本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Amazon SageMaker 项目管理策略和 JumpStart
这些 Amazon 托管策略增加了使用内置 Amazon A SageMaker I 项目模板和 JumpStart 解决方案的权限。这些策略可在您的 Amazon 账户中使用,并由从 SageMaker AI 控制台创建的执行角色使用。
SageMaker 项目并 JumpStart 使用 S Amazon ervice Catalog 在客户账户中配置 Amazon 资源。一些创建的资源需要代入执行角色。例如,如果 S Amazon ervice Catalog 代表客户为 SageMaker 人工智能机器学习 CI/CD 项目创建 CodePipeline 管道,则该管道需要一个 IAM 角色。
该AmazonSageMakerServiceCatalogProductsLaunchRoleAmazonSageMakerServiceCatalogProductsLaunchRole角色将角色传递给预AmazonSageMakerServiceCatalogProductsUseRole配置的 S Amazon ervice Catalog 产品资源。
主题
Amazon 托管策略: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy
Amazon 托管策略: AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy
Amazon 托管策略: AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy
Amazon 托管策略: AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy
Amazon 托管策略: AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy
Amazon 托管策略: AmazonSageMakerServiceCatalogProductsCloudformationServiceRole策略
Amazon 托管策略: AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy
Amazon 托管策略: AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy
Amazon 托管策略: AmazonSageMakerServiceCatalogProductsEventsServiceRole策略
Amazon 托管策略: AmazonSageMakerServiceCatalogProductsFirehoseServiceRole策略
Amazon 托管策略: AmazonSageMakerServiceCatalogProductsGlueServiceRole策略
Amazon 托管策略: AmazonSageMakerServiceCatalogProductsLambdaServiceRole策略
Amazon 托管策略: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy
该服务使用此服务角色策略来配置 Amazon A SageMaker I 产品组合中的产品。 Amazon Service Catalog 该策略向一组相关 Amazon 服务授予权限 Amazon CodePipeline,包括、 Amazon CodeBuild、 Amazon CodeCommit Amazon CloudFormation、 Amazon Glue 等。
该AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy策略旨在由从 SageMaker AI 控制台创建的AmazonSageMakerServiceCatalogProductsLaunchRole角色使用。该策略为客户账户添加了为 SageMaker 项目配置 Amazon 资源和 JumpStart 使用 Service Catalog 的权限。
权限详细信息
该策略包含以下权限。
-
apigateway- 允许角色调用标有sagemaker:launch-source的 API Gateway 端点。 -
cloudformation— Amazon Service Catalog 允许创建、更新和删除 CloudFormation 堆栈。还允许服务目录标记和取消标记资源。 -
codebuild— 允许由担任 Amazon Service Catalog 并传递 CloudFormation 给的角色创建、更新和删除 CodeBuild 项目。 -
codecommit— 允许由担任 Amazon Service Catalog 并传递 CloudFormation 给的角色创建、更新和删除 CodeCommit 存储库。 -
codepipeline— 允许由担任 Amazon Service Catalog 并传递 CloudFormation 给的角色创建、更新和删除 CodePipelines。 -
codestarconnections,codestar-connections— 还允许角色传递 Amazon CodeConnections 和 AWS CodeStar 连接。 -
cognito-idp- 允许角色创建、更新和删除组和用户池。也允许标记资源。 -
ecr— 允许由担任 Amazon Service Catalog 并传递 CloudFormation 给的角色创建和删除 Amazon ECR 存储库。也允许标记资源。 -
events— 允许由担任 Amazon Service Catalog 并传递 CloudFormation 给的角色创建和删除 EventBridge 规则。用于连接 CICD 管道的各个组件。 -
firehose:允许角色与 Firehose 流交互。 -
glue— 允许角色与之交互 Amazon Glue。 -
iam- 允许角色传递前缀为AmazonSageMakerServiceCatalog的角色。当 Projects 预置 Amazon Service Catalog 产品时,需要该权限,因为需要将角色传递给 Amazon Service Catalog。 -
