This page is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version prevails.
About the AmazonBraketFullAccess policy
The AmazonBraketFullAccess policy grants permissions for Amazon Braket operations, including permissions for these tasks:
- Download containers from Amazon Elastic Container Registry – Read and download the container images used by the Amazon Braket Hybrid Jobs feature. Containers must conform to the format "arn:aws:ecr:::repository/amazon-braket".
- Retain AWS CloudTrail logs – Get and List for all Describe actions, plus StartQuery, StopQuery, TestMetricFilter and FilterLogEvents. AWS CloudTrail log files contain a record of all Amazon Braket API activity that occurred in the account.
- Use roles to control resources – Create a service-linked role in the account. A service-linked role can access AWS resources on your behalf, and it can be used only by the Amazon Braket service. In addition, pass IAM roles to the Amazon Braket CreateJob API, and create roles and attach policies scoped to AmazonBraketFullAccess to those roles.
- Create log groups and log events, and query log groups, to maintain the account's usage log files – Create, store and view logging information about Amazon Braket usage in the account. Query metrics on the hybrid jobs log group. Include the appropriate Braket path and allow putting log data. Put metric data into CloudWatch.
- Create and store data in Amazon S3 buckets, and list all buckets – Create S3 buckets, list the S3 buckets in the account, and put objects into and get objects from any bucket whose name begins with amazon-braket-. Braket needs these permissions to put files containing the results of processed quantum tasks into the bucket and to retrieve those results from the bucket.
- Pass IAM roles – Pass IAM roles to the CreateJob API.
- Amazon SageMaker Notebook – Create and manage SageMaker notebook instances, scoped to resources from "arn:aws:sagemaker::notebook-instance/amazon-braket-".
- Validate service quotas – To create SageMaker notebooks and Amazon Braket Hybrid Jobs, your resource count must not exceed your account's quota.
Policy contents
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket",
        "s3:CreateBucket",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::amazon-braket-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "servicequotas:GetServiceQuota",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Resource": "arn:aws:ecr:*:*:repository/amazon-braket*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:Describe*",
        "logs:Get*",
        "logs:List*",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:TestMetricFilter",
        "logs:FilterLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/braket*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles",
        "iam:ListRolePolicies",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListNotebookInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedNotebookInstanceUrl",
        "sagemaker:CreateNotebookInstance",
        "sagemaker:DeleteNotebookInstance",
        "sagemaker:DescribeNotebookInstance",
        "sagemaker:StartNotebookInstance",
        "sagemaker:StopNotebookInstance",
        "sagemaker:UpdateNotebookInstance",
        "sagemaker:ListTags",
        "sagemaker:AddTags",
        "sagemaker:DeleteTags"
      ],
      "Resource": "arn:aws:sagemaker:*:*:notebook-instance/amazon-braket-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:DescribeNotebookInstanceLifecycleConfig",
        "sagemaker:CreateNotebookInstanceLifecycleConfig",
        "sagemaker:DeleteNotebookInstanceLifecycleConfig",
        "sagemaker:ListNotebookInstanceLifecycleConfigs",
        "sagemaker:UpdateNotebookInstanceLifecycleConfig"
      ],
      "Resource": "arn:aws:sagemaker:*:*:notebook-instance-lifecycle-config/amazon-braket-*"
    },
    {
      "Effect": "Allow",
      "Action": "braket:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/braket.amazonaws.com/AWSServiceRoleForAmazonBraket*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "braket.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketServiceSageMakerNotebookRole*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": [
            "sagemaker.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketJobsExecutionRole*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": [
            "braket.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:GetQueryResults"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents",
        "logs:CreateLogStream",
        "logs:CreateLogGroup"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/braket*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudwatch:PutMetricData",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "/aws/braket"
        }
      }
    }
  ]
}
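As an added illustration (not AWS code and not part of the policy text above), the script below evaluates sample requests against an excerpt of the policy, showing how the amazon-braket- resource prefixes and the iam:PassedToService conditions limit what the policy grants. The account ID, bucket names and role names in the requests are constructed.

```python
"""Evaluate requests against an Allow-only IAM policy excerpt (added example, not AWS code).
The excerpt copies three AmazonBraketFullAccess statements; the evaluator understands Allow
statements with StringEquals/StringLike conditions, enough to check the page's scoping."""
import fnmatch
import json

POLICY_EXCERPT = json.loads("""{
 "Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow",
   "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
   "Resource": "arn:aws:s3:::amazon-braket-*"},
  {"Effect": "Allow", "Action": ["iam:PassRole"],
   "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketJobsExecutionRole*",
   "Condition": {"StringLike": {"iam:PassedToService": ["braket.amazonaws.com"]}}},
  {"Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*",
   "Condition": {"StringEquals": {"cloudwatch:namespace": "/aws/braket"}}}
 ]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_ok(condition, context):
    """Every condition key must be present in the request context and match."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # a missing key fails StringEquals/StringLike (no IfExists here)
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
            if operator == "StringLike" and not any(
                    fnmatch.fnmatchcase(actual, w) for w in _as_list(wanted)):
                return False  # other operators (ArnLike, Bool, ...) are not modelled
    return True

def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches the action, resource and condition context."""
    context = context or {}
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue  # the excerpt has no Deny; full IAM evaluation applies Deny first
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue  # action names are case-insensitive; '*' matches any run of characters
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if _condition_ok(st.get("Condition", {}), context):
            return True
    return False
```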