Amazon IoT Analytics 不再向新客户提供。的现有客户 Amazon IoT Analytics 可以继续照常使用该服务。了解更多
本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
权限
您必须创建两个 角色。一个角色用于授予启动 SageMaker 实例以实现笔记本容器化的权限。执行容器需要使用另一个角色。
您可以自动或手动创建第一个角色。如果您使用 Amazon IoT Analytics 控制台创建新的 SageMaker 实例,那么您可以选择自动创建新角色,该角色将授予执行 SageMaker 实例和容器化笔记本所需的全部权限。或者,您也可以手动创建具有这些权限的角色。要手动创建,请创建一个已附加 AmazonSageMakerFullAccess
策略的角色并添加以下策略。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:BatchDeleteImage", "ecr:BatchGetImage", "ecr:CompleteLayerUpload", "ecr:CreateRepository", "ecr:DescribeRepositories", "ecr:GetAuthorizationToken", "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::iotanalytics-notebook-containers/*" } ] }
您必须手动创建第二个角色,该角色将授予执行容器所需的权限。即使您使用 Amazon IoT Analytics 控制台来自动创建第一个角色,也必须执行此操作。创建一个附加以下策略和信任策略的角色。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:PutObject", "s3:GetObject", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::aws-*-dataset-*/*" }, { "Effect": "Allow", "Action": [ "iotanalytics:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:GetLogEvents", "logs:PutLogEvents" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" } ] }
以下是信任策略的示例。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": ["sagemaker.amazonaws.com", "iotanalytics.amazonaws.com"] }, "Action": "sts:AssumeRole" } ] }