Amazon managed policies for SageMaker Projects and JumpStart - Amazon SageMaker
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China.

This page was machine translated from the English original. Where the translation and the English original differ, the English original prevails.

Amazon managed policies for SageMaker Projects and JumpStart

These Amazon managed policies add the permissions needed to use the built-in Amazon SageMaker project templates and JumpStart solutions. The policies are available in your Amazon account and are used by the execution roles created from the SageMaker console.

SageMaker Projects and JumpStart use Amazon Service Catalog to provision resources in the customer's Amazon account. Some of the created resources need to assume an execution role. For example, if Amazon Service Catalog creates a CodePipeline pipeline on behalf of a customer for a SageMaker machine learning CI/CD project, that pipeline needs an IAM role.

The AmazonSageMakerServiceCatalogProductsLaunchRole role has the permissions required to launch the SageMaker portfolio from Amazon Service Catalog. The AmazonSageMakerServiceCatalogProductsUseRole role has the permissions required to use the SageMaker portfolio from Amazon Service Catalog. The AmazonSageMakerServiceCatalogProductsLaunchRole role passes the AmazonSageMakerServiceCatalogProductsUseRole role to the provisioned Amazon Service Catalog product resources.

Amazon managed policy: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy

This service role policy is used by Amazon Service Catalog to provision products from the Amazon SageMaker portfolio. The policy grants permissions to a set of related Amazon services, including Amazon CodePipeline, Amazon CodeBuild, Amazon CodeCommit, Amazon Glue, Amazon CloudFront, and others.

The AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy policy is intended for use by the AmazonSageMakerServiceCatalogProductsLaunchRole role created from the SageMaker console. The policy adds the permissions needed to provision Amazon resources for SageMaker Projects and JumpStart into the customer's account through Amazon Service Catalog.

Permissions details

This policy includes the following permissions.

  • apigateway – Allows the role to call API Gateway endpoints that are tagged with sagemaker:launch-source.

  • cloudformation – Allows Amazon Service Catalog to create, update, and delete CloudFormation stacks.

  • codebuild – Allows the role assumed by Amazon Service Catalog and passed to CloudFormation to create, update, and delete CodeBuild projects.

  • codecommit – Allows the role assumed by Amazon Service Catalog and passed to CloudFormation to create, update, and delete CodeCommit repositories.

  • codepipeline – Allows the role assumed by Amazon Service Catalog and passed to CloudFormation to create, update, and delete CodePipeline pipelines.

  • codestar-connections – Allows the role to pass AWS CodeStar connections.

  • cognito-idp – Allows the role to create, update, and delete groups and user pools. Also allows tagging of those resources.

  • ecr – Allows the role assumed by Amazon Service Catalog and passed to CloudFormation to create and delete Amazon ECR repositories. Also allows tagging of those resources.

  • events – Allows the role assumed by Amazon Service Catalog and passed to CloudFormation to create and delete EventBridge rules. Used to tie together the components of the CICD pipeline.

  • firehose – Allows the role to interact with Kinesis Data Firehose streams.

  • glue – Allows the role to interact with Amazon Glue.

  • iam – Allows the role to pass roles whose names are prefixed with AmazonSageMakerServiceCatalog. This is needed when a project is provisioned by Amazon Service Catalog, because a role has to be passed to Amazon Service Catalog.

  • lambda – Allows the role to interact with Amazon Lambda.

  • logs – Allows the role to create, delete, and access log streams.

  • s3 – Allows the role assumed by Amazon Service Catalog and passed to CloudFormation to access the Amazon S3 buckets in which the project template code is stored.

  • sagemaker – Allows the role to interact with a variety of SageMaker services. This happens both in CloudFormation during template provisioning and in CodeBuild during CICD pipeline execution.

  • states – Allows the role to create, delete, and update Step Functions state machines whose names are prefixed with sagemaker.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:GET",
                "apigateway:POST",
                "apigateway:PUT",
                "apigateway:PATCH",
                "apigateway:DELETE"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/sagemaker:launch-source": "*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:POST"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringLike": {
                    "aws:TagKeys": [
                        "sagemaker:launch-source"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:PATCH"
            ],
            "Resource": [
                "arn:aws:apigateway:*::/account"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:UpdateStack",
                "cloudformation:DeleteStack"
            ],
            "Resource": "arn:aws:cloudformation:*:*:stack/SC-*",
            "Condition": {
                "ArnLikeIfExists": {
                    "cloudformation:RoleArn": [
                        "arn:aws:sts::*:assumed-role/AmazonSageMakerServiceCatalog*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStacks"
            ],
            "Resource": "arn:aws:cloudformation:*:*:stack/SC-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:GetTemplateSummary",
                "cloudformation:ValidateTemplate"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "codebuild:CreateProject",
                "codebuild:DeleteProject",
                "codebuild:UpdateProject"
            ],
            "Resource": [
                "arn:aws:codebuild:*:*:project/sagemaker-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codecommit:CreateCommit",
                "codecommit:CreateRepository",
                "codecommit:DeleteRepository",
                "codecommit:GetRepository",
                "codecommit:TagResource"
            ],
            "Resource": [
                "arn:aws:codecommit:*:*:sagemaker-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codecommit:ListRepositories"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "codepipeline:CreatePipeline",
                "codepipeline:DeletePipeline",
                "codepipeline:GetPipeline",
                "codepipeline:GetPipelineState",
                "codepipeline:StartPipelineExecution",
                "codepipeline:TagResource",
                "codepipeline:UpdatePipeline"
            ],
            "Resource": [
                "arn:aws:codepipeline:*:*:sagemaker-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cognito-idp:CreateUserPool",
                "cognito-idp:TagResource"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringLike": {
                    "aws:TagKeys": [
                        "sagemaker:launch-source"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "cognito-idp:CreateGroup",
                "cognito-idp:CreateUserPoolDomain",
                "cognito-idp:CreateUserPoolClient",
                "cognito-idp:DeleteGroup",
                "cognito-idp:DeleteUserPool",
                "cognito-idp:DeleteUserPoolClient",
                "cognito-idp:DeleteUserPoolDomain",
                "cognito-idp:DescribeUserPool",
                "cognito-idp:DescribeUserPoolClient",
                "cognito-idp:UpdateUserPool",
                "cognito-idp:UpdateUserPoolClient"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/sagemaker:launch-source": "*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:CreateRepository",
                "ecr:DeleteRepository",
                "ecr:TagResource"
            ],
            "Resource": [
                "arn:aws:ecr:*:*:repository/sagemaker-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:DescribeRule",
                "events:DeleteRule",
                "events:DisableRule",
                "events:EnableRule",
                "events:PutRule",
                "events:PutTargets",
                "events:RemoveTargets"
            ],
            "Resource": [
                "arn:aws:events:*:*:rule/sagemaker-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "firehose:CreateDeliveryStream",
                "firehose:DeleteDeliveryStream",
                "firehose:DescribeDeliveryStream",
                "firehose:StartDeliveryStreamEncryption",
                "firehose:StopDeliveryStreamEncryption",
                "firehose:UpdateDestination"
            ],
            "Resource": "arn:aws:firehose:*:*:deliverystream/sagemaker-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:CreateDatabase",
                "glue:DeleteDatabase"
            ],
            "Resource": [
                "arn:aws:glue:*:*:catalog",
                "arn:aws:glue:*:*:database/sagemaker-*",
                "arn:aws:glue:*:*:table/sagemaker-*",
                "arn:aws:glue:*:*:userDefinedFunction/sagemaker-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:CreateClassifier",
                "glue:DeleteClassifier",
                "glue:DeleteCrawler",
                "glue:DeleteJob",
                "glue:DeleteTrigger",
                "glue:DeleteWorkflow",
                "glue:StopCrawler"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:CreateWorkflow"
            ],
            "Resource": [
                "arn:aws:glue:*:*:workflow/sagemaker-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:CreateJob"
            ],
            "Resource": [
                "arn:aws:glue:*:*:job/sagemaker-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:CreateCrawler",
                "glue:GetCrawler"
            ],
            "Resource": [
                "arn:aws:glue:*:*:crawler/sagemaker-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:CreateTrigger",
                "glue:GetTrigger"
            ],
            "Resource": [
                "arn:aws:glue:*:*:trigger/sagemaker-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalog*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:AddPermission",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:InvokeFunction",
                "lambda:RemovePermission"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:sagemaker-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DeleteLogGroup",
                "logs:DeleteLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:PutRetentionPolicy"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:/aws/apigateway/AccessLogs/*",
                "arn:aws:logs:*:*:log-group::log-stream:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/servicecatalog:provisioning": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::sagemaker-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteBucketPolicy",
                "s3:GetBucketPolicy",
                "s3:PutBucketAcl",
                "s3:PutBucketNotification",
                "s3:PutBucketPolicy",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutBucketLogging",
                "s3:PutEncryptionConfiguration",
                "s3:PutBucketTagging",
                "s3:PutObjectTagging",
                "s3:PutBucketCORS"
            ],
            "Resource": "arn:aws:s3:::sagemaker-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateEndpoint",
                "sagemaker:CreateEndpointConfig",
                "sagemaker:CreateModel",
                "sagemaker:CreateWorkteam",
                "sagemaker:DeleteEndpoint",
                "sagemaker:DeleteEndpointConfig",
                "sagemaker:DeleteModel",
                "sagemaker:DeleteWorkteam",
                "sagemaker:DescribeModel",
                "sagemaker:DescribeEndpointConfig",
                "sagemaker:DescribeEndpoint",
                "sagemaker:DescribeWorkteam",
                "sagemaker:CreateCodeRepository",
                "sagemaker:DescribeCodeRepository",
                "sagemaker:UpdateCodeRepository",
                "sagemaker:DeleteCodeRepository"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateImage",
                "sagemaker:DeleteImage",
                "sagemaker:DescribeImage",
                "sagemaker:UpdateImage",
                "sagemaker:ListTags"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:image/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "states:CreateStateMachine",
                "states:DeleteStateMachine",
                "states:UpdateStateMachine"
            ],
            "Resource": [
                "arn:aws:states:*:*:stateMachine:sagemaker-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "codestar-connections:PassConnection",
            "Resource": "arn:aws:codestar-connections:*:*:connection/*",
            "Condition": {
                "StringEquals": {
                    "codestar-connections:PassedToService": "codepipeline.amazonaws.com"
                }
            }
        }
    ]
}
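The value of this policy for a reviewer lies in how its Allow statements are scoped: resource ARNs restricted to the sagemaker-* and SC-* prefixes, iam:PassRole limited to the service-role/AmazonSageMakerServiceCatalog* roles described above, and tag conditions on the API Gateway and Cognito statements. The following script is an added example, not AWS code and not the real IAM evaluation engine: it is a small offline evaluator for exactly the constructs these statements use, run against a five-statement excerpt of the policy and constructed sample requests (account id 111122223333 and the resource names are made up), so that the effect of each scoping choice can be checked without an AWS account.

```python
"""Offline check of how the policy above scopes its Allow statements.

Added example: not AWS code and not the real IAM engine. It models only what
these statements use (Effect Allow, '*' and '?' wildcards in Action and
Resource, and the StringEquals, StringLike, ForAnyValue:StringLike and
ArnLikeIfExists operators). Deny statements, SCPs, permission boundaries and
resource-based policies are out of scope, and ArnLike is approximated by a
whole-string glob rather than segment-wise ARN matching.
"""
import re

# Five statements copied from AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy.
POLICY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["apigateway:GET", "apigateway:POST", "apigateway:PUT",
                    "apigateway:PATCH", "apigateway:DELETE"],
         "Resource": "*",
         "Condition": {"StringLike": {"aws:ResourceTag/sagemaker:launch-source": "*"}}},
        {"Effect": "Allow",
         "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
                    "cloudformation:DeleteStack"],
         "Resource": "arn:aws:cloudformation:*:*:stack/SC-*",
         "Condition": {"ArnLikeIfExists": {"cloudformation:RoleArn": [
             "arn:aws:sts::*:assumed-role/AmazonSageMakerServiceCatalog*"]}}},
        {"Effect": "Allow",
         "Action": ["codebuild:CreateProject", "codebuild:DeleteProject",
                    "codebuild:UpdateProject"],
         "Resource": ["arn:aws:codebuild:*:*:project/sagemaker-*"]},
        {"Effect": "Allow",
         "Action": ["cognito-idp:CreateUserPool", "cognito-idp:TagResource"],
         "Resource": "*",
         "Condition": {"ForAnyValue:StringLike": {"aws:TagKeys": ["sagemaker:launch-source"]}}},
        {"Effect": "Allow",
         "Action": ["iam:PassRole"],
         "Resource": ["arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalog*"]},
    ],
}


def _glob(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, key, patterns, context):
    """Evaluate one condition key; context values are strings or lists (aws:TagKeys)."""
    set_op, base = operator.split(":", 1) if ":" in operator else (None, operator)
    if_exists = base.endswith("IfExists")
    base = base[:-len("IfExists")] if if_exists else base
    if key not in context:
        return if_exists  # an absent key satisfies only the ...IfExists variants
    if base == "StringEquals":
        matches = lambda v: v in patterns
    elif base in ("StringLike", "ArnLike"):
        matches = lambda v: any(_glob(p, v) for p in patterns)
    else:
        raise ValueError("operator not modelled: " + operator)
    values = _as_list(context[key])
    if set_op == "ForAnyValue":
        return any(matches(v) for v in values)
    if set_op == "ForAllValues":
        return all(matches(v) for v in values)
    return matches(values[0])


def statement_matches(stmt, action, resource, context):
    """Action names match case-insensitively; resource ARNs are case-sensitive."""
    if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    # Every operator block, and every key inside it, must hold.
    return all(_condition_holds(op, key, _as_list(pats), context)
               for op, keys in stmt.get("Condition", {}).items()
               for key, pats in keys.items())


def is_allowed(action, resource, context=None, policy=POLICY_EXCERPT):
    """True when at least one Allow statement matches the request."""
    context = context or {}
    return any(s["Effect"] == "Allow" and statement_matches(s, action, resource, context)
               for s in policy["Statement"])


if __name__ == "__main__":
    acct = "111122223333"  # constructed sample account id
    for action, resource, ctx in [
        ("codebuild:CreateProject", f"arn:aws:codebuild:us-east-1:{acct}:project/sagemaker-demo", {}),
        ("codebuild:CreateProject", f"arn:aws:codebuild:us-east-1:{acct}:project/other", {}),
        ("iam:PassRole", f"arn:aws:iam::{acct}:role/AdminRole", {}),
        ("cloudformation:CreateStack", f"arn:aws:cloudformation:us-east-1:{acct}:stack/SC-demo/1",
         {"cloudformation:RoleArn": f"arn:aws:sts::{acct}:assumed-role/AdminRole/s1"}),
    ]:
        print(action, resource, "->", is_allowed(action, resource, ctx))
```

Two points the run makes visible: the PassRole grant covers only roles under the service-role/ path whose names begin with AmazonSageMakerServiceCatalog, so the launch role cannot hand an unrelated privileged role to a provisioned pipeline, and the ArnLikeIfExists condition on the CloudFormation statement rejects stack operations that name a foreign service role while still allowing calls that pass no role at all. For decisions against the live policy in an account, the IAM policy simulator (aws iam simulate-principal-policy) remains the authoritative check.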

Amazon SageMaker updates to Amazon Service Catalog Amazon managed policies

View details about updates to Amazon managed policies for Amazon SageMaker since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker Document history page.

| Policy | Version | Change | Date |
|---|---|---|---|
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy | 5 | Added the new permission ecr:TagResource. | March 21, 2022 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy | 4 | Added the new permissions cognito-idp:TagResource and s3:PutBucketCORS. | February 16, 2022 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy | 3 | Added new sagemaker permissions: create, read, update, and delete SageMaker images. | September 15, 2021 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy | 2 | Added new sagemaker and codestar-connections permissions: create, read, update, and delete code repositories; pass AWS CodeStar connections to Amazon CodePipeline. | July 1, 2021 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy | 1 | Initial policy | November 27, 2020 |