本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
SageMaker 角色
作为托管服务,亚马逊 SageMaker 代表你执行操作Amazon由 SageMaker 管理的硬件。 SageMaker 仅执行用户允许的操作。
一个 SageMaker 用户可为这些权限授予 IAM 角色 (称为执行角色)。
要创建和使用本地可用的执行角色,可以使用以下过程。
获取执行角色
您可以通过以下方式找到 IAM 执行角色:
来自笔记本
当你在内部运行笔记本 SageMaker 来自的 SageMaker 控制台或 SageMaker Studio) 你可以使用以下代码访问执行角色:
sagemaker_session = sagemaker.Session() role = sagemaker.get_execution_role()
只有在 SageMaker 中运行笔记本时,执行角色才可用。如果你跑get_execution_role在不在 SageMaker 上的笔记本中,预计会出现 “区域” 错误。
从 SageMaker 控制台
UNDER笔记本 > 笔记本实例中,选择笔记本。ARN 在权限和加密部分。
创建执行角色
使用以下过程使用 IAM 托管策略创建执行角色,AmazonSageMakerFullAccess挂载到。如果您的使用案例需要更精细的权限,请使用本页上的其他部分创建满足业务需求的执行角色。
IAM 托管式策略,AmazonSageMakerFullAccess,在以下过程中使用仅授予执行角色对存储桶或对象执行某些 Amazon S3 操作的权限SageMaker、Sagemaker、sagemaker,或者aws-glue在名字里。要了解如何向执行角色添加额外策略以授予其他 Amazon S3 存储桶和对象的访问权限,请参阅将其他 Amazon S3 权限添加到 SageMaker 执行角色.
如欲创建新角色
通过以下网址打开 IAM 控制台:https://console.aws.amazon.com/iam/
。 -
Select角色然后选择创建角色.
-
SelectSageMaker.
-
Select后续:Permissions (下一步:权限)。
-
IAM 托管式策略,
AmazonSageMakerFullAccess自动附加到此角色。要查看此策略中包含的权限,请选择策略名称旁边的侧向箭头。Select后续:标签。 -
(可选)添加标签并选择后续:审核。
-
在下面的文本字段中为角色命名Role name (角色名称)然后选择创建角色.
-
在存储库的角色在 IAM 控制台的部分中,选择您刚刚创建的角色。如果需要,请使用文本框使用您在步骤 7 中输入的角色名称搜索角色。
-
在角色摘要页面上,记录 ARN。
使用角色的已知 ARN,您可以在本地或在 SageMaker 上运行笔记本时以编程方式检查角色。ReplaceRoleName用你已知的 ARN:
try: role = sagemaker.get_execution_role() except ValueError: iam = boto3.client('iam') role = iam.get_role(RoleName='AmazonSageMaker-ExecutionRole-20201200T100000')['Role']['Arn']
将其他 Amazon S3 权限添加到 SageMaker 执行角色
当您使用 SageMaker 功能,其中包含 Amazon S3 中的资源,例如输入数据、您在请求中指定的执行角色(例如CreateTrainingJob) 用于访问这些资源。
如果您附加了 IAM 托管策略,AmazonSageMakerFullAccess,对于执行角色,则该角色有权对存储桶或对象执行某些 Amazon S3 操作SageMaker、Sagemaker、sagemaker,或者aws-glue在名字里。它还有权对任何 Amazon S3 资源执行以下操作:
"s3:CreateBucket", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketCors", "s3:PutBucketCors"
要向执行角色授予访问 Amazon S3 中一个或多个特定存储桶的权限,您可以向该角色附加类似以下内容的策略。此策略授予 IAM 角色执行以下所有操作的权限:AmazonSageMakerFullAccess允许但限制对存储桶的此访问文档示例存储桶 1和DOC-例-BUCKET2. 有关具体的信息,请参阅安全文档 SageMaker 您正在使用的功能来了解有关该功能所需的 Amazon S3 权限的更多信息。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::", "arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*" ] }, { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketCors", "s3:PutBucketCors" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetBucketAcl", "s3:PutObjectAcl" ], "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*", "arn:aws:s3:::DOC-EXAMPLE-BUCKET1" ] } ] }DOC-EXAMPLE-BUCKET2
传递角色
诸如在服务之间传递角色之类的操作是 SageMaker 中的常见功能。您可以在上找到更多详细信息SageMaker 的操作、资源和条件键中的IAM 用户指南.