lambda- 允许角色与 Amazon Lambda交互。也允许标记资源。 -
logs- 允许角色创建、删除和访问日志流。 -
s3— 允许由担任 Amazon Service Catalog 并传递 CloudFormation 给的角色访问存储项目模板代码的 Amazon S3 存储桶。 -
sagemaker— 允许角色与各种 SageMaker AI 服务进行交互。这既可以在模板配置 CloudFormation 期间完成,也可以在CICD管道执行 CodeBuild 期间完成。也允许标记以下资源:端点、端点配置、模型、管道、项目和模型包。 -
states- 允许角色创建、删除和更新前缀为sagemaker的 Step Functions。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AmazonSageMakerServiceCatalogAPIGatewayPermission", "Effect": "Allow", "Action": [ "apigateway:GET", "apigateway:POST", "apigateway:PUT", "apigateway:PATCH", "apigateway:DELETE" ], "Resource": "*", "Condition": { "StringLike": { "aws:ResourceTag/sagemaker:launch-source": "*" } } }, { "Sid": "AmazonSageMakerServiceCatalogAPIGatewayPostPermission", "Effect": "Allow", "Action": [ "apigateway:POST" ], "Resource": "*", "Condition": { "ForAnyValue:StringLike": { "aws:TagKeys": [ "sagemaker:launch-source" ] } } }, { "Sid": "AmazonSageMakerServiceCatalogAPIGatewayPatchPermission", "Effect": "Allow", "Action": [ "apigateway:PATCH" ], "Resource": [ "arn:aws:apigateway:*::/account" ] }, { "Sid": "AmazonSageMakerServiceCatalogCFnMutatePermission", "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:UpdateStack", "cloudformation:DeleteStack" ], "Resource": "arn:aws:cloudformation:*:*:stack/SC-*", "Condition": { "ArnLikeIfExists": { "cloudformation:RoleArn": [ "arn:aws:sts::*:assumed-role/AmazonSageMakerServiceCatalog*" ] } } }, { "Sid": "AmazonSageMakerServiceCatalogCFnTagPermission", "Effect": "Allow", "Action": [ "cloudformation:TagResource", "cloudformation:UntagResource" ], "Resource": "arn:aws:cloudformation:*:*:stack/SC-*", "Condition" : { "Null": { "aws:ResourceTag/sagemaker:project-name": "false" } } }, { "Sid": "AmazonSageMakerServiceCatalogCFnReadPermission", "Effect": "Allow", "Action": [ "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks" ], "Resource": "arn:aws:cloudformation:*:*:stack/SC-*" }, { "Sid": "AmazonSageMakerServiceCatalogCFnTemplatePermission", "Effect": "Allow", "Action": [ "cloudformation:GetTemplateSummary", "cloudformation:ValidateTemplate" ], "Resource": "*" }, { "Sid": "AmazonSageMakerServiceCatalogCodeBuildPermission", "Effect": "Allow", "Action": [ "codebuild:CreateProject", "codebuild:DeleteProject", "codebuild:UpdateProject" ], "Resource": [ "arn:aws:codebuild:*:*:project/sagemaker-*" ] }, { "Sid": "AmazonSageMakerServiceCatalogCodeCommitPermission", "Effect": "Allow", "Action": [ "codecommit:CreateCommit", "codecommit:CreateRepository", "codecommit:DeleteRepository", "codecommit:GetRepository", "codecommit:TagResource" ], "Resource": [ "arn:aws:codecommit:*:*:sagemaker-*" ] }, { "Sid": "AmazonSageMakerServiceCatalogCodeCommitListPermission", "Effect": "Allow", "Action": [ "codecommit:ListRepositories" ], "Resource": "*" }, { "Sid": "AmazonSageMakerServiceCatalogCodePipelinePermission", "Effect": "Allow", "Action": [ "codepipeline:CreatePipeline", "codepipeline:DeletePipeline", "codepipeline:GetPipeline", "codepipeline:GetPipelineState", "codepipeline:StartPipelineExecution", "codepipeline:TagResource", "codepipeline:UpdatePipeline" ], "Resource": [ "arn:aws:codepipeline:*:*:sagemaker-*" ] }, { "Sid": "AmazonSageMakerServiceCatalogCIAMUserPermission", "Effect": "Allow", "Action": [ "cognito-idp:CreateUserPool", "cognito-idp:TagResource" ], "Resource": "*", "Condition": { "ForAnyValue:StringLike": { "aws:TagKeys": [ "sagemaker:launch-source" ] } } }, { "Sid": "AmazonSageMakerServiceCatalogCIAMPermission", "Effect": "Allow", "Action": [ "cognito-idp:CreateGroup", "cognito-idp:CreateUserPoolDomain", "cognito-idp:CreateUserPoolClient", "cognito-idp:DeleteGroup", "cognito-idp:DeleteUserPool", "cognito-idp:DeleteUserPoolClient", "cognito-idp:DeleteUserPoolDomain", "cognito-idp:DescribeUserPool", "cognito-idp:DescribeUserPoolClient", "cognito-idp:UpdateUserPool", "cognito-idp:UpdateUserPoolClient" ], "Resource": "*", "Condition": { "StringLike": { "aws:ResourceTag/sagemaker:launch-source": "*" } } }, { "Sid": "AmazonSageMakerServiceCatalogECRPermission", "Effect": "Allow", "Action": [ "ecr:CreateRepository", "ecr:DeleteRepository", "ecr:TagResource" ], "Resource": [ "arn:aws:ecr:*:*:repository/sagemaker-*" ] }, { "Sid": "AmazonSageMakerServiceCatalogEventBridgePermission", "Effect": "Allow", "Action": [ "events:DescribeRule", "events:DeleteRule", "events:DisableRule", "events:EnableRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets" ], "Resource": [ "arn:aws:events:*:*:rule/sagemaker-*" ] }, { "Sid": "AmazonSageMakerServiceCatalogFirehosePermission", "Effect": "Allow", "Action": [ "firehose:CreateDeliveryStream", "firehose:DeleteDeliveryStream", "firehose:DescribeDeliveryStream", "firehose:StartDeliveryStreamEncryption", "firehose:StopDeliveryStreamEncryption", "firehose:UpdateDestination" ], "Resource": "arn:aws:firehose:*:*:deliverystream/sagemaker-*" }, { "Sid": "AmazonSageMakerServiceCatalogGluePermission", "Effect": "Allow", "Action": [ "glue:CreateDatabase", "glue:DeleteDatabase" ], "Resource": [ "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/sagemaker-*", "arn:aws:glue:*:*:table/sagemaker-*", "arn:aws:glue:*:*:userDefinedFunction/sagemaker-*" ] }, { "Sid": "AmazonSageMakerServiceCatalogGlueClassiferPermission", "Effect": "Allow", "Action": [ "glue:CreateClassifier", "glue:DeleteClassifier", "glue:DeleteCrawler", "glue:DeleteJob", "glue:DeleteTrigger", "glue:DeleteWorkflow", "glue:StopCrawler" ], "Resource": [ "*" ] }, { "Sid": "AmazonSageMakerServiceCatalogGlueWorkflowPermission", "Effect": "Allow", "Action": [ "glue:CreateWorkflow" ], "Resource": [ "arn:aws:glue:*:*:workflow/sagemaker-*" ] }, { "Sid": "AmazonSageMakerServiceCatalogGlueJobPermission", "Effect": "Allow", "Action": [ "glue:CreateJob" ], "Resource": [ "arn:aws:glue:*:*:job/sagemaker-*" ] }, { "Sid": "AmazonSageMakerServiceCatalogGlueCrawlerPermission", "Effect": "Allow", "Action": [ "glue:CreateCrawler", "glue:GetCrawler" ], "Resource": [ "arn:aws:glue:*:*:crawler/sagemaker-*" ] }, { "Sid": "AmazonSageMakerServiceCatalogGlueTriggerPermission", "Effect": "Allow", "Action": [ "glue:CreateTrigger", "glue:GetTrigger" ], "Resource": [ "arn:aws:glue:*:*:trigger/sagemaker-*" ] }, { "Sid": "AmazonSageMakerServiceCatalogPassRolePermission", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalog*" ] }, { "Sid": "AmazonSageMakerServiceCatalogLambdaPermission", "Effect": "Allow", "Action": [ "lambda:AddPermission", "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:InvokeFunction", "lambda:RemovePermission" ], "Resource": [ "arn:aws:lambda:*:*:function:sagemaker-*" ] }, { "Sid": "AmazonSageMakerServiceCatalogLambdaTagPermission", "Effect": "Allow", "Action": "lambda:TagResource", "Resource": [ "arn:aws:lambda:*:*:function:sagemaker-*" ], "Condition": { "ForAllValues:StringLike": { "aws:TagKeys": [ "sagemaker:*" ] } } }, { "Sid": "AmazonSageMakerServiceCatalogLogGroupPermission", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DeleteLogGroup", "logs:DeleteLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:PutRetentionPolicy" ], "Resource": [ "arn:aws:logs:*:*:log-group:/aws/apigateway/AccessLogs/*", "arn:aws:logs:*:*:log-group::log-stream:*" ] }, { "Sid": "AmazonSageMakerServiceCatalogS3ReadPermission", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*", "Condition": { "StringEquals": { "s3:ExistingObjectTag/servicecatalog:provisioning": "true" } } }, { "Sid": "AmazonSageMakerServiceCatalogS3ReadSagemakerResourcePermission", "Effect": "Allow", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::sagemaker-*" ] }, { "Sid": "AmazonSageMakerServiceCatalogS3MutatePermission", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:GetBucketPolicy", "s3:PutBucketAcl", "s3:PutBucketNotification", "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:PutBucketLogging", "s3:PutEncryptionConfiguration", "s3:PutBucketCORS", "s3:PutBucketTagging", "s3:PutObjectTagging" ], "Resource": "arn:aws:s3:::sagemaker-*" }, { "Sid": "AmazonSageMakerServiceCatalogSageMakerPermission", "Effect": "Allow", "Action": [ "sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig", "sagemaker:CreateModel", "sagemaker:CreateWorkteam", "sagemaker:DeleteEndpoint", "sagemaker:DeleteEndpointConfig", "sagemaker:DeleteModel", "sagemaker:DeleteWorkteam", "sagemaker:DescribeModel", "sagemaker:DescribeEndpointConfig", "sagemaker:DescribeEndpoint", "sagemaker:DescribeWorkteam", "sagemaker:CreateCodeRepository", "sagemaker:DescribeCodeRepository", "sagemaker:UpdateCodeRepository", "sagemaker:DeleteCodeRepository" ], "Resource": [ "arn:aws:sagemaker:*:*:*" ] }, { "Sid": "AmazonSageMakerServiceCatalogSageMakerTagPermission", "Effect": "Allow", "Action": [ "sagemaker:AddTags" ], "Resource": [ "arn:aws:sagemaker:*:*:endpoint/*", "arn:aws:sagemaker:*:*:endpoint-config/*", "arn:aws:sagemaker:*:*:model/*", "arn:aws:sagemaker:*:*:pipeline/*", "arn:aws:sagemaker:*:*:project/*", "arn:aws:sagemaker:*:*:model-package/*" ], "Condition": { "ForAllValues:StringLike": { "aws:TagKeys": [ "sagemaker:*" ] } } }, { "Sid": "AmazonSageMakerServiceCatalogSageMakerImagePermission", "Effect": "Allow", "Action": [ "sagemaker:CreateImage", "sagemaker:DeleteImage", "sagemaker:DescribeImage", "sagemaker:UpdateImage", "sagemaker:ListTags" ], "Resource": [ "arn:aws:sagemaker:*:*:image/*" ] }, { "Sid": "AmazonSageMakerServiceCatalogStepFunctionPermission", "Effect": "Allow", "Action": [ "states:CreateStateMachine", "states:DeleteStateMachine", "states:UpdateStateMachine" ], "Resource": [ "arn:aws:states:*:*:stateMachine:sagemaker-*" ] }, { "Sid": "AmazonSageMakerServiceCatalogCodeStarPermission", "Effect": "Allow", "Action": "codestar-connections:PassConnection", "Resource": "arn:aws:codestar-connections:*:*:connection/*", "Condition": { "StringEquals": { "codestar-connections:PassedToService": "codepipeline.amazonaws.com" } } }, { "Sid": "AmazonSageMakerServiceCatalogCodeConnectionPermission", "Effect": "Allow", "Action": "codeconnections:PassConnection", "Resource": "arn:aws:codeconnections:*:*:connection/*", "Condition": { "StringEquals": { "codeconnections:PassedToService": "codepipeline.amazonaws.com" } } }, ] }
Amazon 托管策略: AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy
亚马逊 API Gatew SageMaker ay 在亚马逊 AI 产品组合中的 Amazon Service Catalog 预配置产品中使用此政策。该策略旨在附加到 IAM 角色,该角色将AmazonSageMakerServiceCatalogProductsLaunchRole
权限详细信息
该策略包含以下权限。
-
lambda- 调用由合作伙伴模板创建的函数。 -
sagemaker- 调用由合作伙伴模板创建的端点。
Amazon 托管策略: AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy
此政策由 Amazon A SageMaker I 产品组合 Amazon CloudFormation 中的 Amazon Service Catalog 预配置产品使用。该策略旨在附加到一个 IAM 角色,该角色AmazonSageMakerServiceCatalogProductsLaunchRole
权限详细信息
该策略包含以下权限。
-
iam- 传递AmazonSageMakerServiceCatalogProductsLambdaRole和AmazonSageMakerServiceCatalogProductsApiGatewayRole角色。 -
lambda— 创建、更新、删除和调用 Amazon Lambda 函数;检索、发布和删除 Lambda 层的版本。 -
apigateway- 创建、更新和删除 Amazon API Gateway 资源。 -
s3- 从 Amazon Simple Storage Service (Amazon S3) 存储桶中检索lambda-auth-code/layer.zip文件。
Amazon 托管策略: AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy
此政策由 Amazon A SageMaker I 产品组合 Amazon Lambda 中的 Amazon Service Catalog 预配置产品使用。该策略旨在附加到 IAM 角色,该角色将AmazonSageMakerServiceCatalogProductsLaunchRole
权限详细信息
该策略包含以下权限。
-
secretsmanager- 从合作伙伴为合作伙伴模板提供的密钥中检索数据。
Amazon 托管策略: AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy
亚马逊 API Gatew SageMaker ay 在亚马逊 AI 产品组合中的 Amazon Service Catalog 预配置产品中使用此政策。该策略旨在附加到 IAM 角色,该角色将AmazonSageMakerServiceCatalogProductsLaunchRole
权限详细信息
该策略包含以下权限。
-
