Set up SDK permissions - Amazon Lookout for Vision
Granting SDK operation permissionsGranting Amazon S3 Bucket permissionsAssigning permissions

End of support notice: On October 31, 2025, AWS will discontinue support for Amazon Lookout for Vision. After October 31, 2025, you will no longer be able to access the Lookout for Vision console or Lookout for Vision resources. For more information, visit this blog post.

Set up SDK permissions

To use Amazon Lookout for Vision SDK operations, you need access permissions to the Lookout for Vision API and the Amazon S3 bucket used for model training.

Granting SDK operation permissions

We recommend that you grant only the permissions required to perform a task (least-privilege permissions). For example, to call DetectAnomalies, you need permission to perform lookoutvision:DetectAnomalies. To find the permissions for an operation, check the API reference.

When you are just starting out with an application, you might not know the specific permissions you need, so you can start with broader permissions. AWS managed policies provide permissions to help you get started.

The managed policies for the console also provide access permissions for SDK operations. For more information, see Step 2: Set up permissions.

For information about AWS managed policies, see AWS managed policies.

When you know the permissions that your application needs, reduce permissions further by defining customer managed policies specific to your use cases. For more information, see Customer managed policies.

Note

The getting started instructions require s3:PutObject permissions. For more information, see Step 1: Create the manifest file and upload images.

To assign permissions, see Assigning permissions.

Granting Amazon S3 Bucket permissions

To train a model, you need an Amazon S3 bucket with appropriate permissions to store the images, manifest files and training output. The bucket must be owned by your AWS account and must be located in the AWS Region in which you are using Amazon Lookout for Vision.

The SDK-only managed policies (AmazonLookoutVisionFullAccess and AmazonLookoutVisionReadOnlyAccess) don't include Amazon S3 bucket permissions and you need to apply the following permission policy to access the buckets you use, including existing console buckets.

The console managed policies (AmazonLookoutVisionConsoleFullAccess and AmazonLookoutVisionConsoleReadOnlyAccess) include access permissions to the console bucket. If you are accessing the console bucket with SDK operations and have console managed policy permissions, you don't need to use the following policy. For more information, see Step 2: Set up permissions.

Deciding task permissions

Use the following information to decide which permissions are needed for the tasks you want to do.

Creating a dataset

To create a dataset with CreateDataset, you need the following permissions.

  • s3:GetBucketLocation — allows Lookout for Vision to validate that your bucket is in the same region in which you are using Lookout for Vision.

  • s3:GetObject — Allows access to the manifest file specifed in the DatasetSource input parameter. If you want to specify an exact S3 object version of the manifest file, you also need s3:GetObjectVersion on the manifest file. For more information, see Using versioning in S3 buckets.

Creating a model

To create a model with CreateModel, you need the following permissions.

  • s3:GetBucketLocation — allows Lookout for Vision to validate that your bucket is in the same region in which you are using Lookout for Vision.

  • s3:GetObject — allows access to the images specified in the project’s training and test datasets.

  • s3:PutObject — allows permission to store training output in the specified bucket. You specify the output bucket location in the OutputConfig parameter. Optionally, you can scope permissions down to only object keys specified in the Prefix field of the S3Location input field. For more information, see OutputConfig.

Accessing images, manifest files, and training output

Amazon S3 bucket permissions aren't required to view Amazon Lookout for Vision operation responses. You do need s3:GetObject permission if you want to access images, manifests files, and training output referenced in operation responses. If you are accessing a versioned Amazon S3 object, you need s3:GetObjectVersion permission.

Setting Amazon S3 bucket policy

You can use the following policy to specify the Amazon S3 bucket permissions needed to create a dataset (CreateDataset), create a model (CreateModel), and access images, manifest files, and training output. Change the value of my-bucket to the name of the bucket that you want use.

You can adjust the policy to your needs. For more information, see Deciding task permissions. Add the policy to the desired user. For more information, see Creating IAM Policies.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LookoutVisionS3BucketAccess",
            "Effect": "Allow",
            "Action": "s3:GetBucketLocation",
            "Resource": [
                "arn:aws:s3:::my-bucket"
            ],
            "Condition": {
                "Bool": {
                    "aws:ViaAWSService": "true"
                }
            }
        },
        {
            "Sid": "LookoutVisionS3ObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:ViaAWSService": "true"
                }
            }
        }
    ]
}

To assign permissions, see Assigning permissions.

Assigning permissions

To provide access, add permissions to your users, groups, or roles: