亚马逊 SageMaker API 权限:操作、权限和资源参考 - Amazon SageMaker
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

亚马逊 SageMaker API 权限:操作、权限和资源参考

在设置访问控制和编写您可附加到 IAM 身份的权限策略 (基于身份的策略) 时,可以使用下作为参考。这些区域有:列出表每个亚马逊 SageMaker API 操作、您可授予执行该操作的权限的对应操作以及Amazon您可以授予权限的资源。您可以在策略的 Action 字段中指定这些操作,并在策略的 Resource 字段中指定资源值。

注意

ListTags API 外,资源级别限制在 List- 调用中不可用。任何调用 List- API 的用户都将看到账户中该类型的所有资源。

在亚马逊中表达状况 SageMaker 策略,您可以使用Amazon宽范围的条件键。有关 Amazon 范围内的键的完整列表,请参阅《IAM 用户指南》https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys中的可用键

使用滚动条查看表的其余部分。

亚马逊 SageMaker API 操作和必需的操作权限
亚马逊 SageMaker API 操作 所需权限(API 操作) 资源

AddTags

sagemaker:AddTags

arn:aws:sagemaker:region:account-id:*

CreateApp

sagemaker:CreateApp

arn:aws:sagemaker:region:account-id:app/domain-id/user-profile-name/app-type/appName

CreateAppImageConfig

sagemaker:CreateAppImageConfig

arn:aws:sagemaker:region:account-id:app-image-config/appImageConfigName

CreateAutoMLJob

sagemaker:CreateAutoMLJob

iam:PassRole

仅需要关联的以下权限ResourceConfig有指定VolumeKmsKeyId 而且关联的角色没有允许此操作的策略:

kms:CreateGrant

arn:aws:sagemaker:region:account-id:automl-job/autoMLJobName

CreateDomain

sagemaker:CreateDomain

iam:CreateServiceLinkedRole

iam:PassRole

如果指定了 KMS 客户管理的密钥,则为必填项KmsKeyId

elasticfilesystem:CreateFileSystem

kms:CreateGrant

kms:Decrypt

kms:DescribeKey

kms:GenerateDataKeyWithoutPlainText

arn:aws:sagemaker:region:account-id:domain/domain-id

CreateEndpoint

sagemaker:CreateEndpoint

kms:CreateGrant (仅当关联的 EndPointConfig 指定了 KmsKeyId 时才需要)

arn:aws:sagemaker:region:account-id:endpoint/endpointName

arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName

CreateEndpointConfig

sagemaker:CreateEndpointConfig

arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName

CreateFlowDefinition

sagemaker:CreateFlowDefinition

iam:PassRole

arn:aws:sagemaker:region:account-id:flow-definition/flowDefinitionName

CreateHumanTaskUi

sagemaker:CreateHumanTaskUi

arn:aws:sagemaker:region:account-id:human-task-ui/humanTaskUiName

CreateInferenceRecommendationsJob

sagemaker:CreateInferenceRecommendationsJob

iam:PassRole

仅当您指定加密密钥时,才需要以下权限:

kms:CreateGrant

kms:Decrypt

kms:DescribeKey

kms:GenerateDataKey

arn:aws:sagemaker:region:account-id:inference-recommendations-job/inferenceRecommendationsJobName

CreateHyperParameterTuningJob

sagemaker:CreateHyperParameterTuningJob

iam:PassRole

仅当任何关联的ResourceConfig有指定VolumeKmsKeyId 而且关联的角色没有允许此操作的策略:

kms:CreateGrant

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJobName

CreateImage

sagemaker:CreateImage

iam:PassRole

arn:aws:sagemaker:region:account-id:image/*

CreateImageVersion

sagemaker:CreateImageVersion

arn:aws:sagemaker:region:account-id:image-version/imageName/*

CreateLabelingJob

sagemaker:CreateLabelingJob

iam:PassRole

arn:aws:sagemaker:region:account-id:labeling-job/labelingJobName

CreateModel

sagemaker:CreateModel

iam:PassRole

arn:aws:sagemaker:region:account-id:model/modelName

CreateModelPackage

sagemaker:CreateModelPackage

arn:aws:sagemaker:region:account-id:model-package/modelPackageName

CreateModelPackageGroup

sagemaker:CreateModelPackageGroup

arn:aws:sagemaker:region:account-id:model-package-group/modelPackageGroupName

CreateNotebookInstance

sagemaker:CreateNotebookInstance

iam:PassRole

仅当您为您的笔记本实例指定 VPC 时,才需要以下权限:

ec2:CreateNetworkInterface

ec2:DescribeSecurityGroups

ec2:DescribeSubnets

ec2:DescribeVpcs

仅当您为您的笔记本实例指定 VPC 和弹性推理加速器时,才需要以下权限:

ec2:DescribeVpcEndpoints

仅当您指定加密密钥时,才需要以下权限:

kms:DescribeKey

kms:CreateGrant

仅当您指定 Amazon Secrets Manager 密钥以访问私有 Git 存储库时,才需要以下权限:

secretsmanager:GetSecretValue

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

CreatePipeline

sagemaker:CreatePipeline

iam:PassRole

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name

arn:aws-partition:iam::account-id:role/role-name

CreatePresignedDomainUrl

sagemaker:CreatePresignedDomainUrl

arn:aws:sagemaker:region:account-id:app/domain-id/userProfileName/*

CreatePresignedNotebookInstanceUrl

sagemaker:CreatePresignedNotebookInstanceUrl

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

CreateProcessingJob

sagemaker:CreateProcessingJob

iam:PassRole

kms:CreateGrant(仅当关联的 ProcessingResources 具有一个指定的 VolumeKmsKeyId 且关联角色没有允许此操作的策略时才必需)

arn:aws:sagemaker:region:account-id:processing-job/processingJobName

CreateStudioLifecycleConfig

sagemaker:CreateStudioLifecycleConfig

arn:aws:sagemaker:region:account-id:studio-lifecycle-config/.*

CreateTrainingJob

sagemaker:CreateTrainingJob

iam:PassRole

kms:CreateGrant(仅当关联的 ResourceConfig 具有一个指定的 VolumeKmsKeyId 且关联角色没有允许此操作的策略时才必需)

arn:aws:sagemaker:region:account-id:training-job/trainingJobName

CreateTransformJob

sagemaker:CreateTransformJob

kms:CreateGrant(仅当关联的 TransformResources 具有一个指定的 VolumeKmsKeyId 且关联角色没有允许此操作的策略时才必需)

arn:aws:sagemaker:region:account-id:transform-job/transformJobName

CreateUserProfile

sagemaker:CreateUserProfile

iam:PassRole

arn:aws:sagemaker:region:account-id:user-profile/domain-id/userProfileName

CreateWorkforce

sagemaker:CreateWorkforce

cognito-idp:DescribeUserPoolClient

cognito-idp:UpdateUserPool

cognito-idp:DescribeUserPool

cognito-idp:UpdateUserPoolClient

arn:aws:sagemaker:region:account-id:workforce/*

CreateWorkteam

sagemaker:CreateWorkteam

cognito-idp:DescribeUserPoolClient

cognito-idp:UpdateUserPool

cognito-idp:DescribeUserPool

cognito-idp:UpdateUserPoolClient

arn:aws:sagemaker:region:account-id:workteam/private-crowd/work team name

DeleteApp

sagemaker:DeleteApp

arn:aws:sagemaker:region:account-id:app/domain-id/user-profile-name/app-type/appName

