SageMaker 角色 - Amazon SageMaker
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

SageMaker 角色

作为一项托管服务,Amazon SageMaker 代表您对Amazon由 SageMaker 管理的硬件。SageMaker 仅执行用户允许的操作。

SageMaker 用户可为这些权限授予 IAM 角色 (称为执行角色)。

要创建和使用本地可用的执行角色,可以使用以下过程。

获取执行角色

您可以通过以下方式查找 IAM 执行角色:

从笔记本电脑

当您在 SageMaker 中(从 SageMaker 控制台或 SageMaker Studio)运行笔记本时,您可以使用以下代码访问执行角色:

sagemaker_session = sagemaker.Session() role = sagemaker.get_execution_role()
注意

只有在 SageMaker 中运行笔记本电脑时,执行角色才可用。如果您运行get_execution_role在不在 SageMaker 上的笔记本电脑中,预计会出现 “区域” 错误。

从 SageMaker 控制台

INTO笔记本 > 笔记本实例下,选择笔记本。ARN 在权限和加密部分。

创建执行角色

使用以下过程创建带有 IAM 托管策略的执行角色AmazonSageMakerFullAccess,附加此角色。如果您的使用案例需要更精细的权限,请使用本页上的其他部分创建满足您业务需求的执行角色。

重要

IAM 托管策略AmazonSageMakerFullAccess,在以下过程中使用的仅授予执行角色权限,以便在存储桶或数据元上执行某些 Amazon S3 操作SageMakerSagemakersagemaker,或者aws-glue在名称中。要了解如何向执行角色添加附加策略以向其授予对其他 Amazon S3 存储桶和对象的访问权限,请参阅将其他 Amazon S3 权限添加到 SageMaker 执行角色.

创建新角色

  1. 打开 IAM 控制台:https://console.aws.amazon.com/iam/

  2. Select角色,然后选择创建角色.

  3. SelectSageMaker.

  4. Select后续:Permissions (下一步:权限)

  5. IAM 托管策略AmazonSageMakerFullAccess会自动附加到此角色。要查看此策略中包含的权限,请选择策略名称旁边的横向箭头。Select后续:标签

  6. (可选)添加标签,然后选择后续:审核

  7. 在文本字段中为角色指定一个名称Role name (角色名称)并选择创建角色.

  8. 在存储库的角色部分中,选择您刚创建的角色。如果需要,请使用文本框使用您在步骤 7 中输入的角色名称搜索角色。

  9. 在角色摘要页面上,记录 ARN。

使用角色的已知 ARN,您可以在本地或 SageMaker 上运行笔记本电脑时以编程方式检查角色。ReplaceRoleName与您已知的 ARN:

try: role = sagemaker.get_execution_role() except ValueError: iam = boto3.client('iam') role = iam.get_role(RoleName='AmazonSageMaker-ExecutionRole-20201200T100000')['Role']['Arn']

将其他 Amazon S3 权限添加到 SageMaker 执行角色

当您将 SageMaker 功能与 Amazon S3 中的资源(例如输入数据)结合使用时,您在请求中指定的执行角色(例如CreateTrainingJob)用于访问这些资源。

如果您附加 IAM 托管策略,AmazonSageMakerFullAccess,则该角色有权对存储桶或对象执行某些 Amazon S3 操作SageMakerSagemakersagemaker,或者aws-glue在名称中。它还有权对任何 Amazon S3 资源执行以下操作:

"s3:CreateBucket", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketCors", "s3:PutBucketCors"

要授予执行角色访问 Amazon S3 中一个或多个特定存储桶的权限,您可以将类似于以下内容的策略附加到角色。此策略授予 IAM 角色执行所有操作的权限AmazonSageMakerFullAccess允许但限制对存储桶的访问文档示例存储桶 1文档示例存储桶 2. 请参阅您正在使用的特定 SageMaker 功能的安全文档,以了解有关该功能所需的 Amazon S3 权限的更多信息。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*", "arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*" ] }, { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketCors", "s3:PutBucketCors" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetBucketAcl", "s3:PutObjectAcl" ], "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET1", "arn:aws:s3:::DOC-EXAMPLE-BUCKET2" ] } ] }

传递角色

在服务之间传递角色等操作是 SageMaker 中的常见功能。您可以在中找到更多详细信息SageMaker 的操作、资源和条件键中的IAM 用户指南.

