The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by region. To see the differences that apply to the China regions, see Getting Started with Amazon Web Services in China.


Amazon managed policies for SageMaker Projects and JumpStart

These Amazon managed policies add the permissions needed to use the built-in Amazon SageMaker project templates and JumpStart solutions. The policies are available in your Amazon account and are used by the execution roles created from the SageMaker console.

SageMaker Projects and JumpStart use Amazon Service Catalog to provision resources in customer accounts. Some of the created resources need to assume an execution role. For example, if Amazon Service Catalog creates a CodePipeline pipeline for a SageMaker machine learning CI/CD project on behalf of a customer, that pipeline requires an IAM role.

The AmazonSageMakerServiceCatalogProductsLaunchRole role has the permissions required to launch the SageMaker portfolio of products from Amazon Service Catalog. The AmazonSageMakerServiceCatalogProductsUseRole role has the permissions required to use products from Amazon Service Catalog. The AmazonSageMakerServiceCatalogProductsLaunchRole role passes the AmazonSageMakerServiceCatalogProductsUseRole role to the provisioned Amazon Service Catalog product resources.

Amazon managed policy: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy

This service role policy is used by the Amazon Service Catalog service to provision products from the Amazon SageMaker portfolio. The policy grants permissions to a set of related Amazon services, including Amazon CodePipeline, Amazon CodeBuild, Amazon CodeCommit, Amazon Glue, Amazon CloudFormation, and others.

The AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy policy is intended to be used by the AmazonSageMakerServiceCatalogProductsLaunchRole role created from the SageMaker console. The policy adds the permissions needed to provision Amazon resources for SageMaker Projects and JumpStart in the customer's account through Amazon Service Catalog.

Permissions details

This policy includes the following permissions.

  • apigateway — Allows the role to call API Gateway endpoints that are tagged with sagemaker:launch-source.

  • cloudformation — Allows Amazon Service Catalog to create, update, and delete CloudFormation stacks.

  • codebuild — Allows roles assumed by Amazon Service Catalog and passed to CloudFormation to create, update, and delete CodeBuild projects.

  • codecommit — Allows roles assumed by Amazon Service Catalog and passed to CloudFormation to create, update, and delete CodeCommit repositories.

  • codepipeline — Allows roles assumed by Amazon Service Catalog and passed to CloudFormation to create, update, and delete CodePipeline pipelines.

  • codestar-connections — Allows the role to pass AWS CodeStar connections.

  • cognito-idp — Allows the role to create, update, and delete groups and user pools.

  • ecr — Allows roles assumed by Amazon Service Catalog and passed to CloudFormation to create and delete Amazon ECR repositories.

  • events — Allows roles assumed by Amazon Service Catalog and passed to CloudFormation to create and delete EventBridge rules. These rules tie together the components of the CI/CD pipeline.

  • firehose — Allows the role to interact with Kinesis Data Firehose delivery streams.

  • glue — Allows the role to interact with Amazon Glue.

  • iam — Allows the role to pass roles whose names are prefixed with AmazonSageMakerServiceCatalog. This is needed when a project is provisioned as an Amazon Service Catalog product, because a role has to be passed to Amazon Service Catalog.

  • lambda — Allows the role to interact with Amazon Lambda.

  • logs — Allows the role to create, delete, and access log streams.

  • s3 — Allows roles assumed by Amazon Service Catalog and passed to CloudFormation to access the Amazon S3 bucket where the project template code is stored.

  • sagemaker — Allows the role to interact with various SageMaker services. This happens both in CloudFormation during template provisioning and in CodeBuild during CI/CD pipeline execution.

  • states — Allows the role to create, delete, and update Step Functions state machines whose names are prefixed with sagemaker.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["apigateway:GET", "apigateway:POST", "apigateway:PUT", "apigateway:PATCH", "apigateway:DELETE"],
      "Resource": "*",
      "Condition": {"StringLike": {"aws:ResourceTag/sagemaker:launch-source": "*"}}
    },
    {
      "Effect": "Allow",
      "Action": ["apigateway:POST"],
      "Resource": "*",
      "Condition": {"ForAnyValue:StringLike": {"aws:TagKeys": ["sagemaker:launch-source"]}}
    },
    {
      "Effect": "Allow",
      "Action": ["apigateway:PATCH"],
      "Resource": ["arn:aws:apigateway:*::/account"]
    },
    {
      "Effect": "Allow",
      "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack", "cloudformation:DeleteStack"],
      "Resource": "arn:aws:cloudformation:*:*:stack/SC-*",
      "Condition": {
        "ArnLikeIfExists": {
          "cloudformation:RoleArn": ["arn:aws:sts::*:assumed-role/AmazonSageMakerServiceCatalog*"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks"],
      "Resource": "arn:aws:cloudformation:*:*:stack/SC-*"
    },
    {
      "Effect": "Allow",
      "Action": ["cloudformation:GetTemplateSummary", "cloudformation:ValidateTemplate"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["codebuild:CreateProject", "codebuild:DeleteProject", "codebuild:UpdateProject"],
      "Resource": ["arn:aws:codebuild:*:*:project/sagemaker-*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:CreateCommit",
        "codecommit:CreateRepository",
        "codecommit:DeleteRepository",
        "codecommit:GetRepository",
        "codecommit:TagResource"
      ],
      "Resource": ["arn:aws:codecommit:*:*:sagemaker-*"]
    },
    {
      "Effect": "Allow",
      "Action": ["codecommit:ListRepositories"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "codepipeline:CreatePipeline",
        "codepipeline:DeletePipeline",
        "codepipeline:GetPipeline",
        "codepipeline:GetPipelineState",
        "codepipeline:StartPipelineExecution",
        "codepipeline:TagResource",
        "codepipeline:UpdatePipeline"
      ],
      "Resource": ["arn:aws:codepipeline:*:*:sagemaker-*"]
    },
    {
      "Effect": "Allow",
      "Action": ["cognito-idp:CreateUserPool"],
      "Resource": "*",
      "Condition": {"ForAnyValue:StringLike": {"aws:TagKeys": ["sagemaker:launch-source"]}}
    },
    {
      "Effect": "Allow",
      "Action": [
        "cognito-idp:CreateGroup",
        "cognito-idp:CreateUserPoolDomain",
        "cognito-idp:CreateUserPoolClient",
        "cognito-idp:DeleteGroup",
        "cognito-idp:DeleteUserPool",
        "cognito-idp:DeleteUserPoolClient",
        "cognito-idp:DeleteUserPoolDomain",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:UpdateUserPool",
        "cognito-idp:UpdateUserPoolClient"
      ],
      "Resource": "*",
      "Condition": {"StringLike": {"aws:ResourceTag/sagemaker:launch-source": "*"}}
    },
    {
      "Effect": "Allow",
      "Action": ["ecr:CreateRepository", "ecr:DeleteRepository"],
      "Resource": ["arn:aws:ecr:*:*:repository/sagemaker-*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:DescribeRule",
        "events:DeleteRule",
        "events:DisableRule",
        "events:EnableRule",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets"
      ],
      "Resource": ["arn:aws:events:*:*:rule/sagemaker-*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "firehose:CreateDeliveryStream",
        "firehose:DeleteDeliveryStream",
        "firehose:DescribeDeliveryStream",
        "firehose:StartDeliveryStreamEncryption",
        "firehose:StopDeliveryStreamEncryption",
        "firehose:UpdateDestination"
      ],
      "Resource": "arn:aws:firehose:*:*:deliverystream/sagemaker-*"
    },
    {
      "Effect": "Allow",
      "Action": ["glue:CreateDatabase", "glue:DeleteDatabase"],
      "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/sagemaker-*",
        "arn:aws:glue:*:*:table/sagemaker-*",
        "arn:aws:glue:*:*:userDefinedFunction/sagemaker-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "glue:CreateClassifier",
        "glue:DeleteClassifier",
        "glue:DeleteCrawler",
        "glue:DeleteJob",
        "glue:DeleteTrigger",
        "glue:DeleteWorkflow",
        "glue:StopCrawler"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["glue:CreateWorkflow"],
      "Resource": ["arn:aws:glue:*:*:workflow/sagemaker-*"]
    },
    {
      "Effect": "Allow",
      "Action": ["glue:CreateJob"],
      "Resource": ["arn:aws:glue:*:*:job/sagemaker-*"]
    },
    {
      "Effect": "Allow",
      "Action": ["glue:CreateCrawler", "glue:GetCrawler"],
      "Resource": ["arn:aws:glue:*:*:crawler/sagemaker-*"]
    },
    {
      "Effect": "Allow",
      "Action": ["glue:CreateTrigger", "glue:GetTrigger"],
      "Resource": ["arn:aws:glue:*:*:trigger/sagemaker-*"]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": ["arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalog*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:GetFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:InvokeFunction",
        "lambda:RemovePermission"
      ],
      "Resource": ["arn:aws:lambda:*:*:function:sagemaker-*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogGroup",
        "logs:DeleteLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutRetentionPolicy"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/apigateway/AccessLogs/*",
        "arn:aws:logs:*:*:log-group::log-stream:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "*",
      "Condition": {"StringEquals": {"s3:ExistingObjectTag/servicecatalog:provisioning": "true"}}
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": ["arn:aws:s3:::sagemaker-*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:GetBucketPolicy",
        "s3:PutBucketAcl",
        "s3:PutBucketNotification",
        "s3:PutBucketPolicy",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutBucketLogging",
        "s3:PutEncryptionConfiguration",
        "s3:PutBucketTagging",
        "s3:PutObjectTagging"
      ],
      "Resource": "arn:aws:s3:::sagemaker-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:CreateModel",
        "sagemaker:CreateWorkteam",
        "sagemaker:DeleteEndpoint",
        "sagemaker:DeleteEndpointConfig",
        "sagemaker:DeleteModel",
        "sagemaker:DeleteWorkteam",
        "sagemaker:DescribeModel",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeWorkteam",
        "sagemaker:CreateCodeRepository",
        "sagemaker:DescribeCodeRepository",
        "sagemaker:UpdateCodeRepository",
        "sagemaker:DeleteCodeRepository"
      ],
      "Resource": ["arn:aws:sagemaker:*:*:*"]
    },
    {
      "Action": [
        "sagemaker:CreateImage",
        "sagemaker:DeleteImage",
        "sagemaker:DescribeImage",
        "sagemaker:UpdateImage",
        "sagemaker:ListTags"
      ],
      "Resource": ["arn:aws:sagemaker:*:*:image/*"],
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": ["states:CreateStateMachine", "states:DeleteStateMachine", "states:UpdateStateMachine"],
      "Resource": ["arn:aws:states:*:*:stateMachine:sagemaker-*"]
    },
    {
      "Effect": "Allow",
      "Action": "codestar-connections:PassConnection",
      "Resource": "arn:aws:codestar-connections:*:*:connection/*",
      "Condition": {"StringEquals": {"codestar-connections:PassedToService": "codepipeline.amazonaws.com"}}
    }
  ]
}
```
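To see where the policy's name-prefix and tag boundaries actually fall (resources named sagemaker-*, stacks named SC-*, PassRole limited to service-role/AmazonSageMakerServiceCatalog*), here is an added example, not AWS code, that evaluates a few of the statements above in plain Python; the ARNs and tag values it is called with are constructed.

```python
# Added example, not AWS code: a minimal allow-only evaluator for a few statements
# copied from the AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy above,
# modelling only Allow, "*" wildcards and the operators StringEquals, StringLike and
# ArnLikeIfExists. It is a boundary check, not a full IAM policy simulator.
from fnmatch import fnmatchcase
# Subset of the policy's statements (Resource values normalized to lists).
STATEMENTS = [
    {"Action": ["codebuild:CreateProject", "codebuild:DeleteProject", "codebuild:UpdateProject"],
     "Resource": ["arn:aws:codebuild:*:*:project/sagemaker-*"]},
    {"Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalog*"]},
    {"Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack", "cloudformation:DeleteStack"],
     "Resource": ["arn:aws:cloudformation:*:*:stack/SC-*"],
     "Condition": {"ArnLikeIfExists": {"cloudformation:RoleArn":
                   ["arn:aws:sts::*:assumed-role/AmazonSageMakerServiceCatalog*"]}}},
    {"Action": ["apigateway:GET", "apigateway:POST", "apigateway:PUT", "apigateway:PATCH", "apigateway:DELETE"],
     "Resource": ["*"],
     "Condition": {"StringLike": {"aws:ResourceTag/sagemaker:launch-source": "*"}}},
    {"Action": ["codestar-connections:PassConnection"],
     "Resource": ["arn:aws:codestar-connections:*:*:connection/*"],
     "Condition": {"StringEquals": {"codestar-connections:PassedToService": "codepipeline.amazonaws.com"}}},
]


def _condition_holds(condition, context):
    """Evaluate a statement's Condition block against the request context keys."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            patterns = wanted if isinstance(wanted, list) else [wanted]
            if key not in context:
                if operator.endswith("IfExists"):  # an absent key satisfies ...IfExists
                    continue
                return False  # any other operator fails when the key is absent
            value = context[key]
            if operator == "StringEquals":
                if value not in patterns:
                    return False
            elif not any(fnmatchcase(value, p) for p in patterns):  # StringLike / ArnLike*
                return False
    return True


def is_allowed(action, resource_arn, context=None):
    """True if some Allow statement matches the action, resource ARN and conditions."""
    context = context or {}
    for stmt in STATEMENTS:
        if (any(fnmatchcase(action, a) for a in stmt["Action"])
                and any(fnmatchcase(resource_arn, r) for r in stmt["Resource"])
                and _condition_holds(stmt.get("Condition", {}), context)):
            return True
    return False
```

Use it to confirm that a resource outside the sagemaker-* / SC-* naming scheme, a role outside the service-role/AmazonSageMakerServiceCatalog prefix, or an untagged API Gateway resource gets no Allow from this policy.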

Amazon SageMaker updates to Amazon Service Catalog Amazon managed policies

View details about updates to the Amazon managed policies for Amazon SageMaker since the service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker Document history page.

Change: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy version 3 - Update to an existing policy
Description: Added new permissions for sagemaker: create, read, update, and delete SageMaker images.
Date: September 15, 2021

Change: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy version 2 - Update to an existing policy
Description: Added new permissions for sagemaker and codestar-connections: create, read, update, and delete code repositories; pass AWS CodeStar connections to Amazon CodePipeline.
Date: July 1, 2021

Change: SageMaker started tracking changes
Description: SageMaker started tracking changes for its Amazon Service Catalog Amazon managed policies:
  • AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy
Date: June 17, 2021