DeleteAppImageConfig

sagemaker:DeleteAppImageConfig

arn:aws:sagemaker:region:account-id:app-image-config/appImageConfigName

DeleteDomain

sagemaker:DeleteDomain

arn:aws:sagemaker:region:account-id:domain/domainId

DeleteEndpoint

sagemaker:DeleteEndpoint

arn:aws:sagemaker:region:account-id:endpoint/endpointName

DeleteEndpointConfig

sagemaker:DeleteEndpointConfig

arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName

DeleteFlowDefinition

sagemaker:DeleteFlowDefinition

arn:aws:sagemaker:region:account-id:flow-definition/flowDefinitionName

DeleteHumanLoop

sagemaker:DeleteHumanLoop

arn:aws:sagemaker:region:account-id:human-loop/humanLoopName

DeleteImage

sagemaker:DeleteImage

arn:aws:sagemaker:region:account-id:image/imageName

DeleteImageVersion

sagemaker:DeleteImageVersion

arn:aws:sagemaker:region:account-id:image-version/imageName/versionNumber

DeleteModel

sagemaker:DeleteModel

arn:aws:sagemaker:region:account-id:model/modelName

DeleteModelPackage

sagemaker:DeleteModelPackage

arn:aws:sagemaker:region:account-id:model-package/modelPackageName

DeleteModelPackageGroup

sagemaker:DeleteModelPackageGroup

arn:aws:sagemaker:region:account-id:model-package-group/modelPackageGroupName

DeleteModelPackageGroupPolicy

sagemaker:DeleteModelPackageGroupPolicy

arn:aws:sagemaker:region:account-id:model-package-group/modelPackageGroupName

DeleteNotebookInstance

sagemaker:DeleteNotebookInstance

仅当您为您的笔记本实例指定 VPC 时,才需要以下权限:

ec2:DeleteNetworkInterface

仅当您在创建笔记本实例时指定了加密密钥的情况下,才需要以下权限:

kms:DescribeKey

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

DeletePipeline

sagemaker:DeletePipeline

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name

DeleteTags

sagemaker:DeleteTags

arn:aws:sagemaker:region:account-id:*

DeleteUserProfile

sagemaker:DeleteUserProfile

arn:aws:sagemaker:region:account-id:user-profile/domain-id/userProfileName

DeleteWorkforce

sagemaker:DeleteWorkforce

arn:aws:sagemaker:region:account-id:workforce/*

DeleteWorkteam

sagemaker:DeleteWorkteam

arn:aws:sagemaker:region:account-id:workteam/private-crowd/*

DescribeApp

sagemaker:DescribeApp

arn:aws:sagemaker:region:account-id:app/domain-id/user-profile-name/app-type/appName