您将角色 (iam:PassRole)进行这些 API 调用时:CreateAutoMLJobCreateCompilationJobCreateDomainCreateFlowDefinitonCreateHyperParameterTuningJobCreateImageCreateLabelingJobCreateModelCreateMonitoringScheduleCreateNotebookInstanceCreateProcessingJobCreateTrainingJobCreateUserProfileRenderUiTemplate, 和UpdateImage.

您可以将以下信任策略附加到 IAM 角色,该角色可授予 SageMaker 委托人权限以代入该角色,并且对于所有执行角色均相同:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "sagemaker.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

您需要授予该角色的权限有所不同,具体取决于您所调用的 API。以下几节解释了这些权限。

注意

您无需通过创建权限策略来管理权限,而是可以使用Amazon管理AmazonSageMakerFullAccess权限策略。此策略中的权限相当广泛,以允许您在 SageMaker 中执行任何操作。有关此策略的列表,包括有关添加许多权限的原因的信息,请参阅 AmazonSageMakerFullAccess。如果您更愿意创建自定义策略和管理权限以将权限限定于您需要使用执行角色执行的操作,请参阅以下主题。

有关 IAM 角色的更多信息,请参阅《IAM 用户指南》中的 IAM 角色

CreateAutoMLJob API:执行角色权限

对于可以传入CreateAutoMLJobAPI 请求时,您可以将以下最低权限策略附加到该角色:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:PassRole", "sagemaker:DescribeEndpointConfig", "sagemaker:DescribeModel", "sagemaker:InvokeEndpoint", "sagemaker:ListTags", "sagemaker:DescribeEndpoint", "sagemaker:CreateModel", "sagemaker:CreateEndpointConfig", "sagemaker:CreateEndpoint", "sagemaker:DeleteModel", "sagemaker:DeleteEndpointConfig", "sagemaker:DeleteEndpoint", "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DescribeLogStreams", "s3:GetObject", "s3:PutObject", "s3:ListBucket", "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } } } ] }

如果您为 AutoML 任务指定一个私有 VPC,请添加以下权限:

{ "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs", "ec2:DescribeDhcpOptions", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ] }

如果您的输入采用服务器端加密加带有AmazonKMS 托管密钥 (SSE-KMS),添加以下权限:

{ "Effect": "Allow", "Action": [ "kms:Decrypt" ] }

如果在 AutoML 作业的输出配置中指定一个 KMS 密钥,则添加以下权限:

{ "Effect": "Allow", "Action": [ "kms:Encrypt" ] }

如果在 AutoML 作业的资源配置中指定一个批量 KMS 密钥,则添加以下权限:

{ "Effect": "Allow", "Action": [ "kms:CreateGrant" ] }

CreateDomain API:执行角色权限

的执行角色Amazon Web Services SSO域和 IAM 域的用户/执行角色需要以下权限,当您传递Amazon KMS客户托管密钥作为KmsKeyId中的CreateDomainAPI 请求。这些权限在CreateAppAPI 调用。

对于可以传递给CreateDomainAPI 请求时,您可以将以下权限策略附加到该角色:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:CreateGrant", "kms:DescribeKey" ], "Resource": "arn:aws:kms:region:account-id:key/kms-key-id" } ] }

或者,如果在 KMS 策略中指定权限,则可以将以下策略附加到该角色:

{ "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::account-id:role/ExecutionRole" ] }, "Action": [ "kms:DescribeKey", "kms:CreateGrant" ], "Resource": "*" }

