本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
权限
您必须创建两个 角色。一个角色授予启动权限 SageMaker 实例,以便对笔记本进行容器化。执行容器需要使用另一个角色。
您可以自动或手动创建第一个角色。如果你创建了新的 SageMaker使用实例Amazon IoT Analytics控制台,你可以选择自动创建一个新角色,该角色授予执行所需的所有权限 SageMaker 实例和容器化笔记本。或者,您也可以手动创建具有这些权限的角色。为此,请使用以下命令创建一个角色AmazonSageMakerFullAccess附加策略并添加以下策略。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:BatchDeleteImage", "ecr:BatchGetImage", "ecr:CompleteLayerUpload", "ecr:CreateRepository", "ecr:DescribeRepositories", "ecr:GetAuthorizationToken", "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::iotanalytics-notebook-containers/*" } ] }
您必须手动创建第二个角色,该角色将授予执行容器所需的权限。即使你使用了Amazon IoT Analytics控制台自动创建第一个角色。创建附加以下策略和信任策略的角色。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:PutObject", "s3:GetObject", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::aws-*-dataset-*/*" }, { "Effect": "Allow", "Action": [ "iotanalytics:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:GetLogEvents", "logs:PutLogEvents" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" } ] }
以下是信任策略的示例。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": ["sagemaker.amazonaws.com", "iotanalytics.amazonaws.com"] }, "Action": "sts:AssumeRole" } ] }