DescribeAppImageConfig

sagemaker:DescribeAppImageConfig

arn:aws:sagemaker:region:account-id:app-image-config/appImageConfigName

DescribeDomain

sagemaker:DescribeDomain

arn:aws:sagemaker:region:account-id:domain/domainId

DescribeEndpoint

sagemaker:DescribeEndpoint

arn:aws:sagemaker:region:account-id:endpoint/endpointName

DescribeEndpointConfig

sagemaker:DescribeEndpointConfig

arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName

DescribeFlowDefinition

sagemaker:DescribeFlowDefinition

arn:aws:sagemaker:region:account-id:flow-definition/flowDefinitionName

DescribeHumanLoop

sagemaker:DescribeHumanLoop

arn:aws:sagemaker:region:account-id:human-loop/humanLoopName

DescribeHumanTaskUi

sagemaker:DescribeHumanTaskUi

arn:aws:sagemaker:region:account-id:human-task-ui/humanTaskUiName

DescribeHyperParameterTuningJob

sagemaker:DescribeHyperParameterTuningJob

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob

DescribeImage

sagemaker:DescribeImage

arn:aws:sagemaker:region:account-id:image/imageName

DescribeImageVersion

sagemaker:DescribeImageVersion

arn:aws:sagemaker:region:account-id:image-version/imageName/versionNumber

DescribeLabelingJob

sagemaker:DescribeLabelingJob

arn:aws:sagemaker:region:account-id:labeling-job/labelingJobName

DescribeModel

sagemaker:DescribeModel

arn:aws:sagemaker:region:account-id:model/modelName

DescribeModelPackage

sagemaker:DescribeModelPackage

arn:aws:sagemaker:region:account-id:model-package/modelPackageName

DescribeModelPackageGroup

sagemaker:DescribeModelPackageGroup

arn:aws:sagemaker:region:account-id:model-package-group/modelPackageGroupName

DescribeNotebookInstance

sagemaker:DescribeNotebookInstance

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

DescribePipeline

sagemaker:DescribePipeline

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name

DescribePipelineDefinitionForExecution

sagemaker:DescribePipelineDefinitionForExecution

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id

DescribePipelineExecution

sagemaker:DescribePipelineExecution

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id

DescribeProcessingJob

sagemaker:DescribeProcessingJob

arn:aws:sagemaker:region:account-id:processing-job/processingjobname

DescribeSubscribedWorkteam

sagemaker:DescribeSubscribedWorkteam

aws-marketplace:ViewSubscriptions

arn:aws:sagemaker:region:account-id:workteam/vendor-crowd/*

DescribeTrainingJob

sagemaker:DescribeTrainingJob

arn:aws:sagemaker:region:account-id:training-job/trainingjobname

DescribeTransformJob

sagemaker:DescribeTransformJob

arn:aws:sagemaker:region:account-id:transform-job/transformjobname

DescribeUserProfile

sagemaker:DescribeUserProfile

arn:aws:sagemaker:region:account-id:user-profile/domain-id/userProfileName

DescribeWorkforce

sagemaker:DescribeWorkforce

arn:aws:sagemaker:region:account-id:workforce/*

DescribeWorkteam

sagemaker:DescribeWorkteam

arn:aws:sagemaker:region:account-id:workteam/private-crowd/*

GetModelPackageGroupPolicy

sagemaker:GetModelPackageGroupPolicy

arn:aws:sagemaker:region:account-id:model-package-group/modelPackageGroupName

InvokeEndpoint

sagemaker:InvokeEndpoint

arn:aws:sagemaker:region:account-id:endpoint/endpointName

ListAppImageConfigs

sagemaker:ListAppImageConfigs

arn:aws:sagemaker:region:account-id:app-image-config/*

ListApps

sagemaker:ListApps

arn:aws:sagemaker:region:account-id:app/domain-id/user-profile-name/*

ListDomains

sagemaker:ListDomains

arn:aws:sagemaker:region:account-id:domain/*

ListEndpointConfigs

sagemaker:ListEndpointConfigs

*

ListEndpoints

sagemaker:ListEndpoints

*

ListFlowDefinitions

sagemaker:ListFlowDefinitions

*

ListHumanLoops

sagemaker:ListHumanLoops

*

ListHumanTaskUis

sagemaker:ListHumanTaskUis

*

ListHyperParameterTuningJobs

sagemaker:ListHyperParameterTuningJobs

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob

ListImages

sagemaker:ListImages

*

ListImageVersions

sagemaker:ListImageVersions

arn:aws:sagemaker:region:account-id:image/*

ListLabelingJobs

sagemaker:ListLabelingJobs

*

ListLabelingJobsForWorkteam

sagemaker:ListLabelingJobForWorkteam

*

ListModelPackageGroups

sagemaker:ListModelPackageGroups

arn:aws:sagemaker:region:account-id :model-package-group/ModelPackageGroupName

ListModelPackages

sagemaker:ListModelPackages

arn:aws:sagemaker:region:account-id :model-package/ModelPackageName

ListModels

sagemaker:ListModels

*

ListNotebookInstances

sagemaker:ListNotebookInstances

*

ListPipelineExecutions

