AWS managed policy: AmazonSageMakerHyperPodObservabilityAdminAccess - Amazon SageMaker AI

AWS managed policy: AmazonSageMakerHyperPodObservabilityAdminAccess

This policy provides the administrative privileges required to set up Amazon SageMaker HyperPod observability. It grants access to Amazon Managed Prometheus, Amazon Managed Grafana, and Amazon Elastic Kubernetes Service add-ons. Note that the policy also grants broad access to Grafana HTTP APIs through ServiceAccountTokens: the `GrafanaServiceAccountAccess` statement applies to every Amazon Managed Grafana workspace in your account (resource `arn:aws:grafana:*:*:/workspaces/*`), with no `SageMaker` tag condition, whereas the create and tag statements are restricted to resources tagged `SageMaker=true`.

The following is the policy JSON.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "PrometheusCreateAccess", "Effect": "Allow", "Action": [ "aps:CreateWorkspace" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/SageMaker": "true" } } }, { "Sid": "PrometheusTagsAccess", "Effect": "Allow", "Action": "aps:TagResource", "Resource": [ "arn:aws:aps:*:*:/workspaces", "arn:aws:aps:*:*:rulegroupsnamespace/*/HyperPodObservabilityNamespace" ], "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": [ "SageMaker" ] }, "StringEquals": { "aws:RequestTag/SageMaker": "true", "aws:ResourceTag/SageMaker": "true" } } }, { "Sid": "PrometheusDescribeAccess", "Effect": "Allow", "Action": [ "aps:DescribeWorkspace" ], "Resource": "arn:aws:aps:*:*:workspace/*" }, { "Sid": "PrometheusListAccess", "Effect": "Allow", "Action": [ "aps:ListWorkspaces" ], "Resource": "*" }, { "Sid": "PrometheusAlertsRuleGroupAccess", "Effect": "Allow", "Action": [ "aps:CreateAlertManagerDefinition", "aps:DescribeAlertManagerDefinition", "aps:DescribeRuleGroupsNamespace", "aps:ListRuleGroupsNamespaces" ], "Resource": [ "arn:aws:aps:*:*:workspace/*", "arn:aws:aps:*:*:rulegroupsnamespace/*/HyperPodObservabilityNamespace" ] }, { "Sid": "PrometheusCreateRuleGroupAccess", "Effect": "Allow", "Action": "aps:CreateRuleGroupsNamespace", "Resource": "arn:aws:aps:*:*:rulegroupsnamespace/*/HyperPodObservabilityNamespace", "Condition": { "StringEquals": { "aws:RequestTag/SageMaker": "true", "aws:ResourceTag/SageMaker": "true" } } }, { "Sid": "GrafanaCreateWorkspaceAccess", "Effect": "Allow", "Action": [ "grafana:CreateWorkspace" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/SageMaker": "true" } } }, { "Sid": "GrafanaTagsAccess", "Effect": "Allow", "Action": "grafana:TagResource", "Resource": "arn:aws:grafana:*:*:/workspaces", "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": [ "SageMaker" ] }, "StringEquals": { "aws:RequestTag/SageMaker": "true", "aws:ResourceTag/SageMaker": "true" } } }, { "Sid": 
"GrafanaListAccess", "Effect": "Allow", "Action": [ "grafana:ListWorkspaces" ], "Resource": "*" }, { "Sid": "GrafanaServiceAccountAccess", "Effect": "Allow", "Action": [ "grafana:DescribeWorkspace", "grafana:CreateWorkspaceApiKey", "grafana:CreateWorkspaceServiceAccount", "grafana:CreateWorkspaceServiceAccountToken", "grafana:ListWorkspaceServiceAccounts", "grafana:ListWorkspaceServiceAccountTokens", "grafana:DeleteWorkspaceServiceAccountToken" ], "Resource": "arn:aws:grafana:*:*:/workspaces/*" }, { "Sid": "IAMGrafanaPassRoleAccess", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/AmazonSageMakerHyperPodObservabilityGrafanaAccess-*", "Condition": { "StringLike": { "iam:PassedToService": [ "grafana.amazonaws.com" ] } } }, { "Sid": "IAMEKSPassRoleAccess", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/AmazonSageMakerHyperPodObservabilityAddonAccess-*", "Condition": { "StringLike": { "iam:PassedToService": [ "pods.eks.amazonaws.com" ] } } }, { "Sid": "IAMGetRoleAccess", "Effect": "Allow", "Action": "iam:GetRole", "Resource": [ "arn:aws:iam::*:role/AmazonSageMakerHyperPodObservabilityAddonAccess-*" ] }, { "Sid": "HyperPodClusterAccess", "Effect": "Allow", "Action": [ "sagemaker:ListClusters", "sagemaker:DescribeCluster" ], "Resource": "*" }, { "Sid": "EKSAddonAccess", "Effect": "Allow", "Action": [ "eks:DeleteAddon", "eks:UpdateAddon", "eks:DescribeAddon" ], "Resource": "arn:aws:eks:*:*:addon/*/amazon-sagemaker-hyperpod-observability/*" }, { "Sid": "EKSAddonDescribeAccess", "Effect": "Allow", "Action": [ "eks:DescribeAddonConfiguration", "eks:DescribeAddonVersions" ], "Resource": "*" }, { "Sid": "EKSAddonDescribePodIdentityAccess", "Effect": "Allow", "Action": "eks:DescribePodIdentityAssociation", "Resource": "arn:aws:eks:*:*:podidentityassociation/*/*" }, { "Sid": "EKSListDescribeAccess", "Effect": "Allow", "Action": [ "eks:ListAddons", "eks:DescribeCluster" ], "Resource": "arn:aws:eks:*:*:cluster/*" 
}, { "Sid": "EKSCreateAccess", "Effect": "Allow", "Action": [ "eks:CreateAddon", "eks:CreatePodIdentityAssociation" ], "Resource": "arn:aws:eks:*:*:cluster/*", "Condition": { "StringEquals": { "aws:RequestTag/SageMaker": "true" } } }, { "Sid": "EKSTagsAccess", "Effect": "Allow", "Action": "eks:TagResource", "Resource": [ "arn:aws:eks:*:*:cluster/*", "arn:aws:eks:*:*:addon/*/*/*", "arn:aws:eks:*:*:podidentityassociation/*/*" ], "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": [ "SageMaker" ] }, "StringEquals": { "aws:RequestTag/SageMaker": "true", "aws:ResourceTag/SageMaker": "true" } } }, { "Sid": "SSOAccess", "Effect": "Allow", "Action": [ "sso:DescribeRegisteredRegions", "sso:CreateManagedApplicationInstance" ], "Resource": "*" } ] }