SageMaker geospatial capabilities roles - Amazon SageMaker
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

SageMaker geospatial capabilities roles

As a managed service, Amazon SageMaker geospatial capabilities performs operations on your behalf on the Amazon hardware that is managed by SageMaker. Use Amazon Identity and Access Management to grant users, groups, and roles access to SageMaker geospatial.

An IAM Administrator can grant these permissions to user, group, or role using the Amazon Web Services Management Console, Amazon CLI, or one of the Amazon SDKs.

To use SageMaker geospatial you need the following IAM permissions.

  1. An SageMaker execution role.

    To use the SageMaker geospatial specific API operations your SageMaker execution role must include the SageMaker geospatial service principal, sagemaker-geospatial.amazonaws.com in the execution role's trust policy. This allows the SageMaker execution role to perform actions in your Amazon Web Services account on your behalf.

  2. A user, group, or role that has access Amazon SageMaker Studio Classic and SageMaker geospatial

    To get started with SageMaker geospatial you can use the Amazon managed policy: AmazonSageMakerGeospatialFullAccess. This grants will grant a user, group, or role full access to SageMaker geospatial. To see the policy and learn more about which actions, resources, and conditions are available, see Amazon managed policy: AmazonSageMakerFullAccess.

    To get started with Studio Classic and creating a Amazon SageMaker domain, see Amazon SageMaker domain overview.

Use the following topics to create a new SageMaker execution role, update an existing SageMaker execution role, and learn how to manage permissions using SageMaker geospatial specific IAM actions, resources, and conditions.

Topics