArtifacts",
"sagemaker:ListAssociations",
"sagemaker:ListAutoMLJobs",
"sagemaker:ListCandidatesForAutoMLJob",
"sagemaker:ListCodeRepositories",
"sagemaker:ListCompilationJobs",
"sagemaker:ListContexts",
"sagemaker:ListDataQualityJobDefinitions",
"sagemaker:ListDeviceFleets",
"sagemaker:ListDevices",
"sagemaker:ListDomains",
"sagemaker:ListEdgePackagingJobs",
"sagemaker:ListEndpointConfigs",
"sagemaker:ListEndpoints",
"sagemaker:ListExperiments",
"sagemaker:ListFeatureGroups",
"sagemaker:ListFlowDefinitions",
"sagemaker:ListHumanLoops",
"sagemaker:ListHumanTaskUis",
"sagemaker:ListHyperParameterTuningJobs",
"sagemaker:ListImageVersions",
"sagemaker:ListImages",
"sagemaker:ListInferenceRecommendationsJobs",
"sagemaker:ListLabelingJobs",
"sagemaker:ListLabelingJobsForWorkteam",
"sagemaker:ListLineageGroups",
"sagemaker:ListModelBiasJobDefinitions",
"sagemaker:ListModelExplainabilityJobDefinitions",
"sagemaker:ListModelMetadata",
"sagemaker:ListModelPackageGroups",
"sagemaker:ListModelPackages",
"sagemaker:ListModelQualityJobDefinitions",
"sagemaker:ListModels",
"sagemaker:ListMonitoringExecutions",
"sagemaker:ListMonitoringSchedules",
"sagemaker:ListNotebookInstanceLifecycleConfigs",
"sagemaker:ListNotebookInstances",
"sagemaker:ListPipelineExecutionSteps",
"sagemaker:ListPipelineExecutions",
"sagemaker:ListPipelineParametersForExecution",
"sagemaker:ListPipelines",
"sagemaker:ListProcessingJobs",
"sagemaker:ListProjects",
"sagemaker:ListSubscribedWorkteams",
"sagemaker:ListTags",
"sagemaker:ListTrainingJobs",
"sagemaker:ListTrainingJobsForHyperParameterTuningJob",
"sagemaker:ListTransformJobs",
"sagemaker:ListTrialComponents",
"sagemaker:ListTrials",
"sagemaker:ListUserProfiles",
"sagemaker:ListWorkforces",
"sagemaker:ListWorkteams",
"sagemaker:PutLineageGroupPolicy",
"sagemaker:PutModelPackageGroupPolicy",
"sagemaker:PutRecord",
"sagemaker:QueryLineage",
"sagemaker:RegisterDevices",
"sagemaker:RenderUiTemplate",
"sagemaker:Search",
"sagemaker:SendHeartbeat",
"sagemaker:SendPipelineExecutionStepFailure",
"sagemaker:SendPipelineExecutionStepSuccess",
"sagemaker:StartHumanLoop",
"sagemaker:StartMonitoringSchedule",
"sagemaker:StartNotebookInstance",
"sagemaker:StartPipelineExecution",
"sagemaker:StopAutoMLJob",
"sagemaker:StopCompilationJob",
"sagemaker:StopEdgePackagingJob",
"sagemaker:StopHumanLoop",
"sagemaker:StopHyperParameterTuningJob",
"sagemaker:StopInferenceRecommendationsJob",
"sagemaker:StopLabelingJob",
"sagemaker:StopMonitoringSchedule",
"sagemaker:StopNotebookInstance",
"sagemaker:StopPipelineExecution",
"sagemaker:StopProcessingJob",
"sagemaker:StopTrainingJob",
"sagemaker:StopTransformJob",
"sagemaker:UpdateAction",
"sagemaker:UpdateAppImageConfig",
"sagemaker:UpdateArtifact",
"sagemaker:UpdateCodeRepository",
"sagemaker:UpdateContext",
"sagemaker:UpdateDeviceFleet",
"sagemaker:UpdateDevices",
"sagemaker:UpdateDomain",
"sagemaker:UpdateEndpoint",
"sagemaker:UpdateEndpointWeightsAndCapacities",
"sagemaker:UpdateExperiment",
"sagemaker:UpdateImage",
"sagemaker:UpdateModelPackage",
"sagemaker:UpdateMonitoringSchedule",
"sagemaker:UpdateNotebookInstance",
"sagemaker:UpdateNotebookInstanceLifecycleConfig",
"sagemaker:UpdatePipeline",
"sagemaker:UpdatePipelineExecution",
"sagemaker:UpdateProject",
"sagemaker:UpdateTrainingJob",
"sagemaker:UpdateTrial",
"sagemaker:UpdateTrialComponent",
"sagemaker:UpdateUserProfile",
"sagemaker:UpdateWorkforce",
"sagemaker:UpdateWorkteam"
],
"Resource": [
"arn:aws:sagemaker:*:*:endpoint/*",
"arn:aws:sagemaker:*:*:endpoint-config/*",
"arn:aws:sagemaker:*:*:model/*",
"arn:aws:sagemaker:*:*:pipeline/*",
"arn:aws:sagemaker:*:*:project/*",
"arn:aws:sagemaker:*:*:model-package/*"
]
},
{
"Sid" : "AmazonSageMakerCodeBuildCodeStarConnectionPermission",
"Effect": "Allow",
"Action": [
"codestar-connections:UseConnection"
],
"Resource": [
"arn:aws:codestar-connections:*:*:connection/*"
],
"Condition": {
"StringEqualsIgnoreCase": {
"aws:ResourceTag/sagemaker": "true"
}
}
},
{
"Sid" : "AmazonSageMakerCodeBuildCodeConnectionPermission",
"Effect": "Allow",
"Action": [
"codeconnections:UseConnection"
],
"Resource": [
"arn:aws:codeconnections:*:*:connection/*"
],
"Condition": {
"StringEqualsIgnoreCase": {
"aws:ResourceTag/sagemaker": "true"
}
}
}
]
}
AWS managed policy: AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy
AWS CodePipeline uses this policy within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole then
Permissions details
This policy includes the following permissions.
- cloudformation: Create, read, delete, and update CloudFormation stacks; create, read, delete, and execute change sets; set a stack policy; tag and untag resources. These permissions are limited to resources whose name starts with “sagemaker-”.
- s3: Create, read, list, and delete Amazon S3 buckets; add, read, and delete objects from the buckets; read and set the CORS configuration; read the access control list (ACL); and read the AWS Region the bucket resides in. These permissions are limited to buckets whose name starts with “sagemaker-” or “aws-glue-”.
- iam: Pass the AmazonSageMakerServiceCatalogProductsCloudformationRole role.
- codebuild: Get CodeBuild build information and start builds. These permissions are limited to projects and build resources whose name starts with “sagemaker-”.
- codecommit: Upload CodeCommit archives to CodeBuild pipelines, get upload status, and cancel uploads; get branch and commit information.
- codestarconnections, codestar-connections: Use AWS CodeConnections and AWS CodeStar connections.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid" : "AmazonSageMakerCodePipelineCFnPermission",
"Effect": "Allow",
"Action": [
"cloudformation:CreateChangeSet",
"cloudformation:CreateStack",
"cloudformation:DescribeChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:ExecuteChangeSet",
"cloudformation:SetStackPolicy",
"cloudformation:UpdateStack"
],
"Resource": "arn:aws:cloudformation:*:*:stack/sagemaker-*"
},
{
"Sid" : "AmazonSageMakerCodePipelineCFnTagPermission",
"Effect": "Allow",
"Action": [
"cloudformation:TagResource",
"cloudformation:UntagResource"
],
"Resource": "arn:aws:cloudformation:*:*:stack/sagemaker-*",
"Condition" : {
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"sagemaker:project-name"
]
}
}
},
{
"Sid" : "AmazonSageMakerCodePipelineS3Permission",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::sagemaker-*"
]
},
{
"Sid" : "AmazonSageMakerCodePipelinePassRolePermission",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCloudformationRole"
]
},
{
"Sid" : "AmazonSageMakerCodePipelineCodeBuildPermission",
"Effect": "Allow",
"Action": [
"codebuild:BatchGetBuilds",
"codebuild:StartBuild"
],
"Resource": [
"arn:aws:codebuild:*:*:project/sagemaker-*",
"arn:aws:codebuild:*:*:build/sagemaker-*"
]
},
{
"Sid" : "AmazonSageMakerCodePipelineCodeCommitPermission",
"Effect": "Allow",
"Action": [
"codecommit:CancelUploadArchive",
"codecommit:GetBranch",
"codecommit:GetCommit",
"codecommit:GetUploadArchiveStatus",
"codecommit:UploadArchive"
],
"Resource": "arn:aws:codecommit:*:*:sagemaker-*"
},
{
"Sid" : "AmazonSageMakerCodePipelineCodeStarConnectionPermission",
"Effect": "Allow",
"Action": [
"codestar-connections:UseConnection"
],
"Resource": [
"arn:aws:codestar-connections:*:*:connection/*"
],
"Condition": {
"StringEqualsIgnoreCase": {
"aws:ResourceTag/sagemaker": "true"
}
}
},
{
"Sid" : "AmazonSageMakerCodePipelineCodeConnectionPermission",
"Effect": "Allow",
"Action": [
"codeconnections:UseConnection"
],
"Resource": [
"arn:aws:codeconnections:*:*:connection/*"
],
"Condition": {
"StringEqualsIgnoreCase": {
"aws:ResourceTag/sagemaker": "true"
}
}
}
]
}
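A review helper for policies like the ones above, added here as an example (it is not AWS code): it flags Allow statements that grant iam:PassRole without an iam:PassedToService condition, that use a bare "*" resource, or that use NotResource. The function name audit_policy, the finding labels, and the shortened sample statements are assumptions made for this example.

```python
import fnmatch
import json

# Constructed sample: four statements taken from the policies on this page,
# with long Action/Resource lists shortened. The last one has no Sid here.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonSageMakerCodeBuildECRReadPermission",
      "Effect": "Allow",
      "Action": ["ecr:BatchGetImage", "ecr:GetAuthorizationToken"],
      "Resource": ["*"]
    },
    {
      "Sid": "AmazonSageMakerCodeBuildPassRoletPermission",
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCodeBuildRole"
      ],
      "Condition": {
        "StringEquals": {"iam:PassedToService": ["codebuild.amazonaws.com"]}
      }
    },
    {
      "Sid": "AmazonSageMakerCodePipelinePassRolePermission",
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCloudformationRole"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["sagemaker:UpdateWorkteam"],
      "NotResource": ["arn:aws:sagemaker:*:*:domain/*"]
    }
  ]
}
""")


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants(statement, action):
    """True if the statement's Action patterns cover `action`.

    Action names are case-insensitive and may contain * and ? wildcards,
    so "iam:*" and "*" both cover iam:PassRole.
    """
    patterns = _as_list(statement.get("Action"))
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_keys(statement):
    """Lower-cased condition keys used under any condition operator."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(key.lower() for key in operator_block)
    return keys


def audit_policy(policy):
    """Return (sid, finding) tuples for Allow statements worth a closer look."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", f"statement[{index}]")
        # PassRole scoped only by role ARN: any service may receive the role.
        if _grants(statement, "iam:PassRole") and \
                "iam:passedtoservice" not in _condition_keys(statement):
            findings.append((sid, "passrole-without-passedtoservice"))
        # A bare "*" applies the actions to every resource in the account.
        if "*" in _as_list(statement.get("Resource")):
            findings.append((sid, "wildcard-resource"))
        # Allow + NotResource grants everything except the listed ARNs.
        if "NotResource" in statement:
            findings.append((sid, "allow-with-notresource"))
    return findings


if __name__ == "__main__":
    for sid, finding in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

Findings are prompts for review rather than defects: ecr:GetAuthorizationToken, for instance, only accepts "*" as its resource.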
AWS managed policy: AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy
Amazon EventBridge uses this policy within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole then
Permissions details
This policy includes the following permissions.
- codepipeline: Start a CodeBuild execution. These permissions are limited to pipelines whose name starts with “sagemaker-”.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "codepipeline:StartPipelineExecution",
"Resource": "arn:aws:codepipeline:*:*:sagemaker-*"
}
]
}
AWS managed policy: AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy
Amazon Data Firehose uses this policy within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole then
Permissions details
This policy includes the following permissions.
- firehose: Allows sending Firehose records. These permissions are limited to resources whose delivery stream name starts with “sagemaker-”.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"firehose:PutRecord",
"firehose:PutRecordBatch"
],
"Resource": "arn:aws:firehose:*:*:deliverystream/sagemaker-*"
}
]
}
AWS managed policy: AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy
AWS Glue uses this policy within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole then
Permissions details
This policy includes the following permissions.
- glue: Create, read, and delete AWS Glue partitions, tables, and table versions. These permissions are limited to resources whose name starts with “sagemaker-”. Create and read AWS Glue databases. These permissions are limited to databases whose name is “default”, “global_temp”, or starts with “sagemaker-”. User-defined functions.
- s3: Create, read, list, and delete Amazon S3 buckets; add, read, and delete objects from the buckets; read and set the CORS configuration; read the access control list (ACL); and read the AWS Region the bucket resides in. These permissions are limited to buckets whose name starts with “sagemaker-” or “aws-glue-”.
- logs: Create, read, and delete CloudWatch Logs log groups, streams, and deliveries; and create a resource policy. These permissions are limited to resources whose name prefix starts with “aws/glue/”.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"glue:BatchCreatePartition",
"glue:BatchDeletePartition",
"glue:BatchDeleteTable",
"glue:BatchDeleteTableVersion",
"glue:BatchGetPartition",
"glue:CreateDatabase",
"glue:CreatePartition",
"glue:CreateTable",
"glue:DeletePartition",
"glue:DeleteTable",
"glue:DeleteTableVersion",
"glue:GetDatabase",
"glue:GetPartition",
"glue:GetPartitions",
"glue:GetTable",
"glue:GetTables",
"glue:GetTableVersion",
"glue:GetTableVersions",
"glue:SearchTables",
"glue:UpdatePartition",
"glue:UpdateTable",
"glue:GetUserDefinedFunctions"
],
"Resource": [
"arn:aws:glue:*:*:catalog",
"arn:aws:glue:*:*:database/default",
"arn:aws:glue:*:*:database/global_temp",
"arn:aws:glue:*:*:database/sagemaker-*",
"arn:aws:glue:*:*:table/sagemaker-*",
"arn:aws:glue:*:*:tableVersion/sagemaker-*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:GetBucketAcl",
"s3:GetBucketCors",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutBucketCors"
],
"Resource": [
"arn:aws:s3:::aws-glue-*",
"arn:aws:s3:::sagemaker-*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::aws-glue-*",
"arn:aws:s3:::sagemaker-*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogDelivery",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DeleteLogDelivery",
"logs:Describe*",
"logs:GetLogDelivery",
"logs:GetLogEvents",
"logs:ListLogDeliveries",
"logs:PutLogEvents",
"logs:PutResourcePolicy",
"logs:UpdateLogDelivery"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/glue/*"
}
]
}
AWS managed policy: AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy
AWS Lambda uses this policy within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole then
Permissions details
This policy includes the following permissions.
- sagemaker: Allows access to various SageMaker AI resources.
- ecr: Create and delete Amazon ECR repositories; create, read, and delete container images; upload image layers. These permissions are limited to repositories whose name starts with “sagemaker-”.
- events: Create, read, and delete Amazon EventBridge rules; and create and remove targets. These permissions are limited to rules whose name starts with “sagemaker-”.
- s3: Create, read, list, and delete Amazon S3 buckets; add, read, and delete objects from the buckets; read and set the CORS configuration; read the access control list (ACL); and read the AWS Region the bucket resides in. These permissions are limited to buckets whose name starts with “sagemaker-” or “aws-glue-”.
- iam: Pass the AmazonSageMakerServiceCatalogProductsExecutionRole role.
- logs: Create, read, and delete CloudWatch Logs log groups, streams, and deliveries; and create a resource policy. These permissions are limited to resources whose name prefix starts with “aws/lambda/”.
- codebuild: Start and get information about AWS CodeBuild builds.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid" : "AmazonSageMakerLambdaECRPermission",
"Effect": "Allow",
"Action": [
"ecr:DescribeImages",
"ecr:BatchDeleteImage",
"ecr:CompleteLayerUpload",
"ecr:CreateRepository",
"ecr:DeleteRepository",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": [
"arn:aws:ecr:*:*:repository/sagemaker-*"
]
},
{
"Sid" : "AmazonSageMakerLambdaEventBridgePermission",
"Effect": "Allow",
"Action": [
"events:DeleteRule",
"events:DescribeRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets"
],
"Resource": [
"arn:aws:events:*:*:rule/sagemaker-*"
]
},
{
"Sid" : "AmazonSageMakerLambdaS3BucketPermission",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:GetBucketAcl",
"s3:GetBucketCors",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutBucketCors"
],
"Resource": [
"arn:aws:s3:::aws-glue-*",
"arn:aws:s3:::sagemaker-*"
]
},
{
"Sid" : "AmazonSageMakerLambdaS3ObjectPermission",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::aws-glue-*",
"arn:aws:s3:::sagemaker-*"
]
},
{
"Sid" : "AmazonSageMakerLambdaSageMakerPermission",
"Effect": "Allow",
"Action": [
"sagemaker:AddAssociation",
"sagemaker:AddTags",
"sagemaker:AssociateTrialComponent",
"sagemaker:BatchDescribeModelPackage",
"sagemaker:BatchGetMetrics",
"sagemaker:BatchGetRecord",
"sagemaker:BatchPutMetrics",
"sagemaker:CreateAction",
"sagemaker:CreateAlgorithm",
"sagemaker:CreateApp",
"sagemaker:CreateAppImageConfig",
"sagemaker:CreateArtifact",
"sagemaker:CreateAutoMLJob",
"sagemaker:CreateCodeRepository",
"sagemaker:CreateCompilationJob",
"sagemaker:CreateContext",
"sagemaker:CreateDataQualityJobDefinition",
"sagemaker:CreateDeviceFleet",
"sagemaker:CreateDomain",
"sagemaker:CreateEdgePackagingJob",
"sagemaker:CreateEndpoint",
"sagemaker:CreateEndpointConfig",
"sagemaker:CreateExperiment",
"sagemaker:CreateFeatureGroup",
"sagemaker:CreateFlowDefinition",
"sagemaker:CreateHumanTaskUi",
"sagemaker:CreateHyperParameterTuningJob",
"sagemaker:CreateImage",
"sagemaker:CreateImageVersion",
"sagemaker:CreateInferenceRecommendationsJob",
"sagemaker:CreateLabelingJob",
"sagemaker:CreateLineageGroupPolicy",
"sagemaker:CreateModel",
"sagemaker:CreateModelBiasJobDefinition",
"sagemaker:CreateModelExplainabilityJobDefinition",
"sagemaker:CreateModelPackage",
"sagemaker:CreateModelPackageGroup",
"sagemaker:CreateModelQualityJobDefinition",
"sagemaker:CreateMonitoringSchedule",
"sagemaker:CreateNotebookInstance",
"sagemaker:CreateNotebookInstanceLifecycleConfig",
"sagemaker:CreatePipeline",
"sagemaker:CreatePresignedDomainUrl",
"sagemaker:CreatePresignedNotebookInstanceUrl",
"sagemaker:CreateProcessingJob",
"sagemaker:CreateProject",
"sagemaker:CreateTrainingJob",
"sagemaker:CreateTransformJob",
"sagemaker:CreateTrial",
"sagemaker:CreateTrialComponent",
"sagemaker:CreateUserProfile",
"sagemaker:CreateWorkforce",
"sagemaker:CreateWorkteam",
"sagemaker:DeleteAction",
"sagemaker:DeleteAlgorithm",
"sagemaker:DeleteApp",
"sagemaker:DeleteAppImageConfig",
"sagemaker:DeleteArtifact",
"sagemaker:DeleteAssociation",
"sagemaker:DeleteCodeRepository",
"sagemaker:DeleteContext",
"sagemaker:DeleteDataQualityJobDefinition",
"sagemaker:DeleteDeviceFleet",
"sagemaker:DeleteDomain",
"sagemaker:DeleteEndpoint",
"sagemaker:DeleteEndpointConfig",
"sagemaker:DeleteExperiment",
"sagemaker:DeleteFeatureGroup",
"sagemaker:DeleteFlowDefinition",
"sagemaker:DeleteHumanLoop",
"sagemaker:DeleteHumanTaskUi",
"sagemaker:DeleteImage",
"sagemaker:DeleteImageVersion",
"sagemaker:DeleteLineageGroupPolicy",
"sagemaker:DeleteModel",
"sagemaker:DeleteModelBiasJobDefinition",
"sagemaker:DeleteModelExplainabilityJobDefinition",
"sagemaker:DeleteModelPackage",
"sagemaker:DeleteModelPackageGroup",
"sagemaker:DeleteModelPackageGroupPolicy",
"sagemaker:DeleteModelQualityJobDefinition",
"sagemaker:DeleteMonitoringSchedule",
"sagemaker:DeleteNotebookInstance",
"sagemaker:DeleteNotebookInstanceLifecycleConfig",
"sagemaker:DeletePipeline",
"sagemaker:DeleteProject",
"sagemaker:DeleteRecord",
"sagemaker:DeleteTags",
"sagemaker:DeleteTrial",
"sagemaker:DeleteTrialComponent",
"sagemaker:DeleteUserProfile",
"sagemaker:DeleteWorkforce",
"sagemaker:DeleteWorkteam",
"sagemaker:DeregisterDevices",
"sagemaker:DescribeAction",
"sagemaker:DescribeAlgorithm",
"sagemaker:DescribeApp",
"sagemaker:DescribeAppImageConfig",
"sagemaker:DescribeArtifact",
"sagemaker:DescribeAutoMLJob",
"sagemaker:DescribeCodeRepository",
"sagemaker:DescribeCompilationJob",
"sagemaker:DescribeContext",
"sagemaker:DescribeDataQualityJobDefinition",
"sagemaker:DescribeDevice",
"sagemaker:DescribeDeviceFleet",
"sagemaker:DescribeDomain",
"sagemaker:DescribeEdgePackagingJob",
"sagemaker:DescribeEndpoint",
"sagemaker:DescribeEndpointConfig",
"sagemaker:DescribeExperiment",
"sagemaker:DescribeFeatureGroup",
"sagemaker:DescribeFlowDefinition",
"sagemaker:DescribeHumanLoop",
"sagemaker:DescribeHumanTaskUi",
"sagemaker:DescribeHyperParameterTuningJob",
"sagemaker:DescribeImage",
"sagemaker:DescribeImageVersion",
"sagemaker:DescribeInferenceRecommendationsJob",
"sagemaker:DescribeLabelingJob",
"sagemaker:DescribeLineageGroup",
"sagemaker:DescribeModel",
"sagemaker:DescribeModelBiasJobDefinition",
"sagemaker:DescribeModelExplainabilityJobDefinition",
"sagemaker:DescribeModelPackage",
"sagemaker:DescribeModelPackageGroup",
"sagemaker:DescribeModelQualityJobDefinition",
"sagemaker:DescribeMonitoringSchedule",
"sagemaker:DescribeNotebookInstance",
"sagemaker:DescribeNotebookInstanceLifecycleConfig",
"sagemaker:DescribePipeline",
"sagemaker:DescribePipelineDefinitionForExecution",
"sagemaker:DescribePipelineExecution",
"sagemaker:DescribeProcessingJob",
"sagemaker:DescribeProject",
"sagemaker:DescribeSubscribedWorkteam",
"sagemaker:DescribeTrainingJob",
"sagemaker:DescribeTransformJob",
"sagemaker:DescribeTrial",
"sagemaker:DescribeTrialComponent",
"sagemaker:DescribeUserProfile",
"sagemaker:DescribeWorkforce",
"sagemaker:DescribeWorkteam",
"sagemaker:DisableSagemakerServicecatalogPortfolio",
"sagemaker:DisassociateTrialComponent",
"sagemaker:EnableSagemakerServicecatalogPortfolio",
"sagemaker:GetDeviceFleetReport",
"sagemaker:GetDeviceRegistration",
"sagemaker:GetLineageGroupPolicy",
"sagemaker:GetModelPackageGroupPolicy",
"sagemaker:GetRecord",
"sagemaker:GetSagemakerServicecatalogPortfolioStatus",
"sagemaker:GetSearchSuggestions",
"sagemaker:InvokeEndpoint",
"sagemaker:InvokeEndpointAsync",
"sagemaker:ListActions",
"sagemaker:ListAlgorithms",
"sagemaker:ListAppImageConfigs",
"sagemaker:ListApps",
"sagemaker:ListArtifacts",
"sagemaker:ListAssociations",
"sagemaker:ListAutoMLJobs",
"sagemaker:ListCandidatesForAutoMLJob",
"sagemaker:ListCodeRepositories",
"sagemaker:ListCompilationJobs",
"sagemaker:ListContexts",
"sagemaker:ListDataQualityJobDefinitions",
"sagemaker:ListDeviceFleets",
"sagemaker:ListDevices",
"sagemaker:ListDomains",
"sagemaker:ListEdgePackagingJobs",
"sagemaker:ListEndpointConfigs",
"sagemaker:ListEndpoints",
"sagemaker:ListExperiments",
"sagemaker:ListFeatureGroups",
"sagemaker:ListFlowDefinitions",
"sagemaker:ListHumanLoops",
"sagemaker:ListHumanTaskUis",
"sagemaker:ListHyperParameterTuningJobs",
"sagemaker:ListImageVersions",
"sagemaker:ListImages",
"sagemaker:ListInferenceRecommendationsJobs",
"sagemaker:ListLabelingJobs",
"sagemaker:ListLabelingJobsForWorkteam",
"sagemaker:ListLineageGroups",
"sagemaker:ListModelBiasJobDefinitions",
"sagemaker:ListModelExplainabilityJobDefinitions",
"sagemaker:ListModelMetadata",
"sagemaker:ListModelPackageGroups",
"sagemaker:ListModelPackages",
"sagemaker:ListModelQualityJobDefinitions",
"sagemaker:ListModels",
"sagemaker:ListMonitoringExecutions",
"sagemaker:ListMonitoringSchedules",
"sagemaker:ListNotebookInstanceLifecycleConfigs",
"sagemaker:ListNotebookInstances",
"sagemaker:ListPipelineExecutionSteps",
"sagemaker:ListPipelineExecutions",
"sagemaker:ListPipelineParametersForExecution",
"sagemaker:ListPipelines",
"sagemaker:ListProcessingJobs",
"sagemaker:ListProjects",
"sagemaker:ListSubscribedWorkteams",
"sagemaker:ListTags",
"sagemaker:ListTrainingJobs",
"sagemaker:ListTrainingJobsForHyperParameterTuningJob",
"sagemaker:ListTransformJobs",
"sagemaker:ListTrialComponents",
"sagemaker:ListTrials",
"sagemaker:ListUserProfiles",
"sagemaker:ListWorkforces",
"sagemaker:ListWorkteams",
"sagemaker:PutLineageGroupPolicy",
"sagemaker:PutModelPackageGroupPolicy",
"sagemaker:PutRecord",
"sagemaker:QueryLineage",
"sagemaker:RegisterDevices",
"sagemaker:RenderUiTemplate",
"sagemaker:Search",
"sagemaker:SendHeartbeat",
"sagemaker:SendPipelineExecutionStepFailure",
"sagemaker:SendPipelineExecutionStepSuccess",
"sagemaker:StartHumanLoop",
"sagemaker:StartMonitoringSchedule",
"sagemaker:StartNotebookInstance",
"sagemaker:StartPipelineExecution",
"sagemaker:StopAutoMLJob",
"sagemaker:StopCompilationJob",
"sagemaker:StopEdgePackagingJob",
"sagemaker:StopHumanLoop",
"sagemaker:StopHyperParameterTuningJob",
"sagemaker:StopInferenceRecommendationsJob",
"sagemaker:StopLabelingJob",
"sagemaker:StopMonitoringSchedule",
"sagemaker:StopNotebookInstance",
"sagemaker:StopPipelineExecution",
"sagemaker:StopProcessingJob",
"sagemaker:StopTrainingJob",
"sagemaker:StopTransformJob",
"sagemaker:UpdateAction",
"sagemaker:UpdateAppImageConfig",
"sagemaker:UpdateArtifact",
"sagemaker:UpdateCodeRepository",
"sagemaker:UpdateContext",
"sagemaker:UpdateDeviceFleet",
"sagemaker:UpdateDevices",
"sagemaker:UpdateDomain",
"sagemaker:UpdateEndpoint",
"sagemaker:UpdateEndpointWeightsAndCapacities",
"sagemaker:UpdateExperiment",
"sagemaker:UpdateImage",
"sagemaker:UpdateModelPackage",
"sagemaker:UpdateMonitoringSchedule",
"sagemaker:UpdateNotebookInstance",
"sagemaker:UpdateNotebookInstanceLifecycleConfig",
"sagemaker:UpdatePipeline",
"sagemaker:UpdatePipelineExecution",
"sagemaker:UpdateProject",
"sagemaker:UpdateTrainingJob",
"sagemaker:UpdateTrial",
"sagemaker:UpdateTrialComponent",
"sagemaker:UpdateUserProfile",
"sagemaker:UpdateWorkforce",
"sagemaker:UpdateWorkteam"
],
"Resource": [
"arn:aws:sagemaker:*:*:action/*",
"arn:aws:sagemaker:*:*:algorithm/*",
"arn:aws:sagemaker:*:*:app-image-config/*",
"arn:aws:sagemaker:*:*:artifact/*",
"arn:aws:sagemaker:*:*:automl-job/*",
"arn:aws:sagemaker:*:*:code-repository/*",
"arn:aws:sagemaker:*:*:compilation-job/*",
"arn:aws:sagemaker:*:*:context/*",
"arn:aws:sagemaker:*:*:data-quality-job-definition/*",
"arn:aws:sagemaker:*:*:device-fleet/*/device/*",
"arn:aws:sagemaker:*:*:device-fleet/*",
"arn:aws:sagemaker:*:*:edge-packaging-job/*",
"arn:aws:sagemaker:*:*:endpoint/*",
"arn:aws:sagemaker:*:*:endpoint-config/*",
"arn:aws:sagemaker:*:*:experiment/*",
"arn:aws:sagemaker:*:*:experiment-trial/*",
"arn:aws:sagemaker:*:*:experiment-trial-component/*",
"arn:aws:sagemaker:*:*:feature-group/*",
"arn:aws:sagemaker:*:*:human-loop/*",
"arn:aws:sagemaker:*:*:human-task-ui/*",
"arn:aws:sagemaker:*:*:hyper-parameter-tuning-job/*",
"arn:aws:sagemaker:*:*:image/*",
"arn:aws:sagemaker:*:*:image-version/*/*",
"arn:aws:sagemaker:*:*:inference-recommendations-job/*",
"arn:aws:sagemaker:*:*:labeling-job/*",
"arn:aws:sagemaker:*:*:model/*",
"arn:aws:sagemaker:*:*:model-bias-job-definition/*",
"arn:aws:sagemaker:*:*:model-explainability-job-definition/*",
"arn:aws:sagemaker:*:*:model-package/*",
"arn:aws:sagemaker:*:*:model-package-group/*",
"arn:aws:sagemaker:*:*:model-quality-job-definition/*",
"arn:aws:sagemaker:*:*:monitoring-schedule/*",
"arn:aws:sagemaker:*:*:notebook-instance/*",
"arn:aws:sagemaker:*:*:notebook-instance-lifecycle-config/*",
"arn:aws:sagemaker:*:*:pipeline/*",
"arn:aws:sagemaker:*:*:pipeline/*/execution/*",
"arn:aws:sagemaker:*:*:processing-job/*",
"arn:aws:sagemaker:*:*:project/*",
"arn:aws:sagemaker:*:*:training-job/*",
"arn:aws:sagemaker:*:*:transform-job/*",
"arn:aws:sagemaker:*:*:workforce/*",
"arn:aws:sagemaker:*:*:workteam/*"
]
},
{
"Sid" : "AmazonSageMakerLambdaPassRolePermission",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsExecutionRole"
]
},
{
"Sid" : "AmazonSageMakerLambdaLogPermission",
"Effect": "Allow",
"Action": [
"logs:CreateLogDelivery",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DeleteLogDelivery",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:DescribeResourcePolicies",
"logs:DescribeDestinations",
"logs:DescribeExportTasks",
"logs:DescribeMetricFilters",
"logs:DescribeQueries",
"logs:DescribeQueryDefinitions",
"logs:DescribeSubscriptionFilters",
"logs:GetLogDelivery",
"logs:GetLogEvents",
"logs:ListLogDeliveries",
"logs:PutLogEvents",
"logs:PutResourcePolicy",
"logs:UpdateLogDelivery"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*"
},
{
"Sid" : "AmazonSageMakerLambdaCodeBuildPermission",
"Effect": "Allow",
"Action": [
"codebuild:StartBuild",
"codebuild:BatchGetBuilds"
],
"Resource": "arn:aws:codebuild:*:*:project/sagemaker-*",
"Condition": {
"StringLike": {
"aws:ResourceTag/sagemaker:project-name": "*"
}
}
}
]
}
Amazon SageMaker AI updates to AWS Service Catalog AWS managed policies
View details about updates to AWS managed policies for Amazon SageMaker AI since this service began tracking these changes.
Policy | Version | Change | Date |
---|---|---|---|
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 9 | Added the permissions | July 1, 2024 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 7 | The policy was reverted to version 7 (v7). Removed the permissions | June 12, 2024 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 8 | Added the permissions | June 11, 2024 |
AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy - Updated policy | 2 | Added the permissions | June 11, 2024 |
AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy - Updated policy | 2 | Added the permissions | June 11, 2024 |
AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy - Updated policy | 2 | Added the permissions | June 11, 2024 |
AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy | 1 | Initial policy | August 1, 2023 |
AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy | 1 | Initial policy | August 1, 2023 |
AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy | 1 | Initial policy | August 1, 2023 |
AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy - Updated policy | 2 | Added the permission for | August 26, 2022 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 7 | Added the permission for | August 2, 2022 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 6 | Added the permission for | July 14, 2022 |
AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy | 1 | Initial policy | April 4, 2022 |
AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy | 1 | Initial policy | March 24, 2022 |
AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy | 1 | Initial policy | March 24, 2022 |
AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy | 1 | Initial policy | March 24, 2022 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 5 | Added the permission for | March 21, 2022 |
AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy | 1 | Initial policy | February 22, 2022 |
AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy | 1 | Initial policy | February 22, 2022 |
AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy | 1 | Initial policy | February 22, 2022 |
AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy | 1 | Initial policy | February 22, 2022 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 4 | Added permissions for | February 16, 2022 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 3 | Added new permissions to create, read, update, and delete SageMaker AI images. | September 15, 2021 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 2 | Added permissions to create, read, update, and delete code repositories, and to pass AWS CodeStar connections to AWS CodePipeline. | July 1, 2021 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy | 1 | Initial policy | November 27, 2020 |