


# AmazonSageMakerCanvasFullAccess
<a name="AmazonSageMakerCanvasFullAccess"></a>

**Description**: Provides full access to Amazon SageMaker Canvas resources and operations. The policy also provides select access to related services (for example, S3, IAM, VPC, ECR, CloudWatch Logs, Redshift, Secrets Manager, and Forecast). This policy must be attached to the Amazon SageMaker Domain/User Profile execution role.

`AmazonSageMakerCanvasFullAccess` is an [AWS managed policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies).

## Using this policy
<a name="AmazonSageMakerCanvasFullAccess-how-to-use"></a>

You can attach the `AmazonSageMakerCanvasFullAccess` policy to users, groups, and roles.

## Policy details
<a name="AmazonSageMakerCanvasFullAccess-details"></a>
+ **Type**: AWS managed policy
+ **Creation time**: September 09, 2022, 00:44 UTC
+ **Edited time**: August 16, 2024, 04:35 UTC
+ **ARN**: `arn:aws:iam::aws:policy/AmazonSageMakerCanvasFullAccess`

## Policy version
<a name="AmazonSageMakerCanvasFullAccess-version"></a>

**Policy version:** v11 (default)

The policy's default version is the version that defines the permissions for the policy. When a user or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request.

## JSON policy document
<a name="AmazonSageMakerCanvasFullAccess-json"></a>

```
{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Sid" : "SageMakerUserDetailsAndPackageOperations",
      "Effect" : "Allow",
      "Action" : [
        "sagemaker:DescribeDomain",
        "sagemaker:DescribeUserProfile",
        "sagemaker:ListTags",
        "sagemaker:ListModelPackages",
        "sagemaker:ListModelPackageGroups",
        "sagemaker:ListEndpoints"
      ],
      "Resource" : "*"
    },
    {
      "Sid" : "SageMakerPackageGroupOperations",
      "Effect" : "Allow",
      "Action" : [
        "sagemaker:CreateModelPackageGroup",
        "sagemaker:CreateModelPackage",
        "sagemaker:DescribeModelPackageGroup",
        "sagemaker:DescribeModelPackage"
      ],
      "Resource" : [
        "arn:aws:sagemaker:*:*:model-package/*",
        "arn:aws:sagemaker:*:*:model-package-group/*"
      ]
    },
    {
      "Sid" : "SageMakerTrainingOperations",
      "Effect" : "Allow",
      "Action" : [
        "sagemaker:CreateCompilationJob",
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:CreateModel",
        "sagemaker:CreateProcessingJob",
        "sagemaker:CreateAutoMLJob",
        "sagemaker:CreateAutoMLJobV2",
        "sagemaker:CreateTrainingJob",
        "sagemaker:CreateTransformJob",
        "sagemaker:DeleteEndpoint",
        "sagemaker:DescribeCompilationJob",
        "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:DescribeModel",
        "sagemaker:DescribeProcessingJob",
        "sagemaker:DescribeAutoMLJob",
        "sagemaker:DescribeAutoMLJobV2",
        "sagemaker:DescribeTrainingJob",
        "sagemaker:DescribeTransformJob",
        "sagemaker:ListCandidatesForAutoMLJob",
        "sagemaker:StopAutoMLJob",
        "sagemaker:StopTrainingJob",
        "sagemaker:StopTransformJob",
        "sagemaker:AddTags",
        "sagemaker:DeleteApp"
      ],
      "Resource" : [
        "arn:aws:sagemaker:*:*:*Canvas*",
        "arn:aws:sagemaker:*:*:*canvas*",
        "arn:aws:sagemaker:*:*:*model-compilation-*"
      ]
    },
    {
      "Sid" : "SageMakerHostingOperations",
      "Effect" : "Allow",
      "Action" : [
        "sagemaker:DeleteEndpointConfig",
        "sagemaker:DeleteModel",
        "sagemaker:InvokeEndpoint",
        "sagemaker:UpdateEndpointWeightsAndCapacities",
        "sagemaker:InvokeEndpointAsync"
      ],
      "Resource" : [
        "arn:aws:sagemaker:*:*:*Canvas*",
        "arn:aws:sagemaker:*:*:*canvas*"
      ]
    },
    {
      "Sid" : "EC2VPCOperation",
      "Effect" : "Allow",
      "Action" : [
        "ec2:CreateVpcEndpoint",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcEndpointServices"
      ],
      "Resource" : "*"
    },
    {
      "Sid" : "ECROperations",
      "Effect" : "Allow",
      "Action" : [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetAuthorizationToken"
      ],
      "Resource" : "*"
    },
    {
      "Sid" : "IAMGetOperations",
      "Effect" : "Allow",
      "Action" : [
        "iam:GetRole"
      ],
      "Resource" : "arn:aws:iam::*:role/*"
    },
    {
      "Sid" : "IAMPassOperation",
      "Effect" : "Allow",
      "Action" : [
        "iam:PassRole"
      ],
      "Resource" : "arn:aws:iam::*:role/*",
      "Condition" : {
        "StringEquals" : {
          "iam:PassedToService" : "sagemaker.amazonaws.com"
        }
      }
    },
    {
      "Sid" : "LoggingOperation",
      "Effect" : "Allow",
      "Action" : [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource" : "arn:aws:logs:*:*:log-group:/aws/sagemaker/*"
    },
    {
      "Sid" : "S3Operations",
      "Effect" : "Allow",
      "Action" : [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:CreateBucket",
        "s3:GetBucketCors",
        "s3:GetBucketLocation"
      ],
