Domain resource isolation
You can use Amazon Identity and Access Management policies to isolate resources between the domains in an account and Region. With resource isolation, SageMaker resources (such as models, experiments, training jobs, and pipelines) created in one domain cannot be accessed from another domain. The following topics describe how to create a new IAM policy that limits access to resources in a domain to user profiles carrying the domain tag, and how to attach that policy to the domain's IAM execution role. You must repeat this process for every domain in the account. For more information about domain tags and backfilling them, see Multiple domains overview.
Console
The following section describes how to create a new IAM policy that limits access to resources in a domain to user profiles carrying the domain tag, and how to attach that policy to the domain's IAM execution role from the Amazon SageMaker console.
- Create an IAM policy named StudioDomainResourceIsolationPolicy-domain-id that contains the following JSON policy document, by completing the steps in Creating IAM policies (console). Replace domain-id with the ID of the domain and domain-arn with the ARN of the domain.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "CreateAPIs",
        "Effect": "Allow",
        "Action": "sagemaker:Create*",
        "NotResource": [
          "arn:aws:sagemaker:*:*:domain/*",
          "arn:aws:sagemaker:*:*:user-profile/*",
          "arn:aws:sagemaker:*:*:space/*"
        ]
      },
      {
        "Sid": "ResourceAccessRequireDomainTag",
        "Effect": "Allow",
        "Action": [
          "sagemaker:Update*",
          "sagemaker:Delete*",
          "sagemaker:Describe*"
        ],
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "aws:ResourceTag/sagemaker:domain-arn": "domain-arn"
          }
        }
      },
      {
        "Sid": "AllowActionsThatDontSupportTagging",
        "Effect": "Allow",
        "Action": [
          "sagemaker:DescribeImageVersion",
          "sagemaker:UpdateImageVersion",
          "sagemaker:DeleteImageVersion",
          "sagemaker:DescribeModelCardExportJob",
          "sagemaker:DescribeAction"
        ],
        "Resource": "*"
      },
      {
        "Sid": "DeleteDefaultApp",
        "Effect": "Allow",
        "Action": "sagemaker:DeleteApp",
        "Resource": "arn:aws:sagemaker:*:*:app/domain-id/*/jupyterserver/default"
      }
    ]
  }
- Attach the StudioDomainResourceIsolationPolicy-domain-id policy to the domain's execution role by completing the steps in Modifying a role (console).
Amazon CLI
The following section describes how to create a new IAM policy that limits access to resources in a domain to user profiles carrying the domain tag, and how to attach that policy to the domain's execution role from the Amazon CLI.
- On your local machine, create a file named StudioDomainResourceIsolationPolicy-domain-id with the following content. Replace domain-id with the ID of the domain and domain-arn with the ARN of the domain.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "CreateAPIs",
        "Effect": "Allow",
        "Action": "sagemaker:Create*",
        "NotResource": [
          "arn:aws:sagemaker:*:*:domain/*",
          "arn:aws:sagemaker:*:*:user-profile/*",
          "arn:aws:sagemaker:*:*:space/*"
        ]
      },
      {
        "Sid": "ResourceAccessRequireDomainTag",
        "Effect": "Allow",
        "Action": [
          "sagemaker:Update*",
          "sagemaker:Delete*",
          "sagemaker:Describe*"
        ],
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "aws:ResourceTag/sagemaker:domain-arn": "domain-arn"
          }
        }
      },
      {
        "Sid": "AllowActionsThatDontSupportTagging",
        "Effect": "Allow",
        "Action": [
          "sagemaker:DescribeImageVersion",
          "sagemaker:UpdateImageVersion",
          "sagemaker:DeleteImageVersion",
          "sagemaker:DescribeModelCardExportJob",
          "sagemaker:DescribeAction"
        ],
        "Resource": "*"
      },
      {
        "Sid": "DeleteDefaultApp",
        "Effect": "Allow",
        "Action": "sagemaker:DeleteApp",
        "Resource": "arn:aws:sagemaker:*:*:app/domain-id/*/jupyterserver/default"
      }
    ]
  }
- Create a new IAM policy from the StudioDomainResourceIsolationPolicy-domain-id file.

  aws iam create-policy --policy-name StudioDomainResourceIsolationPolicy-domain-id --policy-document file://StudioDomainResourceIsolationPolicy-domain-id
- Attach the newly created policy to a new or existing role that is used as the domain's execution role. Replace account-id with your account ID and domain-execution-role with the name of that role.

  aws iam attach-role-policy --policy-arn arn:aws:iam::account-id:policy/StudioDomainResourceIsolationPolicy-domain-id --role-name domain-execution-role
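To see which API calls the policy above lets through and which it blocks, the following added example (not part of the AWS documentation or of any AWS SDK) re-implements just the IAM features this policy relies on and evaluates sample requests against it. The domain ID, domain ARN, Region and account ID are constructed placeholders; real IAM evaluation also considers explicit Deny statements, SCPs and permission boundaries, which are not modelled here.

```python
from fnmatch import fnmatchcase

# Constructed sample identifiers (not real): substitute your domain id / ARN.
DOMAIN_ID = "d-exampledomain1"
DOMAIN_ARN = f"arn:aws:sagemaker:us-west-2:111122223333:domain/{DOMAIN_ID}"
TAG_KEY = "aws:ResourceTag/sagemaker:domain-arn"

# The four Allow statements of StudioDomainResourceIsolationPolicy-domain-id
# with the domain-id / domain-arn placeholders filled in.
POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "sagemaker:Create*",
     "NotResource": ["arn:aws:sagemaker:*:*:domain/*",
                     "arn:aws:sagemaker:*:*:user-profile/*",
                     "arn:aws:sagemaker:*:*:space/*"]},
    {"Effect": "Allow",
     "Action": ["sagemaker:Update*", "sagemaker:Delete*", "sagemaker:Describe*"],
     "Resource": "*",
     "Condition": {"StringEquals": {TAG_KEY: DOMAIN_ARN}}},
    {"Effect": "Allow",
     "Action": ["sagemaker:DescribeImageVersion", "sagemaker:UpdateImageVersion",
                "sagemaker:DeleteImageVersion", "sagemaker:DescribeModelCardExportJob",
                "sagemaker:DescribeAction"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "sagemaker:DeleteApp",
     "Resource": f"arn:aws:sagemaker:*:*:app/{DOMAIN_ID}/*/jupyterserver/default"},
]}


def _matches(patterns, value):
    # IAM-style wildcard match: '*' spans any characters, including ':' and '/'.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(action, resource_arn, resource_tags, policy=POLICY):
    """True if at least one Allow statement matches the request.
    resource_tags holds the target resource's tags ({} if untagged); only Allow,
    wildcards, Resource/NotResource and StringEquals on tags are modelled."""
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if "Resource" in stmt and not _matches(stmt["Resource"], resource_arn):
            continue
        if "NotResource" in stmt and _matches(stmt["NotResource"], resource_arn):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        # StringEquals on aws:ResourceTag/<key> fails when the tag is absent.
        if all(resource_tags.get(k.removeprefix("aws:ResourceTag/")) == v
               for k, v in cond.items()):
            return True
    return False
```

Resources tagged with another domain's ARN, or not tagged at all (for example, resources created before tag backfilling), fail the Describe/Update/Delete condition, which is why backfilling the domain tag matters.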