Setting up permissions - Amazon Personalize

Setting up permissions

To use Amazon Personalize, you have to set up permissions that allow IAM users to access the Amazon Personalize console and API operations. You also have to set up permissions that allow Amazon Personalize to perform tasks on your behalf and to access resources that you own.

We recommend creating an Amazon Identity and Access Management (IAM) user with access restricted to Amazon Personalize operations. You can add other permissions as needed. For more information, see Amazon Personalize identity-based policies.

Note

We recommend creating a new IAM policy that grants only the permissions necessary to use Amazon Personalize.

To set up permissions

  1. Attach a policy to your Amazon Personalize IAM user or group that allows full access to Amazon Personalize.

  2. Optionally attach the CloudWatchFullAccess Amazon managed policy to your IAM user or group to grant permissions to monitor Amazon Personalize with CloudWatch. See Amazon managed policies.

  3. Create an IAM role for Amazon Personalize and attach the policy from step 1 to the new role. See Creating an IAM role for Amazon Personalize.

  4. If you use Amazon Key Management Service (Amazon KMS) for encryption, you must grant Amazon Personalize and your Amazon Personalize IAM service role decrypt permissions in your key policy. For more information, see Giving Amazon Personalize permission to use your Amazon KMS key.

  5. Complete the steps in Giving Amazon Personalize access to Amazon S3 resources to use IAM and Amazon S3 bucket policies to give Amazon Personalize access to your Amazon S3 resources.

Creating a new IAM policy

Create an IAM policy that provides users and Amazon Personalize full access to your Amazon Personalize resources. Then attach the policy to your IAM user or group.

To use the JSON policy editor to create a policy

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation column on the left, choose Policies.

    If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.

  3. At the top of the page, choose Create policy.

  4. Choose the JSON tab.

  5. Enter the following JSON policy document:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "personalize:*"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:PassRole"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "iam:PassedToService": "personalize.amazonaws.com"
                    }
                }
            }
        ]
    }

  6. Choose Review policy.

    Note

    You can switch between the Visual editor and JSON tabs any time. However, if you make changes or choose Review policy in the Visual editor tab, IAM might restructure your policy to optimize it for the visual editor. For more information, see Policy restructuring in the IAM User Guide.

  7. On the Review policy page, enter a Name and an optional Description for the policy that you are creating. Review the policy Summary to see the permissions that are granted by your policy. Then choose Create policy to save your work.
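
The iam:PassRole statement in the policy above is limited to Amazon Personalize only by its iam:PassedToService condition. The following Python check is an added example, not part of the original documentation: it reports, for each statement that allows iam:PassRole, whether that condition is present and whether the statement covers every role. The function names and the UNPINNED_POLICY sample are constructed for illustration, and statements that use NotAction or NotResource are assumed not to occur.

```python
import json
from fnmatch import fnmatchcase

SERVICE = "personalize.amazonaws.com"
# Policy document from step 5 of this page, unchanged.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["personalize:*"], "Resource": "*"},
  {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
   "Condition": {"StringEquals": {"iam:PassedToService": "personalize.amazonaws.com"}}}
]}
""")
# Constructed counter-example: a wildcard action that covers PassRole, no Condition.
UNPINNED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}

def as_list(value):
    """IAM accepts a scalar or a list for Statement, Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]

def passed_services(statement):
    """Services named by a StringEquals condition on iam:PassedToService."""
    services = set()
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() != "stringequals":
            continue  # other operators are treated as not pinning the service
        for key, value in keys.items():
            if key.lower() == "iam:passedtoservice":  # condition keys are case-insensitive
                services.update(as_list(value))
    return services

def audit_pass_role(policy, service=SERVICE):
    """Return one finding per Allow statement whose Action covers iam:PassRole."""
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase("iam:passrole", a) for a in actions):
            continue
        findings.append({"statement": index,
                         "service_pinned": passed_services(stmt) == {service},
                         "any_role": "*" in as_list(stmt.get("Resource", []))})
    return findings

if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("unpinned", UNPINNED_POLICY)):
        print(name, audit_pass_role(doc))
```

For the page's policy, any_role is true because of its "Resource": "*"; replacing that value with the ARN of the Amazon Personalize service role limits the grant to that one role.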

Creating an IAM role for Amazon Personalize

To use Amazon Personalize, you must create an Amazon Identity and Access Management service role for Amazon Personalize. For information on how to create an IAM role, see Creating a role to delegate permissions to an Amazon service in the IAM User Guide. As you create your role, configure the following for Amazon Personalize:

Next, if you are completing the getting started exercise, you are ready to create your training data and grant Amazon Personalize access to your Amazon S3 bucket. See Creating the training data (Custom dataset group).

If you are not completing the getting started exercise, you are ready to import your data. See Preparing and importing data.