AWS 模型注册管理机构的托管策略 - 亚马逊 SageMaker AI
AmazonSageMakerModelRegistryFullAccess模型注册表策略更新

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

AWS 模型注册管理机构的托管策略

这些 AWS 托管策略增加了使用模型注册表所需的权限。这些策略可在您的 AWS 账户中使用,并由从 Amazon A SageMaker I 控制台创建的执行角色使用。

AWS 托管策略: AmazonSageMakerModelRegistryFullAccess

此 AWS 托管策略授予使用 Amazon A SageMaker I 域内所有模型注册表功能所需的权限。配置模型注册表设置以启用模型注册表权限时,此策略会附加到执行角色中。

该策略包含以下权限。

  • ecr - 允许主体检索有关 Amazon Elastic Container Registry (Amazon ECR) 映像的信息,包括元数据。

  • iam— 允许委托人将执行角色传递给 Amazon A SageMaker I 服务。

  • resource-groups— 允许委托人创建、列出、标记和删除 AWS Resource Groups。

  • s3 - 允许主体从存储模型版本的 Amazon Simple Storage Service (Amazon S3) 存储桶中检索对象。可检索的对象仅限于名称(不区分大小写)包含字符串 "sagemaker" 的对象。

  • sagemaker— 允许委托人使用模型注册表对模型进行编目、管理和部署。 SageMaker

  • kms— 仅允许 SageMaker AI 服务主体添加授权、生成数据密钥、解密和读取密 AWS KMS 钥,并且仅允许标记为 “sagemaker” 使用的密钥。

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonSageMakerModelRegistrySageMakerReadPermission",
      "Effect": "Allow",
      "Action": [
        "sagemaker:DescribeAction",
        "sagemaker:DescribeInferenceRecommendationsJob",
        "sagemaker:DescribeModelPackage",
        "sagemaker:DescribeModelPackageGroup",
        "sagemaker:DescribePipeline",
        "sagemaker:DescribePipelineExecution",
        "sagemaker:ListAssociations",
        "sagemaker:ListArtifacts",
        "sagemaker:ListModelMetadata",
        "sagemaker:ListModelPackages",
        "sagemaker:Search",
        "sagemaker:GetSearchSuggestions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistrySageMakerWritePermission",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags",
        "sagemaker:CreateModel",
        "sagemaker:CreateModelPackage",
        "sagemaker:CreateModelPackageGroup",
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:CreateInferenceRecommendationsJob",
        "sagemaker:DeleteModelPackage",
        "sagemaker:DeleteModelPackageGroup",
        "sagemaker:DeleteTags",
        "sagemaker:UpdateModelPackage"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryS3GetPermission",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Sid": "AmazonSageMakerModelRegistryS3ListPermission",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryECRReadPermission",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:DescribeImages"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryIAMPassRolePermission",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "sagemaker.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AmazonSageMakerModelRegistryTagReadPermission",
      "Effect": "Allow",
      "Action": [
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceGroupGetPermission",
      "Effect": "Allow",
      "Action": [
        "resource-groups:GetGroupQuery"
      ],
      "Resource": "arn:aws:resource-groups:*:*:group/*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceGroupListPermission",
      "Effect": "Allow",
      "Action": [
        "resource-groups:ListGroupResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceGroupWritePermission",
      "Effect": "Allow",
      "Action": [
        "resource-groups:CreateGroup",
        "resource-groups:Tag"
      ],
      "Resource": "arn:aws:resource-groups:*:*:group/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": "sagemaker:collection"
        }
      }
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceGroupDeletePermission",
      "Effect": "Allow",
      "Action": "resource-groups:DeleteGroup",
      "Resource": "arn:aws:resource-groups:*:*:group/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/sagemaker:collection": "true"
        }
      }
    },
    {
      "Sid": "AmazonSageMakerModelRegistryResourceKMSPermission",
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:DescribeKey",
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:*:*:key/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/sagemaker" : "true"
        },
        "StringLike": {
          "kms:ViaService": "sagemaker.*.amazonaws.com"
        }
      }
    }
  ]
}

Amazon SageMaker AI 更新了《模型注册表》托管政策

查看自该服务开始跟踪模型注册 AWS 管理机构托管策略更新以来,有关这些更新的详细信息。要获得有关此页面更改的自动提醒,请订阅 SageMaker AI 文档历史记录页面上的 RSS 提要。

策略 版本 更改 日期

AmazonSageMakerModelRegistryFullAccess – 对现有策略的更新

2

添加 kms:CreateGrantkms:DescribeKeykms:GenerateDataKeykms:Decrypt 权限。

 2024 年 6 月 6 日

AmazonSageMakerModelRegistryFullAccess -新政策

1

初始策略

 2023 年 4 月 12 日