logs— 创建和读取 CloudWatch 日志组、直播和事件;更新事件;描述各种资源。
Amazon 托管策略: AmazonSageMakerServiceCatalogProductsCloudformationServiceRole策略
此政策由 Amazon A SageMaker I 产品组合 Amazon CloudFormation 中的 Amazon Service Catalog 预配置产品使用。该策略旨在附加到一个 IAM 角色,该角色AmazonSageMakerServiceCatalogProductsLaunchRole
权限详细信息
该策略包含以下权限。
-
sagemaker— 允许访问各种 SageMaker AI 资源,但域名、用户配置文件、应用程序和流程定义除外。 -
iam- 传递AmazonSageMakerServiceCatalogProductsCodeBuildRole和AmazonSageMakerServiceCatalogProductsExecutionRole角色。
Amazon 托管策略: AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy
此政策由 Amazon A SageMaker I 产品组合 Amazon CodeBuild 中的 Amazon Service Catalog 预配置产品使用。该策略旨在附加到一个 IAM 角色,该角色AmazonSageMakerServiceCatalogProductsLaunchRole
权限详细信息
该策略包含以下权限。
-
sagemaker— 允许访问各种 SageMaker AI 资源。 -
codecommit— 将 CodeCommit 档案上传到 CodeBuild 管道,获取上传状态并取消上传;获取分支和提交信息。这些权限仅限于名称以“sagemaker-”开头的资源。 -
ecr- 创建 Amazon ECR 存储库和容器映像;上传映像层。这些权限仅限于名称以“sagemaker-”开头的存储库。ecr- 阅读所有资源。 -
iam- 传递以下角色:-
AmazonSageMakerServiceCatalogProductsCloudformationRole到 Amazon CloudFormation。 -
AmazonSageMakerServiceCatalogProductsCodeBuildRole到 Amazon CodeBuild。 -
AmazonSageMakerServiceCatalogProductsCodePipelineRole到 Amazon CodePipeline。 -
AmazonSageMakerServiceCatalogProductsEventsRole到亚马逊 EventBridge。 -
AmazonSageMakerServiceCatalogProductsExecutionRole到 Amazon SageMaker AI。
-
-
logs— 创建和读取 CloudWatch 日志组、直播和事件;更新事件;描述各种资源。 -
s3- 创建、读取和列出 Amazon S3 存储桶。这些权限仅限于名称以“sagemaker-”开头的存储桶。 -
codestarconnections,codestar-connections— 使用 Amazon CodeConnections 和 AWS CodeStar 连接。
Amazon 托管策略: AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy
此政策由 Amazon A SageMaker I 产品组合 Amazon CodePipeline 中的 Amazon Service Catalog 预配置产品使用。该策略旨在附加到一个 IAM 角色,该角色AmazonSageMakerServiceCatalogProductsLaunchRole
权限详细信息
该策略包含以下权限。
-
cloudformation— 创建、读取、删除和更新 CloudFormation堆栈;创建、读取、删除和执行更改集;设置堆栈策略;标记和取消标记资源。这些权限仅限于名称以“sagemaker-”开头的资源。 -
s3- 创建、读取、列出和删除 Amazon S3 存储桶;在存储桶中添加、读取和删除对象;读取和设置 CORS 配置;读取访问控制列表 (ACL);以及读取存储桶所在的 Amazon 区域。 -
iam- 传递AmazonSageMakerServiceCatalogProductsCloudformationRole角色。 -
codebuild— 获取 CodeBuild 构建信息并开始构建。这些权限仅限于名称以“sagemaker-”开头的项目和构建资源。 -
codecommit— 将 CodeCommit 档案上传到 CodeBuild 管道,获取上传状态并取消上传;获取分支和提交信息。 -
codestarconnections,codestar-connections— 使用 Amazon CodeConnections 和 AWS CodeStar 连接。
{ "Version": "2012-10-17", "Statement": [ { "Sid" : "AmazonSageMakerCodePipelineCFnPermission", "Effect": "Allow", "Action": [ "cloudformation:CreateChangeSet", "cloudformation:CreateStack", "cloudformation:DescribeChangeSet", "cloudformation:DeleteChangeSet", "cloudformation:DeleteStack", "cloudformation:DescribeStacks", "cloudformation:ExecuteChangeSet", "cloudformation:SetStackPolicy", "cloudformation:UpdateStack" ], "Resource": "arn:aws:cloudformation:*:*:stack/sagemaker-*" }, { "Sid" : "AmazonSageMakerCodePipelineCFnTagPermission", "Effect": "Allow", "Action": [ "cloudformation:TagResource", "cloudformation:UntagResource" ], "Resource": "arn:aws:cloudformation:*:*:stack/sagemaker-*" "Condition" : { "ForAnyValue:StringEquals": { "aws:TagKeys": [ "sagemaker:project-name" ] } }, { "Sid" : "AmazonSageMakerCodePipelineS3Permission", "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject", "s3:GetObjectVersion", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::sagemaker-*" ] }, { "Sid" : "AmazonSageMakerCodePipelinePassRolePermission", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCloudformationRole" ] }, { "Sid" : "AmazonSageMakerCodePipelineCodeBuildPermission", "Effect": "Allow", "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild" ], "Resource": [ "arn:aws:codebuild:*:*:project/sagemaker-*", "arn:aws:codebuild:*:*:build/sagemaker-*" ] }, { "Sid" : "AmazonSageMakerCodePipelineCodeCommitPermission", "Effect": "Allow", "Action": [ "codecommit:CancelUploadArchive", "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:GetUploadArchiveStatus", "codecommit:UploadArchive" ], "Resource": "arn:aws:codecommit:*:*:sagemaker-*" }, { "Sid" : "AmazonSageMakerCodePipelineCodeStarConnectionPermission", "Effect": "Allow", "Action": [ "codestar-connections:UseConnection" ], "Resource": [ "arn:aws:codestar-connections:*:*:connection/*" ], "Condition": { "StringEqualsIgnoreCase": { "aws:ResourceTag/sagemaker": "true" } } }, { "Sid" : "AmazonSageMakerCodePipelineCodeConnectionPermission", "Effect": "Allow", "Action": [ "codeconnections:UseConnection" ], "Resource": [ "arn:aws:codeconnections:*:*:connection/*" ], "Condition": { "StringEqualsIgnoreCase": { "aws:ResourceTag/sagemaker": "true" } } } ] }
Amazon 托管策略: AmazonSageMakerServiceCatalogProductsEventsServiceRole策略
亚马逊 EventBridge 在 Amazon A SageMaker I 产品组合中的 Amazon Service Catalog 预配置产品中使用此政策。该策略旨在附加到一个 IAM 角色,该角色AmazonSageMakerServiceCatalogProductsLaunchRole
权限详细信息
该策略包含以下权限。
-
codepipeline— 开始 CodeBuild 执行。这些权限仅限于名称以“sagemaker-”开头的管道。
Amazon 托管策略: AmazonSageMakerServiceCatalogProductsFirehoseServiceRole策略
亚马逊 Data Firehose 在亚马逊 AI 产品组合中的 Amazon Service Catalog 预配置产品中使用此政策。 SageMaker 该策略旨在附加到 IAM 角色,该角色将AmazonSageMakerServiceCatalogProductsLaunchRole
权限详细信息
该策略包含以下权限。
-
firehose:发送 Firehose 记录。这些权限仅限于传输流名称以“sagemaker-”开头的资源。
Amazon 托管策略: AmazonSageMakerServiceCatalogProductsGlueServiceRole策略
Amazon Glue 在亚马逊 A SageMaker I 产品组合中的 Amazon 服务目录预配置产品中使用此政策。该策略旨在附加到 IAM 角色,该角色将AmazonSageMakerServiceCatalogProductsLaunchRole
权限详细信息
该策略包含以下权限。
-
glue— 创建、读取和删除 Amazon Glue 分区、表和表版本。这些权限仅限于名称以“sagemaker-”开头的资源。创建和读取 Amazon Glue 数据库。这些权限仅限于名称为“default”、“global_temp”或以“sagemaker-”开头的数据库。获取用户定义的函数。 -
s3- 创建、读取、列出和删除 Amazon S3 存储桶;在存储桶中添加、读取和删除对象;读取和设置 CORS 配置;读取访问控制列表 (ACL);以及读取存储桶所在的 Amazon 区域。 -
logs— 创建、读取和删除 CloudWatch 日志组、流和传输;并创建资源策略。
Amazon 托管策略: AmazonSageMakerServiceCatalogProductsLambdaServiceRole策略
此政策由 Amazon A SageMaker I 产品组合 Amazon Lambda 中的 Amazon Service Catalog 预配置产品使用。该策略旨在附加到 IAM 角色,该角色将AmazonSageMakerServiceCatalogProductsLaunchRole
权限详细信息
该策略包含以下权限。
-
sagemaker— 允许访问各种 SageMaker AI 资源。 -
ecr- 创建和删除 Amazon ECR 存储库;创建、读取和删除容器映像;上传映像层。这些权限仅限于名称以“sagemaker-”开头的存储库。 -
events— 创建、读取和删除 Amazon EventBridge 规则;以及创建和删除目标。这些权限仅限于名称以“sagemaker-”开头的规则。 -
s3- 创建、读取、列出和删除 Amazon S3 存储桶;在存储桶中添加、读取和删除对象;读取和设置 CORS 配置;读取访问控制列表 (ACL);以及读取存储桶所在的 Amazon 区域。 -
iam- 传递AmazonSageMakerServiceCatalogProductsExecutionRole角色。 -
logs— 创建、读取和删除 CloudWatch 日志组、流和传输;并创建资源策略。 -
codebuild— 开始并获取有关 Amazon CodeBuild 版本的信息。
Amazon SageMaker AI 更新了 S Amazon ervice Catalog Amazon 托管策略
查看自该服务开始跟踪这些更改以来,Amazon SageMaker AI Amazon 托管策略更新的详细信息。
| 策略 | 版本 | 更改 | 日期 |
|---|---|---|---|
|
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - 更新的策略 |
9 |
添加 |
2024 年 7 月 1 日 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy -更新政策 |
7 |
将策略回滚到版本 7 (v7)。删除 |
2024 年 6 月 12 日 |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy -更新政策 |
8 |
添加 |
2024 年 6 月 11 日 |
|
AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy:更新策略 |
2 |
添加 |
2024 年 6 月 11 日 |
|
AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy:更新策略 |
2 |
添加 |
2024 年 6 月 11 日 |
|
AmazonSageMakerServiceCatalogProductsLambdaServiceRole政策:更新策略 |
2 |
添加 |
2024 年 6 月 11 日 |
|
AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy |
1 | 初始策略 |
2023 年 8 月 1 日 |
|
AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy |
1 | 初始策略 |
2023 年 8 月 1 日 |
|
AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy |
1 | 初始策略 |
2023 年 8 月 1 日 |
| 2 |
为 |
2022 年 8 月 26 日 | |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy -更新政策 |
7 |
为 |
2022 年 8 月 2 日 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy -更新政策 | 6 |
为 |
2022 年 7 月 14 日 |
AmazonSageMakerServiceCatalogProductsLambdaServiceRole政策 |
1 |
初始策略 |
2022 年 4 月 22 日 |
|
AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy |
1 |
初始策略 |
2022 年 3 月 24 日 |
|
AmazonSageMakerServiceCatalogProductsCloudformationServiceRole政策 |
1 |
初始策略 |
2022 年 3 月 24 日 |
AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy |
1 |
初始策略 |
2022 年 3 月 24 日 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy -更新政策 | 5 |
为 |
2022 年 3 月 21 日 |
AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy |
1 |
初始策略 |
2022 年 2 月 22 日 |
| 1 |
初始策略 |
2022 年 2 月 22 日 | |
| 1 |
初始策略 |
2022 年 2 月 22 日 | |
| AmazonSageMakerServiceCatalogProductsGlueServiceRole政策 | 1 |
初始策略 |
2022 年 2 月 22 日 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy -更新政策 | 4 |
为 |
2022 年 2 月 16 日 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy -更新政策 | 3 |
为 创建、读取、更新和删除 SageMaker 图片。 |
2021 年 9 月 15 日 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy -更新政策 | 2 |
为 创建、读取、更新和删除代码存储库。 将 AWS CodeStar 连接传递给 Amazon CodePipeline。 |
2021 年 7 月 1 日 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy | 1 | 初始策略 |
2020 年 11 月 27 日 |