

This is a machine-translated version. Where this translation differs from the English original, the English original takes precedence.

# Amazon SageMaker Projects and JumpStart managed policies
<a name="security-iam-awsmanpol-sc"></a>

These Amazon managed policies add the permissions needed to use the built-in Amazon SageMaker AI project templates and JumpStart solutions. The policies are available in your Amazon account and are used by execution roles created from the SageMaker AI console.

SageMaker Projects and JumpStart use Amazon Service Catalog to provision Amazon resources in the customer's account. Some of the resources that are created need to assume an execution role. For example, when Amazon Service Catalog creates a CodePipeline pipeline on the customer's behalf for a SageMaker AI machine learning CI/CD project, that pipeline needs an IAM role.

The [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.amazonaws.cn/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) role has the permissions needed to launch the SageMaker AI portfolio from Amazon Service Catalog. The [AmazonSageMakerServiceCatalogProductsUseRole](https://console.amazonaws.cn/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsUseRole) role has the permissions needed to use the SageMaker AI portfolio from Amazon Service Catalog. The `AmazonSageMakerServiceCatalogProductsLaunchRole` role passes the `AmazonSageMakerServiceCatalogProductsUseRole` role to the provisioned Amazon Service Catalog product resources. Because `iam:PassRole` is what lets a provisioned resource act with a role's permissions, the launch role's policy restricts which roles it may pass (see the `iam` entry under the admin policy below).

**Topics**
+ [Amazon managed policy: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy)
+ [Amazon managed policy: AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy)
+ [Amazon managed policy: AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy)
+ [Amazon managed policy: AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy)
+ [Amazon managed policy: AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy)
+ [Amazon managed policy: AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy)
+ [Amazon managed policy: AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy)
+ [Amazon managed policy: AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy)
+ [Amazon managed policy: AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy)
+ [Amazon managed policy: AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy)
+ [Amazon managed policy: AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy)
+ [Amazon managed policy: AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy)
+ [Amazon SageMaker AI updates to Amazon Service Catalog Amazon managed policies](#security-iam-awsmanpol-sc-updates)

## Amazon managed policy: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy"></a>

This service role policy is used by Amazon Service Catalog to provision products in the Amazon SageMaker AI portfolio. The policy grants permissions to a set of related Amazon services, including Amazon CodePipeline, Amazon CodeBuild, Amazon CodeCommit, Amazon CloudFormation, Amazon Glue, and others.

The `AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy` policy is intended to be used by the `AmazonSageMakerServiceCatalogProductsLaunchRole` role created from the SageMaker AI console. The policy adds to the customer's account the permissions needed to provision Amazon resources for SageMaker Projects and JumpStart through Service Catalog.

**Permissions details**

This policy includes the following permissions.
+ `apigateway` - Allows the role to call API Gateway endpoints that are tagged with `sagemaker:launch-source`.
+ `cloudformation` - Allows Amazon Service Catalog to create, update, and delete CloudFormation stacks. Also allows Service Catalog to tag and untag resources.
+ `codebuild` - Allows the role assumed by Amazon Service Catalog and passed to CloudFormation to create, update, and delete CodeBuild projects.
+ `codecommit` - Allows the role assumed by Amazon Service Catalog and passed to CloudFormation to create, update, and delete CodeCommit repositories.
+ `codepipeline` - Allows the role assumed by Amazon Service Catalog and passed to CloudFormation to create, update, and delete CodePipeline pipelines.
+ `codeconnections`, `codestar-connections` - Also allows the role to pass Amazon CodeConnections and AWS CodeStar connections.
+ `cognito-idp` - Allows the role to create, update, and delete groups and user pools. Also allows tagging of resources.
+ `ecr` - Allows the role assumed by Amazon Service Catalog and passed to CloudFormation to create and delete Amazon ECR repositories. Also allows tagging of resources.
+ `events` - Allows the role assumed by Amazon Service Catalog and passed to CloudFormation to create and delete EventBridge rules. Used to wire together the components of the CI/CD pipeline.
+ `firehose` - Allows the role to interact with Firehose streams.
+ `glue` - Allows the role to interact with Amazon Glue.
+ `iam` - Allows the role to pass roles whose names are prefixed with `AmazonSageMakerServiceCatalog`. This is needed when Projects provisions an Amazon Service Catalog product, because a role must be passed to Amazon Service Catalog.
+ `lambda` - Allows the role to interact with Amazon Lambda. Also allows tagging of resources.
+ `logs` - Allows the role to create, delete, and access log streams.
+ `s3` - Allows the role assumed by Amazon Service Catalog and passed to CloudFormation to access the Amazon S3 buckets where the project template code is stored.
+ `sagemaker` - Allows the role to interact with various SageMaker AI services. This can happen both during CloudFormation template provisioning and during CodeBuild execution in the CI/CD pipeline. Also allows tagging of the following resources: endpoints, endpoint configs, models, pipelines, projects, and model packages.
+ `states` - Allows the role to create, delete, and update Step Functions state machines whose names are prefixed with `sagemaker`.

To view the permissions for this policy, see [AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy.html) in the Amazon Managed Policy Reference.

## Amazon managed policy: AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy"></a>

This policy is used by Amazon API Gateway in Amazon Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.amazonaws.cn/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to Amazon resources created by API Gateway that require a role.

**Permissions details**

This policy includes the following permissions.
+ `lambda` - Invoke functions created by partner templates.
+ `sagemaker` - Invoke endpoints created by partner templates.

Both statements are scoped by condition: the target function or endpoint must carry both the `sagemaker:project-name` and `sagemaker:partner` tags (the `Null` conditions require those keys to be present), and it must belong to the same account as the calling principal (`aws:ResourceAccount` must equal `aws:PrincipalAccount`). Function names must also begin with `sagemaker-`.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:*:*:function:sagemaker-*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        },
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "sagemaker:InvokeEndpoint",
      "Resource": "arn:aws:sagemaker:*:*:endpoint/*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        },
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
```

------

## Amazon managed policy: AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy"></a>

This policy is used by Amazon CloudFormation in Amazon Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.amazonaws.cn/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to Amazon resources created by Amazon CloudFormation that require a role.

**Permissions details**

This policy includes the following permissions.
+ `iam` - Pass the `AmazonSageMakerServiceCatalogProductsLambdaRole` and `AmazonSageMakerServiceCatalogProductsApiGatewayRole` roles. Each `iam:PassRole` grant is conditioned on `iam:PassedToService`, so the Lambda role can only be passed to Lambda and the API Gateway role only to API Gateway.
+ `lambda` - Create, update, delete, and invoke Amazon Lambda functions; retrieve, publish, and delete Lambda layer versions. Function and layer names must begin with `sagemaker-`.
+ `apigateway` - Create, update, and delete Amazon API Gateway resources.
+ `s3` - Retrieve the `lambda-auth-code/layer.zip` file from an Amazon Simple Storage Service (Amazon S3) bucket whose name begins with `sagemaker-` and that belongs to the same account as the principal.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsLambdaRole"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "lambda.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsApiGatewayRole"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "apigateway.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:DeleteFunction",
        "lambda:UpdateFunctionCode",
        "lambda:ListTags",
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:sagemaker-*"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:TagResource"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:sagemaker-*"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        },
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "sagemaker:project-name",
            "sagemaker:partner"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:PublishLayerVersion",
        "lambda:GetLayerVersion",
        "lambda:DeleteLayerVersion",
        "lambda:GetFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:layer:sagemaker-*",
        "arn:aws:lambda:*:*:function:sagemaker-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:GET",
        "apigateway:DELETE",
        "apigateway:PATCH",
        "apigateway:POST",
        "apigateway:PUT"
      ],
      "Resource": [
        "arn:aws:apigateway:*::/restapis/*",
        "arn:aws:apigateway:*::/restapis"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:POST",
        "apigateway:PUT"
      ],
      "Resource": [
        "arn:aws:apigateway:*::/restapis",
        "arn:aws:apigateway:*::/tags/*"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        },
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "sagemaker:project-name",
            "sagemaker:partner"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::sagemaker-*/lambda-auth-code/layer.zip"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
```

------

## Amazon managed policy: AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy"></a>

This policy is used by Amazon Lambda in Amazon Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.amazonaws.cn/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to Amazon resources created by Lambda that require a role.

**Permissions details**

This policy includes the following permissions.
+ `secretsmanager` - Retrieve the value of secrets that the partner provides for the partner template. The secret must be tagged with `sagemaker:partner` and belong to the same account as the principal; the resource ARN itself is otherwise unrestricted (`secret:*`).

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:*:*:secret:*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:partner": false
        },
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
```

------

## Amazon managed policy: AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy"></a>

This policy is used by Amazon API Gateway in Amazon Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.amazonaws.cn/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to Amazon resources created by API Gateway that require a role.

**Permissions details**

This policy includes the following permissions.
+ `logs` - Create and read CloudWatch Logs log groups, log streams, and log events; create, get, update, and delete log deliveries; put resource policies; and describe various resources. These permissions are limited to log groups under `/aws/apigateway/`.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:DescribeResourcePolicies",
        "logs:DescribeDestinations",
        "logs:DescribeExportTasks",
        "logs:DescribeMetricFilters",
        "logs:DescribeQueries",
        "logs:DescribeQueryDefinitions",
        "logs:DescribeSubscriptionFilters",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/apigateway/*"
    }
  ]
}
```

------

## Amazon managed policy: AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy"></a>

This policy is used by Amazon CloudFormation in Amazon Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.amazonaws.cn/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to Amazon resources created by Amazon CloudFormation that require a role.

**Permissions details**

This policy includes the following permissions.
+ `sagemaker` - Allows access to various SageMaker AI resources, except domains, user profiles, apps, and flow definitions. The exclusion is expressed with `NotResource`: the statement matches any SageMaker AI resource whose ARN is not one of those four types, so it grants nothing on them even though actions such as `sagemaker:CreateDomain` appear in the action list.
+ `iam` - Pass the `AmazonSageMakerServiceCatalogProductsCodeBuildRole` and `AmazonSageMakerServiceCatalogProductsExecutionRole` roles. Unlike the partner CloudFormation policy, this `iam:PassRole` statement carries no `iam:PassedToService` condition.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddAssociation",
        "sagemaker:AddTags",
        "sagemaker:AssociateTrialComponent",
        "sagemaker:BatchDescribeModelPackage",
        "sagemaker:BatchGetMetrics",
        "sagemaker:BatchGetRecord",
        "sagemaker:BatchPutMetrics",
        "sagemaker:CreateAction",
        "sagemaker:CreateAlgorithm",
        "sagemaker:CreateApp",
        "sagemaker:CreateAppImageConfig",
        "sagemaker:CreateArtifact",
        "sagemaker:CreateAutoMLJob",
        "sagemaker:CreateCodeRepository",
        "sagemaker:CreateCompilationJob",
        "sagemaker:CreateContext",
        "sagemaker:CreateDataQualityJobDefinition",
        "sagemaker:CreateDeviceFleet",
        "sagemaker:CreateDomain",
        "sagemaker:CreateEdgePackagingJob",
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:CreateExperiment",
        "sagemaker:CreateFeatureGroup",
        "sagemaker:CreateFlowDefinition",
        "sagemaker:CreateHumanTaskUi",
        "sagemaker:CreateHyperParameterTuningJob",
        "sagemaker:CreateImage",
        "sagemaker:CreateImageVersion",
        "sagemaker:CreateInferenceRecommendationsJob",
        "sagemaker:CreateLabelingJob",
        "sagemaker:CreateLineageGroupPolicy",
        "sagemaker:CreateModel",
        "sagemaker:CreateModelBiasJobDefinition",
        "sagemaker:CreateModelExplainabilityJobDefinition",
        "sagemaker:CreateModelPackage",
        "sagemaker:CreateModelPackageGroup",
        "sagemaker:CreateModelQualityJobDefinition",
        "sagemaker:CreateMonitoringSchedule",
        "sagemaker:CreateNotebookInstance",
        "sagemaker:CreateNotebookInstanceLifecycleConfig",
        "sagemaker:CreatePipeline",
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:CreatePresignedNotebookInstanceUrl",
        "sagemaker:CreateProcessingJob",
        "sagemaker:CreateProject",
        "sagemaker:CreateTrainingJob",
        "sagemaker:CreateTransformJob",
        "sagemaker:CreateTrial",
        "sagemaker:CreateTrialComponent",
        "sagemaker:CreateUserProfile",
        "sagemaker:CreateWorkforce",
        "sagemaker:CreateWorkteam",
        "sagemaker:DeleteAction",
        "sagemaker:DeleteAlgorithm",
        "sagemaker:DeleteApp",
        "sagemaker:DeleteAppImageConfig",
        "sagemaker:DeleteArtifact",
        "sagemaker:DeleteAssociation",
        "sagemaker:DeleteCodeRepository",
        "sagemaker:DeleteContext",
        "sagemaker:DeleteDataQualityJobDefinition",
        "sagemaker:DeleteDeviceFleet",
        "sagemaker:DeleteDomain",
        "sagemaker:DeleteEndpoint",
        "sagemaker:DeleteEndpointConfig",
        "sagemaker:DeleteExperiment",
        "sagemaker:DeleteFeatureGroup",
        "sagemaker:DeleteFlowDefinition",
        "sagemaker:DeleteHumanLoop",
        "sagemaker:DeleteHumanTaskUi",
        "sagemaker:DeleteImage",
        "sagemaker:DeleteImageVersion",
        "sagemaker:DeleteLineageGroupPolicy",
        "sagemaker:DeleteModel",
        "sagemaker:DeleteModelBiasJobDefinition",
        "sagemaker:DeleteModelExplainabilityJobDefinition",
        "sagemaker:DeleteModelPackage",
        "sagemaker:DeleteModelPackageGroup",
        "sagemaker:DeleteModelPackageGroupPolicy",
        "sagemaker:DeleteModelQualityJobDefinition",
        "sagemaker:DeleteMonitoringSchedule",
        "sagemaker:DeleteNotebookInstance",
        "sagemaker:DeleteNotebookInstanceLifecycleConfig",
        "sagemaker:DeletePipeline",
        "sagemaker:DeleteProject",
        "sagemaker:DeleteRecord",
        "sagemaker:DeleteTags",
        "sagemaker:DeleteTrial",
        "sagemaker:DeleteTrialComponent",
        "sagemaker:DeleteUserProfile",
        "sagemaker:DeleteWorkforce",
        "sagemaker:DeleteWorkteam",
        "sagemaker:DeregisterDevices",
        "sagemaker:DescribeAction",
        "sagemaker:DescribeAlgorithm",
        "sagemaker:DescribeApp",
        "sagemaker:DescribeAppImageConfig",
        "sagemaker:DescribeArtifact",
        "sagemaker:DescribeAutoMLJob",
        "sagemaker:DescribeCodeRepository",
        "sagemaker:DescribeCompilationJob",
        "sagemaker:DescribeContext",
        "sagemaker:DescribeDataQualityJobDefinition",
        "sagemaker:DescribeDevice",
        "sagemaker:DescribeDeviceFleet",
        "sagemaker:DescribeDomain",
        "sagemaker:DescribeEdgePackagingJob",
        "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:DescribeExperiment",
        "sagemaker:DescribeFeatureGroup",
        "sagemaker:DescribeFlowDefinition",
        "sagemaker:DescribeHumanLoop",
        "sagemaker:DescribeHumanTaskUi",
        "sagemaker:DescribeHyperParameterTuningJob",
        "sagemaker:DescribeImage",
        "sagemaker:DescribeImageVersion",
        "sagemaker:DescribeInferenceRecommendationsJob",
        "sagemaker:DescribeLabelingJob",
        "sagemaker:DescribeLineageGroup",
        "sagemaker:DescribeModel",
        "sagemaker:DescribeModelBiasJobDefinition",
        "sagemaker:DescribeModelExplainabilityJobDefinition",
        "sagemaker:DescribeModelPackage",
        "sagemaker:DescribeModelPackageGroup",
        "sagemaker:DescribeModelQualityJobDefinition",
        "sagemaker:DescribeMonitoringSchedule",
        "sagemaker:DescribeNotebookInstance",
        "sagemaker:DescribeNotebookInstanceLifecycleConfig",
        "sagemaker:DescribePipeline",
        "sagemaker:DescribePipelineDefinitionForExecution",
        "sagemaker:DescribePipelineExecution",
        "sagemaker:DescribeProcessingJob",
        "sagemaker:DescribeProject",
        "sagemaker:DescribeSubscribedWorkteam",
        "sagemaker:DescribeTrainingJob",
        "sagemaker:DescribeTransformJob",
        "sagemaker:DescribeTrial",
        "sagemaker:DescribeTrialComponent",
        "sagemaker:DescribeUserProfile",
        "sagemaker:DescribeWorkforce",
        "sagemaker:DescribeWorkteam",
        "sagemaker:DisableSagemakerServicecatalogPortfolio",
        "sagemaker:DisassociateTrialComponent",
        "sagemaker:EnableSagemakerServicecatalogPortfolio",
        "sagemaker:GetDeviceFleetReport",
        "sagemaker:GetDeviceRegistration",
        "sagemaker:GetLineageGroupPolicy",
        "sagemaker:GetModelPackageGroupPolicy",
        "sagemaker:GetRecord",
        "sagemaker:GetSagemakerServicecatalogPortfolioStatus",
        "sagemaker:GetSearchSuggestions",
        "sagemaker:InvokeEndpoint",
        "sagemaker:InvokeEndpointAsync",
        "sagemaker:ListActions",
        "sagemaker:ListAlgorithms",
        "sagemaker:ListAppImageConfigs",
        "sagemaker:ListApps",
        "sagemaker:ListArtifacts",
        "sagemaker:ListAssociations",
        "sagemaker:ListAutoMLJobs",
        "sagemaker:ListCandidatesForAutoMLJob",
        "sagemaker:ListCodeRepositories",
        "sagemaker:ListCompilationJobs",
        "sagemaker:ListContexts",
        "sagemaker:ListDataQualityJobDefinitions",
        "sagemaker:ListDeviceFleets",
        "sagemaker:ListDevices",
        "sagemaker:ListDomains",
        "sagemaker:ListEdgePackagingJobs",
        "sagemaker:ListEndpointConfigs",
        "sagemaker:ListEndpoints",
        "sagemaker:ListExperiments",
        "sagemaker:ListFeatureGroups",
        "sagemaker:ListFlowDefinitions",
        "sagemaker:ListHumanLoops",
        "sagemaker:ListHumanTaskUis",
        "sagemaker:ListHyperParameterTuningJobs",
        "sagemaker:ListImageVersions",
        "sagemaker:ListImages",
        "sagemaker:ListInferenceRecommendationsJobs",
        "sagemaker:ListLabelingJobs",
        "sagemaker:ListLabelingJobsForWorkteam",
        "sagemaker:ListLineageGroups",
        "sagemaker:ListModelBiasJobDefinitions",
        "sagemaker:ListModelExplainabilityJobDefinitions",
        "sagemaker:ListModelMetadata",
        "sagemaker:ListModelPackageGroups",
        "sagemaker:ListModelPackages",
        "sagemaker:ListModelQualityJobDefinitions",
        "sagemaker:ListModels",
        "sagemaker:ListMonitoringExecutions",
        "sagemaker:ListMonitoringSchedules",
        "sagemaker:ListNotebookInstanceLifecycleConfigs",
        "sagemaker:ListNotebookInstances",
        "sagemaker:ListPipelineExecutionSteps",
        "sagemaker:ListPipelineExecutions",
        "sagemaker:ListPipelineParametersForExecution",
        "sagemaker:ListPipelines",
        "sagemaker:ListProcessingJobs",
        "sagemaker:ListProjects",
        "sagemaker:ListSubscribedWorkteams",
        "sagemaker:ListTags",
        "sagemaker:ListTrainingJobs",
        "sagemaker:ListTrainingJobsForHyperParameterTuningJob",
        "sagemaker:ListTransformJobs",
        "sagemaker:ListTrialComponents",
        "sagemaker:ListTrials",
        "sagemaker:ListUserProfiles",
        "sagemaker:ListWorkforces",
        "sagemaker:ListWorkteams",
        "sagemaker:PutLineageGroupPolicy",
        "sagemaker:PutModelPackageGroupPolicy",
        "sagemaker:PutRecord",
        "sagemaker:QueryLineage",
        "sagemaker:RegisterDevices",
        "sagemaker:RenderUiTemplate",
        "sagemaker:Search",
        "sagemaker:SendHeartbeat",
        "sagemaker:SendPipelineExecutionStepFailure",
        "sagemaker:SendPipelineExecutionStepSuccess",
        "sagemaker:StartHumanLoop",
        "sagemaker:StartMonitoringSchedule",
        "sagemaker:StartNotebookInstance",
        "sagemaker:StartPipelineExecution",
        "sagemaker:StopAutoMLJob",
        "sagemaker:StopCompilationJob",
        "sagemaker:StopEdgePackagingJob",
        "sagemaker:StopHumanLoop",
        "sagemaker:StopHyperParameterTuningJob",
        "sagemaker:StopInferenceRecommendationsJob",
        "sagemaker:StopLabelingJob",
        "sagemaker:StopMonitoringSchedule",
        "sagemaker:StopNotebookInstance",
        "sagemaker:StopPipelineExecution",
        "sagemaker:StopProcessingJob",
        "sagemaker:StopTrainingJob",
        "sagemaker:StopTransformJob",
        "sagemaker:UpdateAction",
        "sagemaker:UpdateAppImageConfig",
        "sagemaker:UpdateArtifact",
        "sagemaker:UpdateCodeRepository",
        "sagemaker:UpdateContext",
        "sagemaker:UpdateDeviceFleet",
        "sagemaker:UpdateDevices",
        "sagemaker:UpdateDomain",
        "sagemaker:UpdateEndpoint",
        "sagemaker:UpdateEndpointWeightsAndCapacities",
        "sagemaker:UpdateExperiment",
        "sagemaker:UpdateImage",
        "sagemaker:UpdateModelPackage",
        "sagemaker:UpdateMonitoringSchedule",
        "sagemaker:UpdateNotebookInstance",
        "sagemaker:UpdateNotebookInstanceLifecycleConfig",
        "sagemaker:UpdatePipeline",
        "sagemaker:UpdatePipelineExecution",
        "sagemaker:UpdateProject",
        "sagemaker:UpdateTrainingJob",
        "sagemaker:UpdateTrial",
        "sagemaker:UpdateTrialComponent",
        "sagemaker:UpdateUserProfile",
        "sagemaker:UpdateWorkforce",
        "sagemaker:UpdateWorkteam"
      ],
      "NotResource": [
        "arn:aws:sagemaker:*:*:domain/*",
        "arn:aws:sagemaker:*:*:user-profile/*",
        "arn:aws:sagemaker:*:*:app/*",
        "arn:aws:sagemaker:*:*:flow-definition/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCodeBuildRole",
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsExecutionRole"
      ]
    }
  ]
}
```

------
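The conditions in these policies are easy to misread, so the following is an added example that works through them in code. It is not code from the Amazon documentation and not an Amazon tool: a minimal evaluator that implements only the IAM features these policies use (`Action`/`Resource`/`NotResource` wildcard matching, the `Null` operator, `StringEquals` with the `${aws:PrincipalAccount}` variable, `ForAnyValue:StringEquals` on the multi-valued `aws:TagKeys` key, and `iam:PassedToService`), run against the `lambda:InvokeFunction` statement of the partner API Gateway policy, the `iam:PassRole` and `lambda:CreateFunction` statements of the partner CloudFormation policy, and the `NotResource` statement of the CloudFormation policy above (its action list trimmed to two entries). Account IDs, the function name `sagemaker-demo-auth`, tag values, and the request contexts are all constructed for the example; which context keys a given service populates on a real request is not modelled.

```python
import re

# Statement copied from AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy.
PARTNER_APIGW_INVOKE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:*:*:function:sagemaker-*",
    "Condition": {
        "Null": {"aws:ResourceTag/sagemaker:project-name": "false",
                 "aws:ResourceTag/sagemaker:partner": "false"},
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}}]}

# Two statements copied from AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy.
PARTNER_CFN_EXCERPT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsLambdaRole"],
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    {"Effect": "Allow", "Action": ["lambda:CreateFunction", "lambda:TagResource"],
     "Resource": ["arn:aws:lambda:*:*:function:sagemaker-*"],
     "Condition": {
         "Null": {"aws:ResourceTag/sagemaker:project-name": "false",
                  "aws:ResourceTag/sagemaker:partner": "false"},
         "ForAnyValue:StringEquals": {"aws:TagKeys": ["sagemaker:project-name", "sagemaker:partner"]}}}]}

# NotResource statement of AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy,
# action list trimmed to two entries for this example.
CFN_NOTRESOURCE_EXCERPT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["sagemaker:CreateDomain", "sagemaker:CreatePipeline"],
    "NotResource": ["arn:aws:sagemaker:*:*:domain/*", "arn:aws:sagemaker:*:*:user-profile/*",
                    "arn:aws:sagemaker:*:*:app/*", "arn:aws:sagemaker:*:*:flow-definition/*"]}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob(pattern, value):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_ok(condition, ctx):
    """Evaluate only the operators used on this page; anything else fails loudly."""
    for operator, pairs in condition.items():
        set_op, _, op = operator.rpartition(":")  # "ForAnyValue:StringEquals" -> ("ForAnyValue", "StringEquals")
        for key, expected in pairs.items():
            expected = [str(e).replace("${aws:PrincipalAccount}", ctx.get("aws:PrincipalAccount", ""))
                        for e in _as_list(expected)]
            actual = ctx.get(key)
            if op == "Null":
                # Null "false" means the key must be present in the request context; "true" means absent.
                if (actual is None) != (expected[0].lower() == "true"):
                    return False
            elif op == "StringEquals":
                values = [] if actual is None else [str(a) for a in _as_list(actual)]
                if set_op == "ForAnyValue":
                    ok = any(v in expected for v in values)
                elif set_op == "ForAllValues":
                    ok = all(v in expected for v in values)
                else:  # single-valued key: exactly one value, and it must match
                    ok = len(values) == 1 and values[0] in expected
                if not ok:
                    return False
            else:
                raise ValueError(f"operator {operator} is not supported by this example")
    return True


def _matches(stmt, action, resource, ctx):
    if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
        return False
    if "Resource" in stmt and not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    if "NotResource" in stmt and any(_glob(r, resource) for r in _as_list(stmt["NotResource"])):
        return False
    return _condition_ok(stmt.get("Condition", {}), ctx)


def evaluate(policy, action, resource, ctx):
    """Decision from one identity-based policy alone: explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def run_cases():
    """Constructed requests against the three excerpts; returns {case name: decision}."""
    acct, other = "111122223333", "999988887777"  # constructed account IDs
    fn = f"arn:aws:lambda:us-east-1:{acct}:function:sagemaker-demo-auth"
    role = f"arn:aws:iam::{acct}:role/service-role/AmazonSageMakerServiceCatalogProductsLambdaRole"
    tagged = {"aws:ResourceTag/sagemaker:project-name": "demo", "aws:ResourceTag/sagemaker:partner": "acme"}
    same = {"aws:ResourceAccount": acct, "aws:PrincipalAccount": acct}
    return {
        "invoke: tagged, same account": evaluate(PARTNER_APIGW_INVOKE, "lambda:InvokeFunction", fn, {**tagged, **same}),
        "invoke: partner tag missing": evaluate(PARTNER_APIGW_INVOKE, "lambda:InvokeFunction", fn,
                                                {"aws:ResourceTag/sagemaker:project-name": "demo", **same}),
        "invoke: function in another account": evaluate(PARTNER_APIGW_INVOKE, "lambda:InvokeFunction",
                                                        fn.replace(acct, other), {**tagged, "aws:ResourceAccount": other,
                                                                                  "aws:PrincipalAccount": acct}),
        "invoke: name not sagemaker-*": evaluate(PARTNER_APIGW_INVOKE, "lambda:InvokeFunction",
                                                 f"arn:aws:lambda:us-east-1:{acct}:function:orders-api", {**tagged, **same}),
        "passrole: to lambda": evaluate(PARTNER_CFN_EXCERPT, "iam:PassRole", role, {"iam:PassedToService": "lambda.amazonaws.com"}),
        "passrole: to ec2": evaluate(PARTNER_CFN_EXCERPT, "iam:PassRole", role, {"iam:PassedToService": "ec2.amazonaws.com"}),
        "create: project tags present": evaluate(PARTNER_CFN_EXCERPT, "lambda:CreateFunction", fn,
                                                 {**tagged, "aws:TagKeys": ["sagemaker:project-name", "sagemaker:partner"]}),
        "create: unrelated tag only": evaluate(PARTNER_CFN_EXCERPT, "lambda:CreateFunction", fn, {"aws:TagKeys": ["env"]}),
        "notresource: pipeline": evaluate(CFN_NOTRESOURCE_EXCERPT, "sagemaker:CreatePipeline",
                                          f"arn:aws:sagemaker:us-east-1:{acct}:pipeline/demo", {}),
        "notresource: domain": evaluate(CFN_NOTRESOURCE_EXCERPT, "sagemaker:CreateDomain",
                                        f"arn:aws:sagemaker:us-east-1:{acct}:domain/d-example", {}),
    }


if __name__ == "__main__":
    for case, decision in run_cases().items():
        print(f"{decision:13} {case}")
```

The cases show the three ways a request falls to implicit deny under these policies: a missing tag key fails the `Null` check, a resource in another account fails the `${aws:PrincipalAccount}` comparison, and a domain ARN is excluded by `NotResource` even though `sagemaker:CreateDomain` is listed. Real IAM evaluation also consults SCPs, permission boundaries, session policies, and resource-based policies, none of which this evaluator models; for an authoritative answer on a live account, use `aws iam simulate-custom-policy` with the same action, resource, and context entries.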

## Amazon managed policy: AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy"></a>

This policy is used by Amazon CodeBuild in Amazon Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.amazonaws.cn/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to Amazon resources created by CodeBuild that require a role.

**Permissions details**

This policy includes the following permissions.
+ `sagemaker` - Allows access to various SageMaker AI resources.
+ `codecommit` - Upload CodeCommit archives to the CodeBuild pipeline, get upload status, and cancel uploads; get branch and commit information. These permissions are limited to resources whose names begin with "sagemaker-".
+ `ecr` - Create Amazon ECR repositories and container images; upload image layers. These permissions are limited to repositories whose names begin with "sagemaker-".

  `ecr` - Read all resources.
+ `iam` - Pass the following roles:
  + `AmazonSageMakerServiceCatalogProductsCloudformationRole` to Amazon CloudFormation.
  + `AmazonSageMakerServiceCatalogProductsCodeBuildRole` to Amazon CodeBuild.
  + `AmazonSageMakerServiceCatalogProductsCodePipelineRole` to Amazon CodePipeline.
  + `AmazonSageMakerServiceCatalogProductsEventsRole` to Amazon EventBridge.
  + `AmazonSageMakerServiceCatalogProductsExecutionRole` to Amazon SageMaker AI.
+ `logs` - Create and read CloudWatch Logs log groups, log streams, and log events; update log deliveries; describe various resources.
+ `s3` - Create, read, and list Amazon S3 buckets. These permissions are limited to buckets whose names begin with "sagemaker-".
+ `codeconnections`, `codestar-connections` - Use Amazon CodeConnections and AWS CodeStar connections.

To view the permissions for this policy, see [AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy.html) in the Amazon Managed Policy Reference.

## Amazon managed policy: AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy"></a>

This policy is used by Amazon CodePipeline in Amazon Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.amazonaws.cn/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to Amazon resources created by CodePipeline that require a role.

**Permissions details**

This policy includes the following permissions.
+ `cloudformation` - Create, read, delete, and update CloudFormation stacks; create, read, delete, and execute change sets; set stack policies; tag and untag resources. These permissions are limited to resources whose names begin with "sagemaker-".
+ `s3` - Create, read, list, and delete Amazon S3 buckets; add, read, and delete objects in buckets; read and set CORS configuration; read access control lists (ACLs); and read the Amazon Region a bucket is in.
+ `iam` - Pass the `AmazonSageMakerServiceCatalogProductsCloudformationRole` role.
+ `codebuild` - Get CodeBuild build information and start builds. These permissions are limited to project and build resources whose names begin with "sagemaker-".
+ `codecommit` - Upload CodeCommit archives to the CodeBuild pipeline, get upload status, and cancel uploads; get branch and commit information.
+ `codeconnections`, `codestar-connections` - Use Amazon CodeConnections and AWS CodeStar connections.

To view the permissions for this policy, see [AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy.html) in the Amazon Managed Policy Reference.

## Amazon managed policy: AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy"></a>

This policy is used by Amazon EventBridge in Amazon Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.amazonaws.cn/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to Amazon resources created by EventBridge that require a role.

**Permissions details**

This policy includes the following permissions.
+ `codepipeline` - Start CodePipeline pipeline executions. This permission is limited to pipelines whose names begin with "sagemaker-".

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codepipeline:StartPipelineExecution",
      "Resource": "arn:aws:codepipeline:*:*:sagemaker-*"
    }
  ]
}
```

------

## Amazon managed policy: AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy"></a>

This policy is used by Amazon Data Firehose in Amazon Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.amazonaws.cn/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to Amazon resources created by Firehose that require a role.

**Permissions details**

This policy includes the following permissions.
+ `firehose` - Put Firehose records, singly or in batches. These permissions are limited to delivery streams whose names begin with "sagemaker-".

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "firehose:PutRecord",
        "firehose:PutRecordBatch"
      ],
      "Resource": "arn:aws:firehose:*:*:deliverystream/sagemaker-*"
    }
  ]
}
```

------

## Amazon managed policy: AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy"></a>

This policy is used by Amazon Glue in Amazon Service Catalog provisioned products in the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.amazonaws.cn/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to Amazon resources created by Glue that require a role.

**Permissions details**

This policy includes the following permissions.
+ `glue` - Create, read, and delete Amazon Glue partitions, tables, and table versions. These permissions are limited to resources whose names begin with "sagemaker-". Create and read Amazon Glue databases. These permissions are limited to databases named "default" or "global_temp", or whose names begin with "sagemaker-". Get user-defined functions.
+ `s3` - Create, read, list, and delete Amazon S3 buckets; add, read, and delete objects in buckets; read and set CORS configuration; read access control lists (ACLs); and read the Amazon Region a bucket is in. These permissions are limited to buckets whose names begin with "aws-glue-" or "sagemaker-". Note that the `sagemaker-*` pattern matches every bucket in the account with that prefix, not only buckets created by the product, and the grant includes `s3:DeleteBucket`.
+ `logs` - Create, read, and delete CloudWatch Logs log groups, streams, and deliveries; and put resource policies. These permissions are limited to log groups under `/aws/glue/`.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:BatchCreatePartition",
        "glue:BatchDeletePartition",
        "glue:BatchDeleteTable",
        "glue:BatchDeleteTableVersion",
        "glue:BatchGetPartition",
        "glue:CreateDatabase",
        "glue:CreatePartition",
        "glue:CreateTable",
        "glue:DeletePartition",
        "glue:DeleteTable",
        "glue:DeleteTableVersion",
        "glue:GetDatabase",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetTableVersion",
        "glue:GetTableVersions",
        "glue:SearchTables",
        "glue:UpdatePartition",
        "glue:UpdateTable",
        "glue:GetUserDefinedFunctions"
      ],
      "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/default",
        "arn:aws:glue:*:*:database/global_temp",
        "arn:aws:glue:*:*:database/sagemaker-*",
        "arn:aws:glue:*:*:table/sagemaker-*",
        "arn:aws:glue:*:*:tableVersion/sagemaker-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:GetBucketAcl",
        "s3:GetBucketCors",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:PutBucketCors"
      ],
      "Resource": [
        "arn:aws:s3:::aws-glue-*",
        "arn:aws:s3:::sagemaker-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-glue-*",
        "arn:aws:s3:::sagemaker-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:Describe*",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/glue/*"
    }
  ]
}
```

------

## Amazon managed policy: AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy"></a>

This policy is used by Amazon Lambda in Amazon Service Catalog provisioned products within the Amazon SageMaker AI portfolio. The policy is intended to be attached to an IAM role that [AmazonSageMakerServiceCatalogProductsLaunchRole](https://console.amazonaws.cn/iam/home?#/roles/AmazonSageMakerServiceCatalogProductsLaunchRole) passes to Amazon resources created by Lambda that require a role.

**Permissions details**

This policy includes the following permissions.
+ `sagemaker` - Allows access to various SageMaker AI resources.
+ `ecr` - Create and delete Amazon ECR repositories; create, read, and delete container images; upload image layers. These permissions are limited to repositories whose names begin with "sagemaker-".
+ `events` - Create, read, and delete Amazon EventBridge rules; and create and delete targets. These permissions are limited to rules whose names begin with "sagemaker-".
+ `s3` - Create, read, list, and delete Amazon S3 buckets; add, read, and delete objects in buckets; read and set CORS configuration; read access control lists (ACLs); and read the Amazon Region in which a bucket resides.
+ `iam` - Pass the `AmazonSageMakerServiceCatalogProductsExecutionRole` role.
+ `logs` - Create, read, and delete CloudWatch log groups, streams, and deliveries; and create resource policies.
+ `codebuild` - Start, and get information about, Amazon CodeBuild builds.
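
The Glue and Lambda permission summaries above both describe policies that scope most resources by a "sagemaker-" (or "aws-glue-") name prefix, but not all of them. The following added example (not AWS code) is a small audit that reads a policy document and reports, per statement, wildcard actions such as `logs:Describe*` and resource ARNs that are not restricted by one of those prefixes, noting whether a `Condition` narrows them instead. The embedded sample policy is constructed and abbreviated from the two policies above; the `as_list`, `classify_resource`, `audit_policy` and `findings` names are this example's own.

```python
"""Audit an IAM policy document for least-privilege scoping (added example, not AWS code)."""
import json
import re
from dataclasses import dataclass

# Name prefixes the SageMaker project policies above are documented to scope to.
SCOPED_PREFIXES = ("sagemaker-", "aws-glue-")

# Constructed, abbreviated policy modelled on the Glue and Lambda policies above.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "GlueCatalog", "Effect": "Allow", "Action": ["glue:CreateTable", "glue:GetDatabase"],
     "Resource": ["arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/default",
                  "arn:aws:glue:*:*:table/sagemaker-*"]},
    {"Sid": "GlueLogs", "Effect": "Allow", "Action": ["logs:Describe*", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:*:*:log-group:/aws/glue/*"},
    {"Sid": "LambdaSageMaker", "Effect": "Allow",
     "Action": ["sagemaker:CreateEndpoint", "sagemaker:DeleteDomain"],
     "Resource": ["arn:aws:sagemaker:*:*:endpoint/*", "arn:aws:sagemaker:*:*:image-version/*/*"]},
    {"Sid": "LambdaCodeBuild", "Effect": "Allow", "Action": ["codebuild:StartBuild"],
     "Resource": "arn:aws:codebuild:*:*:project/sagemaker-*",
     "Condition": {"StringLike": {"aws:ResourceTag/sagemaker:project-name": "*"}}},
]})


def as_list(value) -> list:
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def classify_resource(arn: str) -> str:
    """Classify one resource ARN as 'prefix-scoped', 'path-scoped' or 'wildcard'."""
    if arn == "*":
        return "wildcard"
    resource = arn.split(":", 5)[5]  # everything after the fifth colon
    if any(prefix in resource for prefix in SCOPED_PREFIXES):
        return "prefix-scoped"
    # "type/*" or "type/*/*": the resource name itself is unrestricted
    parts = re.split(r"[/:]", resource, maxsplit=1)
    if len(parts) == 2 and set(parts[1]) <= {"*", "/"}:
        return "wildcard"
    return "path-scoped"  # a literal name (database/default) or a fixed path


@dataclass
class StatementReport:
    sid: str
    wildcard_actions: list
    resources: dict  # classification -> list of ARNs
    has_condition: bool


def audit_policy(document: str) -> list:
    """Produce one StatementReport per Allow statement in the policy document."""
    reports = []
    for idx, stmt in enumerate(json.loads(document)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        by_class = {"prefix-scoped": [], "path-scoped": [], "wildcard": []}
        for arn in as_list(stmt.get("Resource", [])):
            by_class[classify_resource(arn)].append(arn)
        reports.append(StatementReport(
            sid=stmt.get("Sid", f"statement-{idx}"),
            wildcard_actions=[a for a in as_list(stmt.get("Action", [])) if "*" in a],
            resources=by_class,
            has_condition="Condition" in stmt,
        ))
    return reports


def findings(reports: list) -> list:
    """Flag wildcard actions, and unrestricted resources not narrowed by a Condition."""
    out = []
    for r in reports:
        if r.wildcard_actions:
            out.append(f"{r.sid}: wildcard actions {r.wildcard_actions}")
        if r.resources["wildcard"] and not r.has_condition:
            out.append(f"{r.sid}: {len(r.resources['wildcard'])} resource ARN(s) "
                       "unrestricted by name prefix or condition")
    return out
```

Run against the full policy JSON from either section (for example `findings(audit_policy(open("policy.json").read()))`) to see which statements rely on a name prefix, which on a fixed path, and which on a tag condition alone.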

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid" : "AmazonSageMakerLambdaECRPermission",
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeImages",
        "ecr:BatchDeleteImage",
        "ecr:CompleteLayerUpload",
        "ecr:CreateRepository",
        "ecr:DeleteRepository",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ],
      "Resource": [
        "arn:aws:ecr:*:*:repository/sagemaker-*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaEventBridgePermission",
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:DescribeRule",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets"
      ],
      "Resource": [
        "arn:aws:events:*:*:rule/sagemaker-*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaS3BucketPermission",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:GetBucketAcl",
        "s3:GetBucketCors",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:PutBucketCors"
      ],
      "Resource": [
        "arn:aws:s3:::aws-glue-*",
        "arn:aws:s3:::sagemaker-*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaS3ObjectPermission",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-glue-*",
        "arn:aws:s3:::sagemaker-*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaSageMakerPermission",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddAssociation",
        "sagemaker:AddTags",
        "sagemaker:AssociateTrialComponent",
        "sagemaker:BatchDescribeModelPackage",
        "sagemaker:BatchGetMetrics",
        "sagemaker:BatchGetRecord",
        "sagemaker:BatchPutMetrics",
        "sagemaker:CreateAction",
        "sagemaker:CreateAlgorithm",
        "sagemaker:CreateApp",
        "sagemaker:CreateAppImageConfig",
        "sagemaker:CreateArtifact",
        "sagemaker:CreateAutoMLJob",
        "sagemaker:CreateCodeRepository",
        "sagemaker:CreateCompilationJob",
        "sagemaker:CreateContext",
        "sagemaker:CreateDataQualityJobDefinition",
        "sagemaker:CreateDeviceFleet",
        "sagemaker:CreateDomain",
        "sagemaker:CreateEdgePackagingJob",
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:CreateExperiment",
        "sagemaker:CreateFeatureGroup",
        "sagemaker:CreateFlowDefinition",
        "sagemaker:CreateHumanTaskUi",
        "sagemaker:CreateHyperParameterTuningJob",
        "sagemaker:CreateImage",
        "sagemaker:CreateImageVersion",
        "sagemaker:CreateInferenceRecommendationsJob",
        "sagemaker:CreateLabelingJob",
        "sagemaker:CreateLineageGroupPolicy",
        "sagemaker:CreateModel",
        "sagemaker:CreateModelBiasJobDefinition",
        "sagemaker:CreateModelExplainabilityJobDefinition",
        "sagemaker:CreateModelPackage",
        "sagemaker:CreateModelPackageGroup",
        "sagemaker:CreateModelQualityJobDefinition",
        "sagemaker:CreateMonitoringSchedule",
        "sagemaker:CreateNotebookInstance",
        "sagemaker:CreateNotebookInstanceLifecycleConfig",
        "sagemaker:CreatePipeline",
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:CreatePresignedNotebookInstanceUrl",
        "sagemaker:CreateProcessingJob",
        "sagemaker:CreateProject",
        "sagemaker:CreateTrainingJob",
        "sagemaker:CreateTransformJob",
        "sagemaker:CreateTrial",
        "sagemaker:CreateTrialComponent",
        "sagemaker:CreateUserProfile",
        "sagemaker:CreateWorkforce",
        "sagemaker:CreateWorkteam",
        "sagemaker:DeleteAction",
        "sagemaker:DeleteAlgorithm",
        "sagemaker:DeleteApp",
        "sagemaker:DeleteAppImageConfig",
        "sagemaker:DeleteArtifact",
        "sagemaker:DeleteAssociation",
        "sagemaker:DeleteCodeRepository",
        "sagemaker:DeleteContext",
        "sagemaker:DeleteDataQualityJobDefinition",
        "sagemaker:DeleteDeviceFleet",
        "sagemaker:DeleteDomain",
        "sagemaker:DeleteEndpoint",
        "sagemaker:DeleteEndpointConfig",
        "sagemaker:DeleteExperiment",
        "sagemaker:DeleteFeatureGroup",
        "sagemaker:DeleteFlowDefinition",
        "sagemaker:DeleteHumanLoop",
        "sagemaker:DeleteHumanTaskUi",
        "sagemaker:DeleteImage",
        "sagemaker:DeleteImageVersion",
        "sagemaker:DeleteLineageGroupPolicy",
        "sagemaker:DeleteModel",
        "sagemaker:DeleteModelBiasJobDefinition",
        "sagemaker:DeleteModelExplainabilityJobDefinition",
        "sagemaker:DeleteModelPackage",
        "sagemaker:DeleteModelPackageGroup",
        "sagemaker:DeleteModelPackageGroupPolicy",
        "sagemaker:DeleteModelQualityJobDefinition",
        "sagemaker:DeleteMonitoringSchedule",
        "sagemaker:DeleteNotebookInstance",
        "sagemaker:DeleteNotebookInstanceLifecycleConfig",
        "sagemaker:DeletePipeline",
        "sagemaker:DeleteProject",
        "sagemaker:DeleteRecord",
        "sagemaker:DeleteTags",
        "sagemaker:DeleteTrial",
        "sagemaker:DeleteTrialComponent",
        "sagemaker:DeleteUserProfile",
        "sagemaker:DeleteWorkforce",
        "sagemaker:DeleteWorkteam",
        "sagemaker:DeregisterDevices",
        "sagemaker:DescribeAction",
        "sagemaker:DescribeAlgorithm",
        "sagemaker:DescribeApp",
        "sagemaker:DescribeAppImageConfig",
        "sagemaker:DescribeArtifact",
        "sagemaker:DescribeAutoMLJob",
        "sagemaker:DescribeCodeRepository",
        "sagemaker:DescribeCompilationJob",
        "sagemaker:DescribeContext",
        "sagemaker:DescribeDataQualityJobDefinition",
        "sagemaker:DescribeDevice",
        "sagemaker:DescribeDeviceFleet",
        "sagemaker:DescribeDomain",
        "sagemaker:DescribeEdgePackagingJob",
        "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:DescribeExperiment",
        "sagemaker:DescribeFeatureGroup",
        "sagemaker:DescribeFlowDefinition",
        "sagemaker:DescribeHumanLoop",
        "sagemaker:DescribeHumanTaskUi",
        "sagemaker:DescribeHyperParameterTuningJob",
        "sagemaker:DescribeImage",
        "sagemaker:DescribeImageVersion",
        "sagemaker:DescribeInferenceRecommendationsJob",
        "sagemaker:DescribeLabelingJob",
        "sagemaker:DescribeLineageGroup",
        "sagemaker:DescribeModel",
        "sagemaker:DescribeModelBiasJobDefinition",
        "sagemaker:DescribeModelExplainabilityJobDefinition",
        "sagemaker:DescribeModelPackage",
        "sagemaker:DescribeModelPackageGroup",
        "sagemaker:DescribeModelQualityJobDefinition",
        "sagemaker:DescribeMonitoringSchedule",
        "sagemaker:DescribeNotebookInstance",
        "sagemaker:DescribeNotebookInstanceLifecycleConfig",
        "sagemaker:DescribePipeline",
        "sagemaker:DescribePipelineDefinitionForExecution",
        "sagemaker:DescribePipelineExecution",
        "sagemaker:DescribeProcessingJob",
        "sagemaker:DescribeProject",
        "sagemaker:DescribeSubscribedWorkteam",
        "sagemaker:DescribeTrainingJob",
        "sagemaker:DescribeTransformJob",
        "sagemaker:DescribeTrial",
        "sagemaker:DescribeTrialComponent",
        "sagemaker:DescribeUserProfile",
        "sagemaker:DescribeWorkforce",
        "sagemaker:DescribeWorkteam",
        "sagemaker:DisableSagemakerServicecatalogPortfolio",
        "sagemaker:DisassociateTrialComponent",
        "sagemaker:EnableSagemakerServicecatalogPortfolio",
        "sagemaker:GetDeviceFleetReport",
        "sagemaker:GetDeviceRegistration",
        "sagemaker:GetLineageGroupPolicy",
        "sagemaker:GetModelPackageGroupPolicy",
        "sagemaker:GetRecord",
        "sagemaker:GetSagemakerServicecatalogPortfolioStatus",
        "sagemaker:GetSearchSuggestions",
        "sagemaker:InvokeEndpoint",
        "sagemaker:InvokeEndpointAsync",
        "sagemaker:ListActions",
        "sagemaker:ListAlgorithms",
        "sagemaker:ListAppImageConfigs",
        "sagemaker:ListApps",
        "sagemaker:ListArtifacts",
        "sagemaker:ListAssociations",
        "sagemaker:ListAutoMLJobs",
        "sagemaker:ListCandidatesForAutoMLJob",
        "sagemaker:ListCodeRepositories",
        "sagemaker:ListCompilationJobs",
        "sagemaker:ListContexts",
        "sagemaker:ListDataQualityJobDefinitions",
        "sagemaker:ListDeviceFleets",
        "sagemaker:ListDevices",
        "sagemaker:ListDomains",
        "sagemaker:ListEdgePackagingJobs",
        "sagemaker:ListEndpointConfigs",
        "sagemaker:ListEndpoints",
        "sagemaker:ListExperiments",
        "sagemaker:ListFeatureGroups",
        "sagemaker:ListFlowDefinitions",
        "sagemaker:ListHumanLoops",
        "sagemaker:ListHumanTaskUis",
        "sagemaker:ListHyperParameterTuningJobs",
        "sagemaker:ListImageVersions",
        "sagemaker:ListImages",
        "sagemaker:ListInferenceRecommendationsJobs",
        "sagemaker:ListLabelingJobs",
        "sagemaker:ListLabelingJobsForWorkteam",
        "sagemaker:ListLineageGroups",
        "sagemaker:ListModelBiasJobDefinitions",
        "sagemaker:ListModelExplainabilityJobDefinitions",
        "sagemaker:ListModelMetadata",
        "sagemaker:ListModelPackageGroups",
        "sagemaker:ListModelPackages",
        "sagemaker:ListModelQualityJobDefinitions",
        "sagemaker:ListModels",
        "sagemaker:ListMonitoringExecutions",
        "sagemaker:ListMonitoringSchedules",
        "sagemaker:ListNotebookInstanceLifecycleConfigs",
        "sagemaker:ListNotebookInstances",
        "sagemaker:ListPipelineExecutionSteps",
        "sagemaker:ListPipelineExecutions",
        "sagemaker:ListPipelineParametersForExecution",
        "sagemaker:ListPipelines",
        "sagemaker:ListProcessingJobs",
        "sagemaker:ListProjects",
        "sagemaker:ListSubscribedWorkteams",
        "sagemaker:ListTags",
        "sagemaker:ListTrainingJobs",
        "sagemaker:ListTrainingJobsForHyperParameterTuningJob",
        "sagemaker:ListTransformJobs",
        "sagemaker:ListTrialComponents",
        "sagemaker:ListTrials",
        "sagemaker:ListUserProfiles",
        "sagemaker:ListWorkforces",
        "sagemaker:ListWorkteams",
        "sagemaker:PutLineageGroupPolicy",
        "sagemaker:PutModelPackageGroupPolicy",
        "sagemaker:PutRecord",
        "sagemaker:QueryLineage",
        "sagemaker:RegisterDevices",
        "sagemaker:RenderUiTemplate",
        "sagemaker:Search",
        "sagemaker:SendHeartbeat",
        "sagemaker:SendPipelineExecutionStepFailure",
        "sagemaker:SendPipelineExecutionStepSuccess",
        "sagemaker:StartHumanLoop",
        "sagemaker:StartMonitoringSchedule",
        "sagemaker:StartNotebookInstance",
        "sagemaker:StartPipelineExecution",
        "sagemaker:StopAutoMLJob",
        "sagemaker:StopCompilationJob",
        "sagemaker:StopEdgePackagingJob",
        "sagemaker:StopHumanLoop",
        "sagemaker:StopHyperParameterTuningJob",
        "sagemaker:StopInferenceRecommendationsJob",
        "sagemaker:StopLabelingJob",
        "sagemaker:StopMonitoringSchedule",
        "sagemaker:StopNotebookInstance",
        "sagemaker:StopPipelineExecution",
        "sagemaker:StopProcessingJob",
        "sagemaker:StopTrainingJob",
        "sagemaker:StopTransformJob",
        "sagemaker:UpdateAction",
        "sagemaker:UpdateAppImageConfig",
        "sagemaker:UpdateArtifact",
        "sagemaker:UpdateCodeRepository",
        "sagemaker:UpdateContext",
        "sagemaker:UpdateDeviceFleet",
        "sagemaker:UpdateDevices",
        "sagemaker:UpdateDomain",
        "sagemaker:UpdateEndpoint",
        "sagemaker:UpdateEndpointWeightsAndCapacities",
        "sagemaker:UpdateExperiment",
        "sagemaker:UpdateImage",
        "sagemaker:UpdateModelPackage",
        "sagemaker:UpdateMonitoringSchedule",
        "sagemaker:UpdateNotebookInstance",
        "sagemaker:UpdateNotebookInstanceLifecycleConfig",
        "sagemaker:UpdatePipeline",
        "sagemaker:UpdatePipelineExecution",
        "sagemaker:UpdateProject",
        "sagemaker:UpdateTrainingJob",
        "sagemaker:UpdateTrial",
        "sagemaker:UpdateTrialComponent",
        "sagemaker:UpdateUserProfile",
        "sagemaker:UpdateWorkforce",
        "sagemaker:UpdateWorkteam"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:action/*",
        "arn:aws:sagemaker:*:*:algorithm/*",
        "arn:aws:sagemaker:*:*:app-image-config/*",
        "arn:aws:sagemaker:*:*:artifact/*",
        "arn:aws:sagemaker:*:*:automl-job/*",
        "arn:aws:sagemaker:*:*:code-repository/*",
        "arn:aws:sagemaker:*:*:compilation-job/*",
        "arn:aws:sagemaker:*:*:context/*",
        "arn:aws:sagemaker:*:*:data-quality-job-definition/*",
        "arn:aws:sagemaker:*:*:device-fleet/*/device/*",
        "arn:aws:sagemaker:*:*:device-fleet/*",
        "arn:aws:sagemaker:*:*:edge-packaging-job/*",
        "arn:aws:sagemaker:*:*:endpoint/*",
        "arn:aws:sagemaker:*:*:endpoint-config/*",
        "arn:aws:sagemaker:*:*:experiment/*",
        "arn:aws:sagemaker:*:*:experiment-trial/*",
        "arn:aws:sagemaker:*:*:experiment-trial-component/*",
        "arn:aws:sagemaker:*:*:feature-group/*",
        "arn:aws:sagemaker:*:*:human-loop/*",
        "arn:aws:sagemaker:*:*:human-task-ui/*",
        "arn:aws:sagemaker:*:*:hyper-parameter-tuning-job/*",
        "arn:aws:sagemaker:*:*:image/*",
        "arn:aws:sagemaker:*:*:image-version/*/*",
        "arn:aws:sagemaker:*:*:inference-recommendations-job/*",
        "arn:aws:sagemaker:*:*:labeling-job/*",
        "arn:aws:sagemaker:*:*:model/*",
        "arn:aws:sagemaker:*:*:model-bias-job-definition/*",
        "arn:aws:sagemaker:*:*:model-explainability-job-definition/*",
        "arn:aws:sagemaker:*:*:model-package/*",
        "arn:aws:sagemaker:*:*:model-package-group/*",
        "arn:aws:sagemaker:*:*:model-quality-job-definition/*",
        "arn:aws:sagemaker:*:*:monitoring-schedule/*",
        "arn:aws:sagemaker:*:*:notebook-instance/*",
        "arn:aws:sagemaker:*:*:notebook-instance-lifecycle-config/*",
        "arn:aws:sagemaker:*:*:pipeline/*",
        "arn:aws:sagemaker:*:*:pipeline/*/execution/*",
        "arn:aws:sagemaker:*:*:processing-job/*",
        "arn:aws:sagemaker:*:*:project/*",
        "arn:aws:sagemaker:*:*:training-job/*",
        "arn:aws:sagemaker:*:*:transform-job/*",
        "arn:aws:sagemaker:*:*:workforce/*",
        "arn:aws:sagemaker:*:*:workteam/*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaPassRolePermission",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsExecutionRole"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaLogPermission",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:DescribeResourcePolicies",
        "logs:DescribeDestinations",
        "logs:DescribeExportTasks",
        "logs:DescribeMetricFilters",
        "logs:DescribeQueries",
        "logs:DescribeQueryDefinitions",
        "logs:DescribeSubscriptionFilters",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*"
    },
    {
      "Sid" : "AmazonSageMakerLambdaCodeBuildPermission",
      "Effect": "Allow",
      "Action": [
        "codebuild:StartBuild",
        "codebuild:BatchGetBuilds"
      ],
      "Resource": "arn:aws:codebuild:*:*:project/sagemaker-*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/sagemaker:project-name": "*"
        }
      }
    }
  ]
}
```

------

## Amazon SageMaker AI updates to Amazon Service Catalog Amazon managed policies
<a name="security-iam-awsmanpol-sc-updates"></a>

View details about updates to Amazon SageMaker AI Amazon managed policies since this service began tracking these changes.


| Policy | Version | Change | Date |
| --- | --- | --- | --- |
| [AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy) - Updated policy | 10 | Updated the `codestar-connections:PassConnection` and `codeconnections:PassConnection` permissions. | September 27, 2025 |
| [AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy) - Updated policy | 3 | Updated the `codestar-connections:UseConnection` and `codeconnections:UseConnection` permissions. | September 27, 2025 |
| [AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy) - Updated policy | 3 | Updated the `codestar-connections:UseConnection` and `codeconnections:UseConnection` permissions. | September 27, 2025 |
| [AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy) - Updated policy | 9 | Added the `cloudformation:TagResource`, `cloudformation:UntagResource`, and `codeconnections:PassConnection` permissions. | July 1, 2024 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 7 | Rolled the policy back to version 7 (v7). Removed the `cloudformation:TagResource`, `cloudformation:UntagResource`, and `codeconnections:PassConnection` permissions. | June 12, 2024 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 8 | Added the `cloudformation:TagResource`, `cloudformation:UntagResource`, and `codeconnections:PassConnection` permissions. | June 11, 2024 |
| [AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy) - Updated policy | 2 | Added the `codestar-connections:UseConnection` and `codeconnections:UseConnection` permissions. | June 11, 2024 |
| [AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy) - Updated policy | 2 | Added the `cloudformation:TagResource`, `cloudformation:UntagResource`, `codestar-connections:UseConnection`, and `codeconnections:UseConnection` permissions. | June 11, 2024 |
| [AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy) - Updated policy | 2 | Added the `codebuild:StartBuild` and `codebuild:BatchGetBuilds` permissions. | June 11, 2024 |
| [AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy) | 1 | Initial policy | August 1, 2023 |
| [AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy) | 1 | Initial policy | August 1, 2023 |
| [AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy) | 1 | Initial policy | August 1, 2023 |
| [AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy) - Updated policy | 2 | Added permission for `glue:GetUserDefinedFunctions`. | August 26, 2022 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 7 | Added permission for `sagemaker:AddTags`. | August 2, 2022 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 6 | Added permission for `lambda:TagResource`. | July 14, 2022 |
| AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy | 1 | Initial policy | April 4, 2022 |
| [AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy) | 1 | Initial policy | March 24, 2022 |
| [AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy) | 1 | Initial policy | March 24, 2022 |
| AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy | 1 | Initial policy | March 24, 2022 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 5 | Added permission for `ecr-idp:TagResource`. | March 21, 2022 |
| AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy | 1 | Initial policy | February 22, 2022 |
| [AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy) | 1 | Initial policy | February 22, 2022 |
| [AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy](#security-iam-awsmanpol-AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy) | 1 | Initial policy | February 22, 2022 |
| AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy | 1 | Initial policy | February 22, 2022 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 4 | Added permissions for `cognito-idp:TagResource` and `s3:PutBucketCORS`. | February 16, 2022 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 3 | Added new permissions for `sagemaker`: create, read, update, and delete SageMaker images. | September 15, 2021 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy - Updated policy | 2 | Added permissions for `sagemaker` and `codestar-connections`: create, read, update, and delete code repositories; pass AWS CodeStar connections to Amazon CodePipeline. | July 1, 2021 |
| AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy | 1 | Initial policy | November 27, 2020 |