sagemaker:ListPipelineExecutions

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name

ListPipelineExecutionSteps

sagemaker:ListPipelineExecutionSteps

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id

ListPipelineParametersForExecution

sagemaker:ListPipelineParametersForExecution

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id

ListPipelines

sagemaker:ListPipelines

*

ListProcessingJobs

sagemaker:ListProcessingJobs

*

ListSubscribedWorkteams

sagemaker:ListSubscribedWorkteams

aws-marketplace:ViewSubscriptions

*

ListTags

sagemaker:ListTags

arn:aws:sagemaker:region:account-id:*

ListTrainingJobs

sagemaker:ListTrainingJobs

*

ListTrainingJobsForHyperParameterTuningJob

sagemaker:ListTrainingJobsForHyperParameterTuningJob

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob

ListTransformJobs

sagemaker:ListTransformJobs

*

ListUserProfiles

sagemaker:ListUserProfiles

arn:aws:sagemaker:region:account-id:user-profile/domain-id/*

ListWorkforces

sagemaker:ListWorkforces

*

ListWorkteams

sagemaker:ListWorkteams

*

PutModelPackageGroupPolicy

sagemaker:PutModelPackageGroupPolicy

arn:aws:sagemaker:region:account-id:model-package-group/modelPackageGroupName

RetryPipelineExecution

sagemaker:RetryPipelineExecution

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id

SendPipelineExecutionStepFailure

sagemaker:SendPipelineExecutionStepFailure

*

SendPipelineExecutionStepSuccess

sagemaker:SendPipelineExecutionStepSuccess

*

StartHumanLoop

sagemaker:StartHumanLoop

arn:aws:sagemaker:region:account-id:human-loop/humanLoopName

StartNotebookInstance

sagemaker:StartNotebookInstance

iam:PassRole

仅当您在创建笔记本实例时指定了 VPC 的情况下,才需要以下权限:

ec2:CreateNetworkInterface

ec2:DescribeNetworkInterfaces

ec2:DescribeSecurityGroups

ec2:DescribeSubnets

ec2:DescribeVpcs

仅当您为您的笔记本实例指定 VPC 和弹性推理加速器时,才需要以下权限:

ec2:DescribeVpcEndpoints

仅当您在创建笔记本实例时指定了加密密钥的情况下,才需要以下权限:

kms:DescribeKey

kms:CreateGrant

仅当您在创建笔记本实例时指定了 Amazon Secrets Manager 密钥以访问私有 Git 存储库时,才需要以下权限:

secretsmanager:GetSecretValue

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

StartPipelineExecution

sagemaker:StartPipelineExecution

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name

StopHumanLoop

sagemaker:StopHumanLoop

arn:aws:sagemaker:region:account-id:human-loop/humanLoopName

StopHyperParameterTuningJob

sagemaker:StopHyperParameterTuningJob

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob

StopLabelingJob

sagemaker:StopLabelingJob

arn:aws:sagemaker:region:account-id:labeling-job/labelingJobName

StopNotebookInstance

sagemaker:StopNotebookInstance

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

StopPipelineExecution

sagemaker:StopPipelineExecution

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id

StopProcessingJob

sagemaker:StopProcessingJob

arn:aws:sagemaker:region:account-id:processing-job/processingJobName

StopTrainingJob

sagemaker:StopTrainingJob

arn:aws:sagemaker:region:account-id:training-job/trainingJobName

StopTransformJob

sagemaker:StopTransformJob

arn:aws:sagemaker:region:account-id:transform-job/transformJobName

UpdateAppImageConfig

sagemaker:UpdateAppImageConfig

arn:aws:sagemaker:region:account-id:app-image-config/appImageConfigName

UpdateDomain

sagemaker:UpdateDomain

arn:aws:sagemaker:region:account-id:domain/domainId

UpdateEndpoint

sagemaker:UpdateEndpoint

arn:aws:sagemaker:region:account-id:endpoint/endpointName

UpdateEndpointWeightsAndCapacities

sagemaker:UpdateEndpointWeightsAndCapacities

arn:aws:sagemaker:region:account-id:endpoint/endpointName

UpdateImage

sagemaker:UpdateImage

iam:PassRole

arn:aws:sagemaker:region:account-id:image/imageName

UpdateModelPackage

sagemaker:UpdateModelPackage

arn:aws:sagemaker:region:account-id:model-package/modelPackageName

UpdateNotebookInstance

sagemaker:UpdateNotebookInstance

iam:PassRole

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

UpdatePipeline

sagemaker:UpdatePipeline

iam:PassRole

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name

arn:aws-partition:iam::account-id:role/role-name

UpdatePipelineExecution

sagemaker:UpdatePipelineExecution

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id

UpdateUserProfile

sagemaker:UpdateUserProfile

arn:aws:sagemaker:region:account-id:user-profile/domain-id/userProfileName

UpdateWorkforce

sagemaker:UpdateWorkforce

arn:aws:sagemaker:region:account-id:workforce/*

UpdateWorkteam

sagemaker:UpdateWorkteam

arn:aws:sagemaker:region:account-id:workteam/private-crowd/*