你通过了角色 (iam:PassRole) 进行这些 API 调用时:CreateAutoMLJob、CreateCompilationJob、CreateDomain、CreateFlowDefiniton、CreateHyperParameterTuningJob、CreateImage、CreateLabelingJob、CreateModel、CreateMonitoringSchedule、CreateNotebookInstance、CreateProcessingJob、CreateTrainingJob、CreateUserProfile、RenderUiTemplate, 和UpdateImage.
您将以下信任策略附加到授予的 IAM 角色。 SageMaker 委托人权限代入该角色,并且对于所有执行角色均相同:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "sagemaker.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
您需要授予该角色的权限有所不同,具体取决于您所调用的 API。以下几节解释了这些权限。
您可以使用,而不用通过创建权限策略来管理权限。Amazon-托管AmazonSageMakerFullAccess权限策略。此策略中的权限相当广泛,以允许您在 SageMaker 中执行您可能希望执行的任何操作。有关此策略的列表,包括有关添加许多权限的原因的信息,请参阅 Amazon托管策略:AmazonSageMakerFullAccess。如果您更愿意创建自定义策略和管理权限以将权限限定于您需要使用执行角色执行的操作,请参阅以下主题。
有关 IAM 角色的更多信息,请参阅《IAM 用户指南》中的 IAM 角色。
主题
CreateAutoMLJob API:执行角色权限
对于可以传入的执行角色CreateAutoMLJobAPI 请求,您可以将以下最低权限策略附加到该角色:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "sagemaker:DescribeEndpointConfig", "sagemaker:DescribeModel", "sagemaker:InvokeEndpoint", "sagemaker:ListTags", "sagemaker:DescribeEndpoint", "sagemaker:CreateModel", "sagemaker:CreateEndpointConfig", "sagemaker:CreateEndpoint", "sagemaker:DeleteModel", "sagemaker:DeleteEndpointConfig", "sagemaker:DeleteEndpoint", "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DescribeLogStreams", "s3:GetObject", "s3:PutObject", "s3:ListBucket", "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "*" } ] }
如果您为 AutoML 任务指定一个私有 VPC,请添加以下权限:
{ "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs", "ec2:DescribeDhcpOptions", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ] }
如果您的输入采用服务器端加密加密进行加密,则Amazon添加 KMS 托管密钥 (SSE-KMS),添加以下权限:
{ "Effect": "Allow", "Action": [ "kms:Decrypt" ] }
如果在 AutoML 作业的输出配置中指定一个 KMS 密钥,则添加以下权限:
{ "Effect": "Allow", "Action": [ "kms:Encrypt" ] }
如果在 AutoML 作业的资源配置中指定一个卷 KMS 密钥,则添加以下权限:
{ "Effect": "Allow", "Action": [ "kms:CreateGrant" ] }
CreateDomain API:执行角色权限
的执行角色IAM Identity Center当您通过 IAM 域名的域和用户/执行角色时需要以下权限Amazon KMS作为客户托管密钥KmsKeyId中的CreateDomainAPI 请求。这些权限是在CreateAppAPI 调用。
对于可以传入的执行角色CreateDomainAPI 请求,您可以将以下权限策略附加到该角色:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:CreateGrant", "kms:DescribeKey" ], "Resource": "arn:aws:kms:region:account-id:key/kms-key-id" } ] }
或者,如果在 KMS 策略中指定权限,您可以将以下策略附加到该角色:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::account-id:role/ExecutionRole" ] }, "Action": [ "kms:CreateGrant", "kms:DescribeKey" ], "Resource": "*" } ] }
CreateImage 并更新 Image API:执行角色权限
对于可以传入的执行角色CreateImage要么UpdateImageAPI 请求,您可以将以下权限策略附加到该角色:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } } } ] }
CreateNotebookInstance API:执行角色权限
您向执行角色授予调用 CreateNotebookInstance API 的权限取决于您计划对笔记本实例执行的操作。如果您计划使用它来调用 SageMaker API 并在调用时传递相同的角色CreateTrainingJob和CreateModelAPI,将以下权限策略附加到角色:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sagemaker:*", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability", "ecr:SetRepositoryPolicy", "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage", "ecr:UploadLayerPart", "ecr:DeleteRepositoryPolicy", "ecr:InitiateLayerUpload", "ecr:DeleteRepository", "ecr:PutImage", "ecr:CreateRepository", "cloudwatch:PutMetricData", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:GetLogEvents", "s3:CreateBucket", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "robomaker:CreateSimulationApplication", "robomaker:DescribeSimulationApplication", "robomaker:DeleteSimulationApplication", "robomaker:CreateSimulationJob", "robomaker:DescribeSimulationJob", "robomaker:CancelSimulationJob", "ec2:CreateVpcEndpoint", "ec2:DescribeRouteTables", "elasticfilesystem:DescribeMountTargets" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "codecommit:GitPull", "codecommit:GitPush" ], "Resource": [ "arn:aws:codecommit:*:*:*sagemaker*", "arn:aws:codecommit:*:*:*SageMaker*", "arn:aws:codecommit:*:*:*Sagemaker*" ] }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } } } ] }
要收紧权限,请通过限制使其仅限于特定 Amazon S3 和 Amazon ECR 资源。"Resource": "*",如下所示:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sagemaker:*", "ecr:GetAuthorizationToken", "cloudwatch:PutMetricData", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:GetLogEvents" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::inputbucket" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::inputbucket/object1", "arn:aws:s3:::outputbucket/path", "arn:aws:s3:::inputbucket/object2", "arn:aws:s3:::inputbucket/object3" ] }, { "Effect": "Allow", "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": [ "arn:aws:ecr:region::repository/my-repo1", "arn:aws:ecr:region::repository/my-repo2", "arn:aws:ecr:region::repository/my-repo3" ] } ] }
如果您计划访问其他资源(如 Amazon DynamoDB 或 Amazon Relational Database Service),请向此策略添加相关权限。
在上一个策略中,您按如下方式确定策略范围:
-
仅向您在
s3:ListBucket请求中指定作为InputDataConfig.DataSource.S3DataSource.S3Uri的特定存储桶授予CreateTrainingJob权限。 -
按如下方式确定
s3:GetObject、s3:PutObject和s3:DeleteObject的权限范围:-
将范围限定为您在
CreateTrainingJob请求中指定的以下值:InputDataConfig.DataSource.S3DataSource.S3UriOutputDataConfig.S3OutputPath -
将范围限定为您在
CreateModel请求中指定的以下值:PrimaryContainer.ModelDataUrlSuplementalContainers.ModelDataUrl
-
-
按如下方式确定
ecr权限的范围:-
将范围限定为您在
AlgorithmSpecification.TrainingImage请求中指定的CreateTrainingJob值。 -
将范围限定为您在
PrimaryContainer.Image请求中指定的CreateModel值:
-
cloudwatch 和 logs 操作适用于“*”资源。有关更多信息,请参阅 。CloudWatch 资源和操作在 Amazon 中 CloudWatch 用户指南。
CreateHyperParameterTuningJob API:执行角色权限
对于可在 CreateHyperParameterTuningJob API 请求中传递的执行角色,您可以将以下权限策略附加到该角色:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DescribeLogStreams", "s3:GetObject", "s3:PutObject", "s3:ListBucket", "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "*" } ] }
而不是指定"Resource": "*",您可以将这些权限限制为特定的 Amazon S3 和 Amazon ECR 资源:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DescribeLogStreams", "ecr:GetAuthorizationToken" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::inputbucket" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::inputbucket/object", "arn:aws:s3:::outputbucket/path" ] }, { "Effect": "Allow", "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "arn:aws:ecr:region::repository/my-repo" } ] }
如果与超参数优化作业关联的训练容器需要访问其他数据源 (如 DynamoDB 或 Amazon RDS 资源),则向此策略添加相关权限。
在上一个策略中,您按如下方式确定策略范围:
-
仅向您在
s3:ListBucket请求中指定作为InputDataConfig.DataSource.S3DataSource.S3Uri的特定存储桶授予CreateTrainingJob权限。 -
仅向您在
s3:GetObject请求的输入和输出数据配置中指定的以下对象授予s3:PutObject和CreateHyperParameterTuningJob权限:InputDataConfig.DataSource.S3DataSource.S3UriOutputDataConfig.S3OutputPath -
将 Amazon ECR 权限限定为注册表路径 (
AlgorithmSpecification.TrainingImage) 你在CreateHyperParameterTuningJob请求.
cloudwatch 和 logs 操作适用于“*”资源。有关更多信息,请参阅 。CloudWatch 资源和操作在 Amazon 中 CloudWatch 用户指南。
如果您为超参数优化作业指定一个私有 VPC,请添加以下权限:
{ "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs", "ec2:DescribeDhcpOptions", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ] }
如果您的输入采用服务器端加密加密进行加密,则Amazon添加 KMS 托管密钥 (SSE-KMS),添加以下权限:
{ "Effect": "Allow", "Action": [ "kms:Decrypt" ] }
如果在超参数优化作业的输出配置中指定一个 KMS 密钥,则添加以下权限:
{ "Effect": "Allow", "Action": [ "kms:Encrypt" ] }
如果在超参数优化作业的资源配置中指定一个批量 KMS 密钥,则添加以下权限:
{ "Effect": "Allow", "Action": [ "kms:CreateGrant" ] }
CreateProcessingJob API:执行角色权限
对于可在 CreateProcessingJob API 请求中传递的执行角色,您可以将以下权限策略附加到该角色:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DescribeLogStreams", "s3:GetObject", "s3:PutObject", "s3:ListBucket", "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "*" } ] }
而不是指定"Resource": "*",您可以将这些权限限制为特定的 Amazon S3 和 Amazon ECR 资源:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DescribeLogStreams", "ecr:GetAuthorizationToken" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::inputbucket" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::inputbucket/object", "arn:aws:s3:::outputbucket/path" ] }, { "Effect": "Allow", "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "arn:aws:ecr:region::repository/my-repo" } ] }
如果CreateProcessingJob.AppSpecification.ImageUri如果需要访问其他数据源 (如 DynamoDB 或 Amazon RDS 资源),则向此策略添加相关权限。
在上一个策略中,您按如下方式确定策略范围:
-
仅向您在
s3:ListBucket请求中指定作为ProcessingInputs的特定存储桶授予CreateProcessingJob权限。 -
将
s3:GetObject和s3:PutObject权限的范围限定在CreateProcessingJob请求中要在ProcessingInputs和ProcessingOutputConfig中下载或上传的对象。 -
将 Amazon ECR 权限限定为注册表路径 (
AppSpecification.ImageUri) 你在CreateProcessingJob请求.