CreateImage 和更新映像 API:执行角色权限

对于可以传入CreateImage或者UpdateImageAPI 请求时,您可以将以下权限策略附加到该角色:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } } } ] }

CreateNotebookInstance API:执行角色权限

您向执行角色授予调用 CreateNotebookInstance API 的权限取决于您计划对笔记本实例执行的操作。如果您计划用它来调用 SageMaker API,并在调用CreateTrainingJobCreateModelAPI 中,将以下权限策略附加到角色:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sagemaker:*", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability", "ecr:SetRepositoryPolicy", "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage", "ecr:UploadLayerPart", "ecr:DeleteRepositoryPolicy", "ecr:InitiateLayerUpload", "ecr:DeleteRepository", "ecr:PutImage", "ecr:CreateRepository", "cloudwatch:PutMetricData", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:GetLogEvents", "s3:CreateBucket", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "robomaker:CreateSimulationApplication", "robomaker:DescribeSimulationApplication", "robomaker:DeleteSimulationApplication", "robomaker:CreateSimulationJob", "robomaker:DescribeSimulationJob", "robomaker:CancelSimulationJob", "ec2:CreateVpcEndpoint", "ec2:DescribeRouteTables", "elasticfilesystem:DescribeMountTargets" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "codecommit:GitPull", "codecommit:GitPush" ], "Resource": [ "arn:aws:codecommit:*:*:*sagemaker*", "arn:aws:codecommit:*:*:*SageMaker*", "arn:aws:codecommit:*:*:*Sagemaker*" ] }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } } } ] }

要收紧权限,请限制使权限仅限于特定的 Amazon S3 和 Amazon ECR 资源,方法是限制"Resource": "*",如下所示:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sagemaker:*", "ecr:GetAuthorizationToken", "cloudwatch:PutMetricData", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:GetLogEvents" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::inputbucket" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::inputbucket/object1", "arn:aws:s3:::outputbucket/path", "arn:aws:s3:::inputbucket/object2", "arn:aws:s3:::inputbucket/object3" ] }, { "Effect": "Allow", "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": [ "arn:aws:ecr:region::repository/my-repo1", "arn:aws:ecr:region::repository/my-repo2", "arn:aws:ecr:region::repository/my-repo3" ] } ] }

如果您计划访问其他资源 (如 Amazon DynamoDB 或 Amazon Relational Database Service),请向此策略添加相关权限。

在上一个策略中,您按如下方式确定策略范围:

  • 仅向您在 s3:ListBucket 请求中指定作为 InputDataConfig.DataSource.S3DataSource.S3Uri 的特定存储桶授予 CreateTrainingJob 权限。

  • 按如下方式确定 s3:GetObject s3:PutObjects3:DeleteObject 的权限范围:

    • 将范围限定为您在 CreateTrainingJob 请求中指定的以下值:

      InputDataConfig.DataSource.S3DataSource.S3Uri

      OutputDataConfig.S3OutputPath

    • 将范围限定为您在 CreateModel 请求中指定的以下值:

      PrimaryContainer.ModelDataUrl

      SuplementalContainers.ModelDataUrl

  • 按如下方式确定 ecr 权限的范围:

    • 将范围限定为您在 AlgorithmSpecification.TrainingImage 请求中指定的 CreateTrainingJob 值。

    • 将范围限定为您在 PrimaryContainer.Image 请求中指定的 CreateModel 值:

cloudwatchlogs 操作适用于“*”资源。有关更多信息,请参阅 。CloudWatch 资源和操作

CreateHyperParameterTuningJob API API:执行角色权限

对于可在 CreateHyperParameterTuningJob API 请求中传递的执行角色,您可以将以下权限策略附加到该角色:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DescribeLogStreams", "s3:GetObject", "s3:PutObject", "s3:ListBucket", "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "*" } ] }

