Amazon SageMaker API 权限:操作、权限和资源参考 - Amazon SageMaker
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

Amazon SageMaker API 权限:操作、权限和资源参考

在设置访问控制和编写您可附加到 IAM 身份的权限策略 (基于身份的策略) 时,可以使用下作为参考。该列出了每个 Amazon SageMaker API 操作、您可为其授予执行该操作的权限的相应操作以及您可为其授予权限的 AWS 资源。您可以在策略的 Action 字段中指定这些操作,并在策略的 Resource 字段中指定资源值。

注意

ListTags API 外,资源级别限制在 List- 调用中不可用。任何调用 List- API 的用户都将看到账户中该类型的所有资源。

要在 Amazon SageMaker 策略中表达条件,您可以使用 AWS 范围的条件键。有关 AWS 范围内的键的完整列表,请参阅 https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys 中的IAM 用户指南可用键

使用滚动条查看表的其余部分。

Amazon SageMaker API 操作和所需的操作权限
Amazon SageMaker API 操作 所需权限(API 操作) 资源

AddTags

sagemaker:AddTags

arn:aws:sagemaker:region:account-id:*

CreateDomain

sagemaker:CreateDomain

iam:CreateServiceLinkedRole

iam:PassRole

如果为 指定了 KMS 客户托管 CMK,则是必需的KmsKeyId

elasticfilesystem:CreateFileSystem

kms:CreateGrant

kms:Decrypt

kms:DescribeKey

kms:GenerateDataKeyWithoutPlainText

arn:aws:sagemaker:region:account-id:domain/domain-id

CreateEndpoint

sagemaker:CreateEndpoint

kms:CreateGrant (仅当关联的 EndPointConfig 指定了 时才需要KmsKeyId

arn:aws:sagemaker:region:account-id:endpoint/endpointName

arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName

CreateEndpointConfig

sagemaker:CreateEndpointConfig

arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName

CreateFlowDefinition

sagemaker:CreateFlowDefinition

iam:PassRole

arn:aws:sagemaker:region:account-id:flow-definition/flowDefinitionName

CreateHumanTaskUi

sagemaker:CreateHumanTaskUi

arn:aws:sagemaker:region:account-id:human-task-ui/humanTaskUiName

CreateHyperParameterTuningJob

sagemaker:CreateHyperParameterTuningJob

iam:PassRole

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJobName

CreateImage

sagemaker:CreateImage

iam:PassRole

arn:aws:sagemaker:region:account-id:image/*

CreateImageVersion

sagemaker:CreateImageVersion

arn:aws:sagemaker:region:account-id:image-version/imageName/*

CreateLabelingJob

sagemaker:CreateLabelingJob

iam:PassRole

arn:aws:sagemaker:region:account-id:labeling-job/labelingJobName

CreateModel

sagemaker:CreateModel

iam:PassRole

arn:aws:sagemaker:region:account-id:model/modelName

CreateNotebookInstance

sagemaker:CreateNotebookInstance

iam:PassRole

仅当您为您的笔记本实例指定 VPC 时,才需要以下权限:

ec2:CreateNetworkInterface

ec2:DescribeSecurityGroups

ec2:DescribeSubnets

ec2:DescribeVpcs

仅当您为您的笔记本实例指定 VPC 和弹性推理加速器时,才需要以下权限:

ec2:DescribeVpcEndpoints

仅当您指定加密密钥时,才需要以下权限:

kms:DescribeKey

kms:CreateGrant

仅当您指定 AWS Secrets Manager 密钥以访问私有 Git 存储库时,才需要以下权限:

secretsmanager:GetSecretValue

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

CreatePresignedNotebookInstanceUrl

sagemaker:CreatePresignedNotebookInstanceUrl

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

CreateProcessingJob

sagemaker:CreateProcessingJob

iam:PassRole

kms:CreateGrant(仅当关联的 ProcessingResources 具有一个指定的 VolumeKmsKeyId 且关联角色没有允许此操作的策略时才必需)

arn:aws:sagemaker:region:account-id:processing-job/processingJobName

CreateTrainingJob

sagemaker:CreateTrainingJob

iam:PassRole

kms:CreateGrant(仅当关联的 ResourceConfig 具有一个指定的 VolumeKmsKeyId 且关联角色没有允许此操作的策略时才必需)

