Grant permissions for cross-account Amazon S3 storage - Amazon SageMaker

Grant permissions for cross-account Amazon S3 storage

When setting up your SageMaker domain or user profile for users to access SageMaker Canvas, you specify an Amazon S3 storage location for Canvas artifacts. These artifacts include saved copies of your input datasets, model artifacts, predictions, and other application data. You can either use the default SageMaker created Amazon S3 bucket, or you can customize the storage location and specify your own bucket for storing Canvas application data.

You can specify an Amazon S3 bucket in another Amazon account for storing your Canvas data, but first you must grant cross-account permissions so that Canvas can access the bucket.

The following sections describe how to grant Canvas permission to upload objects to, and download objects from, an Amazon S3 bucket in another account. Additional permissions are required when the bucket is encrypted with an Amazon KMS key.

Requirements

Before you begin, review the following requirements:

  • Cross-account Amazon S3 buckets (and any associated Amazon KMS keys) must be in the same Amazon Region as the Canvas user domain or user profile.

  • The final Amazon S3 URI for the training folder in your Canvas storage location must be 128 characters or less. The final S3 URI consists of your bucket path s3://<your-bucket-name>/<folder-name>/ plus the path that Canvas adds to your bucket: Canvas/<user-profile-name>/Training. For example, an acceptable path that is less than 128 characters is s3://<my-bucket>/<machine-learning>/Canvas/<user-1>/Training.

Permissions for cross-account Amazon S3 buckets

The following section outlines the basic steps for granting the necessary permissions so that Canvas can access your Amazon S3 bucket in another account. For more detailed instructions, see Example 2: Bucket owner granting cross-account bucket permissions in the Amazon S3 User Guide.

  1. Create an Amazon S3 bucket, bucketA, in Account A.

  2. The Canvas user exists in another account called Account B. In the following steps, we refer to the Canvas user's IAM role as roleB in Account B.

    Give the IAM role roleB in Account B permission to download (GetObject) and upload (PutObject) objects to and from bucketA in Account A by attaching an IAM policy.

    To limit access to a specific bucket folder, define the folder name in the resource element, such as arn:aws:s3:::<bucketA>/FolderName/*. For more information, see How can I use IAM policies to grant user-specific access to specific folders?

    Note

    Bucket-level actions, such as GetBucketCors and GetBucketLocation, should be added on bucket-level resources, not folders.

    The following example IAM policy grants the required permissions for roleB to access objects in bucketA:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:DeleteObject"
                ],
                "Resource": [
                    "arn:aws:s3:::bucketA/FolderName/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketCors",
                    "s3:GetBucketLocation"
                ],
                "Resource": [
                    "arn:aws:s3:::bucketA"
                ]
            }
        ]
    }

  3. Configure the bucket policy for bucketA in Account A to grant permissions to the IAM role roleB in Account B.

    Note

    Admins must also turn off Block all public access under the bucket Permissions section.

    The following is an example bucket policy for bucketA to grant the necessary permissions to roleB:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::accountB:role/roleB"
                },
                "Action": [
                    "s3:DeleteObject",
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                "Resource": "arn:aws:s3:::bucketA/FolderName/*"
            },
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::accountB:role/roleB"
                },
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketCors",
                    "s3:GetBucketLocation"
                ],
                "Resource": "arn:aws:s3:::bucketA"
            }
        ]
    }

After configuring the preceding permissions, your Canvas user profile in Account B can now use the Amazon S3 bucket in Account A as the storage location for Canvas artifacts.

Permissions for cross-account Amazon S3 buckets encrypted with Amazon KMS

The following procedure shows you how to grant the necessary permissions so that Canvas can access an Amazon S3 bucket in another account when that bucket is encrypted with an Amazon KMS key. The steps are similar to the procedure above, with additional permissions for the key. For more information about granting cross-account KMS key access, see Allowing users in other accounts to use a KMS key in the Amazon KMS Developer Guide.

  1. Create an Amazon S3 bucket, bucketA, in Account A, together with the Amazon KMS key, s3KmsInAccountA, that encrypts it.

  2. The Canvas user exists in another account called Account B. In the following steps, we refer to the Canvas user's IAM role as roleB in Account B.

    Give the IAM role roleB in Account B permission to do the following:

    • Download (GetObject) and upload (PutObject) objects to and from bucketA in Account A.

    • Access the Amazon KMS key s3KmsInAccountA in Account A.

    The following example IAM policy grants the required permissions for roleB to access objects in bucketA and use the KMS key s3KmsInAccountA:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:DeleteObject"
                ],
                "Resource": [
                    "arn:aws:s3:::bucketA/FolderName/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetBucketCors",
                    "s3:GetBucketLocation"
                ],
                "Resource": [
                    "arn:aws:s3:::bucketA"
                ]
            },
            {
                "Action": [
                    "kms:DescribeKey",
                    "kms:CreateGrant",
                    "kms:RetireGrant",
                    "kms:GenerateDataKey",
                    "kms:GenerateDataKeyWithoutPlainText",
                    "kms:Decrypt"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:kms:{region}:accountA:key/s3KmsInAccountA"
            }
        ]
    }

  3. Configure the bucket policy for bucketA and the key policy for s3KmsInAccountA in Account A to grant permissions to the IAM role roleB in Account B.

    The following is an example bucket policy for bucketA to grant the necessary permissions to roleB:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::accountB:role/roleB"
                },
                "Action": [
                    "s3:DeleteObject",
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                "Resource": "arn:aws:s3:::bucketA/FolderName/*"
            },
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::accountB:role/roleB"
                },
                "Action": [
                    "s3:GetBucketCors",
                    "s3:GetBucketLocation"
                ],
                "Resource": "arn:aws:s3:::bucketA"
            }
        ]
    }

    The following example is a key policy statement that you add to the key policy of the KMS key s3KmsInAccountA in Account A to grant roleB access. For more information about how to create and attach a key policy statement, see Creating a key policy in the Amazon KMS Developer Guide.

    {
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::accountB:role/roleB"
            ]
        },
        "Action": [
            "kms:DescribeKey",
            "kms:CreateGrant",
            "kms:RetireGrant",
            "kms:GenerateDataKey",
            "kms:GenerateDataKeyWithoutPlainText",
            "kms:Decrypt"
        ],
        "Resource": "*"
    }

After configuring the preceding permissions, your Canvas user profile in Account B can now use the encrypted Amazon S3 bucket in Account A as the storage location for Canvas artifacts.
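As an added example that is not AWS or SageMaker code, the Python below serves both procedures on this page. It derives the bucket ARN and folder-prefix ARN from a Canvas storage location, checks the 128-character limit on the final training path, and statically reviews a bucket policy and a KMS key-policy statement: it confirms the required S3 and KMS actions are granted to roleB on the right resources, flags bucket-level actions placed on a folder prefix (the mistake the Note in step 2 warns about), and flags any statement that grants access to every principal. The account IDs, key ID, role and bucket names, and all policy documents are constructed for the example; the required action sets are taken from the example policies above (the bucket-level set follows the first procedure, which includes s3:ListBucket).

```python
"""Static review of the policies behind a cross-account Canvas storage location:
bucketA's bucket policy and the KMS key-policy statement granted to roleB.
Added example, not AWS or SageMaker code. Account IDs, the key ID and the
policy documents below are constructed to mirror the procedure on this page."""

MAX_URI_LEN = 128
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketCors", "s3:GetBucketLocation"}
KMS_ACTIONS = {"kms:DescribeKey", "kms:CreateGrant", "kms:RetireGrant", "kms:Decrypt",
               "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"}
S3_ARN_PREFIX = "arn:aws:s3:::"

def canvas_training_uri(storage_uri, user_profile):
    """Final training path Canvas derives: <storage location>/Canvas/<profile>/Training."""
    return storage_uri.rstrip("/") + f"/Canvas/{user_profile}/Training"

def expected_arns(storage_uri):
    """(bucket ARN, object-prefix ARN) for a storage location like s3://bucket/folder/."""
    if not storage_uri.startswith("s3://"):
        raise ValueError("storage location must be an s3:// URI")
    bucket, _, prefix = storage_uri[len("s3://"):].partition("/")
    prefix = prefix.strip("/")
    objects = f"{S3_ARN_PREFIX}{bucket}/{prefix}/*" if prefix else f"{S3_ARN_PREFIX}{bucket}/*"
    return f"{S3_ARN_PREFIX}{bucket}", objects

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(statement):
    p = statement.get("Principal", {})
    return _as_list(p.get("AWS", [])) if isinstance(p, dict) else _as_list(p)

def allowed_actions(policy, principal=None):
    """Map each Resource to the actions its Allow statements grant (lower-cased,
    because IAM matches action names case-insensitively). For a resource policy
    pass the role ARN; statements addressed to other principals are ignored."""
    grants = {}
    for st in _as_list(policy.get("Statement", policy)):
        if st.get("Effect") != "Allow":
            continue
        if principal is not None and principal not in _principals(st):
            continue
        for res in _as_list(st.get("Resource", [])):
            grants.setdefault(res, set()).update(a.lower() for a in _as_list(st["Action"]))
    return grants

def check_policy(policy, bucket_arn=None, object_arn=None, key_arn=None, principal=None):
    """Return findings; an empty list means the policy grants Canvas what it needs,
    on the right resource types, and grants nothing to every principal."""
    findings = []
    for st in _as_list(policy.get("Statement", policy)):
        if "*" in _principals(st):
            findings.append("a statement grants access to every principal (public)")
    grants = allowed_actions(policy, principal)
    for res, acts in grants.items():
        # bucket-level actions belong on the bucket ARN, not on a folder prefix
        if res.startswith(S3_ARN_PREFIX) and "/" in res[len(S3_ARN_PREFIX):]:
            misplaced = sorted(a for a in BUCKET_ACTIONS if a.lower() in acts)
            if misplaced:
                findings.append(f"bucket-level {misplaced} placed on prefix {res}")
    for required, res in ((OBJECT_ACTIONS, object_arn), (BUCKET_ACTIONS, bucket_arn),
                          (KMS_ACTIONS, key_arn)):
        if res is None:
            continue
        have = grants.get(res, set()) | grants.get("*", set())   # key policies use "*"
        gap = sorted(a for a in required if a.lower() not in have)
        if gap:
            findings.append(f"missing {gap} on {res}")
    return findings

# Constructed sample data (account IDs and key ID are placeholders, not real values)
ROLE_B = "arn:aws:iam::111111111111:role/roleB"
KEY_ARN = "arn:aws:kms:us-east-1:222222222222:key/0000aaaa-0000-0000-0000-000000000000"
STORAGE = "s3://bucketA/FolderName/"
BUCKET_ARN, OBJECT_ARN = expected_arns(STORAGE)

BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_B},
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"], "Resource": OBJECT_ARN},
    {"Effect": "Allow", "Principal": {"AWS": ROLE_B},
     "Action": ["s3:ListBucket", "s3:GetBucketCors", "s3:GetBucketLocation"],
     "Resource": BUCKET_ARN}]}

# Constructed mistake the Note warns about: bucket-level actions on the folder prefix
FLAWED_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_B},
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                "s3:ListBucket", "s3:GetBucketCors", "s3:GetBucketLocation"],
     "Resource": OBJECT_ARN}]}

KEY_POLICY_STATEMENT = {"Sid": "Allow use of the key", "Effect": "Allow",
    "Principal": {"AWS": [ROLE_B]}, "Resource": "*",
    "Action": ["kms:DescribeKey", "kms:CreateGrant", "kms:RetireGrant", "kms:GenerateDataKey",
               "kms:GenerateDataKeyWithoutPlainText", "kms:Decrypt"]}  # mixed case as on the page

def review(user_profile="user-1"):
    """Run every check for the sample storage location; findings per item."""
    return {
        "uri_too_long": len(canvas_training_uri(STORAGE, user_profile)) > MAX_URI_LEN,
        "bucket_policy": check_policy(BUCKET_POLICY, BUCKET_ARN, OBJECT_ARN, principal=ROLE_B),
        "flawed_bucket_policy": check_policy(FLAWED_BUCKET_POLICY, BUCKET_ARN, OBJECT_ARN,
                                             principal=ROLE_B),
        "key_policy": check_policy(KEY_POLICY_STATEMENT, key_arn=KEY_ARN, principal=ROLE_B),
    }
```

Run `review()` to see the findings for each sample: the well-formed bucket policy and the key-policy statement come back clean, while the flawed policy reports both the misplaced bucket-level actions and the resulting gap on the bucket ARN. Because the checker lower-cases action names before comparing, the page's `kms:GenerateDataKeyWithoutPlainText` spelling matches the canonical `kms:GenerateDataKeyWithoutPlaintext`, as IAM itself does. To review your own policies, load the JSON documents with `json.load` and pass them in with the role ARN from Account B.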