      "Resource" : [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Sid" : "ReadSageMakerJumpstartArtifacts",
      "Effect" : "Allow",
      "Action" : "s3:GetObject",
      "Resource" : [
        "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*",
        "arn:aws:s3:::jumpstart-cache-prod-us-east-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-us-east-2/*",
        "arn:aws:s3:::jumpstart-cache-prod-eu-west-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-eu-central-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-south-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-2/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-northeast-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-1/*",
        "arn:aws:s3:::jumpstart-cache-prod-ap-southeast-2/*"
      ]
    },
    {
      "Sid" : "S3ListOperations",
      "Effect" : "Allow",
      "Action" : [
        "s3:ListBucket",
        "s3:ListAllMyBuckets"
      ],
      "Resource" : "*"
    },
    {
      "Sid" : "GlueOperations",
      "Effect" : "Allow",
      "Action" : "glue:SearchTables",
      "Resource" : [
        "arn:aws:glue:*:*:table/*/*",
        "arn:aws:glue:*:*:database/*",
        "arn:aws:glue:*:*:catalog"
      ]
    },
    {
      "Sid" : "SecretsManagerARNBasedOperation",
      "Effect" : "Allow",
      "Action" : [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret",
        "secretsmanager:PutResourcePolicy"
      ],
      "Resource" : [
        "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
      ]
    },
    {
      "Sid" : "SecretManagerTagBasedOperation",
      "Effect" : "Allow",
      "Action" : [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "secretsmanager:ResourceTag/SageMaker" : "true"
        }
      }
    },
    {
      "Sid" : "RedshiftOperations",
      "Effect" : "Allow",
      "Action" : [
        "redshift-data:ExecuteStatement",
        "redshift-data:DescribeStatement",
        "redshift-data:CancelStatement",
        "redshift-data:GetStatementResult",
        "redshift-data:ListSchemas",
        "redshift-data:ListTables",
        "redshift-data:DescribeTable"
      ],
      "Resource" : "*"
    },
    {
      "Sid" : "RedshiftGetCredentialsOperation",
      "Effect" : "Allow",
      "Action" : [
        "redshift:GetClusterCredentials"
      ],
      "Resource" : [
        "arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
        "arn:aws:redshift:*:*:dbname:*"
      ]
    },
    {
      "Sid" : "ForecastOperations",
      "Effect" : "Allow",
      "Action" : [
        "forecast:CreateExplainabilityExport",
        "forecast:CreateExplainability",
        "forecast:CreateForecastEndpoint",
        "forecast:CreateAutoPredictor",
        "forecast:CreateDatasetImportJob",
        "forecast:CreateDatasetGroup",
        "forecast:CreateDataset",
        "forecast:CreateForecast",
        "forecast:CreateForecastExportJob",
        "forecast:CreatePredictorBacktestExportJob",
        "forecast:CreatePredictor",
        "forecast:DescribeExplainabilityExport",
        "forecast:DescribeExplainability",
        "forecast:DescribeAutoPredictor",
        "forecast:DescribeForecastEndpoint",
        "forecast:DescribeDatasetImportJob",
        "forecast:DescribeDataset",
        "forecast:DescribeForecast",
        "forecast:DescribeForecastExportJob",
        "forecast:DescribePredictorBacktestExportJob",
        "forecast:GetAccuracyMetrics",
        "forecast:InvokeForecastEndpoint",
        "forecast:GetRecentForecastContext",
        "forecast:DescribePredictor",
        "forecast:TagResource",
        "forecast:DeleteResourceTree"
      ],
      "Resource" : [
        "arn:aws:forecast:*:*:*Canvas*"
      ]
    },
    {
      "Sid" : "RDSOperation",
      "Effect" : "Allow",
      "Action" : "rds:DescribeDBInstances",
      "Resource" : "*"
    },
    {
      "Sid" : "IAMPassOperationForForecast",
      "Effect" : "Allow",
      "Action" : [
        "iam:PassRole"
      ],
      "Resource" : "arn:aws:iam::*:role/*",
      "Condition" : {
        "StringEquals" : {
          "iam:PassedToService" : "forecast.amazonaws.com"
        }
      }
    },
    {
      "Sid" : "AutoscalingOperations",
      "Effect" : "Allow",
      "Action" : [
        "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:RegisterScalableTarget"
      ],
      "Resource" : "arn:aws:application-autoscaling:*:*:scalable-target/*",
      "Condition" : {
        "StringEquals" : {
          "application-autoscaling:service-namespace" : "sagemaker",
          "application-autoscaling:scalable-dimension" : "sagemaker:variant:DesiredInstanceCount"
        }
      }
    },
    {
      "Sid" : "AsyncEndpointOperations",
      "Effect" : "Allow",
      "Action" : [
        "cloudwatch:DescribeAlarms",
        "sagemaker:DescribeEndpointConfig"
      ],
      "Resource" : "*"
    },
    {
      "Sid" : "DescribeScalingOperations",
      "Effect" : "Allow",
      "Action" : [
        "application-autoscaling:DescribeScalingActivities"
      ],
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "SageMakerCloudWatchUpdate",
