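These AWS managed policies add permissions to use built-in Amazon SageMaker AI project templates and JumpStart solutions. The policies are available in your AWS account and are used by execution roles created from the SageMaker AI console.
SageMaker Projects and JumpStart use AWS Service Catalog to provision AWS resources in customers' accounts. Some of the created resources need to assume an execution role. For example, if AWS Service Catalog creates a CodePipeline pipeline on behalf of a customer for a SageMaker AI machine learning CI/CD project, then that pipeline requires an IAM role.
The AmazonSageMakerServiceCatalogProductsLaunchRole role passes an AmazonSageMakerServiceCatalogProductsUseRole role to the provisioned AWS Service Catalog product resources.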
Topics
- AWS managed policy: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy
- AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy
- AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy
- AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy
- AWS managed policy: AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy
- AWS managed policy: AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy
- AWS managed policy: AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy
- AWS managed policy: AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy
- AWS managed policy: AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy
- AWS managed policy: AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy
- AWS managed policy: AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy
- AWS managed policy: AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy
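AWS managed policy: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy
This service role policy is used by the AWS Service Catalog service to provision products from the Amazon SageMaker AI portfolio. The policy grants permissions to a set of related AWS services, including AWS CodePipeline, AWS CodeBuild, AWS CodeCommit, AWS CloudFormation, AWS Glue, and others.
The AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy policy is intended to be used by the AmazonSageMakerServiceCatalogProductsLaunchRole role created from the SageMaker AI console. The policy adds permissions to provision AWS resources for SageMaker Projects and JumpStart, using Service Catalog, in a customer's account.
Permissions details
This policy includes the following permissions.
- apigateway: Allows the role to call API Gateway endpoints that are tagged with sagemaker:launch-source.
- cloudformation: Allows AWS Service Catalog to create, update, and delete CloudFormation stacks. Also allows Service Catalog to tag and untag resources.
- codebuild: Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create, update, and delete CodeBuild projects.
- codecommit: Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create, update, and delete CodeCommit repositories.
- codepipeline: Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create, update, and delete CodePipelines.
- codestarconnections, codestar-connections: Also allows the role to pass AWS CodeConnections and AWS CodeStar connections.
- cognito-idp: Allows the role to create, update, and delete groups and user pools. Also allows tagging resources.
- ecr: Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create and delete Amazon ECR repositories. Also allows tagging resources.
- events: Allows the role assumed by AWS Service Catalog and passed to CloudFormation to create and delete EventBridge rules. Used to tie together the various components of the CI/CD pipeline.
- firehose: Allows the role to interact with Firehose streams.
- glue: Allows the role to interact with AWS Glue.
- iam: Allows the role to pass roles whose names are prefixed with AmazonSageMakerServiceCatalog. This permission is needed when Projects provisions an AWS Service Catalog product, because a role has to be passed to AWS Service Catalog.
- lambda: Allows the role to interact with AWS Lambda. Also allows tagging resources.
- logs: Allows the role to create, delete, and access log streams.
- s3: Allows the role assumed by AWS Service Catalog and passed to CloudFormation to access the Amazon S3 buckets where the Project template code is stored.
- sagemaker: Allows the role to interact with various SageMaker AI services. This happens both in CloudFormation during template provisioning and in CodeBuild during CI/CD pipeline execution. Also allows tagging the following resources: endpoints, endpoint configurations, models, pipelines, projects, and model packages.
- states: Allows the role to create, delete, and update Step Functions prefixed with sagemaker.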
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AmazonSageMakerServiceCatalogAPIGatewayPermission",
"Effect": "Allow",
"Action": [
"apigateway:GET",
"apigateway:POST",
"apigateway:PUT",
"apigateway:PATCH",
"apigateway:DELETE"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:ResourceTag/sagemaker:launch-source": "*"
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogAPIGatewayPostPermission",
"Effect": "Allow",
"Action": [
"apigateway:POST"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringLike": {
"aws:TagKeys": [
"sagemaker:launch-source"
]
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogAPIGatewayPatchPermission",
"Effect": "Allow",
"Action": [
"apigateway:PATCH"
],
"Resource": [
"arn:aws:apigateway:*::/account"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogCFnMutatePermission",
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack",
"cloudformation:UpdateStack",
"cloudformation:DeleteStack"
],
"Resource": "arn:aws:cloudformation:*:*:stack/SC-*",
"Condition": {
"ArnLikeIfExists": {
"cloudformation:RoleArn": [
"arn:aws:sts::*:assumed-role/AmazonSageMakerServiceCatalog*"
]
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogCFnTagPermission",
"Effect": "Allow",
"Action": [
"cloudformation:TagResource",
"cloudformation:UntagResource"
],
"Resource": "arn:aws:cloudformation:*:*:stack/SC-*",
"Condition" : {
"Null": {
"aws:ResourceTag/sagemaker:project-name": "false"
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogCFnReadPermission",
"Effect": "Allow",
"Action": [
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStacks"
],
"Resource": "arn:aws:cloudformation:*:*:stack/SC-*"
},
{
"Sid": "AmazonSageMakerServiceCatalogCFnTemplatePermission",
"Effect": "Allow",
"Action": [
"cloudformation:GetTemplateSummary",
"cloudformation:ValidateTemplate"
],
"Resource": "*"
},
{
"Sid": "AmazonSageMakerServiceCatalogCodeBuildPermission",
"Effect": "Allow",
"Action": [
"codebuild:CreateProject",
"codebuild:DeleteProject",
"codebuild:UpdateProject"
],
"Resource": [
"arn:aws:codebuild:*:*:project/sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogCodeCommitPermission",
"Effect": "Allow",
"Action": [
"codecommit:CreateCommit",
"codecommit:CreateRepository",
"codecommit:DeleteRepository",
"codecommit:GetRepository",
"codecommit:TagResource"
],
"Resource": [
"arn:aws:codecommit:*:*:sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogCodeCommitListPermission",
"Effect": "Allow",
"Action": [
"codecommit:ListRepositories"
],
"Resource": "*"
},
{
"Sid": "AmazonSageMakerServiceCatalogCodePipelinePermission",
"Effect": "Allow",
"Action": [
"codepipeline:CreatePipeline",
"codepipeline:DeletePipeline",
"codepipeline:GetPipeline",
"codepipeline:GetPipelineState",
"codepipeline:StartPipelineExecution",
"codepipeline:TagResource",
"codepipeline:UpdatePipeline"
],
"Resource": [
"arn:aws:codepipeline:*:*:sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogCIAMUserPermission",
"Effect": "Allow",
"Action": [
"cognito-idp:CreateUserPool",
"cognito-idp:TagResource"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringLike": {
"aws:TagKeys": [
"sagemaker:launch-source"
]
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogCIAMPermission",
"Effect": "Allow",
"Action": [
"cognito-idp:CreateGroup",
"cognito-idp:CreateUserPoolDomain",
"cognito-idp:CreateUserPoolClient",
"cognito-idp:DeleteGroup",
"cognito-idp:DeleteUserPool",
"cognito-idp:DeleteUserPoolClient",
"cognito-idp:DeleteUserPoolDomain",
"cognito-idp:DescribeUserPool",
"cognito-idp:DescribeUserPoolClient",
"cognito-idp:UpdateUserPool",
"cognito-idp:UpdateUserPoolClient"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:ResourceTag/sagemaker:launch-source": "*"
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogECRPermission",
"Effect": "Allow",
"Action": [
"ecr:CreateRepository",
"ecr:DeleteRepository",
"ecr:TagResource"
],
"Resource": [
"arn:aws:ecr:*:*:repository/sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogEventBridgePermission",
"Effect": "Allow",
"Action": [
"events:DescribeRule",
"events:DeleteRule",
"events:DisableRule",
"events:EnableRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets"
],
"Resource": [
"arn:aws:events:*:*:rule/sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogFirehosePermission",
"Effect": "Allow",
"Action": [
"firehose:CreateDeliveryStream",
"firehose:DeleteDeliveryStream",
"firehose:DescribeDeliveryStream",
"firehose:StartDeliveryStreamEncryption",
"firehose:StopDeliveryStreamEncryption",
"firehose:UpdateDestination"
],
"Resource": "arn:aws:firehose:*:*:deliverystream/sagemaker-*"
},
{
"Sid": "AmazonSageMakerServiceCatalogGluePermission",
"Effect": "Allow",
"Action": [
"glue:CreateDatabase",
"glue:DeleteDatabase"
],
"Resource": [
"arn:aws:glue:*:*:catalog",
"arn:aws:glue:*:*:database/sagemaker-*",
"arn:aws:glue:*:*:table/sagemaker-*",
"arn:aws:glue:*:*:userDefinedFunction/sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogGlueClassiferPermission",
"Effect": "Allow",
"Action": [
"glue:CreateClassifier",
"glue:DeleteClassifier",
"glue:DeleteCrawler",
"glue:DeleteJob",
"glue:DeleteTrigger",
"glue:DeleteWorkflow",
"glue:StopCrawler"
],
"Resource": [
"*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogGlueWorkflowPermission",
"Effect": "Allow",
"Action": [
"glue:CreateWorkflow"
],
"Resource": [
"arn:aws:glue:*:*:workflow/sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogGlueJobPermission",
"Effect": "Allow",
"Action": [
"glue:CreateJob"
],
"Resource": [
"arn:aws:glue:*:*:job/sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogGlueCrawlerPermission",
"Effect": "Allow",
"Action": [
"glue:CreateCrawler",
"glue:GetCrawler"
],
"Resource": [
"arn:aws:glue:*:*:crawler/sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogGlueTriggerPermission",
"Effect": "Allow",
"Action": [
"glue:CreateTrigger",
"glue:GetTrigger"
],
"Resource": [
"arn:aws:glue:*:*:trigger/sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogPassRolePermission",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalog*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogLambdaPermission",
"Effect": "Allow",
"Action": [
"lambda:AddPermission",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:GetFunctionConfiguration",
"lambda:InvokeFunction",
"lambda:RemovePermission"
],
"Resource": [
"arn:aws:lambda:*:*:function:sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogLambdaTagPermission",
"Effect": "Allow",
"Action": "lambda:TagResource",
"Resource": [
"arn:aws:lambda:*:*:function:sagemaker-*"
],
"Condition": {
"ForAllValues:StringLike": {
"aws:TagKeys": [
"sagemaker:*"
]
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogLogGroupPermission",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DeleteLogGroup",
"logs:DeleteLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutRetentionPolicy"
],
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/apigateway/AccessLogs/*",
"arn:aws:logs:*:*:log-group::log-stream:*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogS3ReadPermission",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "*",
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/servicecatalog:provisioning": "true"
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogS3ReadSagemakerResourcePermission",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogS3MutatePermission",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:GetBucketPolicy",
"s3:PutBucketAcl",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:PutBucketLogging",
"s3:PutEncryptionConfiguration",
"s3:PutBucketCORS",
"s3:PutBucketTagging",
"s3:PutObjectTagging"
],
"Resource": "arn:aws:s3:::sagemaker-*"
},
{
"Sid": "AmazonSageMakerServiceCatalogSageMakerPermission",
"Effect": "Allow",
"Action": [
"sagemaker:CreateEndpoint",
"sagemaker:CreateEndpointConfig",
"sagemaker:CreateModel",
"sagemaker:CreateWorkteam",
"sagemaker:DeleteEndpoint",
"sagemaker:DeleteEndpointConfig",
"sagemaker:DeleteModel",
"sagemaker:DeleteWorkteam",
"sagemaker:DescribeModel",
"sagemaker:DescribeEndpointConfig",
"sagemaker:DescribeEndpoint",
"sagemaker:DescribeWorkteam",
"sagemaker:CreateCodeRepository",
"sagemaker:DescribeCodeRepository",
"sagemaker:UpdateCodeRepository",
"sagemaker:DeleteCodeRepository"
],
"Resource": [
"arn:aws:sagemaker:*:*:*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogSageMakerTagPermission",
"Effect": "Allow",
"Action": [
"sagemaker:AddTags"
],
"Resource": [
"arn:aws:sagemaker:*:*:endpoint/*",
"arn:aws:sagemaker:*:*:endpoint-config/*",
"arn:aws:sagemaker:*:*:model/*",
"arn:aws:sagemaker:*:*:pipeline/*",
"arn:aws:sagemaker:*:*:project/*",
"arn:aws:sagemaker:*:*:model-package/*"
],
"Condition": {
"ForAllValues:StringLike": {
"aws:TagKeys": [
"sagemaker:*"
]
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogSageMakerImagePermission",
"Effect": "Allow",
"Action": [
"sagemaker:CreateImage",
"sagemaker:DeleteImage",
"sagemaker:DescribeImage",
"sagemaker:UpdateImage",
"sagemaker:ListTags"
],
"Resource": [
"arn:aws:sagemaker:*:*:image/*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogStepFunctionPermission",
"Effect": "Allow",
"Action": [
"states:CreateStateMachine",
"states:DeleteStateMachine",
"states:UpdateStateMachine"
],
"Resource": [
"arn:aws:states:*:*:stateMachine:sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerServiceCatalogCodeStarPermission",
"Effect": "Allow",
"Action": "codestar-connections:PassConnection",
"Resource": "arn:aws:codestar-connections:*:*:connection/*",
"Condition": {
"StringEquals": {
"codestar-connections:PassedToService": "codepipeline.amazonaws.com"
}
}
},
{
"Sid": "AmazonSageMakerServiceCatalogCodeConnectionPermission",
"Effect": "Allow",
"Action": "codeconnections:PassConnection",
"Resource": "arn:aws:codeconnections:*:*:connection/*",
"Condition": {
"StringEquals": {
"codeconnections:PassedToService": "codepipeline.amazonaws.com"
}
}
}
]
}
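The policy above gates several statements on tags using four different condition operators (StringLike, Null, ForAnyValue and ForAllValues), and they behave differently when the tag or tag key is missing from the request. The following is an added example, not AWS code: a simplified model of those operators, run over constructed request contexts. The condition blocks are copied from the statements above; the tag values and the helper names are assumptions made for the illustration.

```python
import re

def string_like(value, pattern):
    """IAM StringLike: case-sensitive; '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

MATCHERS = {"StringLike": string_like, "StringEquals": lambda value, pattern: value == pattern}

def as_list(x):
    return list(x) if isinstance(x, (list, tuple, set)) else [x]

def eval_operator(operator, key, policy_values, context):
    """Evaluate one operator/key pair against a request context.

    Simplified model: context keys must be spelled exactly as in the policy
    (real IAM treats condition key names case-insensitively).
    """
    present = as_list(context[key]) if key in context else []
    wanted = [str(v).lower() if isinstance(v, bool) else v for v in as_list(policy_values)]
    if operator == "Null":
        # "false" means the key must be present; "true" means it must be absent.
        return (not present) == (wanted[0].lower() == "true")
    qualifier, _, base = operator.rpartition(":")
    hit = lambda v: any(MATCHERS[base](v, p) for p in wanted)
    if qualifier == "ForAllValues":
        return all(hit(v) for v in present)   # vacuously true when the key is absent
    if qualifier == "ForAnyValue":
        return any(hit(v) for v in present)   # false when the key is absent
    return len(present) == 1 and hit(present[0])  # single-valued key must exist and match

def condition_matches(condition, context):
    """Every operator and every key inside one Condition block must hold (logical AND)."""
    return all(eval_operator(op, key, values, context)
               for op, keys in condition.items() for key, values in keys.items())

# Condition blocks copied from the statements (by Sid) in the policy above.
CONDITIONS = {
    "AmazonSageMakerServiceCatalogAPIGatewayPermission":
        {"StringLike": {"aws:ResourceTag/sagemaker:launch-source": "*"}},
    "AmazonSageMakerServiceCatalogAPIGatewayPostPermission":
        {"ForAnyValue:StringLike": {"aws:TagKeys": ["sagemaker:launch-source"]}},
    "AmazonSageMakerServiceCatalogCFnTagPermission":
        {"Null": {"aws:ResourceTag/sagemaker:project-name": "false"}},
    "AmazonSageMakerServiceCatalogLambdaTagPermission":
        {"ForAllValues:StringLike": {"aws:TagKeys": ["sagemaker:*"]}},
}

# Constructed request contexts; tag values and the "team" key are made up.
CASES = [
    ("AmazonSageMakerServiceCatalogAPIGatewayPermission",
     {"aws:ResourceTag/sagemaker:launch-source": "demo"}),          # tagged resource
    ("AmazonSageMakerServiceCatalogAPIGatewayPermission", {}),      # untagged resource
    ("AmazonSageMakerServiceCatalogAPIGatewayPostPermission",
     {"aws:TagKeys": ["sagemaker:launch-source", "team"]}),         # extra keys are tolerated
    ("AmazonSageMakerServiceCatalogAPIGatewayPostPermission", {}),  # no tags in the request
    ("AmazonSageMakerServiceCatalogCFnTagPermission",
     {"aws:ResourceTag/sagemaker:project-name": "demo"}),           # tag exists, any value
    ("AmazonSageMakerServiceCatalogCFnTagPermission", {}),          # tag missing
    ("AmazonSageMakerServiceCatalogLambdaTagPermission",
     {"aws:TagKeys": ["sagemaker:project-name", "team"]}),          # one key outside sagemaker:*
    ("AmazonSageMakerServiceCatalogLambdaTagPermission",
     {"aws:TagKeys": ["sagemaker:project-name"]}),                  # all keys inside sagemaker:*
    ("AmazonSageMakerServiceCatalogLambdaTagPermission", {}),       # no tag keys at all
]

def run_cases():
    """Return (sid, context, condition_result) for every constructed case."""
    return [(sid, ctx, condition_matches(CONDITIONS[sid], ctx)) for sid, ctx in CASES]

if __name__ == "__main__":
    for sid, ctx, ok in run_cases():
        print(f"{'match   ' if ok else 'no match'}  {sid}  {ctx}")
```

The last case is the one to remember when reusing this pattern in your own policies: a ForAllValues condition is satisfied by a request that carries no tag keys at all, whereas ForAnyValue and Null "false" both require the key to be present.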
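AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy
This policy is used by Amazon API Gateway within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole
Permissions details
This policy includes the following permissions.
- lambda: Invoke a function created by a partner template.
- sagemaker: Invoke an endpoint created by a partner template.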
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:*:*:function:sagemaker-*",
"Condition": {
"Null": {
"aws:ResourceTag/sagemaker:project-name": "false",
"aws:ResourceTag/sagemaker:partner": "false"
},
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Effect": "Allow",
"Action": "sagemaker:InvokeEndpoint",
"Resource": "arn:aws:sagemaker:*:*:endpoint/*",
"Condition": {
"Null": {
"aws:ResourceTag/sagemaker:project-name": "false",
"aws:ResourceTag/sagemaker:partner": "false"
},
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
}
]
}
AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy
This policy is used by AWS CloudFormation within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole
Permissions details
This policy includes the following permissions.
- iam: Pass the AmazonSageMakerServiceCatalogProductsLambdaRole and AmazonSageMakerServiceCatalogProductsApiGatewayRole roles.
- lambda: Create, update, delete, and invoke AWS Lambda functions; retrieve, publish, and delete versions of a Lambda layer.
- apigateway: Create, update, and delete Amazon API Gateway resources.
- s3: Retrieve the lambda-auth-code/layer.zip file from an Amazon Simple Storage Service (Amazon S3) bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsLambdaRole"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": "lambda.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsApiGatewayRole"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": "apigateway.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"lambda:DeleteFunction",
"lambda:UpdateFunctionCode",
"lambda:ListTags",
"lambda:InvokeFunction"
],
"Resource": [
"arn:aws:lambda:*:*:function:sagemaker-*"
],
"Condition": {
"Null": {
"aws:ResourceTag/sagemaker:project-name": "false",
"aws:ResourceTag/sagemaker:partner": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:TagResource"
],
"Resource": [
"arn:aws:lambda:*:*:function:sagemaker-*"
],
"Condition": {
"Null": {
"aws:ResourceTag/sagemaker:project-name": "false",
"aws:ResourceTag/sagemaker:partner": "false"
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"sagemaker:project-name",
"sagemaker:partner"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"lambda:PublishLayerVersion",
"lambda:GetLayerVersion",
"lambda:DeleteLayerVersion",
"lambda:GetFunction"
],
"Resource": [
"arn:aws:lambda:*:*:layer:sagemaker-*",
"arn:aws:lambda:*:*:function:sagemaker-*"
]
},
{
"Effect": "Allow",
"Action": [
"apigateway:GET",
"apigateway:DELETE",
"apigateway:PATCH",
"apigateway:POST",
"apigateway:PUT"
],
"Resource": [
"arn:aws:apigateway:*::/restapis/*",
"arn:aws:apigateway:*::/restapis"
],
"Condition": {
"Null": {
"aws:ResourceTag/sagemaker:project-name": "false",
"aws:ResourceTag/sagemaker:partner": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"apigateway:POST",
"apigateway:PUT"
],
"Resource": [
"arn:aws:apigateway:*::/restapis",
"arn:aws:apigateway:*::/tags/*"
],
"Condition": {
"Null": {
"aws:ResourceTag/sagemaker:project-name": "false",
"aws:ResourceTag/sagemaker:partner": "false"
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"sagemaker:project-name",
"sagemaker:partner"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::sagemaker-*/lambda-auth-code/layer.zip"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
}
]
}
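AWS managed policy: AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy
This policy is used by AWS Lambda within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole
Permissions details
This policy includes the following permissions.
- secretsmanager: Retrieve data from secrets that the partner provides for a partner template.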
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:*:*:secret:*",
"Condition": {
"Null": {
"aws:ResourceTag/sagemaker:partner": false
},
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
}
]
}
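AWS managed policy: AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy
This policy is used by Amazon API Gateway within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole
Permissions details
This policy includes the following permissions.
- logs: Create and read CloudWatch Logs groups, streams, and events; update events; describe various resources. These permissions are limited to resources whose log group prefix starts with "aws/apigateway/".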
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogDelivery",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DeleteLogDelivery",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:DescribeResourcePolicies",
"logs:DescribeDestinations",
"logs:DescribeExportTasks",
"logs:DescribeMetricFilters",
"logs:DescribeQueries",
"logs:DescribeQueryDefinitions",
"logs:DescribeSubscriptionFilters",
"logs:GetLogDelivery",
"logs:GetLogEvents",
"logs:PutLogEvents",
"logs:PutResourcePolicy",
"logs:UpdateLogDelivery"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/apigateway/*"
}
]
}
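AWS managed policy: AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy
This policy is used by AWS CloudFormation within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole
Permissions details
This policy includes the following permissions.
- sagemaker: Allow access to various SageMaker AI resources, excluding domains, user profiles, apps, and flow definitions.
- iam: Pass the AmazonSageMakerServiceCatalogProductsCodeBuildRole and AmazonSageMakerServiceCatalogProductsExecutionRole roles.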
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sagemaker:AddAssociation",
"sagemaker:AddTags",
"sagemaker:AssociateTrialComponent",
"sagemaker:BatchDescribeModelPackage",
"sagemaker:BatchGetMetrics",
"sagemaker:BatchGetRecord",
"sagemaker:BatchPutMetrics",
"sagemaker:CreateAction",
"sagemaker:CreateAlgorithm",
"sagemaker:CreateApp",
"sagemaker:CreateAppImageConfig",
"sagemaker:CreateArtifact",
"sagemaker:CreateAutoMLJob",
"sagemaker:CreateCodeRepository",
"sagemaker:CreateCompilationJob",
"sagemaker:CreateContext",
"sagemaker:CreateDataQualityJobDefinition",
"sagemaker:CreateDeviceFleet",
"sagemaker:CreateDomain",
"sagemaker:CreateEdgePackagingJob",
"sagemaker:CreateEndpoint",
"sagemaker:CreateEndpointConfig",
"sagemaker:CreateExperiment",
"sagemaker:CreateFeatureGroup",
"sagemaker:CreateFlowDefinition",
"sagemaker:CreateHumanTaskUi",
"sagemaker:CreateHyperParameterTuningJob",
"sagemaker:CreateImage",
"sagemaker:CreateImageVersion",
"sagemaker:CreateInferenceRecommendationsJob",
"sagemaker:CreateLabelingJob",
"sagemaker:CreateLineageGroupPolicy",
"sagemaker:CreateModel",
"sagemaker:CreateModelBiasJobDefinition",
"sagemaker:CreateModelExplainabilityJobDefinition",
"sagemaker:CreateModelPackage",
"sagemaker:CreateModelPackageGroup",
"sagemaker:CreateModelQualityJobDefinition",
"sagemaker:CreateMonitoringSchedule",
"sagemaker:CreateNotebookInstance",
"sagemaker:CreateNotebookInstanceLifecycleConfig",
"sagemaker:CreatePipeline",
"sagemaker:CreatePresignedDomainUrl",
"sagemaker:CreatePresignedNotebookInstanceUrl",
"sagemaker:CreateProcessingJob",
"sagemaker:CreateProject",
"sagemaker:CreateTrainingJob",
"sagemaker:CreateTransformJob",
"sagemaker:CreateTrial",
"sagemaker:CreateTrialComponent",
"sagemaker:CreateUserProfile",
"sagemaker:CreateWorkforce",
"sagemaker:CreateWorkteam",
"sagemaker:DeleteAction",
"sagemaker:DeleteAlgorithm",
"sagemaker:DeleteApp",
"sagemaker:DeleteAppImageConfig",
"sagemaker:DeleteArtifact",
"sagemaker:DeleteAssociation",
"sagemaker:DeleteCodeRepository",
"sagemaker:DeleteContext",
"sagemaker:DeleteDataQualityJobDefinition",
"sagemaker:DeleteDeviceFleet",
"sagemaker:DeleteDomain",
"sagemaker:DeleteEndpoint",
"sagemaker:DeleteEndpointConfig",
"sagemaker:DeleteExperiment",
"sagemaker:DeleteFeatureGroup",
"sagemaker:DeleteFlowDefinition",
"sagemaker:DeleteHumanLoop",
"sagemaker:DeleteHumanTaskUi",
"sagemaker:DeleteImage",
"sagemaker:DeleteImageVersion",
"sagemaker:DeleteLineageGroupPolicy",
"sagemaker:DeleteModel",
"sagemaker:DeleteModelBiasJobDefinition",
"sagemaker:DeleteModelExplainabilityJobDefinition",
"sagemaker:DeleteModelPackage",
"sagemaker:DeleteModelPackageGroup",
"sagemaker:DeleteModelPackageGroupPolicy",
"sagemaker:DeleteModelQualityJobDefinition",
"sagemaker:DeleteMonitoringSchedule",
"sagemaker:DeleteNotebookInstance",
"sagemaker:DeleteNotebookInstanceLifecycleConfig",
"sagemaker:DeletePipeline",
"sagemaker:DeleteProject",
"sagemaker:DeleteRecord",
"sagemaker:DeleteTags",
"sagemaker:DeleteTrial",
"sagemaker:DeleteTrialComponent",
"sagemaker:DeleteUserProfile",
"sagemaker:DeleteWorkforce",
"sagemaker:DeleteWorkteam",
"sagemaker:DeregisterDevices",
"sagemaker:DescribeAction",
"sagemaker:DescribeAlgorithm",
"sagemaker:DescribeApp",
"sagemaker:DescribeAppImageConfig",
"sagemaker:DescribeArtifact",
"sagemaker:DescribeAutoMLJob",
"sagemaker:DescribeCodeRepository",
"sagemaker:DescribeCompilationJob",
"sagemaker:DescribeContext",
"sagemaker:DescribeDataQualityJobDefinition",
"sagemaker:DescribeDevice",
"sagemaker:DescribeDeviceFleet",
"sagemaker:DescribeDomain",
"sagemaker:DescribeEdgePackagingJob",
"sagemaker:DescribeEndpoint",
"sagemaker:DescribeEndpointConfig",
"sagemaker:DescribeExperiment",
"sagemaker:DescribeFeatureGroup",
"sagemaker:DescribeFlowDefinition",
"sagemaker:DescribeHumanLoop",
"sagemaker:DescribeHumanTaskUi",
"sagemaker:DescribeHyperParameterTuningJob",
"sagemaker:DescribeImage",
"sagemaker:DescribeImageVersion",
"sagemaker:DescribeInferenceRecommendationsJob",
"sagemaker:DescribeLabelingJob",
"sagemaker:DescribeLineageGroup",
"sagemaker:DescribeModel",
"sagemaker:DescribeModelBiasJobDefinition",
"sagemaker:DescribeModelExplainabilityJobDefinition",
"sagemaker:DescribeModelPackage",
"sagemaker:DescribeModelPackageGroup",
"sagemaker:DescribeModelQualityJobDefinition",
"sagemaker:DescribeMonitoringSchedule",
"sagemaker:DescribeNotebookInstance",
"sagemaker:DescribeNotebookInstanceLifecycleConfig",
"sagemaker:DescribePipeline",
"sagemaker:DescribePipelineDefinitionForExecution",
"sagemaker:DescribePipelineExecution",
"sagemaker:DescribeProcessingJob",
"sagemaker:DescribeProject",
"sagemaker:DescribeSubscribedWorkteam",
"sagemaker:DescribeTrainingJob",
"sagemaker:DescribeTransformJob",
"sagemaker:DescribeTrial",
"sagemaker:DescribeTrialComponent",
"sagemaker:DescribeUserProfile",
"sagemaker:DescribeWorkforce",
"sagemaker:DescribeWorkteam",
"sagemaker:DisableSagemakerServicecatalogPortfolio",
"sagemaker:DisassociateTrialComponent",
"sagemaker:EnableSagemakerServicecatalogPortfolio",
"sagemaker:GetDeviceFleetReport",
"sagemaker:GetDeviceRegistration",
"sagemaker:GetLineageGroupPolicy",
"sagemaker:GetModelPackageGroupPolicy",
"sagemaker:GetRecord",
"sagemaker:GetSagemakerServicecatalogPortfolioStatus",
"sagemaker:GetSearchSuggestions",
"sagemaker:InvokeEndpoint",
"sagemaker:InvokeEndpointAsync",
"sagemaker:ListActions",
"sagemaker:ListAlgorithms",
"sagemaker:ListAppImageConfigs",
"sagemaker:ListApps",
"sagemaker:ListArtifacts",
"sagemaker:ListAssociations",
"sagemaker:ListAutoMLJobs",
"sagemaker:ListCandidatesForAutoMLJob",
"sagemaker:ListCodeRepositories",
"sagemaker:ListCompilationJobs",
"sagemaker:ListContexts",
"sagemaker:ListDataQualityJobDefinitions",
"sagemaker:ListDeviceFleets",
"sagemaker:ListDevices",
"sagemaker:ListDomains",
"sagemaker:ListEdgePackagingJobs",
"sagemaker:ListEndpointConfigs",
"sagemaker:ListEndpoints",
"sagemaker:ListExperiments",
"sagemaker:ListFeatureGroups",
"sagemaker:ListFlowDefinitions",
"sagemaker:ListHumanLoops",
"sagemaker:ListHumanTaskUis",
"sagemaker:ListHyperParameterTuningJobs",
"sagemaker:ListImageVersions",
"sagemaker:ListImages",
"sagemaker:ListInferenceRecommendationsJobs",
"sagemaker:ListLabelingJobs",
"sagemaker:ListLabelingJobsForWorkteam",
"sagemaker:ListLineageGroups",
"sagemaker:ListModelBiasJobDefinitions",
"sagemaker:ListModelExplainabilityJobDefinitions",
"sagemaker:ListModelMetadata",
"sagemaker:ListModelPackageGroups",
"sagemaker:ListModelPackages",
"sagemaker:ListModelQualityJobDefinitions",
"sagemaker:ListModels",
"sagemaker:ListMonitoringExecutions",
"sagemaker:ListMonitoringSchedules",
"sagemaker:ListNotebookInstanceLifecycleConfigs",
"sagemaker:ListNotebookInstances",
"sagemaker:ListPipelineExecutionSteps",
"sagemaker:ListPipelineExecutions",
"sagemaker:ListPipelineParametersForExecution",
"sagemaker:ListPipelines",
"sagemaker:ListProcessingJobs",
"sagemaker:ListProjects",
"sagemaker:ListSubscribedWorkteams",
"sagemaker:ListTags",
"sagemaker:ListTrainingJobs",
"sagemaker:ListTrainingJobsForHyperParameterTuningJob",
"sagemaker:ListTransformJobs",
"sagemaker:ListTrialComponents",
"sagemaker:ListTrials",
"sagemaker:ListUserProfiles",
"sagemaker:ListWorkforces",
"sagemaker:ListWorkteams",
"sagemaker:PutLineageGroupPolicy",
"sagemaker:PutModelPackageGroupPolicy",
"sagemaker:PutRecord",
"sagemaker:QueryLineage",
"sagemaker:RegisterDevices",
"sagemaker:RenderUiTemplate",
"sagemaker:Search",
"sagemaker:SendHeartbeat",
"sagemaker:SendPipelineExecutionStepFailure",
"sagemaker:SendPipelineExecutionStepSuccess",
"sagemaker:StartHumanLoop",
"sagemaker:StartMonitoringSchedule",
"sagemaker:StartNotebookInstance",
"sagemaker:StartPipelineExecution",
"sagemaker:StopAutoMLJob",
"sagemaker:StopCompilationJob",
"sagemaker:StopEdgePackagingJob",
"sagemaker:StopHumanLoop",
"sagemaker:StopHyperParameterTuningJob",
"sagemaker:StopInferenceRecommendationsJob",
"sagemaker:StopLabelingJob",
"sagemaker:StopMonitoringSchedule",
"sagemaker:StopNotebookInstance",
"sagemaker:StopPipelineExecution",
"sagemaker:StopProcessingJob",
"sagemaker:StopTrainingJob",
"sagemaker:StopTransformJob",
"sagemaker:UpdateAction",
"sagemaker:UpdateAppImageConfig",
"sagemaker:UpdateArtifact",
"sagemaker:UpdateCodeRepository",
"sagemaker:UpdateContext",
"sagemaker:UpdateDeviceFleet",
"sagemaker:UpdateDevices",
"sagemaker:UpdateDomain",
"sagemaker:UpdateEndpoint",
"sagemaker:UpdateEndpointWeightsAndCapacities",
"sagemaker:UpdateExperiment",
"sagemaker:UpdateImage",
"sagemaker:UpdateModelPackage",
"sagemaker:UpdateMonitoringSchedule",
"sagemaker:UpdateNotebookInstance",
"sagemaker:UpdateNotebookInstanceLifecycleConfig",
"sagemaker:UpdatePipeline",
"sagemaker:UpdatePipelineExecution",
"sagemaker:UpdateProject",
"sagemaker:UpdateTrainingJob",
"sagemaker:UpdateTrial",
"sagemaker:UpdateTrialComponent",
"sagemaker:UpdateUserProfile",
"sagemaker:UpdateWorkforce",
"sagemaker:UpdateWorkteam"
],
"NotResource": [
"arn:aws:sagemaker:*:*:domain/*",
"arn:aws:sagemaker:*:*:user-profile/*",
"arn:aws:sagemaker:*:*:app/*",
"arn:aws:sagemaker:*:*:flow-definition/*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCodeBuildRole",
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsExecutionRole"
]
}
]
}
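The iam:PassRole statements in the policies on this page are scoped in different ways: some name exact roles, one uses a name prefix, and only some carry an iam:PassedToService condition. The following is an added example, not AWS code: a small audit that reports, for each PassRole statement, whether the role ARN is a wildcard and which services the role may be passed to. The statements are copied from four of the policies on this page; the function names and the report fields are assumptions made for the illustration.

```python
ROLE = "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProducts"

# Only the iam:PassRole statements are reproduced, copied from the policies on this page.
PASSROLE_STATEMENTS = {
    "AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy": [
        {"Sid": "AmazonSageMakerServiceCatalogPassRolePermission", "Effect": "Allow",
         "Action": ["iam:PassRole"],
         "Resource": ["arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalog*"]},
    ],
    "AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy": [
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": [ROLE + "LambdaRole"],
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": [ROLE + "ApiGatewayRole"],
         "Condition": {"StringEquals": {"iam:PassedToService": "apigateway.amazonaws.com"}}},
    ],
    "AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy": [
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": [ROLE + "CodeBuildRole", ROLE + "ExecutionRole"]},
    ],
    "AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy": [
        {"Sid": "AmazonSageMakerCodeBuildPassRoletPermission", "Effect": "Allow",
         "Action": ["iam:PassRole"],
         "Resource": [ROLE + suffix for suffix in (
             "EventsRole", "CodePipelineRole", "CloudformationRole",
             "CodeBuildRole", "ExecutionRole")],
         "Condition": {"StringEquals": {"iam:PassedToService": [
             "events.amazonaws.com", "codepipeline.amazonaws.com",
             "cloudformation.amazonaws.com", "codebuild.amazonaws.com",
             "sagemaker.amazonaws.com"]}}},
    ],
}

def as_list(x):
    return x if isinstance(x, list) else [x]

def passed_to_services(condition):
    """Collect the service principals named by iam:PassedToService, if any."""
    services = []
    for operator, keys in condition.items():
        if operator.split(":")[-1] not in ("StringEquals", "StringLike"):
            continue
        for key, values in keys.items():
            if key.lower() == "iam:passedtoservice":
                services.extend(as_list(values))
    return sorted(services)

def audit_passrole(policy_name, statements):
    """Report how each Allow iam:PassRole statement is scoped."""
    findings = []
    for index, st in enumerate(statements):
        actions = {a.lower() for a in as_list(st.get("Action", []))}
        if st.get("Effect") != "Allow" or not actions & {"iam:passrole", "iam:*", "*"}:
            continue
        roles = as_list(st.get("Resource", []))
        services = passed_to_services(st.get("Condition", {}))
        findings.append({
            "policy": policy_name,
            # Index is relative to the statements embedded above, not the full policy.
            "statement": st.get("Sid", f"statement[{index}]"),
            # A '*' in the role path/name part means a family of roles, not one role.
            "wildcard_roles": [r for r in roles if "*" in r.split(":role/")[-1]],
            "passed_to": services,
            "service_unrestricted": not services or "*" in services,
            # Resources and condition values are each OR-ed, so the statement permits
            # every listed role with every listed service; the role's trust policy is
            # what decides which service can actually assume it.
            "combinations": len(roles) * len(services),
        })
    return findings

def audit_all():
    return [f for name, sts in PASSROLE_STATEMENTS.items() for f in audit_passrole(name, sts)]

def unrestricted(findings):
    """(policy, statement) pairs whose PassRole has no iam:PassedToService limit."""
    return [(f["policy"], f["statement"]) for f in findings if f["service_unrestricted"]]

if __name__ == "__main__":
    for f in audit_all():
        print(f)
```

For the statements flagged as service-unrestricted, the remaining control is the trust policy of each role that matches the ARN pattern, so that is the place to review when auditing an account that uses these managed policies.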
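AWS managed policy: AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy
This policy is used by AWS CodeBuild within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole
Permissions details
This policy includes the following permissions.
- sagemaker: Allow access to various SageMaker AI resources.
- codecommit: Upload CodeCommit archives to CodeBuild pipelines, get the upload status, and cancel uploads; get branch and commit information. These permissions are limited to resources whose name starts with "sagemaker-".
- ecr: Create Amazon ECR repositories and container images; upload image layers. These permissions are limited to repositories whose name starts with "sagemaker-".
- ecr: Read all resources.
- iam: Pass the following roles:
  - AmazonSageMakerServiceCatalogProductsCloudformationRole to AWS CloudFormation.
  - AmazonSageMakerServiceCatalogProductsCodeBuildRole to AWS CodeBuild.
  - AmazonSageMakerServiceCatalogProductsCodePipelineRole to AWS CodePipeline.
  - AmazonSageMakerServiceCatalogProductsEventsRole to Amazon EventBridge.
  - AmazonSageMakerServiceCatalogProductsExecutionRole to Amazon SageMaker AI.
- logs: Create and read CloudWatch Logs groups, streams, and events; update events; describe various resources. These permissions are limited to resources whose name prefix starts with "aws/codebuild/".
- s3: Create, read, and list Amazon S3 buckets. These permissions are limited to buckets whose name starts with "sagemaker-".
- codestarconnections, codestar-connections: Use AWS CodeConnections and AWS CodeStar connections.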
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AmazonSageMakerCodeBuildCodeCommitPermission",
"Effect": "Allow",
"Action": [
"codecommit:CancelUploadArchive",
"codecommit:GetBranch",
"codecommit:GetCommit",
"codecommit:GetUploadArchiveStatus",
"codecommit:UploadArchive"
],
"Resource": "arn:aws:codecommit:*:*:sagemaker-*"
},
{
"Sid": "AmazonSageMakerCodeBuildECRReadPermission",
"Effect": "Allow",
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeImageScanFindings",
"ecr:DescribeRegistry",
"ecr:DescribeImageReplicationStatus",
"ecr:DescribeRepositories",
"ecr:DescribeImageReplicationStatus",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer"
],
"Resource": [
"*"
]
},
{
"Sid": "AmazonSageMakerCodeBuildECRWritePermission",
"Effect": "Allow",
"Action": [
"ecr:CompleteLayerUpload",
"ecr:CreateRepository",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": [
"arn:aws:ecr:*:*:repository/sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerCodeBuildPassRoletPermission",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsEventsRole",
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCodePipelineRole",
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCloudformationRole",
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCodeBuildRole",
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsExecutionRole"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"events.amazonaws.com",
"codepipeline.amazonaws.com",
"cloudformation.amazonaws.com",
"codebuild.amazonaws.com",
"sagemaker.amazonaws.com"
]
}
}
},
{
"Sid": "AmazonSageMakerCodeBuildLogPermission",
"Effect": "Allow",
"Action": [
"logs:CreateLogDelivery",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DeleteLogDelivery",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:DescribeResourcePolicies",
"logs:DescribeDestinations",
"logs:DescribeExportTasks",
"logs:DescribeMetricFilters",
"logs:DescribeQueries",
"logs:DescribeQueryDefinitions",
"logs:DescribeSubscriptionFilters",
"logs:GetLogDelivery",
"logs:GetLogEvents",
"logs:ListLogDeliveries",
"logs:PutLogEvents",
"logs:PutResourcePolicy",
"logs:UpdateLogDelivery"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/codebuild/*"
},
{
"Sid": "AmazonSageMakerCodeBuildS3Permission",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:GetBucketAcl",
"s3:GetBucketCors",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutBucketCors",
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::aws-glue-*",
"arn:aws:s3:::sagemaker-*"
]
},
{
"Sid": "AmazonSageMakerCodeBuildSageMakerPermission",
"Effect": "Allow",
"Action": [
"sagemaker:AddAssociation",
"sagemaker:AddTags",
"sagemaker:AssociateTrialComponent",
"sagemaker:BatchDescribeModelPackage",
"sagemaker:BatchGetMetrics",
"sagemaker:BatchGetRecord",
"sagemaker:BatchPutMetrics",
"sagemaker:CreateAction",
"sagemaker:CreateAlgorithm",
"sagemaker:CreateApp",
"sagemaker:CreateAppImageConfig",
"sagemaker:CreateArtifact",
"sagemaker:CreateAutoMLJob",
"sagemaker:CreateCodeRepository",
"sagemaker:CreateCompilationJob",
"sagemaker:CreateContext",
"sagemaker:CreateDataQualityJobDefinition",
"sagemaker:CreateDeviceFleet",
"sagemaker:CreateDomain",
"sagemaker:CreateEdgePackagingJob",
"sagemaker:CreateEndpoint",
"sagemaker:CreateEndpointConfig",
"sagemaker:CreateExperiment",
"sagemaker:CreateFeatureGroup",
"sagemaker:CreateFlowDefinition",
"sagemaker:CreateHumanTaskUi",
"sagemaker:CreateHyperParameterTuningJob",
"sagemaker:CreateImage",
"sagemaker:CreateImageVersion",
"sagemaker:CreateInferenceRecommendationsJob",
"sagemaker:CreateLabelingJob",
"sagemaker:CreateLineageGroupPolicy",
"sagemaker:CreateModel",
"sagemaker:CreateModelBiasJobDefinition",
"sagemaker:CreateModelExplainabilityJobDefinition",
"sagemaker:CreateModelPackage",
"sagemaker:CreateModelPackageGroup",
"sagemaker:CreateModelQualityJobDefinition",
"sagemaker:CreateMonitoringSchedule",
"sagemaker:CreateNotebookInstance",
"sagemaker:CreateNotebookInstanceLifecycleConfig",
"sagemaker:CreatePipeline",
"sagemaker:CreatePresignedDomainUrl",
"sagemaker:CreatePresignedNotebookInstanceUrl",
"sagemaker:CreateProcessingJob",
"sagemaker:CreateProject",
"sagemaker:CreateTrainingJob",
"sagemaker:CreateTransformJob",
"sagemaker:CreateTrial",
"sagemaker:CreateTrialComponent",
"sagemaker:CreateUserProfile",
"sagemaker:CreateWorkforce",
"sagemaker:CreateWorkteam",
"sagemaker:DeleteAction",
"sagemaker:DeleteAlgorithm",
"sagemaker:DeleteApp",
"sagemaker:DeleteAppImageConfig",
"sagemaker:DeleteArtifact",
"sagemaker:DeleteAssociation",
"sagemaker:DeleteCodeRepository",
"sagemaker:DeleteContext",
"sagemaker:DeleteDataQualityJobDefinition",
"sagemaker:DeleteDeviceFleet",
"sagemaker:DeleteDomain",
"sagemaker:DeleteEndpoint",
"sagemaker:DeleteEndpointConfig",
"sagemaker:DeleteExperiment",
"sagemaker:DeleteFeatureGroup",
"sagemaker:DeleteFlowDefinition",
"sagemaker:DeleteHumanLoop",
"sagemaker:DeleteHumanTaskUi",
"sagemaker:DeleteImage",
"sagemaker:DeleteImageVersion",
"sagemaker:DeleteLineageGroupPolicy",
"sagemaker:DeleteModel",
"sagemaker:DeleteModelBiasJobDefinition",
"sagemaker:DeleteModelExplainabilityJobDefinition",
"sagemaker:DeleteModelPackage",
"sagemaker:DeleteModelPackageGroup",
"sagemaker:DeleteModelPackageGroupPolicy",
"sagemaker:DeleteModelQualityJobDefinition",
"sagemaker:DeleteMonitoringSchedule",
"sagemaker:DeleteNotebookInstance",
"sagemaker:DeleteNotebookInstanceLifecycleConfig",
"sagemaker:DeletePipeline",
"sagemaker:DeleteProject",
"sagemaker:DeleteRecord",
"sagemaker:DeleteTags",
"sagemaker:DeleteTrial",
"sagemaker:DeleteTrialComponent",
"sagemaker:DeleteUserProfile",
"sagemaker:DeleteWorkforce",
"sagemaker:DeleteWorkteam",
"sagemaker:DeregisterDevices",
"sagemaker:DescribeAction",
"sagemaker:DescribeAlgorithm",
"sagemaker:DescribeApp",
"sagemaker:DescribeAppImageConfig",
"sagemaker:DescribeArtifact",
"sagemaker:DescribeAutoMLJob",
"sagemaker:DescribeCodeRepository",
"sagemaker:DescribeCompilationJob",
"sagemaker:DescribeContext",
"sagemaker:DescribeDataQualityJobDefinition",
"sagemaker:DescribeDevice",
"sagemaker:DescribeDeviceFleet",
"sagemaker:DescribeDomain",
"sagemaker:DescribeEdgePackagingJob",
"sagemaker:DescribeEndpoint",
"sagemaker:DescribeEndpointConfig",
"sagemaker:DescribeExperiment",
"sagemaker:DescribeFeatureGroup",
"sagemaker:DescribeFlowDefinition",
"sagemaker:DescribeHumanLoop",
"sagemaker:DescribeHumanTaskUi",
"sagemaker:DescribeHyperParameterTuningJob",
"sagemaker:DescribeImage",
"sagemaker:DescribeImageVersion",
"sagemaker:DescribeInferenceRecommendationsJob",
"sagemaker:DescribeLabelingJob",
"sagemaker:DescribeLineageGroup",
"sagemaker:DescribeModel",
"sagemaker:DescribeModelBiasJobDefinition",
"sagemaker:DescribeModelExplainabilityJobDefinition",
"sagemaker:DescribeModelPackage",
"sagemaker:DescribeModelPackageGroup",
"sagemaker:DescribeModelQualityJobDefinition",
"sagemaker:DescribeMonitoringSchedule",
"sagemaker:DescribeNotebookInstance",
"sagemaker:DescribeNotebookInstanceLifecycleConfig",
"sagemaker:DescribePipeline",
"sagemaker:DescribePipelineDefinitionForExecution",
"sagemaker:DescribePipelineExecution",
"sagemaker:DescribeProcessingJob",
"sagemaker:DescribeProject",
"sagemaker:DescribeSubscribedWorkteam",
"sagemaker:DescribeTrainingJob",
"sagemaker:DescribeTransformJob",
"sagemaker:DescribeTrial",
"sagemaker:DescribeTrialComponent",
"sagemaker:DescribeUserProfile",
"sagemaker:DescribeWorkforce",
"sagemaker:DescribeWorkteam",
"sagemaker:DisableSagemakerServicecatalogPortfolio",
"sagemaker:DisassociateTrialComponent",
"sagemaker:EnableSagemakerServicecatalogPortfolio",
"sagemaker:GetDeviceFleetReport",
"sagemaker:GetDeviceRegistration",
"sagemaker:GetLineageGroupPolicy",
"sagemaker:GetModelPackageGroupPolicy",
"sagemaker:GetRecord",
"sagemaker:GetSagemakerServicecatalogPortfolioStatus",
"sagemaker:GetSearchSuggestions",
"sagemaker:InvokeEndpoint",
"sagemaker:InvokeEndpointAsync",
"sagemaker:ListActions",
"sagemaker:ListAlgorithms",
"sagemaker:ListAppImageConfigs",
"sagemaker:ListApps",
"sagemaker:ListArtifacts",
"sagemaker:ListAssociations",
"sagemaker:ListAutoMLJobs",
"sagemaker:ListCandidatesForAutoMLJob",
"sagemaker:ListCodeRepositories",
"sagemaker:ListCompilationJobs",
"sagemaker:ListContexts",
"sagemaker:ListDataQualityJobDefinitions",
"sagemaker:ListDeviceFleets",
"sagemaker:ListDevices",
"sagemaker:ListDomains",
"sagemaker:ListEdgePackagingJobs",
"sagemaker:ListEndpointConfigs",
"sagemaker:ListEndpoints",
"sagemaker:ListExperiments",
"sagemaker:ListFeatureGroups",
"sagemaker:ListFlowDefinitions",
"sagemaker:ListHumanLoops",
"sagemaker:ListHumanTaskUis",
"sagemaker:ListHyperParameterTuningJobs",
"sagemaker:ListImageVersions",
"sagemaker:ListImages",
"sagemaker:ListInferenceRecommendationsJobs",
"sagemaker:ListLabelingJobs",
"sagemaker:ListLabelingJobsForWorkteam",
"sagemaker:ListLineageGroups",
"sagemaker:ListModelBiasJobDefinitions",
"sagemaker:ListModelExplainabilityJobDefinitions",
"sagemaker:ListModelMetadata",
"sagemaker:ListModelPackageGroups",
"sagemaker:ListModelPackages",
"sagemaker:ListModelQualityJobDefinitions",
"sagemaker:ListModels",
"sagemaker:ListMonitoringExecutions",
"sagemaker:ListMonitoringSchedules",
"sagemaker:ListNotebookInstanceLifecycleConfigs",
"sagemaker:ListNotebookInstances",
"sagemaker:ListPipelineExecutionSteps",
"sagemaker:ListPipelineExecutions",
"sagemaker:ListPipelineParametersForExecution",
"sagemaker:ListPipelines",
"sagemaker:ListProcessingJobs",
"sagemaker:ListProjects",
"sagemaker:ListSubscribedWorkteams",
"sagemaker:ListTags",
"sagemaker:ListTrainingJobs",
"sagemaker:ListTrainingJobsForHyperParameterTuningJob",
"sagemaker:ListTransformJobs",
"sagemaker:ListTrialComponents",
"sagemaker:ListTrials",
"sagemaker:ListUserProfiles",
"sagemaker:ListWorkforces",
"sagemaker:ListWorkteams",
"sagemaker:PutLineageGroupPolicy",
"sagemaker:PutModelPackageGroupPolicy",
"sagemaker:PutRecord",
"sagemaker:QueryLineage",
"sagemaker:RegisterDevices",
"sagemaker:RenderUiTemplate",
"sagemaker:Search",
"sagemaker:SendHeartbeat",
"sagemaker:SendPipelineExecutionStepFailure",
"sagemaker:SendPipelineExecutionStepSuccess",
"sagemaker:StartHumanLoop",
"sagemaker:StartMonitoringSchedule",
"sagemaker:StartNotebookInstance",
"sagemaker:StartPipelineExecution",
"sagemaker:StopAutoMLJob",
"sagemaker:StopCompilationJob",
"sagemaker:StopEdgePackagingJob",
"sagemaker:StopHumanLoop",
"sagemaker:StopHyperParameterTuningJob",
"sagemaker:StopInferenceRecommendationsJob",
"sagemaker:StopLabelingJob",
"sagemaker:StopMonitoringSchedule",
"sagemaker:StopNotebookInstance",
"sagemaker:StopPipelineExecution",
"sagemaker:StopProcessingJob",
"sagemaker:StopTrainingJob",
"sagemaker:StopTransformJob",
"sagemaker:UpdateAction",
"sagemaker:UpdateAppImageConfig",
"sagemaker:UpdateArtifact",
"sagemaker:UpdateCodeRepository",
"sagemaker:UpdateContext",
"sagemaker:UpdateDeviceFleet",
"sagemaker:UpdateDevices",
"sagemaker:UpdateDomain",
"sagemaker:UpdateEndpoint",
"sagemaker:UpdateEndpointWeightsAndCapacities",
"sagemaker:UpdateExperiment",
"sagemaker:UpdateImage",
"sagemaker:UpdateModelPackage",
"sagemaker:UpdateMonitoringSchedule",
"sagemaker:UpdateNotebookInstance",
"sagemaker:UpdateNotebookInstanceLifecycleConfig",
"sagemaker:UpdatePipeline",
"sagemaker:UpdatePipelineExecution",
"sagemaker:UpdateProject",
"sagemaker:UpdateTrainingJob",
"sagemaker:UpdateTrial",
"sagemaker:UpdateTrialComponent",
"sagemaker:UpdateUserProfile",
"sagemaker:UpdateWorkforce",
"sagemaker:UpdateWorkteam"
],
"Resource": [
"arn:aws:sagemaker:*:*:endpoint/*",
"arn:aws:sagemaker:*:*:endpoint-config/*",
"arn:aws:sagemaker:*:*:model/*",
"arn:aws:sagemaker:*:*:pipeline/*",
"arn:aws:sagemaker:*:*:project/*",
"arn:aws:sagemaker:*:*:model-package/*"
]
},
{
"Sid" : "AmazonSageMakerCodeBuildCodeStarConnectionPermission",
"Effect": "Allow",
"Action": [
"codestar-connections:UseConnection"
],
"Resource": [
"arn:aws:codestar-connections:*:*:connection/*"
],
"Condition": {
"StringEqualsIgnoreCase": {
"aws:ResourceTag/sagemaker": "true"
}
}
},
{
"Sid" : "AmazonSageMakerCodeBuildCodeConnectionPermission",
"Effect": "Allow",
"Action": [
"codeconnections:UseConnection"
],
"Resource": [
"arn:aws:codeconnections:*:*:connection/*"
],
"Condition": {
"StringEqualsIgnoreCase": {
"aws:ResourceTag/sagemaker": "true"
}
}
}
]
}
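AWS managed policy: AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy
This policy is used by AWS CodePipeline within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole
Permissions details
This policy includes the following permissions.
- cloudformation - Create, read, delete, and update CloudFormation stacks; create, read, delete, and execute change sets; set stack policy; tag and untag resources. These permissions are limited to resources whose names start with "sagemaker-".
- s3 - Create, read, list, and delete Amazon S3 buckets; add, read, and delete objects in the buckets; read and set the CORS configuration; read the access control list (ACL); and read the AWS Region the bucket resides in. These permissions are limited to buckets whose names start with "sagemaker-" or "aws-glue-".
- iam - Pass the AmazonSageMakerServiceCatalogProductsCloudformationRole role.
- codebuild - Get CodeBuild build information and start builds. These permissions are limited to project and build resources whose names start with "sagemaker-".
- codecommit - Upload CodeCommit archives to CodeBuild pipelines, get upload status, and cancel uploads; get branch and commit information.
- codestarconnections, codestar-connections - Use AWS CodeConnections and AWS CodeStar connections.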
{
"Version": "2012-10-17",
"Statement": [
{
"Sid" : "AmazonSageMakerCodePipelineCFnPermission",
"Effect": "Allow",
"Action": [
"cloudformation:CreateChangeSet",
"cloudformation:CreateStack",
"cloudformation:DescribeChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:ExecuteChangeSet",
"cloudformation:SetStackPolicy",
"cloudformation:UpdateStack"
],
"Resource": "arn:aws:cloudformation:*:*:stack/sagemaker-*"
},
{
"Sid" : "AmazonSageMakerCodePipelineCFnTagPermission",
"Effect": "Allow",
"Action": [
"cloudformation:TagResource",
"cloudformation:UntagResource"
],
"Resource": "arn:aws:cloudformation:*:*:stack/sagemaker-*",
"Condition" : {
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"sagemaker:project-name"
]
}
}
},
{
"Sid" : "AmazonSageMakerCodePipelineS3Permission",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::sagemaker-*"
]
},
{
"Sid" : "AmazonSageMakerCodePipelinePassRolePermission",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCloudformationRole"
]
},
{
"Sid" : "AmazonSageMakerCodePipelineCodeBuildPermission",
"Effect": "Allow",
"Action": [
"codebuild:BatchGetBuilds",
"codebuild:StartBuild"
],
"Resource": [
"arn:aws:codebuild:*:*:project/sagemaker-*",
"arn:aws:codebuild:*:*:build/sagemaker-*"
]
},
{
"Sid" : "AmazonSageMakerCodePipelineCodeCommitPermission",
"Effect": "Allow",
"Action": [
"codecommit:CancelUploadArchive",
"codecommit:GetBranch",
"codecommit:GetCommit",
"codecommit:GetUploadArchiveStatus",
"codecommit:UploadArchive"
],
"Resource": "arn:aws:codecommit:*:*:sagemaker-*"
},
{
"Sid" : "AmazonSageMakerCodePipelineCodeStarConnectionPermission",
"Effect": "Allow",
"Action": [
"codestar-connections:UseConnection"
],
"Resource": [
"arn:aws:codestar-connections:*:*:connection/*"
],
"Condition": {
"StringEqualsIgnoreCase": {
"aws:ResourceTag/sagemaker": "true"
}
}
},
{
"Sid" : "AmazonSageMakerCodePipelineCodeConnectionPermission",
"Effect": "Allow",
"Action": [
"codeconnections:UseConnection"
],
"Resource": [
"arn:aws:codeconnections:*:*:connection/*"
],
"Condition": {
"StringEqualsIgnoreCase": {
"aws:ResourceTag/sagemaker": "true"
}
}
}
]
}
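AWS managed policy: AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy
This policy is used by Amazon EventBridge within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole
Permissions details
This policy includes the following permissions.
- codepipeline - Start a CodeBuild execution. These permissions are limited to pipelines whose names start with "sagemaker-".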
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "codepipeline:StartPipelineExecution",
"Resource": "arn:aws:codepipeline:*:*:sagemaker-*"
}
]
}
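AWS managed policy: AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy
This policy is used by Amazon Data Firehose within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole
Permissions details
This policy includes the following permissions.
- firehose - Send Firehose records. These permissions are limited to resources whose delivery stream names start with "sagemaker-".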
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"firehose:PutRecord",
"firehose:PutRecordBatch"
],
"Resource": "arn:aws:firehose:*:*:deliverystream/sagemaker-*"
}
]
}
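AWS managed policy: AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy
This policy is used by AWS Glue within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole
Permissions details
This policy includes the following permissions.
- glue - Create, read, and delete AWS Glue partitions, tables, and table versions. These permissions are limited to resources whose names start with "sagemaker-". Create and read AWS Glue databases. These permissions are limited to databases whose names are "default", "global_temp", or start with "sagemaker-". Get user-defined functions.
- s3 - Create, read, list, and delete Amazon S3 buckets; add, read, and delete objects in the buckets; read and set the CORS configuration; read the access control list (ACL); and read the AWS Region the bucket resides in. These permissions are limited to buckets whose names start with "sagemaker-" or "aws-glue-".
- logs - Create, read, and delete CloudWatch Logs groups, streams, and deliveries; and create a resource policy. These permissions are limited to resources whose name prefix starts with "aws/glue/".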
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"glue:BatchCreatePartition",
"glue:BatchDeletePartition",
"glue:BatchDeleteTable",
"glue:BatchDeleteTableVersion",
"glue:BatchGetPartition",
"glue:CreateDatabase",
"glue:CreatePartition",
"glue:CreateTable",
"glue:DeletePartition",
"glue:DeleteTable",
"glue:DeleteTableVersion",
"glue:GetDatabase",
"glue:GetPartition",
"glue:GetPartitions",
"glue:GetTable",
"glue:GetTables",
"glue:GetTableVersion",
"glue:GetTableVersions",
"glue:SearchTables",
"glue:UpdatePartition",
"glue:UpdateTable",
"glue:GetUserDefinedFunctions"
],
"Resource": [
"arn:aws:glue:*:*:catalog",
"arn:aws:glue:*:*:database/default",
"arn:aws:glue:*:*:database/global_temp",
"arn:aws:glue:*:*:database/sagemaker-*",
"arn:aws:glue:*:*:table/sagemaker-*",
"arn:aws:glue:*:*:tableVersion/sagemaker-*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:GetBucketAcl",
"s3:GetBucketCors",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutBucketCors"
],
"Resource": [
"arn:aws:s3:::aws-glue-*",
"arn:aws:s3:::sagemaker-*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::aws-glue-*",
"arn:aws:s3:::sagemaker-*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogDelivery",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DeleteLogDelivery",
"logs:Describe*",
"logs:GetLogDelivery",
"logs:GetLogEvents",
"logs:ListLogDeliveries",
"logs:PutLogEvents",
"logs:PutResourcePolicy",
"logs:UpdateLogDelivery"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/glue/*"
}
]
}
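AWS managed policy: AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy
This policy is used by AWS Lambda within the AWS Service Catalog provisioned products from the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that the AmazonSageMakerServiceCatalogProductsLaunchRole
Permissions details
This policy includes the following permissions.
- sagemaker - Allow access to various SageMaker AI resources.
- ecr - Create and delete Amazon ECR repositories; create, read, and delete container images; upload image layers. These permissions are limited to repositories whose names start with "sagemaker-".
- events - Create, read, and delete Amazon EventBridge rules; and create and remove targets. These permissions are limited to rules whose names start with "sagemaker-".
- s3 - Create, read, list, and delete Amazon S3 buckets; add, read, and delete objects in the buckets; read and set the CORS configuration; read the access control list (ACL); and read the AWS Region the bucket resides in. These permissions are limited to buckets whose names start with "sagemaker-" or "aws-glue-".
- iam - Pass the AmazonSageMakerServiceCatalogProductsExecutionRole role.
- logs - Create, read, and delete CloudWatch Logs groups, streams, and deliveries; and create a resource policy. These permissions are limited to resources whose name prefix starts with "aws/lambda/".
- codebuild - Start and get information about AWS CodeBuild builds.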
{
"Version": "2012-10-17",
"Statement": [
{
"Sid" : "AmazonSageMakerLambdaECRPermission",
"Effect": "Allow",
"Action": [
"ecr:DescribeImages",
"ecr:BatchDeleteImage",
"ecr:CompleteLayerUpload",
"ecr:CreateRepository",
"ecr:DeleteRepository",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": [
"arn:aws:ecr:*:*:repository/sagemaker-*"
]
},
{
"Sid" : "AmazonSageMakerLambdaEventBridgePermission",
"Effect": "Allow",
"Action": [
"events:DeleteRule",
"events:DescribeRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets"
],
"Resource": [
"arn:aws:events:*:*:rule/sagemaker-*"
]
},
{
"Sid" : "AmazonSageMakerLambdaS3BucketPermission",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:GetBucketAcl",
"s3:GetBucketCors",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutBucketCors"
],
"Resource": [
"arn:aws:s3:::aws-glue-*",
"arn:aws:s3:::sagemaker-*"
]
},
{
"Sid" : "AmazonSageMakerLambdaS3ObjectPermission",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::aws-glue-*",
"arn:aws:s3:::sagemaker-*"
]
},
{
"Sid" : "AmazonSageMakerLambdaSageMakerPermission",
"Effect": "Allow",
"Action": [
"sagemaker:AddAssociation",
"sagemaker:AddTags",
"sagemaker:AssociateTrialComponent",
"sagemaker:BatchDescribeModelPackage",
"sagemaker:BatchGetMetrics",
"sagemaker:BatchGetRecord",
"sagemaker:BatchPutMetrics",
"sagemaker:CreateAction",
"sagemaker:CreateAlgorithm",
"sagemaker:CreateApp",
"sagemaker:CreateAppImageConfig",
"sagemaker:CreateArtifact",
"sagemaker:CreateAutoMLJob",
"sagemaker:CreateCodeRepository",
"sagemaker:CreateCompilationJob",
"sagemaker:CreateContext",
"sagemaker:CreateDataQualityJobDefinition",
"sagemaker:CreateDeviceFleet",
"sagemaker:CreateDomain",
"sagemaker:CreateEdgePackagingJob",
"sagemaker:CreateEndpoint",
"sagemaker:CreateEndpointConfig",
"sagemaker:CreateExperiment",
"sagemaker:CreateFeatureGroup",
"sagemaker:CreateFlowDefinition",
"sagemaker:CreateHumanTaskUi",
"sagemaker:CreateHyperParameterTuningJob",
"sagemaker:CreateImage",
"sagemaker:CreateImageVersion",
"sagemaker:CreateInferenceRecommendationsJob",
"sagemaker:CreateLabelingJob",
"sagemaker:CreateLineageGroupPolicy",
"sagemaker:CreateModel",
"sagemaker:CreateModelBiasJobDefinition",
"sagemaker:CreateModelExplainabilityJobDefinition",
"sagemaker:CreateModelPackage",
"sagemaker:CreateModelPackageGroup",
"sagemaker:CreateModelQualityJobDefinition",
"sagemaker:CreateMonitoringSchedule",
"sagemaker:CreateNotebookInstance",
"sagemaker:CreateNotebookInstanceLifecycleConfig",
"sagemaker:CreatePipeline",
"sagemaker:CreatePresignedDomainUrl",
"sagemaker:CreatePresignedNotebookInstanceUrl",
"sagemaker:CreateProcessingJob",
"sagemaker:CreateProject",
"sagemaker:CreateTrainingJob",
"sagemaker:CreateTransformJob",
"sagemaker:CreateTrial",
"sagemaker:CreateTrialComponent",
"sagemaker:CreateUserProfile",
"sagemaker:CreateWorkforce",
"sagemaker:CreateWorkteam",
"sagemaker:DeleteAction",
"sagemaker:DeleteAlgorithm",
"sagemaker:DeleteApp",
"sagemaker:DeleteAppImageConfig",
"sagemaker:DeleteArtifact",
"sagemaker:DeleteAssociation",
"sagemaker:DeleteCodeRepository",
"sagemaker:DeleteContext",
"sagemaker:DeleteDataQualityJobDefinition",
"sagemaker:DeleteDeviceFleet",
"sagemaker:DeleteDomain",
"sagemaker:DeleteEndpoint",
"sagemaker:DeleteEndpointConfig",
"sagemaker:DeleteExperiment",
"sagemaker:DeleteFeatureGroup",
"sagemaker:DeleteFlowDefinition",
"sagemaker:DeleteHumanLoop",
"sagemaker:DeleteHumanTaskUi",
"sagemaker:DeleteImage",
"sagemaker:DeleteImageVersion",
"sagemaker:DeleteLineageGroupPolicy",
"sagemaker:DeleteModel",
"sagemaker:DeleteModelBiasJobDefinition",
"sagemaker:DeleteModelExplainabilityJobDefinition",
"sagemaker:DeleteModelPackage",
"sagemaker:DeleteModelPackageGroup",
"sagemaker:DeleteModelPackageGroupPolicy",
"sagemaker:DeleteModelQualityJobDefinition",
"sagemaker:DeleteMonitoringSchedule",
"sagemaker:DeleteNotebookInstance",
"sagemaker:DeleteNotebookInstanceLifecycleConfig",
"sagemaker:DeletePipeline",
"sagemaker:DeleteProject",
"sagemaker:DeleteRecord",
"sagemaker:DeleteTags",
"sagemaker:DeleteTrial",
"sagemaker:DeleteTrialComponent",
"sagemaker:DeleteUserProfile",
"sagemaker:DeleteWorkforce",
"sagemaker:DeleteWorkteam",
"sagemaker:DeregisterDevices",
"sagemaker:DescribeAction",
"sagemaker:DescribeAlgorithm",
"sagemaker:DescribeApp",
"sagemaker:DescribeAppImageConfig",
"sagemaker:DescribeArtifact",
"sagemaker:DescribeAutoMLJob",
"sagemaker:DescribeCodeRepository",
"sagemaker:DescribeCompilationJob",
"sagemaker:DescribeContext",
"sagemaker:DescribeDataQualityJobDefinition",
"sagemaker:DescribeDevice",
"sagemaker:DescribeDeviceFleet",
"sagemaker:DescribeDomain",
"sagemaker:DescribeEdgePackagingJob",
"sagemaker:DescribeEndpoint",
"sagemaker:DescribeEndpointConfig",
"sagemaker:DescribeExperiment",
"sagemaker:DescribeFeatureGroup",
"sagemaker:DescribeFlowDefinition",
"sagemaker:DescribeHumanLoop",
"sagemaker:DescribeHumanTaskUi",
"sagemaker:DescribeHyperParameterTuningJob",
"sagemaker:DescribeImage",
"sagemaker:DescribeImageVersion",
"sagemaker:DescribeInferenceRecommendationsJob",
"sagemaker:DescribeLabelingJob",
"sagemaker:DescribeLineageGroup",
"sagemaker:DescribeModel",
"sagemaker:DescribeModelBiasJobDefinition",
"sagemaker:DescribeModelExplainabilityJobDefinition",
"sagemaker:DescribeModelPackage",
"sagemaker:DescribeModelPackageGroup",
"sagemaker:DescribeModelQualityJobDefinition",
"sagemaker:DescribeMonitoringSchedule",
"sagemaker:DescribeNotebookInstance",
"sagemaker:DescribeNotebookInstanceLifecycleConfig",
"sagemaker:DescribePipeline",
"sagemaker:DescribePipelineDefinitionForExecution",
"sagemaker:DescribePipelineExecution",
"sagemaker:DescribeProcessingJob",
"sagemaker:DescribeProject",
"sagemaker:DescribeSubscribedWorkteam",
"sagemaker:DescribeTrainingJob",
"sagemaker:DescribeTransformJob",
"sagemaker:DescribeTrial",
"sagemaker:DescribeTrialComponent",
"sagemaker:DescribeUserProfile",
"sagemaker:DescribeWorkforce",
"sagemaker:DescribeWorkteam",
"sagemaker:DisableSagemakerServicecatalogPortfolio",
"sagemaker:DisassociateTrialComponent",
"sagemaker:EnableSagemakerServicecatalogPortfolio",
"sagemaker:GetDeviceFleetReport",
"sagemaker:GetDeviceRegistration",
"sagemaker:GetLineageGroupPolicy",
"sagemaker:GetModelPackageGroupPolicy",
"sagemaker:GetRecord",
"sagemaker:GetSagemakerServicecatalogPortfolioStatus",
"sagemaker:GetSearchSuggestions",
"sagemaker:InvokeEndpoint",
"sagemaker:InvokeEndpointAsync",
"sagemaker:ListActions",
"sagemaker:ListAlgorithms",
"sagemaker:ListAppImageConfigs",
"sagemaker:ListApps",
"sagemaker:ListArtifacts",
"sagemaker:ListAssociations",
"sagemaker:ListAutoMLJobs",
"sagemaker:ListCandidatesForAutoMLJob",
"sagemaker:ListCodeRepositories",
"sagemaker:ListCompilationJobs",
"sagemaker:ListContexts",
"sagemaker:ListDataQualityJobDefinitions",
"sagemaker:ListDeviceFleets",
"sagemaker:ListDevices",
"sagemaker:ListDomains",
"sagemaker:ListEdgePackagingJobs",
"sagemaker:ListEndpointConfigs",
"sagemaker:ListEndpoints",
"sagemaker:ListExperiments",
"sagemaker:ListFeatureGroups",
"sagemaker:ListFlowDefinitions",
"sagemaker:ListHumanLoops",
"sagemaker:ListHumanTaskUis",
"sagemaker:ListHyperParameterTuningJobs",
"sagemaker:ListImageVersions",
"sagemaker:ListImages",
"sagemaker:ListInferenceRecommendationsJobs",
"sagemaker:ListLabelingJobs",
"sagemaker:ListLabelingJobsForWorkteam",
"sagemaker:ListLineageGroups",
"sagemaker:ListModelBiasJobDefinitions",
"sagemaker:ListModelExplainabilityJobDefinitions",
"sagemaker:ListModelMetadata",
"sagemaker:ListModelPackageGroups",
"sagemaker:ListModelPackages",
"sagemaker:ListModelQualityJobDefinitions",
"sagemaker:ListModels",
"sagemaker:ListMonitoringExecutions",
"sagemaker:ListMonitoringSchedules",
"sagemaker:ListNotebookInstanceLifecycleConfigs",
"sagemaker:ListNotebookInstances",
"sagemaker:ListPipelineExecutionSteps",
"sagemaker:ListPipelineExecutions",
"sagemaker:ListPipelineParametersForExecution",
"sagemaker:ListPipelines",
"sagemaker:ListProcessingJobs",
"sagemaker:ListProjects",
"sagemaker:ListSubscribedWorkteams",
"sagemaker:ListTags",
"sagemaker:ListTrainingJobs",
"sagemaker:ListTrainingJobsForHyperParameterTuningJob",
"sagemaker:ListTransformJobs",
"sagemaker:ListTrialComponents",
"sagemaker:ListTrials",
"sagemaker:ListUserProfiles",
"sagemaker:ListWorkforces",
"sagemaker:ListWorkteams",
"sagemaker:PutLineageGroupPolicy",
"sagemaker:PutModelPackageGroupPolicy",
"sagemaker:PutRecord",
"sagemaker:QueryLineage",
"sagemaker:RegisterDevices",
"sagemaker:RenderUiTemplate",
"sagemaker:Search",
"sagemaker:SendHeartbeat",
"sagemaker:SendPipelineExecutionStepFailure",
"sagemaker:SendPipelineExecutionStepSuccess",
"sagemaker:StartHumanLoop",
"sagemaker:StartMonitoringSchedule",
"sagemaker:StartNotebookInstance",
"sagemaker:StartPipelineExecution",
"sagemaker:StopAutoMLJob",
"sagemaker:StopCompilationJob",
"sagemaker:StopEdgePackagingJob",
"sagemaker:StopHumanLoop",
"sagemaker:StopHyperParameterTuningJob",
"sagemaker:StopInferenceRecommendationsJob",
"sagemaker:StopLabelingJob",
"sagemaker:StopMonitoringSchedule",
"sagemaker:StopNotebookInstance",
"sagemaker:StopPipelineExecution",
"sagemaker:StopProcessingJob",
"sagemaker:StopTrainingJob",
"sagemaker:StopTransformJob",
"sagemaker:UpdateAction",
"sagemaker:UpdateAppImageConfig",
"sagemaker:UpdateArtifact",
"sagemaker:UpdateCodeRepository",
"sagemaker:UpdateContext",
"sagemaker:UpdateDeviceFleet",
"sagemaker:UpdateDevices",
"sagemaker:UpdateDomain",
"sagemaker:UpdateEndpoint",
"sagemaker:UpdateEndpointWeightsAndCapacities",
"sagemaker:UpdateExperiment",
"sagemaker:UpdateImage",
"sagemaker:UpdateModelPackage",
"sagemaker:UpdateMonitoringSchedule",
"sagemaker:UpdateNotebookInstance",
"sagemaker:UpdateNotebookInstanceLifecycleConfig",
"sagemaker:UpdatePipeline",
"sagemaker:UpdatePipelineExecution",
"sagemaker:UpdateProject",
"sagemaker:UpdateTrainingJob",
"sagemaker:UpdateTrial",
"sagemaker:UpdateTrialComponent",
"sagemaker:UpdateUserProfile",
"sagemaker:UpdateWorkforce",
"sagemaker:UpdateWorkteam"
],
"Resource": [
"arn:aws:sagemaker:*:*:action/*",
"arn:aws:sagemaker:*:*:algorithm/*",
"arn:aws:sagemaker:*:*:app-image-config/*",
"arn:aws:sagemaker:*:*:artifact/*",
"arn:aws:sagemaker:*:*:automl-job/*",
"arn:aws:sagemaker:*:*:code-repository/*",
"arn:aws:sagemaker:*:*:compilation-job/*",
"arn:aws:sagemaker:*:*:context/*",
"arn:aws:sagemaker:*:*:data-quality-job-definition/*",
"arn:aws:sagemaker:*:*:device-fleet/*/device/*",
"arn:aws:sagemaker:*:*:device-fleet/*",
"arn:aws:sagemaker:*:*:edge-packaging-job/*",
"arn:aws:sagemaker:*:*:endpoint/*",
"arn:aws:sagemaker:*:*:endpoint-config/*",
"arn:aws:sagemaker:*:*:experiment/*",
"arn:aws:sagemaker:*:*:experiment-trial/*",
"arn:aws:sagemaker:*:*:experiment-trial-component/*",
"arn:aws:sagemaker:*:*:feature-group/*",
"arn:aws:sagemaker:*:*:human-loop/*",
"arn:aws:sagemaker:*:*:human-task-ui/*",
"arn:aws:sagemaker:*:*:hyper-parameter-tuning-job/*",
"arn:aws:sagemaker:*:*:image/*",
"arn:aws:sagemaker:*:*:image-version/*/*",
"arn:aws:sagemaker:*:*:inference-recommendations-job/*",
"arn:aws:sagemaker:*:*:labeling-job/*",
"arn:aws:sagemaker:*:*:model/*",
"arn:aws:sagemaker:*:*:model-bias-job-definition/*",
"arn:aws:sagemaker:*:*:model-explainability-job-definition/*",
"arn:aws:sagemaker:*:*:model-package/*",
"arn:aws:sagemaker:*:*:model-package-group/*",
"arn:aws:sagemaker:*:*:model-quality-job-definition/*",
"arn:aws:sagemaker:*:*:monitoring-schedule/*",
"arn:aws:sagemaker:*:*:notebook-instance/*",
"arn:aws:sagemaker:*:*:notebook-instance-lifecycle-config/*",
"arn:aws:sagemaker:*:*:pipeline/*",
"arn:aws:sagemaker:*:*:pipeline/*/execution/*",
"arn:aws:sagemaker:*:*:processing-job/*",
"arn:aws:sagemaker:*:*:project/*",
"arn:aws:sagemaker:*:*:training-job/*",
"arn:aws:sagemaker:*:*:transform-job/*",
"arn:aws:sagemaker:*:*:workforce/*",
"arn:aws:sagemaker:*:*:workteam/*"
]
},
{
"Sid" : "AmazonSageMakerLambdaPassRolePermission",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsExecutionRole"
]
},
{
"Sid" : "AmazonSageMakerLambdaLogPermission",
"Effect": "Allow",
"Action": [
"logs:CreateLogDelivery",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DeleteLogDelivery",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:DescribeResourcePolicies",
"logs:DescribeDestinations",
"logs:DescribeExportTasks",
"logs:DescribeMetricFilters",
"logs:DescribeQueries",
"logs:DescribeQueryDefinitions",
"logs:DescribeSubscriptionFilters",
"logs:GetLogDelivery",
"logs:GetLogEvents",
"logs:ListLogDeliveries",
"logs:PutLogEvents",
"logs:PutResourcePolicy",
"logs:UpdateLogDelivery"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*"
},
{
"Sid" : "AmazonSageMakerLambdaCodeBuildPermission",
"Effect": "Allow",
"Action": [
"codebuild:StartBuild",
"codebuild:BatchGetBuilds"
],
"Resource": "arn:aws:codebuild:*:*:project/sagemaker-*",
"Condition": {
"StringLike": {
"aws:ResourceTag/sagemaker:project-name": "*"
}
}
}
]
}
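The policy documents above narrow their grants in three ways: by resource name pattern, by resource tag condition, and, for iam:PassRole, by the iam:PassedToService condition key. The following Python sketch is an added example (not AWS code and not part of the original page) that reports which of these each statement uses; the function names are hypothetical, and the input is a shortened excerpt of statements from this page.

```python
import fnmatch
import json
import re

# Constructed input: statements excerpted from the policy documents on this
# page, with action and resource lists shortened. Sid values are the page's own.
EXCERPT = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AmazonSageMakerCodeBuildPassRoletPermission",
     "Effect": "Allow",
     "Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCodeBuildRole"],
     "Condition": {"StringEquals": {"iam:PassedToService": ["codebuild.amazonaws.com"]}}},
    {"Sid": "AmazonSageMakerCodePipelinePassRolePermission",
     "Effect": "Allow",
     "Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCloudformationRole"]},
    {"Sid": "AmazonSageMakerLambdaPassRolePermission",
     "Effect": "Allow",
     "Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsExecutionRole"]},
    {"Sid": "AmazonSageMakerCodePipelineS3Permission",
     "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::sagemaker-*"]},
    {"Sid": "AmazonSageMakerCodeBuildSageMakerPermission",
     "Effect": "Allow",
     "Action": ["sagemaker:CreateEndpoint", "sagemaker:DeleteEndpoint"],
     "Resource": ["arn:aws:sagemaker:*:*:endpoint/*"]},
    {"Sid": "AmazonSageMakerLambdaCodeBuildPermission",
     "Effect": "Allow",
     "Action": ["codebuild:StartBuild", "codebuild:BatchGetBuilds"],
     "Resource": "arn:aws:codebuild:*:*:project/sagemaker-*",
     "Condition": {"StringLike": {"aws:ResourceTag/sagemaker:project-name": "*"}}}
  ]
}
""")


def as_list(value):
    """IAM accepts a single value wherever it accepts a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def condition_keys(statement):
    """Lower-cased condition keys of a statement (condition keys are case-insensitive)."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(key.lower() for key in operator_block)
    return keys


def grants(statement, action):
    """True if an Allow statement's Action patterns cover `action` (NotAction is not handled)."""
    if statement.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in as_list(statement.get("Action")))


def sid_of(statement, index):
    return statement.get("Sid", f"statement[{index}]")


def passrole_findings(policy):
    """Sids of statements that allow iam:PassRole without an iam:PassedToService condition."""
    return [sid_of(st, i) for i, st in enumerate(as_list(policy.get("Statement")))
            if grants(st, "iam:PassRole") and "iam:passedtoservice" not in condition_keys(st)]


def resource_scope(arn):
    """Classify one Resource entry by its final name segment (region/account wildcards ignored)."""
    if arn == "*":
        return "unscoped"
    name = re.split(r"[:/]", arn)[-1]
    if name == "*":
        return "type-wide"      # any resource of that type, e.g. endpoint/*
    if "*" in name or "?" in name:
        return "name-pattern"   # e.g. the sagemaker-* prefix
    return "exact-name"


def scope_report(policy):
    """Map each Sid to its resource scope classes and whether a resource tag condition applies."""
    report = {}
    for i, st in enumerate(as_list(policy.get("Statement"))):
        classes = sorted({resource_scope(r) for r in as_list(st.get("Resource"))})
        tagged = any(k.startswith("aws:resourcetag/") for k in condition_keys(st))
        report[sid_of(st, i)] = {"resources": classes, "tag_conditioned": tagged}
    return report


if __name__ == "__main__":
    print("PassRole without iam:PassedToService:", passrole_findings(EXCERPT))
    for sid, scope in scope_report(EXCERPT).items():
        print(sid, scope)
```

A statement reported by `passrole_findings` still names exact roles here, so which service can receive the role is decided by that role's trust policy rather than by this policy.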
Amazon SageMaker AI updates to AWS Service Catalog AWS managed policies
View details about updates to AWS managed policies for Amazon SageMaker AI since this service began tracking these changes.
Policy | Version | Change | Date |
---|---|---|---|
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 9 | Add | July 1, 2024 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 7 | Roll back policy to version 7 (v7). Remove | June 12, 2024 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 8 | Add | June 11, 2024 |
AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy: Updated policy | 2 | Add | June 11, 2024 |
AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy: Updated policy | 2 | Add | June 11, 2024 |
AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy: Updated policy | 2 | Add | June 11, 2024 |
AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy | 1 | Initial policy | August 1, 2023 |
AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy | 1 | Initial policy | August 1, 2023 |
AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy | 1 | Initial policy | August 1, 2023 |
 | 2 | For | August 26, 2022 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 7 | For | August 2, 2022 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 6 | For | July 14, 2022 |
AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy | 1 | Initial policy | April 22, 2022 |
AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy | 1 | Initial policy | March 24, 2022 |
AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy | 1 | Initial policy | March 24, 2022 |
AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy | 1 | Initial policy | March 24, 2022 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 5 | For | March 21, 2022 |
AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy | 1 | Initial policy | February 22, 2022 |
 | 1 | Initial policy | February 22, 2022 |
 | 1 | Initial policy | February 22, 2022 |
AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy | 1 | Initial policy | February 22, 2022 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 4 | For | February 16, 2022 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 3 | For Create, read, update, and delete SageMaker AI images. | September 15, 2021 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 2 | For Create, read, update, and delete code repositories. Pass AWS CodeStar connections to AWS CodePipeline. | July 1, 2021 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy | 1 | Initial policy | November 27, 2020 |