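IAM policies for Amazon SageMaker
The following example templates show how Amazon Step Functions generates IAM policies based on the resources in your state machine definition. For more information, see IAM policies for integrated services and Service integration patterns.
Note
For these examples, [[roleArn]] refers to the Amazon Resource Name (ARN) of the IAM role that SageMaker uses to access model artifacts and docker images for deployment on ML compute instances, or for batch transform jobs. For more information, see Amazon SageMaker Roles.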
CreateTrainingJob
Static resources
- Run a Job (.sync)

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "sagemaker:CreateTrainingJob",
          "sagemaker:DescribeTrainingJob",
          "sagemaker:StopTrainingJob"
        ],
        "Resource": [
          "arn:aws:sagemaker:[[region]]:[[accountId]]:training-job/[[trainingJobName]]*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [ "sagemaker:ListTags" ],
        "Resource": [ "*" ]
      },
      {
        "Effect": "Allow",
        "Action": [ "iam:PassRole" ],
        "Resource": [ "[[roleArn]]" ],
        "Condition": {
          "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" }
        }
      },
      {
        "Effect": "Allow",
        "Action": [
          "events:PutTargets",
          "events:PutRule",
          "events:DescribeRule"
        ],
        "Resource": [
          "arn:aws:events:[[region]]:[[accountId]]:rule/StepFunctionsGetEventsForSageMakerTrainingJobsRule"
        ]
      }
    ]
  }

- Request Response and Callback (.waitForTaskToken)

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [ "sagemaker:CreateTrainingJob" ],
        "Resource": [
          "arn:aws:sagemaker:[[region]]:[[accountId]]:training-job/[[trainingJobName]]*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [ "sagemaker:ListTags" ],
        "Resource": [ "*" ]
      },
      {
        "Effect": "Allow",
        "Action": [ "iam:PassRole" ],
        "Resource": [ "[[roleArn]]" ],
        "Condition": {
          "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" }
        }
      }
    ]
  }

Dynamic resources
- .sync or .waitForTaskToken

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "sagemaker:CreateTrainingJob",
          "sagemaker:DescribeTrainingJob",
          "sagemaker:StopTrainingJob"
        ],
        "Resource": [
          "arn:aws:sagemaker:[[region]]:[[accountId]]:training-job/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [ "sagemaker:ListTags" ],
        "Resource": [ "*" ]
      },
      {
        "Effect": "Allow",
        "Action": [ "iam:PassRole" ],
        "Resource": [ "[[roleArn]]" ],
        "Condition": {
          "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" }
        }
      },
      {
        "Effect": "Allow",
        "Action": [
          "events:PutTargets",
          "events:PutRule",
          "events:DescribeRule"
        ],
        "Resource": [
          "arn:aws:events:[[region]]:[[accountId]]:rule/StepFunctionsGetEventsForSageMakerTrainingJobsRule"
        ]
      }
    ]
  }

- Request Response and Callback (.waitForTaskToken)

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [ "sagemaker:CreateTrainingJob" ],
        "Resource": [
          "arn:aws:sagemaker:[[region]]:[[accountId]]:training-job/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [ "sagemaker:ListTags" ],
        "Resource": [ "*" ]
      },
      {
        "Effect": "Allow",
        "Action": [ "iam:PassRole" ],
        "Resource": [ "[[roleArn]]" ],
        "Condition": {
          "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" }
        }
      }
    ]
  }

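CreateTransformJob
Note
Amazon Step Functions does not automatically create a policy for CreateTransformJob when you create a state machine that integrates with SageMaker. You must attach an inline policy to the created role based on one of the following IAM examples.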
Static resources
- Run a Job (.sync)

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "sagemaker:CreateTransformJob",
          "sagemaker:DescribeTransformJob",
          "sagemaker:StopTransformJob"
        ],
        "Resource": [
          "arn:aws:sagemaker:[[region]]:[[accountId]]:transform-job/[[transformJobName]]*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [ "sagemaker:ListTags" ],
        "Resource": [ "*" ]
      },
      {
        "Effect": "Allow",
        "Action": [ "iam:PassRole" ],
        "Resource": [ "[[roleArn]]" ],
        "Condition": {
          "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" }
        }
      },
      {
        "Effect": "Allow",
        "Action": [
          "events:PutTargets",
          "events:PutRule",
          "events:DescribeRule"
        ],
        "Resource": [
          "arn:aws:events:[[region]]:[[accountId]]:rule/StepFunctionsGetEventsForSageMakerTransformJobsRule"
        ]
      }
    ]
  }

- Request Response and Callback (.waitForTaskToken)

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [ "sagemaker:CreateTransformJob" ],
        "Resource": [
          "arn:aws:sagemaker:[[region]]:[[accountId]]:transform-job/[[transformJobName]]*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [ "sagemaker:ListTags" ],
        "Resource": [ "*" ]
      },
      {
        "Effect": "Allow",
        "Action": [ "iam:PassRole" ],
        "Resource": [ "[[roleArn]]" ],
        "Condition": {
          "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" }
        }
      }
    ]
  }

Dynamic resources
- Run a Job (.sync)

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "sagemaker:CreateTransformJob",
          "sagemaker:DescribeTransformJob",
          "sagemaker:StopTransformJob"
        ],
        "Resource": [
          "arn:aws:sagemaker:[[region]]:[[accountId]]:transform-job/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [ "sagemaker:ListTags" ],
        "Resource": [ "*" ]
      },
      {
        "Effect": "Allow",
        "Action": [ "iam:PassRole" ],
        "Resource": [ "[[roleArn]]" ],
        "Condition": {
          "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" }
        }
      },
      {
        "Effect": "Allow",
        "Action": [
          "events:PutTargets",
          "events:PutRule",
          "events:DescribeRule"
        ],
        "Resource": [
          "arn:aws:events:[[region]]:[[accountId]]:rule/StepFunctionsGetEventsForSageMakerTransformJobsRule"
        ]
      }
    ]
  }

- Request Response and Callback (.waitForTaskToken)

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [ "sagemaker:CreateTransformJob" ],
        "Resource": [
          "arn:aws:sagemaker:[[region]]:[[accountId]]:transform-job/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [ "sagemaker:ListTags" ],
        "Resource": [ "*" ]
      },
      {
        "Effect": "Allow",
        "Action": [ "iam:PassRole" ],
        "Resource": [ "[[roleArn]]" ],
        "Condition": {
          "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" }
        }
      }
    ]
  }
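
The templates above differ only in the job type, the integration pattern, and whether the job name is known when the state machine is defined. The following added example (not AWS code and not part of the original page) renders them from those three inputs and checks that iam:PassRole stays pinned to one role and to sagemaker.amazonaws.com; the function names build_policy and unscoped_passrole are hypothetical, and the account ID and role ARN are constructed sample values.

```python
import json

# API suffix, ARN resource type and rule name per job type, from the templates on this page.
JOB_TYPES = {
    "training": ("TrainingJob", "training-job", "StepFunctionsGetEventsForSageMakerTrainingJobsRule"),
    "transform": ("TransformJob", "transform-job", "StepFunctionsGetEventsForSageMakerTransformJobsRule"),
}

def build_policy(job_type, region, account_id, role_arn, sync, job_name=None):
    """Render the template for one task state (hypothetical helper).

    sync=True is Run a Job (.sync); sync=False is Request Response and
    Callback (.waitForTaskToken). job_name=None models dynamic resources,
    where the name is only known at run time and the ARN ends in '/*'.
    """
    api, arn_type, rule = JOB_TYPES[job_type]
    actions = [f"sagemaker:Create{api}"]
    if sync:  # the .sync templates add Describe and Stop
        actions += [f"sagemaker:Describe{api}", f"sagemaker:Stop{api}"]
    suffix = f"{job_name}*" if job_name else "*"
    statements = [
        {"Effect": "Allow", "Action": actions,
         "Resource": [f"arn:aws:sagemaker:{region}:{account_id}:{arn_type}/{suffix}"]},
        {"Effect": "Allow", "Action": ["sagemaker:ListTags"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": [role_arn],
         "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}},
    ]
    if sync:  # the .sync templates also add the events rule statement
        statements.append({
            "Effect": "Allow",
            "Action": ["events:PutTargets", "events:PutRule", "events:DescribeRule"],
            "Resource": [f"arn:aws:events:{region}:{account_id}:rule/{rule}"]})
    return {"Version": "2012-10-17", "Statement": statements}

def unscoped_passrole(policy):
    """Return iam:PassRole statements with a wildcard role or without the service condition."""
    bad = []
    for st in policy["Statement"]:
        if "iam:PassRole" in st["Action"]:
            svc = st.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
            if any("*" in r for r in st["Resource"]) or svc != "sagemaker.amazonaws.com":
                bad.append(st)
    return bad

if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    p = build_policy("transform", "us-east-1", "111122223333",
                     "arn:aws:iam::111122223333:role/ExampleSageMakerRole", sync=True)
    print(json.dumps(p, indent=2))
```

Because Step Functions does not create the CreateTransformJob policy automatically, the rendered document is what you would attach as the inline policy; running unscoped_passrole over it before attaching catches a role ARN that was widened to a wildcard.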