# `StartEarthObservationJob` API: Execution role permissions
<a name="sagemaker-roles-start-eoj-perms"></a>

For an execution role that you can pass in a `StartEarthObservationJob` API request, you can attach the following minimum permissions policy to the role:

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ]
        },
        {
        "Effect": "Allow",
        "Action": "sagemaker-geospatial:GetEarthObservationJob",
        "Resource":  "arn:aws:sagemaker-geospatial:*:*:earth-observation-job/*"
        },
        {
        "Effect": "Allow",
        "Action": "sagemaker-geospatial:GetRasterDataCollection",
        "Resource": "arn:aws:sagemaker-geospatial:*:*:raster-data-collection/*"
        }
    ]
    }
```

------

If your input Amazon S3 bucket is encrypted using server-side encryption with an AWS KMS managed key (SSE-KMS), see [Using Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html) for more information.