AWS Managed Policies for SageMaker Pipelines
These AWS managed policies add permissions required to use SageMaker Pipelines. The policies are available in your AWS account and are used by execution roles created from the SageMaker console.
Topics
AWS managed policy: AmazonSageMakerPipelinesIntegrations
This AWS managed policy grants permissions commonly needed to use Callback steps
and Lambda steps in SageMaker Pipelines. The policy is added to the
AmazonSageMaker-ExecutionRole that is created when you onboard to
Amazon SageMaker Studio Classic. The policy can be attached to any role used for authoring or executing a pipeline.
This policy grants appropriate AWS Lambda, Amazon Simple Queue Service (Amazon SQS), Amazon EventBridge, and IAM permissions needed when building pipelines that invoke Lambda functions or include callback steps, which can be used for manual approval steps or running custom workloads.
The Amazon SQS permissions allow you to create the Amazon SQS queue needed for receiving callback messages, and also to send messages to that queue.
The Lambda permissions allow you to create, read, update, and delete the Lambda functions used in the pipeline steps, and also to invoke those Lambda functions.
This policy grants the Amazon EMR permissions needed to run a pipelines Amazon EMR step.
Permissions details
This policy includes the following permissions.
-
elasticmapreduce– Read, add, and cancel steps in a running Amazon EMR cluster. Read, create, and terminate a new Amazon EMR cluster. -
events– Read, create, update, and add targets to an EventBridge rule namedSageMakerPipelineExecutionEMRStepStatusUpdateRuleandSageMakerPipelineExecutionEMRClusterStatusUpdateRule. -
iam– Pass an IAM role to the AWS Lambda service, Amazon EMR and Amazon EC2. -
lambda– Create, read, update, delete, and invoke Lambda functions. These permissions are limited to functions whose name includes "sagemaker". -
sqs– Create an Amazon SQS queue; send an Amazon SQS message. These permissions are limited to queues whose name includes "sagemaker".
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction", "lambda:InvokeFunction", "lambda:UpdateFunctionCode" ], "Resource": [ "arn:aws:lambda:*:*:function:*sagemaker*", "arn:aws:lambda:*:*:function:*sageMaker*", "arn:aws:lambda:*:*:function:*SageMaker*" ] }, { "Effect": "Allow", "Action": [ "sqs:CreateQueue", "sqs:SendMessage" ], "Resource": [ "arn:aws:sqs:*:*:*sagemaker*", "arn:aws:sqs:*:*:*sageMaker*", "arn:aws:sqs:*:*:*SageMaker*" ] }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": [ "lambda.amazonaws.com", "elasticmapreduce.amazonaws.com", "ec2.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "events:DescribeRule", "events:PutRule", "events:PutTargets" ], "Resource": [ "arn:aws:events:*:*:rule/SageMakerPipelineExecutionEMRStepStatusUpdateRule", "arn:aws:events:*:*:rule/SageMakerPipelineExecutionEMRClusterStatusUpdateRule" ] }, { "Effect": "Allow", "Action": [ "elasticmapreduce:AddJobFlowSteps", "elasticmapreduce:CancelSteps", "elasticmapreduce:DescribeStep", "elasticmapreduce:RunJobFlow", "elasticmapreduce:DescribeCluster", "elasticmapreduce:TerminateJobFlows", "elasticmapreduce:ListSteps" ], "Resource": [ "arn:aws:elasticmapreduce:*:*:cluster/*" ] } ] }
Amazon SageMaker updates to SageMaker Pipelines managed policies
View details about updates to AWS managed policies for Amazon SageMaker since this service began tracking these changes.
| Policy | Version | Change | Date |
|---|---|---|---|
|
AmazonSageMakerPipelinesIntegrations - Update to an existing policy |
3 |
Added permissions for |
February 17, 2023 |
|
AmazonSageMakerPipelinesIntegrations - Update to an existing policy |
2 |
Added permissions for |
April 20, 2022 |
AmazonSageMakerPipelinesIntegrations - New policy |
1 |
Initial policy |
July 30, 2021 |
