

# Permissions for SOCI indexing
<a name="soci-indexing-setup"></a>

Create SOCI indexes for your container images and store them in Amazon ECR before using SOCI indexing with [Amazon SageMaker Studio](studio-updated.md) or [Amazon SageMaker Unified Studio](https://docs.amazonaws.cn/sagemaker-unified-studio/latest/userguide/what-is-sagemaker-unified-studio.html).

**Topics**
+ [Prerequisites](#soci-indexing-setup-prerequisites)
+ [Required IAM permissions](#soci-indexing-setup-iam-permissions)

## Prerequisites
<a name="soci-indexing-setup-prerequisites"></a>
+ An Amazon Web Services account with an [Amazon Identity and Access Management](https://docs.amazonaws.cn/IAM/latest/UserGuide/getting-started.html) (IAM) role with permissions to manage:
  + [Amazon ECR](https://docs.amazonaws.cn/AmazonECR/latest/userguide/what-is-ecr.html)
  + [Amazon SageMaker AI](https://docs.amazonaws.cn/sagemaker/latest/dg/gs.html)
+ [Amazon ECR private repositories](https://docs.amazonaws.cn/AmazonECR/latest/userguide/Repositories.html) for storing your container images
+ [Amazon CLI v2.0+](https://docs.amazonaws.cn/cli/latest/userguide/getting-started-install.html) configured with appropriate credentials
+ The following container tools:
  + Required: [soci-snapshotter](https://github.com/awslabs/soci-snapshotter)
  + Options:
    + [nerdctl](https://github.com/containerd/nerdctl)
    + [finch](https://github.com/runfinch/finch)

## Required IAM permissions
<a name="soci-indexing-setup-iam-permissions"></a>

Your IAM role needs permissions to:
+ Create and manage SageMaker AI resources (domains, images, app configs).
  + You may use the [AmazonSageMakerFullAccess](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonSageMakerFullAccess.html) Amazon managed policy. For more permission details, see [Amazon managed policy: AmazonSageMakerFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AmazonSageMakerFullAccess).
+ Push images to an Amazon ECR private repository. See [IAM permissions for pushing an image to an Amazon ECR private repository](https://docs.amazonaws.cn/AmazonECR/latest/userguide/image-push-iam.html).
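
The following identity-based policy is an added example, not part of the original page. It scopes the Amazon ECR push permissions described above to a single repository instead of all repositories. The `aws-cn` partition, `REGION`, the account ID `111122223333`, `REPOSITORY_NAME`, and the `Sid` values are placeholder assumptions, and the action list is assumed to match the set described on the linked Amazon ECR page.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExamplePushToOneRepository",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage"
      ],
      "Resource": "arn:aws-cn:ecr:REGION:111122223333:repository/REPOSITORY_NAME"
    },
    {
      "Sid": "ExampleRegistryLogin",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}
```

`ecr:GetAuthorizationToken` does not support resource-level scoping, so it sits in its own statement with `"Resource": "*"` while every write action stays limited to the one repository ARN.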