If you plan to use SageMaker AI notebooks with development endpoints, you must specify permissions when you create the notebook. You provide those permissions by using AWS Identity and Access Management (IAM).
To create an IAM policy for SageMaker AI notebooks
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
In the left navigation pane, choose Policies.
-
Choose Create Policy.
-
On the Create Policy page, navigate to a tab to edit the JSON. Create a policy document with the following JSON statements. Edit
bucket-name,region-code, andaccount-idfor your environment.{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:ListBucket" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::bucket-name" ] }, { "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::bucket-name*" ] }, { "Action": [ "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:CreateLogGroup" ], "Effect": "Allow", "Resource": [ "arn:aws:logs:region-code:account-id:log-group:/aws/sagemaker/*", "arn:aws:logs:region-code:account-id:log-group:/aws/sagemaker/*:log-stream:aws-glue-*" ] }, { "Action": [ "glue:UpdateDevEndpoint", "glue:GetDevEndpoint", "glue:GetDevEndpoints" ], "Effect": "Allow", "Resource": [ "arn:aws:glue:region-code:account-id:devEndpoint/*" ] }, { "Action": [ "sagemaker:ListTags" ], "Effect": "Allow", "Resource": [ "arn:aws:sagemaker:region-code:account-id:notebook-instance/*" ] } ] }Then choose Review policy.
The following table describes the permissions granted by this policy.
Action Resource Description "s3:ListBucket*""arn:aws:s3:::bucket-name"Grants permission to list Amazon S3 buckets.
"s3:GetObject""arn:aws:s3:::bucket-name*"Grants permission to get Amazon S3 objects that are used by SageMaker AI notebooks.
"logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:CreateLogGroup""arn:aws:logs:region-code:account-id:log-group:/aws/sagemaker/*", "arn:aws:logs:region-code:account-id:log-group:/aws/sagemaker/*:log-stream:aws-glue-*"Grants permission to write logs to Amazon CloudWatch Logs from notebooks.
Naming convention: Writes to log groups whose names begin with aws-glue.
"glue:UpdateDevEndpoint", "glue:GetDevEndpoint", "glue:GetDevEndpoints""arn:aws:glue:region-code:account-id:devEndpoint/*"Grants permission to use a development endpoint from SageMaker AI notebooks.
"sagemaker:ListTags""arn:aws:sagemaker:region-code:account-id:notebook-instance/*"Grants permission to return tags for an SageMaker AI resource. The
aws-glue-dev-endpointtag is required on the SageMaker AI notebook for connecting the notebook to a development endpoint. -
On the Review Policy screen, enter your Policy Name, for example
AWSGlueSageMakerNotebook. Enter an optional description, and when you're satisfied with the policy, choose Create policy.
