Step 6: Create an IAM policy for SageMaker notebooks
If you plan to use SageMaker notebooks with development endpoints, you must specify permissions when you create the notebook. You provide those permissions by using Amazon Identity and Access Management (IAM).
To create an IAM policy for SageMaker notebooks
1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

2. In the left navigation pane, choose Policies.

3. Choose Create Policy.

4. On the Create Policy page, navigate to a tab to edit the JSON. Create a policy document with the following JSON statements. Edit bucket-name, region-code, and account-id for your environment.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:ListBucket"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws-cn:s3:::bucket-name"
                ]
            },
            {
                "Action": [
                    "s3:GetObject"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws-cn:s3:::bucket-name*"
                ]
            },
            {
                "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents",
                    "logs:CreateLogGroup"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws-cn:logs:region-code:account-id:log-group:/aws/sagemaker/*",
                    "arn:aws-cn:logs:region-code:account-id:log-group:/aws/sagemaker/*:log-stream:aws-glue-*"
                ]
            },
            {
                "Action": [
                    "glue:UpdateDevEndpoint",
                    "glue:GetDevEndpoint",
                    "glue:GetDevEndpoints"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws-cn:glue:region-code:account-id:devEndpoint/*"
                ]
            },
            {
                "Action": [
                    "sagemaker:ListTags"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws-cn:sagemaker:region-code:account-id:notebook-instance/*"
                ]
            }
        ]
    }

    Then choose Review policy.
The following table describes the permissions granted by this policy.
Action: "s3:ListBucket*"
Resource: "arn:aws-cn:s3:::bucket-name"
Description: Grants permission to list Amazon S3 buckets.

Action: "s3:GetObject"
Resource: "arn:aws-cn:s3:::bucket-name*"
Description: Grants permission to get Amazon S3 objects that are used by SageMaker notebooks.

Action: "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:CreateLogGroup"
Resource: "arn:aws-cn:logs:region-code:account-id:log-group:/aws/sagemaker/*", "arn:aws-cn:logs:region-code:account-id:log-group:/aws/sagemaker/*:log-stream:aws-glue-*"
Description: Grants permission to write logs to Amazon CloudWatch Logs from notebooks. Naming convention: writes to log groups whose names begin with aws-glue.

Action: "glue:UpdateDevEndpoint", "glue:GetDevEndpoint", "glue:GetDevEndpoints"
Resource: "arn:aws-cn:glue:region-code:account-id:devEndpoint/*"
Description: Grants permission to use a development endpoint from SageMaker notebooks.

Action: "sagemaker:ListTags"
Resource: "arn:aws-cn:sagemaker:region-code:account-id:notebook-instance/*"
Description: Grants permission to return tags for a SageMaker resource. The aws-glue-dev-endpoint tag is required on the SageMaker notebook for connecting the notebook to a development endpoint.
5. On the Review Policy screen, enter your Policy Name, for example AWSGlueSageMakerNotebook. Enter an optional description, and when you're satisfied with the policy, choose Create policy.
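As an added example that is not part of the AWS documentation, the Python below builds the policy from step 4 for a given bucket, region and account, then lints the rendered document for scoping problems (wildcard actions, unscoped resources, ARNs outside the aws-cn partition or belonging to another account) before you paste it into the JSON editor. The bucket name and account ID are constructed sample values.

```python
import json

def build_policy(bucket, region, account):
    """Return this page's notebook policy with bucket-name, region-code and account-id filled in."""
    s3 = f"arn:aws-cn:s3:::{bucket}"
    logs = f"arn:aws-cn:logs:{region}:{account}:log-group:/aws/sagemaker/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": [s3]},
        # The page's trailing '*' also matches any bucket whose name merely
        # starts with the bucket name; lint_policy() reports it so you can decide.
        {"Action": ["s3:GetObject"], "Effect": "Allow", "Resource": [s3 + "*"]},
        {"Action": ["logs:CreateLogStream", "logs:DescribeLogStreams",
                    "logs:PutLogEvents", "logs:CreateLogGroup"],
         "Effect": "Allow", "Resource": [logs, logs + ":log-stream:aws-glue-*"]},
        {"Action": ["glue:UpdateDevEndpoint", "glue:GetDevEndpoint",
                    "glue:GetDevEndpoints"], "Effect": "Allow",
         "Resource": [f"arn:aws-cn:glue:{region}:{account}:devEndpoint/*"]},
        {"Action": ["sagemaker:ListTags"], "Effect": "Allow",
         "Resource": [f"arn:aws-cn:sagemaker:{region}:{account}:notebook-instance/*"]},
    ]}

def lint_policy(policy, account):
    """Flag wildcard actions, unscoped resources, and ARNs outside aws-cn or outside our account."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: service-wide or global action in {actions}")
        for arn in resources:
            if arn == "*":
                findings.append(f"statement {i}: resource '*' is not scoped to any account")
                continue
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) != 6 or parts[1] != "aws-cn":
                findings.append(f"statement {i}: malformed ARN or wrong partition: {arn}")
            elif parts[2] == "s3":  # S3 ARNs carry no account; check the bucket field instead
                if parts[5].endswith("*") and "/" not in parts[5]:
                    findings.append(f"statement {i}: bucket-name prefix wildcard: {arn}")
            elif parts[4] != account:
                findings.append(f"statement {i}: ARN is for account {parts[4]}, not {account}: {arn}")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not a real bucket or account.
    pol = build_policy("my-glue-notebook-bucket", "cn-north-1", "123456789012")
    print(lint_policy(pol, "123456789012"))  # one finding: the s3 bucket-name prefix wildcard
    print(json.dumps(pol, indent=4))  # paste this into the IAM JSON editor
```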