Giving Amazon Personalize permission to access your resources
To give Amazon Personalize permission to access your resources, you create an IAM policy that provides Amazon Personalize full access to your Amazon Personalize resources. Alternatively, you can use the Amazon managed AmazonPersonalizeFullAccess policy. However, AmazonPersonalizeFullAccess provides more permissions than are necessary, so we recommend creating a new IAM policy that grants only the permissions you need. For more information about managed policies, see Amazon managed policies.
After you create a policy, you create an IAM role for Amazon Personalize and attach the new policy to it.
Creating a new IAM policy for Amazon Personalize
Create an IAM policy that provides Amazon Personalize full access to your Amazon Personalize resources.
To use the JSON policy editor to create a policy
- Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane on the left, choose Policies.
  If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.
- At the top of the page, choose Create policy.
- In the Policy editor section, choose the JSON option.
- Enter the following JSON policy document:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "personalize:*"
                  ],
                  "Resource": "*"
              }
          ]
      }

- Choose Next.
  Note
  You can switch between the Visual and JSON editor options anytime. However, if you make changes or choose Next in the Visual editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see Policy restructuring in the IAM User Guide.
- On the Review and create page, enter a Policy name and a Description (optional) for the policy that you are creating. Review Permissions defined in this policy to see the permissions that are granted by your policy.
- Choose Create policy to save your new policy.
Creating an IAM role for Amazon Personalize
To use Amazon Personalize, you must create an Amazon Identity and Access Management service role for Amazon Personalize. A service role is an IAM role that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see Create a role to delegate permissions to an Amazon Web Services service in the IAM User Guide. After you create a service role for Amazon Personalize, grant the role additional permissions listed in Additional service role permissions as necessary.
To create the service role for Amazon Personalize (IAM console)
- Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane of the IAM console, choose Roles, and then choose Create role.
- For Trusted entity type, choose Amazon Web Services service.
- For Service or use case, choose Amazon Personalize, and then choose the Personalize use case.
- Choose Next.
- Choose the policy that you created in the previous procedure.
- (Optional) Set a permissions boundary. This is an advanced feature that is available for service roles, but not service-linked roles.
  - Open the Set permissions boundary section, and then choose Use a permissions boundary to control the maximum role permissions.
    IAM includes a list of the Amazon managed and customer-managed policies in your account.
  - Select the policy to use for the permissions boundary.
- Choose Next.
- Enter a role name or a role name suffix to help you identify the purpose of the role.
  Important
  When you name a role, note the following:
  - Role names must be unique within your Amazon Web Services account, and can't be made unique by case. For example, don't create roles named both PRODROLE and prodrole. When a role name is used in a policy or as part of an ARN, the role name is case sensitive; however, when a role name appears to customers in the console, such as during the sign-in process, the role name is case insensitive.
  - You can't edit the name of the role after it's created because other entities might reference the role.
- (Optional) For Description, enter a description for the role.
- (Optional) To edit the use cases and permissions for the role, in the Step 1: Select trusted entities or Step 2: Add permissions sections, choose Edit.
- (Optional) To help identify, organize, or search for the role, add tags as key-value pairs. For more information about using tags in IAM, see Tags for Amazon Identity and Access Management resources in the IAM User Guide.
- Review the role, and then choose Create role.
After you create a role for Amazon Personalize, you are ready to grant it access to your Amazon S3 bucket and any Amazon KMS keys.
Additional service role permissions
After you create the role and grant it permissions to access your resources in Amazon Personalize, do the following:
- Modify your Amazon Personalize service role's trust policy so that it prevents the confused deputy problem. For a trust relationship policy example, see Cross-service confused deputy prevention. For information about modifying a role's trust policy, see Modifying a role.
- If you use Amazon Key Management Service (Amazon KMS) for encryption, you must grant Amazon Personalize and your Amazon Personalize IAM service role permission to use your key. For more information, see Giving Amazon Personalize permission to use your Amazon KMS key.
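The following script is an added example, not code from the Amazon Personalize documentation. It serves two parts of this page: it builds the permissions policy document from the procedure above as a Python dictionary, and it builds a service-role trust policy of the kind the confused deputy item asks for, then checks whether a given trust policy is scoped. The service principal personalize.amazonaws.com, the condition keys aws:SourceAccount and aws:SourceArn, the arn:aws-cn partition prefix, the region cn-north-1 and the account ID 111122223333 are assumptions or constructed placeholders and do not appear on this page; confirm the exact SourceArn pattern against the Cross-service confused deputy prevention topic before using it.

```python
"""
Added example (not part of the Amazon Personalize documentation).

Builds the permissions policy shown in the procedure above and a trust policy
that restricts which Amazon Personalize resources may cause the service to
assume the role, then inspects a trust policy for the scoping conditions.

Assumptions (not stated on the page): the service principal
"personalize.amazonaws.com", the condition keys aws:SourceAccount and
aws:SourceArn, the "arn:aws-cn" partition prefix, and the placeholder
account ID 111122223333 / region cn-north-1.
"""
import json

PERSONALIZE_PRINCIPAL = "personalize.amazonaws.com"  # assumed service principal


def permissions_policy():
    """The policy document from the procedure above: full Amazon Personalize access."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["personalize:*"], "Resource": "*"}
        ],
    }


def trust_policy(account_id, region, partition="aws-cn"):
    """Trust policy that lets Amazon Personalize assume the role only when the
    request originates from a Personalize resource in this account and region.
    Without the Condition block, Personalize acting for any account could
    assume the role (the cross-service confused deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": PERSONALIZE_PRINCIPAL},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {"aws:SourceAccount": account_id},
                    "ArnLike": {
                        "aws:SourceArn": f"arn:{partition}:personalize:{region}:{account_id}:*"
                    },
                },
            }
        ],
    }


def trust_policy_findings(doc):
    """Return a list of problems found in the statements that trust the
    Personalize principal; an empty list means each such statement carries
    both source-scoping conditions."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if principal == "*" or "*" in services:
            findings.append(f"statement {i}: trusts any principal")
            continue
        if PERSONALIZE_PRINCIPAL not in services:
            continue
        # Collect every condition key regardless of operator (StringEquals, ArnLike, ...).
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if "aws:sourceaccount" not in keys:
            findings.append(f"statement {i}: missing aws:SourceAccount condition")
        if "aws:sourcearn" not in keys:
            findings.append(f"statement {i}: missing aws:SourceArn condition")
    return findings


# Constructed example of a trust policy with no source scoping at all.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": PERSONALIZE_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }
    ],
}

if __name__ == "__main__":
    hardened = trust_policy("111122223333", "cn-north-1")
    print(json.dumps(permissions_policy(), indent=2))
    print(json.dumps(hardened, indent=2))
    print("weak trust policy:", trust_policy_findings(WEAK_TRUST_POLICY))
    print("hardened trust policy:", trust_policy_findings(hardened))
```

The checker is deliberately operator-agnostic: it only asks whether both aws:SourceAccount and aws:SourceArn appear somewhere in the statement's Condition block, so it flags the default trust policy the console creates (no conditions) while accepting either StringEquals or ArnLike forms. Paste the generated trust policy into the role's trust relationship, as described under Modifying a role, after replacing the placeholder account ID and region with your own.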