而不是指定"Resource": "*",您可以将这些权限制为特定的 Amazon S3 和 Amazon ECR 资源:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DescribeLogStreams", "ecr:GetAuthorizationToken" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::inputbucket" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::inputbucket/object", "arn:aws:s3:::outputbucket/path" ] }, { "Effect": "Allow", "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "arn:aws:ecr:region::repository/my-repo" } ] }

如果与超参数优化作业关联的训练容器需要访问其他数据源 (如 DynamoDB 或 Amazon RDS 资源),则向此策略添加相关权限。

在上一个策略中,您按如下方式确定策略范围:

  • 仅向您在 s3:ListBucket 请求中指定作为 InputDataConfig.DataSource.S3DataSource.S3Uri 的特定存储桶授予 CreateTrainingJob 权限。

  • 仅向您在 s3:GetObject 请求的输入和输出数据配置中指定的以下对象授予 s3:PutObjectCreateHyperParameterTuningJob 权限:

    InputDataConfig.DataSource.S3DataSource.S3Uri

    OutputDataConfig.S3OutputPath

  • 将 Amazon ECR 权限限范围至注册表路径 (AlgorithmSpecification.TrainingImage)中指定的CreateHyperParameterTuningJob请求.

cloudwatchlogs 操作适用于“*”资源。有关更多信息,请参阅 。CloudWatch 资源和操作

如果您为超参数优化作业指定一个私有 VPC,请添加以下权限:

{ "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs", "ec2:DescribeDhcpOptions", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ] }

如果您的输入采用服务器端加密加带有AmazonKMS 托管密钥 (SSE-KMS),添加以下权限:

{ "Effect": "Allow", "Action": [ "kms:Decrypt" ] }

如果在超参数优化作业的输出配置中指定一个 KMS 密钥,则添加以下权限:

{ "Effect": "Allow", "Action": [ "kms:Encrypt" ] }

如果在超参数优化作业的资源配置中指定一个批量 KMS 密钥,则添加以下权限:

{ "Effect": "Allow", "Action": [ "kms:CreateGrant" ] }

CreateProcessingJob API:执行角色权限

对于可在 CreateProcessingJob API 请求中传递的执行角色,您可以将以下权限策略附加到该角色:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DescribeLogStreams", "s3:GetObject", "s3:PutObject", "s3:ListBucket", "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "*" } ] }

而不是指定"Resource": "*",您可以将这些权限制为特定的 Amazon S3 和 Amazon ECR 资源:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DescribeLogStreams", "ecr:GetAuthorizationToken" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::inputbucket" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::inputbucket/object", "arn:aws:s3:::outputbucket/path" ] }, { "Effect": "Allow", "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "arn:aws:ecr:region::repository/my-repo" } ] }

如果CreateProcessingJob.AppSpecification.ImageUri需要访问其他数据源 (如 DynamoDB 或 Amazon RDS 资源),则向此策略添加相关权限。

在上一个策略中,您按如下方式确定策略范围:

  • 仅向您在 s3:ListBucket 请求中指定作为 ProcessingInputs 的特定存储桶授予 CreateProcessingJob 权限。

  • s3:GetObject s3:PutObject 权限的范围限定在 CreateProcessingJob 请求中要在 ProcessingInputsProcessingOutputConfig 中下载或上传的对象。

  • 将 Amazon ECR 权限限范围至注册表路径 (AppSpecification.ImageUri)中指定的CreateProcessingJob请求.

cloudwatchlogs 操作适用于“*”资源。有关更多信息,请参阅 。CloudWatch 资源和操作

如果您为处理作业指定一个私有 VPC,请添加以下权限:

{ "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs", "ec2:DescribeDhcpOptions", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ] }

如果您的输入采用服务器端加密加带有AmazonKMS 托管密钥 (SSE-KMS),添加以下权限:

{ "Effect": "Allow", "Action": [ "kms:Decrypt" ] }

如果在处理作业的输出配置中指定一个 KMS 密钥,则添加以下权限:

{ "Effect": "Allow", "Action": [ "kms:Encrypt" ] }

如果在处理作业的资源配置中指定一个批量 KMS 密钥,则添加以下权限:

{ "Effect": "Allow", "Action": [ "kms:CreateGrant" ] }

CreateTrainingJob API:执行角色权限

对于可在 CreateTrainingJob API 请求中传递的执行角色,您可以将以下权限策略附加到该角色:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DescribeLogStreams", "s3:GetObject", "s3:PutObject", "s3:ListBucket", "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "*" } ] }

而不是指定"Resource": "*",您可以将这些权限制为特定的 Amazon S3 和 Amazon ECR 资源:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DescribeLogStreams", "ecr:GetAuthorizationToken" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::inputbucket" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::inputbucket/object", "arn:aws:s3:::outputbucket/path" ] }, { "Effect": "Allow", "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "arn:aws:ecr:region::repository/my-repo" } ] }

如果CreateTrainingJob.AlgorithSpecifications.TrainingImage需要访问其他数据源 (如 DynamoDB 或 Amazon RDS 资源),则向此策略添加相关权限。

在上一个策略中,您按如下方式确定策略范围:

  • 仅向您在 s3:ListBucket 请求中指定作为 InputDataConfig.DataSource.S3DataSource.S3Uri 的特定存储桶授予 CreateTrainingJob 权限。

  • 仅向您在 s3:GetObject 请求的输入和输出数据配置中指定的以下对象授予 s3:PutObjectCreateTrainingJob 权限:

    InputDataConfig.DataSource.S3DataSource.S3Uri

    OutputDataConfig.S3OutputPath

  • 将 Amazon ECR 权限限范围至注册表路径 (AlgorithmSpecification.TrainingImage)中指定的CreateTrainingJob请求.

cloudwatchlogs 操作适用于“*”资源。有关更多信息,请参阅 。CloudWatch 资源和操作

如果您为训练作业指定一个私有 VPC,请添加以下权限:

{ "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs", "ec2:DescribeDhcpOptions", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ] }

如果您的输入采用服务器端加密加带有AmazonKMS 托管密钥 (SSE-KMS),添加以下权限:

{ "Effect": "Allow", "Action": [ "kms:Decrypt" ] }

如果在训练作业的输出配置中指定一个 KMS 密钥,则添加以下权限:

{ "Effect": "Allow", "Action": [ "kms:Encrypt" ] }

如果在训练作业的资源配置中指定一个批量 KMS 密钥,则添加以下权限:

{ "Effect": "Allow", "Action": [ "kms:CreateGrant" ] }

CreateModel API:执行角色权限

对于可在 CreateModel API 请求中传递的执行角色,您可以将以下权限策略附加到该角色:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DescribeLogStreams", "s3:GetObject", "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "*" } ] }

而不是指定"Resource": "*",您可以将这些权限制为特定 Amazon S3 和 Amazon ECR 资源:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DescribeLogStreams", "ecr:GetAuthorizationToken" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::inputbucket/object" ] }, { "Effect": "Allow", "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": [ "arn:aws:ecr:region::repository/my-repo", "arn:aws:ecr:region::repository/my-repo" ] } ] }

如果 CreateModel.PrimaryContainer.Image 需要访问其他数据源 (如 Amazon DynamoDB 或 Amazon RDS 资源),则向此策略添加相关权限。

在上一个策略中,您按如下方式确定策略范围:

  • 将 S3 权限范围到您在PrimaryContainer.ModelDataUrlCreateModel请求.

  • 将 Amazon ECR 权限制为您指定作为PrimaryContainer.ImageSecondaryContainer.ImageCreateModel请求.

cloudwatchlogs 操作适用于“*”资源。有关更多信息,请参阅 。CloudWatch 资源和操作

如果您为模型指定一个私有 VPC,请添加以下权限:

{ "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs", "ec2:DescribeDhcpOptions", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ] }