cloudwatch 和 logs 操作适用于“*”资源。有关更多信息,请参阅 。CloudWatch 资源和操作在 Amazon 中 CloudWatch 用户指南。
如果您为处理作业指定一个私有 VPC,请添加以下权限:
{ "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs", "ec2:DescribeDhcpOptions", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ] }
如果您的输入采用服务器端加密加密进行加密,则Amazon添加 KMS 托管密钥 (SSE-KMS),添加以下权限:
{ "Effect": "Allow", "Action": [ "kms:Decrypt" ] }
如果在处理作业的输出配置中指定一个 KMS 密钥,则添加以下权限:
{ "Effect": "Allow", "Action": [ "kms:Encrypt" ] }
如果在处理作业的资源配置中指定一个批量 KMS 密钥,则添加以下权限:
{ "Effect": "Allow", "Action": [ "kms:CreateGrant" ] }
CreateTrainingJob API:执行角色权限
对于可在 CreateTrainingJob API 请求中传递的执行角色,您可以将以下权限策略附加到该角色:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DescribeLogStreams", "s3:GetObject", "s3:PutObject", "s3:ListBucket", "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "*" } ] }
而不是指定"Resource": "*",您可以将这些权限限制为特定的 Amazon S3 和 Amazon ECR 资源:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DescribeLogStreams", "ecr:GetAuthorizationToken" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::inputbucket" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::inputbucket/object", "arn:aws:s3:::outputbucket/path" ] }, { "Effect": "Allow", "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "arn:aws:ecr:region::repository/my-repo" } ] }
如果CreateTrainingJob.AlgorithSpecifications.TrainingImage如果需要访问其他数据源 (如 DynamoDB 或 Amazon RDS 资源),则向此策略添加相关权限。
在上一个策略中,您按如下方式确定策略范围:
-
仅向您在
s3:ListBucket请求中指定作为InputDataConfig.DataSource.S3DataSource.S3Uri的特定存储桶授予CreateTrainingJob权限。 -
仅向您在
s3:GetObject请求的输入和输出数据配置中指定的以下对象授予s3:PutObject和CreateTrainingJob权限:InputDataConfig.DataSource.S3DataSource.S3UriOutputDataConfig.S3OutputPath -
将 Amazon ECR 权限限定为注册表路径 (
AlgorithmSpecification.TrainingImage) 你在CreateTrainingJob请求.
cloudwatch 和 logs 操作适用于“*”资源。有关更多信息,请参阅 。CloudWatch 资源和操作在 Amazon 中 CloudWatch 用户指南。
如果您为训练作业指定一个私有 VPC,请添加以下权限:
{ "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs", "ec2:DescribeDhcpOptions", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ] }
如果您的输入采用服务器端加密加密进行加密,则Amazon添加 KMS 托管密钥 (SSE-KMS),添加以下权限:
{ "Effect": "Allow", "Action": [ "kms:Decrypt" ] }
如果在训练作业的输出配置中指定一个 KMS 密钥,则添加以下权限:
{ "Effect": "Allow", "Action": [ "kms:Encrypt" ] }
如果在训练作业的资源配置中指定一个批量 KMS 密钥,则添加以下权限:
{ "Effect": "Allow", "Action": [ "kms:CreateGrant" ] }
CreateModel API:执行角色权限
对于可在 CreateModel API 请求中传递的执行角色,您可以将以下权限策略附加到该角色:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DescribeLogStreams", "s3:GetObject", "s3:ListBucket", "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "*" } ] }
而不是指定"Resource": "*",您可以将这些权限限制为特定的 Amazon S3 和 Amazon ECR 资源:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData", "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup", "logs:DescribeLogStreams", "ecr:GetAuthorizationToken" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::inputbucket/object" ] }, { "Effect": "Allow", "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": [ "arn:aws:ecr:region::repository/my-repo", "arn:aws:ecr:region::repository/my-repo" ] } ] }
如果 CreateModel.PrimaryContainer.Image 需要访问其他数据源 (如 Amazon DynamoDB 或 Amazon RDS 资源),则向此策略添加相关权限。
在上一个策略中,您按如下方式确定策略范围:
-
仅向您在
PrimaryContainer.ModelDataUrl请求的CreateModel中指定的对象授予 S3 权限。 -
将 Amazon ECR 权限限定为您指定作为的特定注册表路径。
PrimaryContainer.Image和SecondaryContainer.Image在CreateModel请求.
cloudwatch 和 logs 操作适用于“*”资源。有关更多信息,请参阅 。CloudWatch 资源和操作在 Amazon 中 CloudWatch 用户指南。
如果您为模型指定一个私有 VPC,请添加以下权限:
{ "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs", "ec2:DescribeDhcpOptions", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ] }