arn:aws:sagemaker:region:account-id:training-job/trainingJobName

CreateTransformJob

sagemaker:CreateTransformJob

kms:CreateGrant(仅当关联的 TransformResources 具有一个指定的 VolumeKmsKeyId 且关联角色没有允许此操作的策略时才必需)

arn:aws:sagemaker:region:account-id:transform-job/transformJobName

CreateWorkteam

sagemaker:CreateWorkteam

cognito-idp:DescribeUserPoolClient

cognito-idp:UpdateUserPool

cognito-idp:DescribeUserPool

cognito-idp:UpdateUserPoolClient

arn:aws:sagemaker:region:account-id:workteam/private-crowd/work team name

arn:aws:sagemaker:region:account-id:workteam/vendor-crowd/work team name

arn:aws:sagemaker:region:account-id:workteam/public-crowd/work team name

DeleteEndpoint

sagemaker:DeleteEndpoint

arn:aws:sagemaker:region:account-id:endpoint/endpointName

DeleteEndpointConfig

sagemaker:DeleteEndpointConfig

arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName

DeleteFlowDefinition

sagemaker:DeleteFlowDefinition

arn:aws:sagemaker:region:account-id:flow-definition/flowDefinitionName

DeleteHumanLoop

sagemaker:DeleteHumanLoop

arn:aws:sagemaker:region:account-id:human-loop/humanLoopName

DeleteImage

sagemaker:DeleteImage

arn:aws:sagemaker:region:account-id:image/imageName

DeleteImageVersion

sagemaker:DeleteImageVersion

arn:aws:sagemaker:region:account-id:image-version/imageName/versionNumber

DeleteModel

sagemaker:DeleteModel

arn:aws:sagemaker:region:account-id:model/modelName

DeleteNotebookInstance

sagemaker:DeleteNotebookInstance

仅当您为您的笔记本实例指定 VPC 时,才需要以下权限:

ec2:DeleteNetworkInterface

仅当您在创建笔记本实例时指定了加密密钥的情况下,才需要以下权限:

