Install policies and permissions for local Jupyter environments - Amazon SageMaker

Install policies and permissions for local Jupyter environments

As mentioned previously, you install two sets of permissions: permissions for the IAM user, and permissions for the IAM role that the notebook job assumes. As shown in the following diagram, the IAM user needs IAM permissions to submit jobs to SageMaker. Once the user submits the notebook job, the job itself assumes an IAM role, which needs access to resources according to the job's tasks.

[Figure: the IAM permissions required by the user, and the IAM role assumed by the job during the notebook run.]

The following sections help you install the necessary policies and permissions for the IAM user and for the job execution role.

IAM user permissions

Permissions to submit jobs to SageMaker

To add permissions to submit jobs, complete the following steps:

  1. Open the IAM console

  2. Choose Users in the left panel

  3. Find the IAM user for your notebook job and choose the user name.

  4. Choose Add permissions, then choose Create inline policy from the dropdown menu

  5. Choose the JSON tab.

  6. Copy and paste the following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EventBridgeSchedule",
          "Effect": "Allow",
          "Action": [
            "events:TagResource",
            "events:DeleteRule",
            "events:PutTargets",
            "events:DescribeRule",
            "events:EnableRule",
            "events:PutRule",
            "events:RemoveTargets",
            "events:DisableRule"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/sagemaker:is-scheduling-notebook-job": "true"
            }
          }
        },
        {
          "Sid": "IAMPassrole",
          "Effect": "Allow",
          "Action": "iam:PassRole",
          "Resource": "arn:aws:iam::*:role/*",
          "Condition": {
            "StringLike": {
              "iam:PassedToService": [
                "sagemaker.amazonaws.com",
                "events.amazonaws.com"
              ]
            }
          }
        },
        {
          "Sid": "IAMListRoles",
          "Effect": "Allow",
          "Action": "iam:ListRoles",
          "Resource": "*"
        },
        {
          "Sid": "S3ArtifactsAccess",
          "Effect": "Allow",
          "Action": [
            "s3:PutEncryptionConfiguration",
            "s3:CreateBucket",
            "s3:PutBucketVersioning",
            "s3:ListBucket",
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetEncryptionConfiguration",
            "s3:DeleteObject",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::sagemaker-automated-execution-*"
          ]
        },
        {
          "Sid": "S3DriverAccess",
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket",
            "s3:GetObject",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::sagemakerheadlessexecution-*"
          ]
        },
        {
          "Sid": "SagemakerJobs",
          "Effect": "Allow",
          "Action": [
            "sagemaker:DescribeTrainingJob",
            "sagemaker:StopTrainingJob",
            "sagemaker:DescribePipeline",
            "sagemaker:CreateTrainingJob",
            "sagemaker:DeletePipeline",
            "sagemaker:CreatePipeline"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/sagemaker:is-scheduling-notebook-job": "true"
            }
          }
        },
        {
          "Sid": "AllowSearch",
          "Effect": "Allow",
          "Action": "sagemaker:Search",
          "Resource": "*"
        },
        {
          "Sid": "SagemakerTags",
          "Effect": "Allow",
          "Action": [
            "sagemaker:ListTags",
            "sagemaker:AddTags"
          ],
          "Resource": [
            "arn:aws:sagemaker:*:*:pipeline/*",
            "arn:aws:sagemaker:*:*:space/*",
            "arn:aws:sagemaker:*:*:training-job/*",
            "arn:aws:sagemaker:*:*:user-profile/*"
          ]
        },
        {
          "Sid": "ECRImage",
          "Effect": "Allow",
          "Action": [
            "ecr:GetAuthorizationToken",
            "ecr:BatchGetImage"
          ],
          "Resource": "*"
        }
      ]
    }
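An added check, not part of this page or of SageMaker, that a reviewer can run over a policy before attaching it: it parses a constructed excerpt of the user policy above and flags statements that have lost the scoping the page relies on (the iam:PassedToService condition on iam:PassRole, and the is-scheduling-notebook-job tag condition on SageMaker/EventBridge actions granted on Resource "*"). The function names and the excerpt are this example's own.

```python
import copy
import json

# Constructed excerpt of this page's IAM user policy: the iam:PassRole statement
# and the tag-scoped SagemakerJobs statement, parsed from JSON.
USER_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Sid": "IAMPassrole", "Effect": "Allow", "Action": "iam:PassRole",
    "Resource": "arn:aws:iam::*:role/*",
    "Condition": { "StringLike": { "iam:PassedToService":
      [ "sagemaker.amazonaws.com", "events.amazonaws.com" ] } } },
  { "Sid": "SagemakerJobs", "Effect": "Allow",
    "Action": [ "sagemaker:CreateTrainingJob", "sagemaker:StopTrainingJob" ],
    "Resource": "*", "Condition": { "StringEquals": {
      "aws:ResourceTag/sagemaker:is-scheduling-notebook-job": "true" } } }
] }
""")

def as_list(value):
    # IAM accepts a string or a list in Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]

def find_unscoped_statements(policy):
    """Return (Sid, reason) pairs for Allow statements that lose the scoping
    this page relies on: iam:PassRole with no iam:PassedToService condition,
    or SageMaker/EventBridge actions on Resource "*" with no Condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = as_list(stmt.get("Action", []))
        keys = {k.lower() for blk in stmt.get("Condition", {}).values() for k in blk}
        if "iam:PassRole" in actions and "iam:passedtoservice" not in keys:
            findings.append((sid, "iam:PassRole without iam:PassedToService"))
        wildcard = "*" in as_list(stmt.get("Resource", []))
        scoped = any(a.startswith(("sagemaker:", "events:")) for a in actions)
        if wildcard and scoped and not keys:
            findings.append((sid, 'Resource "*" with no Condition'))
    return findings

def without_condition(policy, sid):
    """Copy of policy with the Condition dropped from statement `sid`, to show
    the weakened form the checker flags."""
    weakened = copy.deepcopy(policy)
    for stmt in weakened["Statement"]:
        if stmt.get("Sid") == sid:
            stmt.pop("Condition", None)
    return weakened
```

Run against the full policy above, the check also reports AllowSearch, because sagemaker:Search is granted on Resource "*" with no condition; the page grants it that way, so treat it as a review item rather than an error.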

Amazon KMS permissions policy (optional)

By default, the input and output Amazon S3 buckets are encrypted with server-side encryption, but you can specify a custom KMS key to encrypt the data in the output Amazon S3 bucket and in the storage volume attached to the notebook job.

If you want to use a custom KMS key, repeat the previous instructions, attach the following policy, and provide your own KMS key ARN.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey",
            "kms:CreateGrant"
          ],
          "Resource": "your_KMS_key_ARN"
        }
      ]
    }

Job execution role permissions

Trust relationship

To modify the trust relationship of the job execution role, complete the following steps:

  1. Open the IAM console

  2. Choose Roles in the left panel

  3. Find the job execution role for the notebook job and choose the role name.

  4. Choose the Trust relationships tab.

  5. Choose Edit trust policy

  6. Copy and paste the following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "sagemaker.amazonaws.com",
              "events.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

Additional permissions

Once submitted, the notebook job needs permissions to access resources. The following instructions show you how to add a minimal set of permissions; you can add more permissions as needed, according to what your notebook job requires. To add permissions to the job execution role, complete the following steps:

  1. Open the IAM console

  2. Choose Roles in the left panel

  3. Find the job execution role for the notebook job and choose the role name.

  4. Choose Add permissions, then choose Create inline policy from the dropdown menu

  5. Choose the JSON tab.

  6. Copy and paste the following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PassroleForJobCreation",
          "Effect": "Allow",
          "Action": "iam:PassRole",
          "Resource": "arn:aws:iam::*:role/*",
          "Condition": {
            "StringLike": {
              "iam:PassedToService": "sagemaker.amazonaws.com"
            }
          }
        },
        {
          "Sid": "S3ForStoringArtifacts",
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:GetBucketLocation"
          ],
          "Resource": "arn:aws:s3:::sagemaker-automated-execution-*"
        },
        {
          "Sid": "S3DriverAccess",
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket",
            "s3:GetObject",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::sagemakerheadlessexecution-*"
          ]
        },
        {
          "Sid": "SagemakerJobs",
          "Effect": "Allow",
          "Action": [
            "sagemaker:StartPipelineExecution",
            "sagemaker:CreateTrainingJob"
          ],
          "Resource": "*"
        },
        {
          "Sid": "ECRImage",
          "Effect": "Allow",
          "Action": [
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage",
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability"
          ],
          "Resource": "*"
        }
      ]
    }

  7. Add permissions for any other resources that your notebook job accesses.

  8. Choose Review policy

  9. Enter a name for the policy.

  10. Choose Create policy