
IAM role setup - Amazon EMR

This page is a machine-translated version. If this translation differs from the English original, the English original prevails.

IAM role setup

The CloudFormation stack in the setup instructions creates the IAM role for you automatically. If you would rather do it manually, follow the instructions below:

IAM role setup for the MCP server

Upcoming change effective May 29, 2026

After May 29, 2026, the sagemaker-unified-studio-mcp permissions shown below will no longer be required. Instead, authorization will be performed at the AWS service level using your existing IAM policies. If you use these permissions to deny access, see Upcoming permission change (May 29, 2026) and update your policies before that date.

To access the SMUS-managed MCP server, an IAM role with the following inline policy is required:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUseSagemakerUnifiedStudioMcpServer",
      "Effect": "Allow",
      "Action": [
        "sagemaker-unified-studio-mcp:InvokeMcp",
        "sagemaker-unified-studio-mcp:CallReadOnlyTool",
        "sagemaker-unified-studio-mcp:CallPrivilegedTool"
      ],
      "Resource": ["*"]
    }
  ]
}

In the following steps, a profile will be created for this role. Whichever account will assume this role to obtain credentials must be added to the role's trust (assume role) policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccountToAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<accountId>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Additional permissions by deployment mode (EMR-EC2/EMR-S/Glue)

EMR-EC2 applications

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EMREC2ReadAccess",
      "Effect": "Allow",
      "Action": [
        "elasticmapreduce:DescribeCluster",
        "elasticmapreduce:DescribeStep",
        "elasticmapreduce:ListSteps",
        "elasticmapreduce:ListClusters",
        "elasticmapreduce:DescribeJobFlows"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "EMRS3LogAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EMRPersistentApp",
      "Effect": "Allow",
      "Action": [
        "elasticmapreduce:CreatePersistentAppUI",
        "elasticmapreduce:DescribePersistentAppUI",
        "elasticmapreduce:GetPersistentAppUIPresignedURL"
      ],
      "Resource": ["*"]
    }
  ]
}

Glue Jobs

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GlueReadAccess",
      "Effect": "Allow",
      "Action": [
        "glue:GetJob",
        "glue:GetJobRun",
        "glue:GetJobRuns",
        "glue:GetJobs",
        "glue:BatchGetJobs"
      ],
      "Resource": ["arn:aws:glue:*:<account id>:job/*"]
    },
    {
      "Sid": "GlueCloudWatchLogsAccess",
      "Effect": "Allow",
      "Action": [
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": ["arn:aws:logs:*:<account id>:log-group:/aws/glue/*"]
    },
    {
      "Sid": "GlueSparkWebUI",
      "Effect": "Allow",
      "Action": [
        "glue:RequestLogParsing",
        "glue:GetLogParsingStatus",
        "glue:GetEnvironment",
        "glue:GetStage",
        "glue:GetStages",
        "glue:GetStageFiles",
        "glue:BatchGetStageFiles",
        "glue:GetStageAttempt",
        "glue:GetStageAttemptTaskList",
        "glue:GetStageAttemptTaskSummary",
        "glue:GetExecutors",
        "glue:GetExecutorsThreads",
        "glue:GetStorage",
        "glue:GetStorageUnit",
        "glue:GetQueries",
        "glue:GetQuery",
        "glue:GetDashboardUrl"
      ],
      "Resource": ["arn:aws:glue:*:<account id>:job/*"]
    },
    {
      "Sid": "GluePassRoleAccess",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "glue.amazonaws.com"
        }
      }
    }
  ]
}

EMR Serverless applications

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EMRServerlessReadAccess",
      "Effect": "Allow",
      "Action": [
        "emr-serverless:GetJobRun",
        "emr-serverless:GetApplication",
        "emr-serverless:ListApplications",
        "emr-serverless:ListJobRuns",
        "emr-serverless:ListJobRunAttempts",
        "emr-serverless:GetDashboardForJobRun",
        "emr-serverless:ListTagsForResource"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "EMRServerlessCloudWatchLogsAccess",
      "Effect": "Allow",
      "Action": [
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": ["arn:aws:logs:*:<account id>:log-group:/aws/emr-serverless/*"]
    },
    {
      "Sid": "EMRServerlessS3LogsAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": "*"
    }
  ]
}

KMS permissions - CloudWatch Logs

If the CloudWatch Logs log group is encrypted with a customer managed key (CMK), add the following policy statement so that the service can read the EMR Serverless application logs.

{
  "Effect": "Allow",
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey"
  ],
  "Resource": "arn:aws:kms:<region>:<account-id>:key/<cw-logs-cmk-id>"
}
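The steps above leave several placeholders (`<accountId>`, `<account id>`, `<account-id>`, `<region>`, `<cw-logs-cmk-id>`) to be filled and several statements to be combined by hand. The following script is an added example written for this page, not AWS code: it embeds the MCP server statement, the trust policy, the EMR Serverless statements and the KMS statement exactly as the page gives them, fills the placeholders from values you supply, merges the statements for the chosen deployment modes into one permissions policy, and lists the Allow statements that still target Resource "*" without a Condition so they can be reviewed (for example, the s3:GetObject/s3:ListBucket statement can be scoped to the EMR log bucket). The EMR-EC2 and Glue statements are added to MODE_STATEMENTS in the same form. The account number, region and key id used in the usage section are constructed sample values.

```python
"""Assemble and review the IAM policy documents for the SMUS MCP server role.

Added example, not AWS code: fills the page's placeholders, merges the
statements for the chosen deployment modes into one permissions policy and
lists Allow statements on Resource "*" that carry no Condition, so they can
be scoped (for example, to the EMR log bucket) before the role is created.
"""
import copy
import json
import re

# Statements copied from the page, placeholders left as the page writes them.
# EMR-EC2 and Glue statements are added to MODE_STATEMENTS in the same form.
MCP_SERVER_STATEMENT = {
    "Sid": "AllowUseSagemakerUnifiedStudioMcpServer",
    "Effect": "Allow",
    "Action": ["sagemaker-unified-studio-mcp:InvokeMcp",
               "sagemaker-unified-studio-mcp:CallReadOnlyTool",
               "sagemaker-unified-studio-mcp:CallPrivilegedTool"],
    "Resource": ["*"],
}
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAccountToAssumeRole", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::<accountId>:root"},
                   "Action": "sts:AssumeRole"}],
}
MODE_STATEMENTS = {
    "emr-serverless": [
        {"Sid": "EMRServerlessReadAccess", "Effect": "Allow",
         "Action": ["emr-serverless:GetJobRun", "emr-serverless:GetApplication",
                    "emr-serverless:ListApplications", "emr-serverless:ListJobRuns",
                    "emr-serverless:ListJobRunAttempts",
                    "emr-serverless:GetDashboardForJobRun",
                    "emr-serverless:ListTagsForResource"],
         "Resource": ["*"]},
        {"Sid": "EMRServerlessCloudWatchLogsAccess", "Effect": "Allow",
         "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
         "Resource": ["arn:aws:logs:*:<account id>:log-group:/aws/emr-serverless/*"]},
        {"Sid": "EMRServerlessS3LogsAccess", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    ],
}
KMS_STATEMENT = {  # the page's statement has no Sid
    "Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"],
    "Resource": "arn:aws:kms:<region>:<account-id>:key/<cw-logs-cmk-id>",
}
PLACEHOLDER = re.compile(r"<[^<>]+>")


def fill_placeholders(doc, account_id, region=None, cmk_id=None):
    """Return a copy of doc with every known placeholder substituted."""
    values = {"<accountId>": account_id, "<account id>": account_id,
              "<account-id>": account_id, "<region>": region,
              "<cw-logs-cmk-id>": cmk_id}
    text = json.dumps(doc)
    for key, value in values.items():
        if value:
            text = text.replace(key, value)
    return json.loads(text)


def unresolved_placeholders(doc):
    """Placeholders still present; must be empty before the policy is attached."""
    return sorted(set(PLACEHOLDER.findall(json.dumps(doc))))


def build_permissions_policy(account_id, modes, region=None, cmk_id=None):
    """Merge the MCP server statement, the chosen modes' statements and, when
    a CMK id is given, the KMS statement into one policy document."""
    statements = [copy.deepcopy(MCP_SERVER_STATEMENT)]
    for mode in modes:
        statements.extend(copy.deepcopy(MODE_STATEMENTS[mode]))
    if cmk_id:
        statements.append(copy.deepcopy(KMS_STATEMENT))
    doc = {"Version": "2012-10-17", "Statement": statements}
    return fill_placeholders(doc, account_id, region, cmk_id)


def wildcard_resource_sids(doc):
    """Sids of Allow statements on Resource "*" with no Condition (review list)."""
    out = []
    for st in doc["Statement"]:
        res = st.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        if st.get("Effect") == "Allow" and "*" in res and "Condition" not in st:
            out.append(st.get("Sid", "(no Sid)"))
    return out


if __name__ == "__main__":
    # Constructed sample values, not a real account or key id.
    policy = build_permissions_policy("123456789012", ["emr-serverless"],
                                      region="us-east-1", cmk_id="1111-constructed-cmk-id")
    print(json.dumps(policy, indent=2))
    print("unresolved:", unresolved_placeholders(policy))
    print("review:", wildcard_resource_sids(policy))
```

The sagemaker-unified-studio-mcp statement is expected to appear in the review list, since the page requires it on Resource "*"; the EMR Serverless read and S3 statements are the ones worth tightening to the specific applications and log bucket the role needs. Run the same `fill_placeholders` over `TRUST_POLICY` before creating the role, and treat a non-empty `unresolved_placeholders` result as a blocker.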

Upcoming permission change (May 29, 2026)

Starting May 29, 2026, the AWS SMUS MCP server will no longer require separate IAM permissions to authorize MCP server operations. Instead, authorization will use your existing IAM roles and policies at the AWS service level.

Two condition keys are automatically added to every request made through the SMUS MCP server:

  • aws:ViaAWSMCPService: set to true for any request made through an AWS-managed MCP server.

  • aws:CalledViaAWSMCP: set to the service principal of the MCP server (for example, sagemaker-unified-studio-mcp.amazonaws.com).

If you currently use the sagemaker-unified-studio-mcp permissions to deny access to the SMUS MCP server, or if you do not want to allow any operations initiated by AWS-managed MCP servers in your account, you must update your policies before May 29, 2026 to use the new condition keys instead.

Deny all actions made through any AWS-managed MCP server:

{
  "Effect": "Deny",
  "Action": "*",
  "Resource": "*",
  "Condition": {
    "Bool": {
      "aws:ViaAWSMCPService": "true"
    }
  }
}

Deny specific actions made through a specific AWS-managed MCP server:

{
  "Effect": "Deny",
  "Action": ["glue:GetJobRun", "glue:StartJobRun"],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:CalledViaAWSMCP": "sagemaker-unified-studio-mcp.amazonaws.com"
    }
  }
}
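The two Deny statements above only take effect when the condition key is present in the request context, which is why a direct call by the same principal is unaffected and an explicit Deny still wins over the GlueReadAccess Allow. The script below is an added example for this page, not the IAM policy engine: a minimal model of IAM evaluation (an explicit Deny wins, otherwise any matching Allow, otherwise an implicit deny) that understands the Bool, StringEquals and StringLike operators and the wildcard matching used on this page. It runs the page's two Deny statements together with the GlueReadAccess statement against constructed request contexts; the account number, the job ARN and the "other MCP server" principal are constructed placeholders.

```python
"""Decide sample requests under the aws:ViaAWSMCPService / aws:CalledViaAWSMCP
Deny statements.

Added example, not the IAM policy engine: a minimal model of IAM evaluation
(explicit Deny wins, otherwise any matching Allow, otherwise implicit deny)
covering the Bool, StringEquals and StringLike operators and wildcard
matching used on this page. Request contexts and ARNs are constructed.
"""
import fnmatch

SMUS_MCP_PRINCIPAL = "sagemaker-unified-studio-mcp.amazonaws.com"

# Statements from the page. The Glue read statement has its <account id>
# placeholder replaced with a constructed account number.
DENY_ALL_VIA_MCP = {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"Bool": {"aws:ViaAWSMCPService": "true"}},
}
DENY_GLUE_VIA_SMUS = {
    "Effect": "Deny", "Action": ["glue:GetJobRun", "glue:StartJobRun"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:CalledViaAWSMCP": SMUS_MCP_PRINCIPAL}},
}
GLUE_READ_ACCESS = {
    "Sid": "GlueReadAccess", "Effect": "Allow",
    "Action": ["glue:GetJob", "glue:GetJobRun", "glue:GetJobRuns",
               "glue:GetJobs", "glue:BatchGetJobs"],
    "Resource": ["arn:aws:glue:*:123456789012:job/*"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_any(value, patterns):
    """IAM-style wildcard match of value against one or more patterns."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_matches(statement, context):
    """Every key in every operator block must match. A key missing from the
    request context makes its block false (no ...IfExists operators here)."""
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual = str(context[key])
            wanted = [str(v) for v in _as_list(expected)]
            if operator == "Bool":
                ok = actual.lower() in [v.lower() for v in wanted]
            elif operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringLike":
                ok = _glob_any(actual, wanted)
            else:
                raise ValueError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def evaluate(statements, action, resource, context):
    """Return "ExplicitDeny", "Allow" or "ImplicitDeny" for one request."""
    decision = "ImplicitDeny"
    for st in statements:
        if not (_glob_any(action, st["Action"])
                and _glob_any(resource, st["Resource"])
                and _condition_matches(st, context)):
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def scenarios():
    """Decisions for constructed requests with and without the MCP keys."""
    job = "arn:aws:glue:us-east-1:123456789012:job/nightly-etl"
    direct = {}  # the principal calls Glue itself: neither key is present
    via_smus = {"aws:ViaAWSMCPService": "true",
                "aws:CalledViaAWSMCP": SMUS_MCP_PRINCIPAL}
    via_other = {"aws:ViaAWSMCPService": "true",
                 "aws:CalledViaAWSMCP": "other-mcp.example.amazonaws.com"}  # placeholder
    specific = [GLUE_READ_ACCESS, DENY_GLUE_VIA_SMUS]
    deny_all = [GLUE_READ_ACCESS, DENY_ALL_VIA_MCP]
    return {
        "direct GetJobRun / specific deny": evaluate(specific, "glue:GetJobRun", job, direct),
        "SMUS GetJobRun / specific deny": evaluate(specific, "glue:GetJobRun", job, via_smus),
        "SMUS GetJob / specific deny": evaluate(specific, "glue:GetJob", job, via_smus),
        "other MCP GetJobRun / specific deny": evaluate(specific, "glue:GetJobRun", job, via_other),
        "direct GetJob / deny all": evaluate(deny_all, "glue:GetJob", job, direct),
        "SMUS GetJob / deny all": evaluate(deny_all, "glue:GetJob", job, via_smus),
        "direct StartJobRun / specific deny": evaluate(specific, "glue:StartJobRun", job, direct),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:38} -> {decision}")
```

The last scenario shows the two layers separately: glue:StartJobRun made directly is an implicit deny because no statement allows it, not because the MCP-specific Deny fired. For the real decision, use the IAM policy simulator with these condition keys in the request context rather than this model, which ignores permissions boundaries, SCPs and resource-based policies.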

For more information about condition keys, see AWS global condition context keys in the IAM User Guide.