本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
SageMakerStudioUserIAMPermissiveExecutionPolicy
描述:在 SageMaker Unified Studio 中使用 IAM 角色的执行策略。允许用户访问您账户中的资源(包括广泛访问 S3、G CloudWatch lue、Logs 等所有 APIs 数据服务),以便基于 IAM 使用 Uni SageMaker fied Studio。
SageMakerStudioUserIAMPermissiveExecutionPolicy 是一项 AWS 托管式策略。
使用此策略
您可以将 SageMakerStudioUserIAMPermissiveExecutionPolicy 附加到您的用户、组和角色。
策略详细信息
-
类型: AWS 托管策略
-
创建时间:世界标准时间 2025 年 8 月 18 日 17:19
-
编辑时间:世界标准时间 2025 年 8 月 26 日 21:34
-
ARN:
arn:aws:iam::aws:policy/SageMakerStudioUserIAMPermissiveExecutionPolicy
策略版本
策略版本:v2(默认)
此策略的默认版本是定义策略权限的版本。当使用该策略的用户或角色请求访问 AWS 资源时, AWS 会检查策略的默认版本以确定是否允许该请求。
JSON 策略文档
{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "DataAccess", "Effect" : "Allow", "Action" : [ "cloudwatch:*", "glue:*", "logs:*", "redshift-data:*", "redshift-serverless:*", "redshift:*", "s3:*" ], "Resource" : "*" }, { "Sid" : "ComputeAccess", "Effect" : "Allow", "Action" : [ "athena:*", "bedrock:*", "codewhisperer:*", "q:*", "sagemaker:*", "scheduler:*", "sqlworkbench:*" ], "Resource" : "*" }, { "Sid" : "DataZone", "Effect" : "Allow", "Action" : [ "datazone:CreateAsset*", "datazone:CreateConnection", "datazone:CreateProject", "datazone:DeleteAsset*", "datazone:DeleteConnection", "datazone:DeleteProject", "datazone:Get*", "datazone:List*", "datazone:PostLineageEvent", "datazone:Search", "datazone:SearchListings", "datazone:SearchUserProfiles", "datazone:UpdateAssetFilter", "datazone:UpdateConnection", "datazone:UpdateProject" ], "Resource" : "*" }, { "Sid" : "IamSts", "Effect" : "Allow", "Action" : [ "iam:GetRole", "iam:ListRoles", "sts:AssumeRole" ], "Resource" : "*" }, { "Sid" : "CreateSLR", "Effect" : "Allow", "Action" : "iam:CreateServiceLinkedRole", "Resource" : [ "arn:aws:iam::*:role/aws-service-role/neptune-graph.amazonaws.com/AWSServiceRoleForNeptuneGraph", "arn:aws:iam::*:role/aws-service-role/redshift.amazonaws.com/AWSServiceRoleForRedshift", "arn:aws:iam::*:role/aws-service-role/sagemaker.amazonaws.com/AWSServiceRoleForAmazonSageMakerNotebooks", "arn:aws:iam::*:role/aws-service-role/ops.emr-serverless.amazonaws.com/AWSServiceRoleForAmazonEMRServerless", "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA", "arn:aws:iam::*:role/aws-service-role/elasticmapreduce.amazonaws.com/AWSServiceRoleForEMRCleanup", "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint", "arn:aws:iam::*:role/aws-service-role/observability.aoss.amazonaws.com/AWSServiceRoleForAmazonOpenSearchServerless" ] }, { "Sid" : "TagSession", "Effect" : "Allow", "Action" : "sts:TagSession", "Resource" : "*", "Condition" : { "ForAllValues:StringLike" : { "aws:TagKeys" : [ "AmazonDataZone*" ] } } }, { "Sid" : "PassRole", "Effect" : "Allow", "Action" : "iam:PassRole", "Resource" : [ "arn:aws:iam::*:role/service-role/AmazonSageMaker*" ], "Condition" : { "StringEquals" : { "iam:PassedToService" : [ "sagemaker.amazonaws.com", "lakeformation.amazonaws.com", "glue.amazonaws.com", "bedrock.amazonaws.com", "redshift-serverless.amazonaws.com", "redshift.amazonaws.com", "scheduler.amazonaws.com" ] } } }, { "Sid" : "SourceIdentity", "Effect" : "Allow", "Action" : "sts:SetSourceIdentity", "Resource" : "*", "Condition" : { "StringLike" : { "sts:SourceIdentity" : "${aws:PrincipalTag/datazone:userId}" } } }, { "Sid" : "SSM", "Effect" : "Allow", "Action" : [ "ssm:GetParameter*" ], "Resource" : [ "arn:aws:ssm:*:*:parameter/amazon/datazone/q*", "arn:aws:ssm:*:*:parameter/amazon/datazone/genAI/*", "arn:aws:ssm:*::parameter/aws/service/sagemaker-distribution/*" ] }, { "Sid" : "LFAccess", "Effect" : "Allow", "Action" : [ "lakeformation:DescribeResource", "lakeformation:GetDataAccess", "lakeformation:ListResources" ], "Resource" : "*" }, { "Sid" : "FederatedConn", "Effect" : "Allow", "Action" : [ "dynamodb:List*", "dynamodb:Describe*", "dynamodb:Scan", "dynamodb:PartiQLSelect", "dynamodb:Query", "secretsmanager:ListSecrets", "resource-groups:GetGroupQuery", "resource-groups:ListGroupResources" ], "Resource" : "*" }, { "Sid" : "PrivateSecret", "Effect" : "Allow", "Action" : [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:ResourceTag/AmazonDataZoneProject" : "${datazone:projectId}" } } }, { "Sid" : "SharedSecret", "Effect" : "Allow", "Action" : [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:ResourceTag/for-use-with-all-datazone-projects" : "true" } } }, { "Sid" : "Ecr", "Effect" : "Allow", "Action" : [ "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:DescribeImages", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer" ], "Resource" : "*" } ] }
了解更多信息