      "Effect" : "Allow",
      "Action" : [
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms"
      ],
      "Resource" : [
        "arn:aws:cloudwatch:*:*:alarm:TargetTracking*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:CalledViaLast" : "application-autoscaling.amazonaws.com"
        }
      }
    },
    {
      "Sid" : "AutoscalingSageMakerEndpointOperation",
      "Action" : "iam:CreateServiceLinkedRole",
      "Effect" : "Allow",
      "Resource" : "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
      "Condition" : {
        "StringLike" : {
          "iam:AWSServiceName" : "sagemaker.application-autoscaling.amazonaws.com"
        }
      }
    },
    {
      "Sid" : "AthenaOperation",
      "Action" : [
        "athena:ListTableMetadata",
        "athena:ListDataCatalogs",
        "athena:ListDatabases"
      ],
      "Effect" : "Allow",
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "GlueOperation",
      "Action" : [
        "glue:GetDatabases",
        "glue:GetPartitions",
        "glue:GetTables"
      ],
      "Effect" : "Allow",
      "Resource" : [
        "arn:aws:glue:*:*:table/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*"
      ],
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "QuicksightOperation",
      "Action" : [
        "quicksight:ListNamespaces"
      ],
      "Effect" : "Allow",
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "AllowUseOfKeyInAccount",
      "Effect" : "Allow",
      "Action" : [
        "kms:DescribeKey"
      ],
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceTag/Source" : "SageMakerCanvas",
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "EMRServerlessCreateApplicationOperation",
      "Effect" : "Allow",
      "Action" : "emr-serverless:CreateApplication",
      "Resource" : "arn:aws:emr-serverless:*:*:/*",
      "Condition" : {
        "StringEquals" : {
          "aws:RequestTag/sagemaker:is-canvas-resource" : "True",
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "EMRServerlessListApplicationOperation",
      "Effect" : "Allow",
      "Action" : "emr-serverless:ListApplications",
      "Resource" : "arn:aws:emr-serverless:*:*:/*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "EMRServerlessApplicationOperations",
      "Effect" : "Allow",
      "Action" : [
        "emr-serverless:UpdateApplication",
        "emr-serverless:StopApplication",
        "emr-serverless:GetApplication",
        "emr-serverless:StartApplication"
      ],
      "Resource" : "arn:aws:emr-serverless:*:*:/applications/*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceTag/sagemaker:is-canvas-resource" : "True",
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "EMRServerlessStartJobRunOperation",
      "Effect" : "Allow",
      "Action" : "emr-serverless:StartJobRun",
      "Resource" : "arn:aws:emr-serverless:*:*:/applications/*",
      "Condition" : {
        "StringEquals" : {
          "aws:RequestTag/sagemaker:is-canvas-resource" : "True",
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "EMRServerlessListJobRunOperation",
      "Effect" : "Allow",
      "Action" : "emr-serverless:ListJobRuns",
      "Resource" : "arn:aws:emr-serverless:*:*:/applications/*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceTag/sagemaker:is-canvas-resource" : "True",
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "EMRServerlessJobRunOperations",
      "Effect" : "Allow",
      "Action" : [
        "emr-serverless:GetJobRun",
        "emr-serverless:CancelJobRun"
      ],
      "Resource" : "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*",
      "Condition" : {
        "StringEquals" : {
          "aws:ResourceTag/sagemaker:is-canvas-resource" : "True",
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "EMRServerlessTagResourceOperation",
      "Effect" : "Allow",
      "Action" : "emr-serverless:TagResource",
      "Resource" : "arn:aws:emr-serverless:*:*:/*",
      "Condition" : {
        "StringEquals" : {
          "aws:RequestTag/sagemaker:is-canvas-resource" : "True",
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid" : "IAMPassOperationForEMRServerless",
      "Effect" : "Allow",
      "Action" : "iam:PassRole",
      "Resource" : [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
        "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*"
      ],
      "Condition" : {
        "StringEquals" : {
          "iam:PassedToService" : "emr-serverless.amazonaws.com",
          "aws:ResourceAccount" : "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
```

## Learn more
<a name="AmazonSageMakerCanvasFullAccess-learn-more"></a>
+ [Create a permission set using AWS managed policies in IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html)
+ [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html)
+ [Understand versioning for IAM policies](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_managed-versioning.html)
+ [Get started with AWS managed policies and move toward least-privilege permissions](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies)