关于 AmazonBraketFullAccess 政策 - Amazon Braket

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

关于 AmazonBraketFullAccess 政策

AmazonBraketFullAccess政策授予 Amazon Braket 操作权限,包括执行以下任务的权限:

  • 从 Amazon Elastic Container Re gistry 下载容器 — 读取和下载用于 Amazon Braket Hybrid Jobs 功能的容器镜像。容器必须符合 “arn: aws: ecr:: repository/amazon-braket” 的格式。

  • 保留 AWS CloudTrail 日志-除了启动和停止查询、测试指标筛选器和筛选日志事件外,还适用于所有描述获取出操作。该 AWS CloudTrail 日志文件包含您的账户中发生的所有 Amazon Braket API 活动的记录。

  • 利用角色控制资源-在您的账户中创建服务相关角色。服务相关角色可以代表您访问 AWS 资源。它只能由 Amazon Braket 服务使用。此外,还可以将 IAM 角色传递给 Amazon Braket CreateJobAPI,创建角色并将范围限定为的策略附加 AmazonBraketFullAccess 到该角色。

  • 创建日志组、日志事件和查询日志组,以维护您账户的使用情况日志文件 — 创建、存储和查看账户中有关 Amazon Braket 使用情况的日志信息。查询混合作业日志组的指标。包含正确的 Braket 路径并允许放置日志数据。将指标数据放入 CloudWatch。

  • 在 Amazon S3 存储桶中创建和存储数据,并列出所有存储桶 — 要创建 S3 存储桶,请列出您账户中的 S3 存储桶,然后将对象放入账户中名称以 amazon-braket-开头的任何存储桶并从中获取对象。Braket 需要这些权限才能将包含已处理量子任务结果的文件放入存储桶并从存储桶中检索。

  • 传递 IAM 角色 — 将 IAM 角色传递给CreateJobAPI。

  • 亚马逊 A SageMaker I Notebook — 创建和管理范围为 “arn: aws: sagemaker:: notebook-instance/amazon-braket-” 中资源的SageMaker笔记本实例。

  • 验证服务配额 — 要创建 SageMaker AI 笔记本和 Amazon Braket Hybrid 任务,您的资源数量不能超过账户的配额

  • 查看产品定价 — 在提交工作负载之前,请查看并计划量子硬件成本。

政策内容

JSON
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:CreateBucket", "s3:PutBucketPublicAccessBlock", "s3:PutBucketPolicy" ], "Resource": "arn:aws:s3:::amazon-braket-*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "servicequotas:GetServiceQuota", "cloudwatch:GetMetricData", "pricing:GetProducts" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability" ], "Resource": "arn:aws:ecr:*:*:repository/amazon-braket*" }, { "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "logs:Describe*", "logs:Get*", "logs:List*", "logs:StartQuery", "logs:StopQuery", "logs:TestMetricFilter", "logs:FilterLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/braket*" }, { "Effect": "Allow", "Action": [ "iam:ListRoles", "iam:ListRolePolicies", "iam:GetRole", "iam:GetRolePolicy", "iam:ListAttachedRolePolicies" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sagemaker:ListNotebookInstances" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sagemaker:CreatePresignedNotebookInstanceUrl", "sagemaker:CreateNotebookInstance", "sagemaker:DeleteNotebookInstance", "sagemaker:DescribeNotebookInstance", "sagemaker:StartNotebookInstance", "sagemaker:StopNotebookInstance", "sagemaker:UpdateNotebookInstance", "sagemaker:ListTags", "sagemaker:AddTags", "sagemaker:DeleteTags" ], "Resource": "arn:aws:sagemaker:*:*:notebook-instance/amazon-braket-*" }, { "Effect": "Allow", "Action": [ "sagemaker:DescribeNotebookInstanceLifecycleConfig", "sagemaker:CreateNotebookInstanceLifecycleConfig", "sagemaker:DeleteNotebookInstanceLifecycleConfig", "sagemaker:ListNotebookInstanceLifecycleConfigs", "sagemaker:UpdateNotebookInstanceLifecycleConfig" ], "Resource": "arn:aws:sagemaker:*:*:notebook-instance-lifecycle-config/amazon-braket-*" }, { "Effect": "Allow", "Action": "braket:*", "Resource": "*" }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/braket.amazonaws.com/AWSServiceRoleForAmazonBraket*", "Condition": { "StringEquals": { "iam:AWSServiceName": "braket.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketServiceSageMakerNotebookRole*", "Condition": { "StringLike": { "iam:PassedToService": [ "sagemaker.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketJobsExecutionRole*", "Condition": { "StringLike": { "iam:PassedToService": [ "braket.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "logs:GetQueryResults" ], "Resource": [ "arn:aws:logs:*:*:log-group:*" ] }, { "Effect": "Allow", "Action": [ "logs:PutLogEvents", "logs:CreateLogStream", "logs:CreateLogGroup" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/braket*" }, { "Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*", "Condition": { "StringEquals": { "cloudwatch:namespace": "/aws/braket" } } } ] }