kms:DescribeKey

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

DeleteTags

sagemaker:DeleteTags

arn:aws:sagemaker:region:account-id:*

DeleteWorkteam

sagemaker:DeleteWorkteam

arn:aws:sagemaker:region:account-id:workteam/*

DescribeEndpoint

sagemaker:DescribeEndpoint

arn:aws:sagemaker:region:account-id:endpoint/endpointName

DescribeEndpointConfig

sagemaker:DescribeEndpointConfig

arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName

DescribeFlowDefinition

sagemaker:DescribeFlowDefinition

arn:aws:sagemaker:region:account-id:flow-definition/flowDefinitionName

DescribeHumanLoop

sagemaker:DescribeHumanLoop

arn:aws:sagemaker:region:account-id:human-loop/humanLoopName

DescribeHumanTaskUi

sagemaker:DescribeHumanTaskUi

arn:aws:sagemaker:region:account-id:human-task-ui/humanTaskUiName

DescribeHyperParameterTuningJob

sagemaker:DescribeHyperParameterTuningJob

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob

DescribeImage

sagemaker:DescribeImage

arn:aws:sagemaker:region:account-id:image/imageName

DescribeImageVersion

sagemaker:DescribeImageVersion

arn:aws:sagemaker:region:account-id:image-version/imageName/versionNumber

DescribeLabelingJob

sagemaker:DescribeLabelingJob

arn:aws:sagemaker:region:account-id:labeling-job/labelingJobName

DescribeModel

sagemaker:DescribeModel

arn:aws:sagemaker:region:account-id:model/modelName

DescribeNotebookInstance

sagemaker:DescribeNotebookInstance

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

DescribeProcessingJob

sagemaker:DescribeProcessingJob

arn:aws:sagemaker:region:account-id:processing-job/processingjobname

DescribeSubscribedWorkteam

sagemaker:DescribeSubscribedWorkteam

aws-marketplace:ViewSubscriptions

arn:aws:sagemaker:region:account-id:workteam/*

DescribeTrainingJob

sagemaker:DescribeTrainingJob

arn:aws:sagemaker:region:account-id:training-job/trainingjobname

DescribeTransformJob

sagemaker:DescribeTransformJob

arn:aws:sagemaker:region:account-id:transform-job/transformjobname

DescribeWorkteam

sagemaker:DescribeWorkteam

arn:aws:sagemaker:region:account-id:workteam/*

runtime_InvokeEndpoint

sagemaker:InvokeEndpoint

arn:aws:sagemaker:region:account-id:endpoint/endpointName

ListEndpointConfigs

sagemaker:ListEndpointConfigs

*

ListEndpoints

sagemaker:ListEndpoints

*

ListFlowDefinitions

sagemaker:ListFlowDefinitions

*

ListHumanLoops

sagemaker:ListHumanLoops

*

ListHumanTaskUis

sagemaker:ListHumanTaskUis

*

ListHyperParameterTuningJobs

sagemaker:ListHyperParameterTuningJobs

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob

ListImages

sagemaker:ListImages

*

ListImageVersions

sagemaker:ListImageVersions

arn:aws:sagemaker:region:account-id:image/*

ListLabelingJobs

sagemaker:ListLabelingJobs

*

ListLabelingJobsForWorkteam

sagemaker:ListLabelingJobForWorkteam

*

ListModels

sagemaker:ListModels

*

ListNotebookInstances

sagemaker:ListNotebookInstances

*

ListProcessingJobs

sagemaker:ListProcessingJobs

*

ListSubscribedWorkteams

sagemaker:ListSubscribedWorkteams

aws-marketplace:ViewSubscriptions

arn:aws:sagemaker:region:account-id:workteam/*

ListTags

sagemaker:ListTags

arn:aws:sagemaker:region:account-id:*

ListTrainingJobs

sagemaker:ListTrainingJobs

*

ListTrainingJobsForHyperParameterTuningJob

sagemaker:ListTrainingJobsForHyperParameterTuningJob

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob

ListTransformJobs

sagemaker:ListTransformJobs

*

ListWorkteams

sagemaker:ListWorkteams

arn:aws:sagemaker:region:account-id:workteam/*

StartHumanLoop

sagemaker:StartHumanLoop

arn:aws:sagemaker:region:account-id:human-loop/humanLoopName

StartNotebookInstance

sagemaker:StartNotebookInstance

iam:PassRole

仅当您在创建笔记本实例时指定了 VPC 的情况下,才需要以下权限:

ec2:CreateNetworkInterface

ec2:DescribeNetworkInterfaces

ec2:DescribeSecurityGroups

ec2:DescribeSubnets

ec2:DescribeVpcs

仅当您为您的笔记本实例指定 VPC 和弹性推理加速器时,才需要以下权限:

ec2:DescribeVpcEndpoints

仅当您在创建笔记本实例时指定了加密密钥的情况下,才需要以下权限:

kms:DescribeKey

kms:CreateGrant

仅当您在创建笔记本实例时指定了 AWS Secrets Manager 密钥以访问私有 Git 存储库时,才需要以下权限:

secretsmanager:GetSecretValue

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

StopHumanLoop

sagemaker:StopHumanLoop

arn:aws:sagemaker:region:account-id:human-loop/humanLoopName

StopHyperParameterTuningJob

sagemaker:StopHyperParameterTuningJob

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob

StopLabelingJob

sagemaker:StopLabelingJob

arn:aws:sagemaker:region:account-id:labeling-job/labelingJobName

StopNotebookInstance

sagemaker:StopNotebookInstance

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

StopProcessingJob

sagemaker:StopProcessingJob

arn:aws:sagemaker:region:account-id:processing-job/processingJobName

StopTrainingJob

sagemaker:StopTrainingJob

arn:aws:sagemaker:region:account-id:training-job/trainingJobName

StopTransformJob

sagemaker:StopTransformJob

arn:aws:sagemaker:region:account-id:transform-job/transformJobName

UpdateEndpoint

sagemaker:UpdateEndpoint

arn:aws:sagemaker:region:account-id:endpoint/endpointName

UpdateEndpointWeightsAndCapacities

sagemaker:UpdateEndpointWeightsAndCapacities

arn:aws:sagemaker:region:account-id:endpoint/endpointName

UpdateImage

sagemaker:UpdateImage

iam:PassRole

arn:aws:sagemaker:region:account-id:image/imageName

UpdateNotebookInstance

sagemaker:UpdateNotebookInstance

iam:PassRole

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

UpdateWorkteam

sagemaker:UpdateWorkteam

arn:aws:sagemaker:region:account-id:workteam/*