Set up SDK permissions

To use Amazon Rekognition Custom Labels SDK operations, you need access permissions to the Amazon Rekognition Custom Labels API and the Amazon S3 bucket used for model training.

Granting SDK operation permissions

We recommend that you grant only the permissions required to perform a task (least-privilege permissions). For example, to call DetectCustomLabels, you need permission to perform rekognition:DetectCustomLabels. To find the permissions for an operation, check the API reference.

When you are just starting out with an application, you might not know the specific permissions you need, so you can start with broader permissions. AWS managed policies provide permissions to help you get started. You can use the AmazonRekognitionCustomLabelsFullAccess AWS managed policy to get complete access to the Amazon Rekognition Custom Labels API. For more information, see AWS managed policy: AmazonRekognitionCustomLabelsFullAccess. When you know the permissions that your application needs, reduce permissions further by defining customer managed policies specific to your use cases. For more information, see Customer managed policies.

To assign permissions, see Assigning permissions.

Policy updates for using the AWS SDK

To use the AWS SDK with the latest release of Amazon Rekognition Custom Labels, you no longer need to give Amazon Rekognition Custom Labels permissions to access the Amazon S3 bucket that contains your training and testing images. If you have previously added permissions, you don't need to remove them. If you choose to, remove any policy from the bucket where the service for the principal is rekognition.amazonaws.com. For example:

"Principal": { "Service": "rekognition.amazonaws.com" }

For more information, see Using bucket policies.
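
The optional cleanup described above can be scripted. The following is an added example, not code from the Amazon Rekognition documentation: it takes a bucket policy document and removes the rekognition.amazonaws.com service principal from it, keeping any other principals in the same statement. The function name, the sample policy, and the choice to touch only Allow statements are assumptions made for illustration.

```python
import json

REKOGNITION_SP = "rekognition.amazonaws.com"

# Constructed sample policy; bucket name, account ID and Sids are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "LegacyRekognitionRead", "Effect": "Allow",
     "Principal": {"Service": "rekognition.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "SharedServices", "Effect": "Allow",
     "Principal": {"Service": ["rekognition.amazonaws.com", "cloudtrail.amazonaws.com"]},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "TeamAccess", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})


def strip_rekognition_principal(policy_json):
    """Return (policy dict or None, Sids of statements that were changed)."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    kept, changed = [], []
    for stmt in statements:
        principal = stmt.get("Principal")
        services = principal.get("Service") if isinstance(principal, dict) else None
        services = [services] if isinstance(services, str) else list(services or [])
        # Assumption: only Allow grants are cleaned up; Deny statements stay.
        if stmt.get("Effect") != "Allow" or REKOGNITION_SP not in services:
            kept.append(stmt)
            continue
        changed.append(stmt.get("Sid", "<no Sid>"))
        new_principal = {k: v for k, v in principal.items() if k != "Service"}
        remaining = [s for s in services if s != REKOGNITION_SP]
        if remaining:
            new_principal["Service"] = remaining[0] if len(remaining) == 1 else remaining
        if new_principal:  # other principals still need this statement
            kept.append({**stmt, "Principal": new_principal})
    if not kept:
        return None, changed  # nothing left: delete the bucket policy instead
    policy["Statement"] = kept
    return policy, changed


if __name__ == "__main__":
    cleaned, touched = strip_rekognition_principal(SAMPLE_POLICY)
    print("changed:", touched)
    print(json.dumps(cleaned, indent=2))
```

With boto3, the input would come from the S3 client's get_bucket_policy call and the result would go to put_bucket_policy, or to delete_bucket_policy when the function returns None.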

Assigning permissions

To provide access, add permissions to your users, groups, or roles: