Permissions - AWS IoT Analytics
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门

Permissions

您必须创建两个 角色。一个角色授予启动 SageMaker 实例,以便对笔记本进行容器化。执行容器需要使用另一个角色。

您可以自动或手动创建第一个角色。如果您创建了新的 SageMaker 实例 AWS IoT Analytics 控制台时,您可以选择自动创建新角色,授予执行 SageMaker 实例和容器化笔记本。或者,您也可以手动创建具有这些权限的角色。为此,请使用 AmazonSageMakerFullAccess 政策,并添加以下政策。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:BatchDeleteImage", "ecr:BatchGetImage", "ecr:CompleteLayerUpload", "ecr:CreateRepository", "ecr:DescribeRepositories", "ecr:GetAuthorizationToken", "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::iotanalytics-notebook-containers/*" } ] }

您必须手动创建第二个角色,该角色将授予执行容器所需的权限。即使您使用 AWS IoT Analytics 以自动创建第一个角色。创建具有以下政策和信托政策的角色。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:PutObject", "s3:GetObject", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::aws-*-dataset-*/*" }, { "Effect": "Allow", "Action": [ "iotanalytics:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:GetLogEvents", "logs:PutLogEvents" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" } ] }

以下是信任策略的示例。

{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": ["sagemaker.amazonaws.com", "iotanalytics.amazonaws.com"] }, "Action": "sts:AssumeRole" } ] }