为 Neptune ML 设置 IAM 角色和策略 - Amazon Neptune
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

为 Neptune ML 设置 IAM 角色和策略

您需要创建以下 IAM 策略并将其附加到适当的 IAM 角色,以便 Neptune ML 可以与 SageMaker 和 Amazon S3 配合使用:

IAM 策略,授予 Neptune ML 访问 SageMaker 和 Amazon S3 的权限

以下策略授予 Neptune ML 访问 SageMaker 和 Amazon S3 资源所需的访问权限:

{ "Version":"2012-10-17", "Statement":[ { "Action":[ "iam:PassRole" ], "Resource":[ "arn:aws:iam::*:role/*" ], "Condition":{ "StringEquals":{ "iam:PassedToService":[ "sagemaker.amazonaws.com" ] } }, "Effect":"Allow" }, { "Action":[ "kms:CreateGrant", "kms:Decrypt", "kms:GenerateDataKey*" ], "Resource":"arn:aws:kms:*:*:key/*", "Effect":"Allow" }, { "Action":[ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:GetLogEvents" ], "Resource":[ "arn:aws:logs:*:*:log-group:/aws/sagemaker/*" ], "Effect":"Allow" }, { "Action":[ "sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig", "sagemaker:CreateHyperParameterTuningJob", "sagemaker:CreateModel", "sagemaker:CreateProcessingJob", "sagemaker:CreateTrainingJob", "sagemaker:CreateTransformJob", "sagemaker:DeleteEndpoint", "sagemaker:DeleteEndpointConfig", "sagemaker:StopHyperParameterTuningJob", "sagemaker:DeleteModel", "sagemaker:StopProcessingJob", "sagemaker:StopTrainingJob", "sagemaker:StopTransformJob", "sagemaker:DescribeEndpoint", "sagemaker:DescribeEndpointConfig", "sagemaker:DescribeHyperParameterTuningJob", "sagemaker:DescribeModel", "sagemaker:DescribeProcessingJob", "sagemaker:DescribeTrainingJob", "sagemaker:DescribeTransformJob", "sagemaker:InvokeEndpoint", "sagemaker:ListTags", "sagemaker:ListTrainingJobsForHyperParameterTuningJob", "sagemaker:UpdateEndpoint" ], "Resource":[ "arn:aws:sagemaker:*:*:*" ], "Effect":"Allow" }, { "Action":[ "sagemaker:ListEndpointConfigs", "sagemaker:ListEndpoints", "sagemaker:ListHyperParameterTuningJobs", "sagemaker:ListModels", "sagemaker:ListProcessingJobs", "sagemaker:ListTrainingJobs", "sagemaker:ListTransformJobs" ], "Resource":"*", "Effect":"Allow" }, { "Action":[ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload", "s3:ListBucket" ], "Resource":[ "arn:aws:s3:::*" ], "Effect":"Allow" } ] }

Amazon SageMaker 的 IAM 执行策略

以下策略授予 SageMaker 对 Neptune ML 和 Amazon S3 所需的访问权限:

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:CreateVpcEndpoint", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeDhcpOptions", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability" ], "Resource": [ "*", "arn:aws:ecr:*:*:repository/*" ], "Effect": "Allow" }, { "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/*" ], "Condition": { "StringEquals": { "iam:PassedToService": [ "sagemaker.amazonaws.com" ] } }, "Effect": "Allow" }, { "Action": [ "kms:CreateGrant", "kms:Decrypt", "kms:GenerateDataKey*" ], "Resource": "arn:aws:kms:*:*:key/*", "Effect": "Allow" }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:GetLogEvents" ], "Resource": [ "arn:aws:logs:*:*:log-group:/aws/sagemaker/*" ], "Effect": "Allow" }, { "Action": [ "sagemaker:CreateHyperParameterTuningJob", "sagemaker:DescribeHyperParameterTuningJob", "sagemaker:ListTags", "sagemaker:CreateTransformJob", "sagemaker:DescribeTransformJob" ], "Resource": [ "arn:aws:sagemaker:*:*:*" ], "Effect": "Allow" }, { "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::*" ], "Effect": "Allow" } ] }

Amazon Neptune 信任策略

以下政策仅为 Neptune ML 创建信任关系:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": [ "rds.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }

Amazon SageMaker 的信任策略

以下政策仅为 SageMaker 创建信任关系:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "sagemaker.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

Amazon Neptune 和 Amazon SageMaker 的综合信任政策

以下策略创建了可用于 Neptune ML 和 SageMaker 的组合信任关系:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": [ "rds.amazonaws.com", "sagemaker.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }