AWS SageMaker 项目管理策略和 JumpStart - 亚马逊 SageMaker AI
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicyAmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicyAmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicyAmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicyAmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicyAmazonSageMakerServiceCatalogProductsCloudformationServiceRole政策AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicyAmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicyAmazonSageMakerServiceCatalogProductsEventsServiceRole政策AmazonSageMakerServiceCatalogProductsFirehoseServiceRole政策AmazonSageMakerServiceCatalogProductsGlueServiceRole政策AmazonSageMakerServiceCatalogProductsLambdaServiceRole政策AWSService Catalog 政策更新

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

AWS SageMaker 项目管理策略和 JumpStart

这些AWS托管策略增加了使用内置 Amazon A SageMaker I 项目模板和 JumpStart 解决方案的权限。这些策略可在您的AWS账户中使用,并由从 SageMaker AI 控制台创建的执行角色使用。

SageMaker 项目并 JumpStart 使用 S AWS ervice Catalog 在客户账户中配置AWS资源。一些创建的资源需要代入执行角色。例如,如果 S AWS ervice Catalog 代表客户为 SageMaker 人工智能机器学习 CI/CD 项目创建 CodePipeline 管道,则该管道需要一个 IAM 角色。

AmazonSageMakerServiceCatalogProductsLaunchRole角色具有从 S AWS ervice Catalog 中启动 SageMaker AI 产品组合所需的权限。该AmazonSageMakerServiceCatalogProductsUseRole角色拥有使用 S AWS ervice Catalog 中的 SageMaker AI 产品组合所需的权限。该AmazonSageMakerServiceCatalogProductsLaunchRole角色将角色传递给预AmazonSageMakerServiceCatalogProductsUseRole配置的 S AWS ervice Catalog 产品资源。

AWS托管策略: AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy

该服务使用此服务角色策略来配置 Amazon A SageMaker I 产品组合中的产品。AWS Service Catalog该策略向一组相关AWS服务授予权限AWS CodePipeline,包括、AWS CodeBuild、AWS CodeCommitAWS CloudFormation、AWS Glue 等。

AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy策略旨在由从 SageMaker AI 控制台创建的AmazonSageMakerServiceCatalogProductsLaunchRole角色使用。该策略为客户账户添加了为 SageMaker 项目配置AWS资源和 JumpStart 使用 Service Catalog 的权限。

权限详细信息

该策略包含以下权限。

  • apigateway - 允许角色调用标有 sagemaker:launch-source 的 API Gateway 端点。

  • cloudformation— AWS Service Catalog 允许创建、更新和删除 CloudFormation 堆栈。还允许服务目录标记和取消标记资源。

  • codebuild— 允许由担任AWS Service Catalog并传递 CloudFormation 给的角色创建、更新和删除 CodeBuild 项目。

  • codecommit— 允许由担任AWS Service Catalog并传递 CloudFormation 给的角色创建、更新和删除 CodeCommit 存储库。

  • codepipeline— 允许由担任AWS Service Catalog并传递 CloudFormation 给的角色创建、更新和删除 CodePipelines。

  • codeconnectionscodestar-connections— 还允许角色传递AWS CodeConnections和AWS CodeStar连接。

  • cognito-idp - 允许角色创建、更新和删除组和用户池。也允许标记资源。

  • ecr— 允许由担任AWS Service Catalog并传递 CloudFormation 给的角色创建和删除 Amazon ECR 存储库。也允许标记资源。

  • events— 允许由担任AWS Service Catalog并传递 CloudFormation 给的角色创建和删除 EventBridge 规则。用于连接 CICD 管道的各个组件。

  • firehose:允许角色与 Firehose 流交互。

  • glue— 允许角色与之交互AWS Glue。

  • iam - 允许角色传递前缀为 AmazonSageMakerServiceCatalog 的角色。当 Projects 预置 AWS Service Catalog 产品时,需要该权限,因为需要将角色传递给 AWS Service Catalog。

  • lambda - 允许角色与 AWS Lambda 交互。也允许标记资源。

  • logs - 允许角色创建、删除和访问日志流。

  • s3— 允许由担任AWS Service Catalog并传递 CloudFormation 给的角色访问存储项目模板代码的 Amazon S3 存储桶。

  • sagemaker— 允许角色与各种 SageMaker AI 服务进行交互。这既可以在模板配置 CloudFormation 期间完成,也可以在CICD管道执行 CodeBuild 期间完成。也允许标记以下资源:端点、端点配置、模型、管道、项目和模型包。

  • states - 允许角色创建、删除和更新前缀为 sagemaker 的 Step Functions。

要查看此策略的权限,请参阅《AWS托管策略参考》ServiceCatalogProductsServiceRolePolicy中的 AmazonSageMakerAdmin-

AWS托管策略: AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy

亚马逊 API Gatew SageMaker ay 在亚马逊 AI 产品组合中的AWS Service Catalog预配置产品中使用此政策。该策略旨在附加到 IAM 角色,该角色将AmazonSageMakerServiceCatalogProductsLaunchRole传递给由 API Gateway 创建的需要角色的AWS资源。

权限详细信息

该策略包含以下权限。

  • lambda - 调用由合作伙伴模板创建的函数。

  • sagemaker - 调用由合作伙伴模板创建的端点。

JSON
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:*:*:function:sagemaker-*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        },
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "sagemaker:InvokeEndpoint",
      "Resource": "arn:aws:sagemaker:*:*:endpoint/*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        },
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}

AWS托管策略: AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy

此政策由 Amazon A SageMaker I 产品组合AWS CloudFormation中的AWS Service Catalog预配置产品使用。该策略旨在附加到一个 IAM 角色,该角色AmazonSageMakerServiceCatalogProductsLaunchRole传递给由CloudFormation该角色创建的AWS资源需要一个角色。

权限详细信息

该策略包含以下权限。

  • iam - 传递 AmazonSageMakerServiceCatalogProductsLambdaRoleAmazonSageMakerServiceCatalogProductsApiGatewayRole 角色。

  • lambda— 创建、更新、删除和调用AWS Lambda函数;检索、发布和删除 Lambda 层的版本。

  • apigateway - 创建、更新和删除 Amazon API Gateway 资源。

  • s3 - 从 Amazon Simple Storage Service (Amazon S3) 存储桶中检索 lambda-auth-code/layer.zip 文件。

JSON
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsLambdaRole"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "lambda.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsApiGatewayRole"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "apigateway.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:DeleteFunction",
        "lambda:UpdateFunctionCode",
        "lambda:ListTags",
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:sagemaker-*"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:TagResource"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:sagemaker-*"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        },
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "sagemaker:project-name",
            "sagemaker:partner"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:PublishLayerVersion",
        "lambda:GetLayerVersion",
        "lambda:DeleteLayerVersion",
        "lambda:GetFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:layer:sagemaker-*",
        "arn:aws:lambda:*:*:function:sagemaker-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:GET",
        "apigateway:DELETE",
        "apigateway:PATCH",
        "apigateway:POST",
        "apigateway:PUT"
      ],
      "Resource": [
        "arn:aws:apigateway:*::/restapis/*",
        "arn:aws:apigateway:*::/restapis"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:POST",
        "apigateway:PUT"
      ],
      "Resource": [
        "arn:aws:apigateway:*::/restapis",
        "arn:aws:apigateway:*::/tags/*"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:project-name": "false",
          "aws:ResourceTag/sagemaker:partner": "false"
        },
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "sagemaker:project-name",
            "sagemaker:partner"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::sagemaker-*/lambda-auth-code/layer.zip"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
显示更多显示更少

AWS托管策略: AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy

此政策由 Amazon A SageMaker I 产品组合AWS Lambda中的AWS Service Catalog预配置产品使用。该策略旨在附加到 IAM 角色,该角色将AmazonSageMakerServiceCatalogProductsLaunchRole传递给 Lambda 创建的需要角色的AWS资源。

权限详细信息

该策略包含以下权限。

  • secretsmanager - 从合作伙伴为合作伙伴模板提供的密钥中检索数据。

JSON
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:*:*:secret:*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/sagemaker:partner": false
        },
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
显示更多显示更少

AWS托管策略: AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy

亚马逊 API Gatew SageMaker ay 在亚马逊 AI 产品组合中的AWS Service Catalog预配置产品中使用此政策。该策略旨在附加到 IAM 角色,该角色将AmazonSageMakerServiceCatalogProductsLaunchRole传递给由 API Gateway 创建的需要角色的AWS资源。

权限详细信息

该策略包含以下权限。

  • logs— 创建和读取 CloudWatch 日志组、直播和事件;更新事件;描述各种资源。

    这些权限仅限于日志组前缀以“aws/apigateway/”开头的资源。

JSON
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:DescribeResourcePolicies",
        "logs:DescribeDestinations",
        "logs:DescribeExportTasks",
        "logs:DescribeMetricFilters",
        "logs:DescribeQueries",
        "logs:DescribeQueryDefinitions",
        "logs:DescribeSubscriptionFilters",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/apigateway/*"
    }
  ]
}

AWS托管策略: AmazonSageMakerServiceCatalogProductsCloudformationServiceRole策略

此政策由 Amazon A SageMaker I 产品组合AWS CloudFormation中的AWS Service Catalog预配置产品使用。该策略旨在附加到一个 IAM 角色,该角色AmazonSageMakerServiceCatalogProductsLaunchRole传递给由CloudFormation该角色创建的AWS资源需要一个角色。

权限详细信息

该策略包含以下权限。

  • sagemaker— 允许访问各种 SageMaker AI 资源,但域名、用户配置文件、应用程序和流程定义除外。

  • iam - 传递 AmazonSageMakerServiceCatalogProductsCodeBuildRoleAmazonSageMakerServiceCatalogProductsExecutionRole 角色。

JSON
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddAssociation",
        "sagemaker:AddTags",
        "sagemaker:AssociateTrialComponent",
        "sagemaker:BatchDescribeModelPackage",
        "sagemaker:BatchGetMetrics",
        "sagemaker:BatchGetRecord",
        "sagemaker:BatchPutMetrics",
        "sagemaker:CreateAction",
        "sagemaker:CreateAlgorithm",
        "sagemaker:CreateApp",
        "sagemaker:CreateAppImageConfig",
        "sagemaker:CreateArtifact",
        "sagemaker:CreateAutoMLJob",
        "sagemaker:CreateCodeRepository",
        "sagemaker:CreateCompilationJob",
        "sagemaker:CreateContext",
        "sagemaker:CreateDataQualityJobDefinition",
        "sagemaker:CreateDeviceFleet",
        "sagemaker:CreateDomain",
        "sagemaker:CreateEdgePackagingJob",
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:CreateExperiment",
        "sagemaker:CreateFeatureGroup",
        "sagemaker:CreateFlowDefinition",
        "sagemaker:CreateHumanTaskUi",
        "sagemaker:CreateHyperParameterTuningJob",
        "sagemaker:CreateImage",
        "sagemaker:CreateImageVersion",
        "sagemaker:CreateInferenceRecommendationsJob",
        "sagemaker:CreateLabelingJob",
        "sagemaker:CreateLineageGroupPolicy",
        "sagemaker:CreateModel",
        "sagemaker:CreateModelBiasJobDefinition",
        "sagemaker:CreateModelExplainabilityJobDefinition",
        "sagemaker:CreateModelPackage",
        "sagemaker:CreateModelPackageGroup",
        "sagemaker:CreateModelQualityJobDefinition",
        "sagemaker:CreateMonitoringSchedule",
        "sagemaker:CreateNotebookInstance",
        "sagemaker:CreateNotebookInstanceLifecycleConfig",
        "sagemaker:CreatePipeline",
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:CreatePresignedNotebookInstanceUrl",
        "sagemaker:CreateProcessingJob",
        "sagemaker:CreateProject",
        "sagemaker:CreateTrainingJob",
        "sagemaker:CreateTransformJob",
        "sagemaker:CreateTrial",
        "sagemaker:CreateTrialComponent",
        "sagemaker:CreateUserProfile",
        "sagemaker:CreateWorkforce",
        "sagemaker:CreateWorkteam",
        "sagemaker:DeleteAction",
        "sagemaker:DeleteAlgorithm",
        "sagemaker:DeleteApp",
        "sagemaker:DeleteAppImageConfig",
        "sagemaker:DeleteArtifact",
        "sagemaker:DeleteAssociation",
        "sagemaker:DeleteCodeRepository",
        "sagemaker:DeleteContext",
        "sagemaker:DeleteDataQualityJobDefinition",
        "sagemaker:DeleteDeviceFleet",
        "sagemaker:DeleteDomain",
        "sagemaker:DeleteEndpoint",
        "sagemaker:DeleteEndpointConfig",
        "sagemaker:DeleteExperiment",
        "sagemaker:DeleteFeatureGroup",
        "sagemaker:DeleteFlowDefinition",
        "sagemaker:DeleteHumanLoop",
        "sagemaker:DeleteHumanTaskUi",
        "sagemaker:DeleteImage",
        "sagemaker:DeleteImageVersion",
        "sagemaker:DeleteLineageGroupPolicy",
        "sagemaker:DeleteModel",
        "sagemaker:DeleteModelBiasJobDefinition",
        "sagemaker:DeleteModelExplainabilityJobDefinition",
        "sagemaker:DeleteModelPackage",
        "sagemaker:DeleteModelPackageGroup",
        "sagemaker:DeleteModelPackageGroupPolicy",
        "sagemaker:DeleteModelQualityJobDefinition",
        "sagemaker:DeleteMonitoringSchedule",
        "sagemaker:DeleteNotebookInstance",
        "sagemaker:DeleteNotebookInstanceLifecycleConfig",
        "sagemaker:DeletePipeline",
        "sagemaker:DeleteProject",
        "sagemaker:DeleteRecord",
        "sagemaker:DeleteTags",
        "sagemaker:DeleteTrial",
        "sagemaker:DeleteTrialComponent",
        "sagemaker:DeleteUserProfile",
        "sagemaker:DeleteWorkforce",
        "sagemaker:DeleteWorkteam",
        "sagemaker:DeregisterDevices",
        "sagemaker:DescribeAction",
        "sagemaker:DescribeAlgorithm",
        "sagemaker:DescribeApp",
        "sagemaker:DescribeAppImageConfig",
        "sagemaker:DescribeArtifact",
        "sagemaker:DescribeAutoMLJob",
        "sagemaker:DescribeCodeRepository",
        "sagemaker:DescribeCompilationJob",
        "sagemaker:DescribeContext",
        "sagemaker:DescribeDataQualityJobDefinition",
        "sagemaker:DescribeDevice",
        "sagemaker:DescribeDeviceFleet",
        "sagemaker:DescribeDomain",
        "sagemaker:DescribeEdgePackagingJob",
        "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:DescribeExperiment",
        "sagemaker:DescribeFeatureGroup",
        "sagemaker:DescribeFlowDefinition",
        "sagemaker:DescribeHumanLoop",
        "sagemaker:DescribeHumanTaskUi",
        "sagemaker:DescribeHyperParameterTuningJob",
        "sagemaker:DescribeImage",
        "sagemaker:DescribeImageVersion",
        "sagemaker:DescribeInferenceRecommendationsJob",
        "sagemaker:DescribeLabelingJob",
        "sagemaker:DescribeLineageGroup",
        "sagemaker:DescribeModel",
        "sagemaker:DescribeModelBiasJobDefinition",
        "sagemaker:DescribeModelExplainabilityJobDefinition",
        "sagemaker:DescribeModelPackage",
        "sagemaker:DescribeModelPackageGroup",
        "sagemaker:DescribeModelQualityJobDefinition",
        "sagemaker:DescribeMonitoringSchedule",
        "sagemaker:DescribeNotebookInstance",
        "sagemaker:DescribeNotebookInstanceLifecycleConfig",
        "sagemaker:DescribePipeline",
        "sagemaker:DescribePipelineDefinitionForExecution",
        "sagemaker:DescribePipelineExecution",
        "sagemaker:DescribeProcessingJob",
        "sagemaker:DescribeProject",
        "sagemaker:DescribeSubscribedWorkteam",
        "sagemaker:DescribeTrainingJob",
        "sagemaker:DescribeTransformJob",
        "sagemaker:DescribeTrial",
        "sagemaker:DescribeTrialComponent",
        "sagemaker:DescribeUserProfile",
        "sagemaker:DescribeWorkforce",
        "sagemaker:DescribeWorkteam",
        "sagemaker:DisableSagemakerServicecatalogPortfolio",
        "sagemaker:DisassociateTrialComponent",
        "sagemaker:EnableSagemakerServicecatalogPortfolio",
        "sagemaker:GetDeviceFleetReport",
        "sagemaker:GetDeviceRegistration",
        "sagemaker:GetLineageGroupPolicy",
        "sagemaker:GetModelPackageGroupPolicy",
        "sagemaker:GetRecord",
        "sagemaker:GetSagemakerServicecatalogPortfolioStatus",
        "sagemaker:GetSearchSuggestions",
        "sagemaker:InvokeEndpoint",
        "sagemaker:InvokeEndpointAsync",
        "sagemaker:ListActions",
        "sagemaker:ListAlgorithms",
        "sagemaker:ListAppImageConfigs",
        "sagemaker:ListApps",
        "sagemaker:ListArtifacts",
        "sagemaker:ListAssociations",
        "sagemaker:ListAutoMLJobs",
        "sagemaker:ListCandidatesForAutoMLJob",
        "sagemaker:ListCodeRepositories",
        "sagemaker:ListCompilationJobs",
        "sagemaker:ListContexts",
        "sagemaker:ListDataQualityJobDefinitions",
        "sagemaker:ListDeviceFleets",
        "sagemaker:ListDevices",
        "sagemaker:ListDomains",
        "sagemaker:ListEdgePackagingJobs",
        "sagemaker:ListEndpointConfigs",
        "sagemaker:ListEndpoints",
        "sagemaker:ListExperiments",
        "sagemaker:ListFeatureGroups",
        "sagemaker:ListFlowDefinitions",
        "sagemaker:ListHumanLoops",
        "sagemaker:ListHumanTaskUis",
        "sagemaker:ListHyperParameterTuningJobs",
        "sagemaker:ListImageVersions",
        "sagemaker:ListImages",
        "sagemaker:ListInferenceRecommendationsJobs",
        "sagemaker:ListLabelingJobs",
        "sagemaker:ListLabelingJobsForWorkteam",
        "sagemaker:ListLineageGroups",
        "sagemaker:ListModelBiasJobDefinitions",
        "sagemaker:ListModelExplainabilityJobDefinitions",
        "sagemaker:ListModelMetadata",
        "sagemaker:ListModelPackageGroups",
        "sagemaker:ListModelPackages",
        "sagemaker:ListModelQualityJobDefinitions",
        "sagemaker:ListModels",
        "sagemaker:ListMonitoringExecutions",
        "sagemaker:ListMonitoringSchedules",
        "sagemaker:ListNotebookInstanceLifecycleConfigs",
        "sagemaker:ListNotebookInstances",
        "sagemaker:ListPipelineExecutionSteps",
        "sagemaker:ListPipelineExecutions",
        "sagemaker:ListPipelineParametersForExecution",
        "sagemaker:ListPipelines",
        "sagemaker:ListProcessingJobs",
        "sagemaker:ListProjects",
        "sagemaker:ListSubscribedWorkteams",
        "sagemaker:ListTags",
        "sagemaker:ListTrainingJobs",
        "sagemaker:ListTrainingJobsForHyperParameterTuningJob",
        "sagemaker:ListTransformJobs",
        "sagemaker:ListTrialComponents",
        "sagemaker:ListTrials",
        "sagemaker:ListUserProfiles",
        "sagemaker:ListWorkforces",
        "sagemaker:ListWorkteams",
        "sagemaker:PutLineageGroupPolicy",
        "sagemaker:PutModelPackageGroupPolicy",
        "sagemaker:PutRecord",
        "sagemaker:QueryLineage",
        "sagemaker:RegisterDevices",
        "sagemaker:RenderUiTemplate",
        "sagemaker:Search",
        "sagemaker:SendHeartbeat",
        "sagemaker:SendPipelineExecutionStepFailure",
        "sagemaker:SendPipelineExecutionStepSuccess",
        "sagemaker:StartHumanLoop",
        "sagemaker:StartMonitoringSchedule",
        "sagemaker:StartNotebookInstance",
        "sagemaker:StartPipelineExecution",
        "sagemaker:StopAutoMLJob",
        "sagemaker:StopCompilationJob",
        "sagemaker:StopEdgePackagingJob",
        "sagemaker:StopHumanLoop",
        "sagemaker:StopHyperParameterTuningJob",
        "sagemaker:StopInferenceRecommendationsJob",
        "sagemaker:StopLabelingJob",
        "sagemaker:StopMonitoringSchedule",
        "sagemaker:StopNotebookInstance",
        "sagemaker:StopPipelineExecution",
        "sagemaker:StopProcessingJob",
        "sagemaker:StopTrainingJob",
        "sagemaker:StopTransformJob",
        "sagemaker:UpdateAction",
        "sagemaker:UpdateAppImageConfig",
        "sagemaker:UpdateArtifact",
        "sagemaker:UpdateCodeRepository",
        "sagemaker:UpdateContext",
        "sagemaker:UpdateDeviceFleet",
        "sagemaker:UpdateDevices",
        "sagemaker:UpdateDomain",
        "sagemaker:UpdateEndpoint",
        "sagemaker:UpdateEndpointWeightsAndCapacities",
        "sagemaker:UpdateExperiment",
        "sagemaker:UpdateImage",
        "sagemaker:UpdateModelPackage",
        "sagemaker:UpdateMonitoringSchedule",
        "sagemaker:UpdateNotebookInstance",
        "sagemaker:UpdateNotebookInstanceLifecycleConfig",
        "sagemaker:UpdatePipeline",
        "sagemaker:UpdatePipelineExecution",
        "sagemaker:UpdateProject",
        "sagemaker:UpdateTrainingJob",
        "sagemaker:UpdateTrial",
        "sagemaker:UpdateTrialComponent",
        "sagemaker:UpdateUserProfile",
        "sagemaker:UpdateWorkforce",
        "sagemaker:UpdateWorkteam"
      ],
      "NotResource": [
        "arn:aws:sagemaker:*:*:domain/*",
        "arn:aws:sagemaker:*:*:user-profile/*",
        "arn:aws:sagemaker:*:*:app/*",
        "arn:aws:sagemaker:*:*:flow-definition/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsCodeBuildRole",
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsExecutionRole"
      ]
    }
  ]
}
显示更多显示更少

AWS托管策略: AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy

此政策由 Amazon A SageMaker I 产品组合AWS CodeBuild中的AWS Service Catalog预配置产品使用。该策略旨在附加到一个 IAM 角色,该角色AmazonSageMakerServiceCatalogProductsLaunchRole传递给由 CodeBuild 该角色创建的AWS资源需要一个角色。

权限详细信息

该策略包含以下权限。

  • sagemaker— 允许访问各种 SageMaker AI 资源。

  • codecommit— 将 CodeCommit 档案上传到 CodeBuild 管道,获取上传状态并取消上传;获取分支和提交信息。这些权限仅限于名称以“sagemaker-”开头的资源。

  • ecr - 创建 Amazon ECR 存储库和容器映像;上传映像层。这些权限仅限于名称以“sagemaker-”开头的存储库。

    ecr - 阅读所有资源。

  • iam - 传递以下角色:

    • AmazonSageMakerServiceCatalogProductsCloudformationRole到AWS CloudFormation。

    • AmazonSageMakerServiceCatalogProductsCodeBuildRole到AWS CodeBuild。

    • AmazonSageMakerServiceCatalogProductsCodePipelineRole到AWS CodePipeline。

    • AmazonSageMakerServiceCatalogProductsEventsRole到亚马逊 EventBridge。

    • AmazonSageMakerServiceCatalogProductsExecutionRole到 Amazon SageMaker AI。

  • logs— 创建和读取 CloudWatch 日志组、直播和事件;更新事件;描述各种资源。

    这些权限仅限于名称前缀以“aws/codebuild/”开头的资源。

  • s3 - 创建、读取和列出 Amazon S3 存储桶。这些权限仅限于名称以“sagemaker-”开头的存储桶。

  • codeconnectionscodestar-connections— 使用AWS CodeConnections和AWS CodeStar连接。

要查看此策略的权限,请参阅AWS托管策略参考AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy中的。

AWS托管策略: AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy

此政策由 Amazon A SageMaker I 产品组合AWS CodePipeline中的AWS Service Catalog预配置产品使用。该策略旨在附加到一个 IAM 角色,该角色AmazonSageMakerServiceCatalogProductsLaunchRole传递给由 CodePipeline 该角色创建的AWS资源需要一个角色。

权限详细信息

该策略包含以下权限。

  • cloudformation— 创建、读取、删除和更新 CloudFormation堆栈;创建、读取、删除和执行更改集;设置堆栈策略;标记和取消标记资源。这些权限仅限于名称以“sagemaker-”开头的资源。

  • s3 - 创建、读取、列出和删除 Amazon S3 存储桶;在存储桶中添加、读取和删除对象;读取和设置 CORS 配置;读取访问控制列表 (ACL);以及读取存储桶所在的 AWS 区域。

    这些权限仅限于名称以“sagemaker-”或“aws-glue-”开头的存储桶。

  • iam - 传递 AmazonSageMakerServiceCatalogProductsCloudformationRole 角色。

  • codebuild— 获取 CodeBuild 构建信息并开始构建。这些权限仅限于名称以“sagemaker-”开头的项目和构建资源。

  • codecommit— 将 CodeCommit 档案上传到 CodeBuild 管道,获取上传状态并取消上传;获取分支和提交信息。

  • codeconnectionscodestar-connections— 使用AWS CodeConnections和AWS CodeStar连接。

要查看此策略的权限,请参阅AWS托管策略参考AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy中的。

AWS托管策略: AmazonSageMakerServiceCatalogProductsEventsServiceRole策略

亚马逊 EventBridge 在 Amazon A SageMaker I 产品组合中的AWS Service Catalog预配置产品中使用此政策。该策略旨在附加到一个 IAM 角色,该角色AmazonSageMakerServiceCatalogProductsLaunchRole传递给由 EventBridge 该角色创建的AWS资源需要一个角色。

权限详细信息

该策略包含以下权限。

  • codepipeline— 开始 CodeBuild 执行。这些权限仅限于名称以“sagemaker-”开头的管道。

JSON
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codepipeline:StartPipelineExecution",
      "Resource": "arn:aws:codepipeline:*:*:sagemaker-*"
    }
  ]
}

AWS托管策略: AmazonSageMakerServiceCatalogProductsFirehoseServiceRole策略

亚马逊 Data Firehose 在亚马逊 AI 产品组合中的AWS Service Catalog预配置产品中使用此政策。 SageMaker 该策略旨在附加到 IAM 角色,该角色将AmazonSageMakerServiceCatalogProductsLaunchRole传递给 Firehose 创建的需要角色的AWS资源。

权限详细信息

该策略包含以下权限。

  • firehose:发送 Firehose 记录。这些权限仅限于传输流名称以“sagemaker-”开头的资源。

JSON
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "firehose:PutRecord",
        "firehose:PutRecordBatch"
      ],
      "Resource": "arn:aws:firehose:*:*:deliverystream/sagemaker-*"
    }
  ]
}

AWS托管策略: AmazonSageMakerServiceCatalogProductsGlueServiceRole策略

AWSGlue 在 S AWS ervice Catalog 配置的亚马逊 SageMaker 人工智能产品组合中使用此政策。该策略旨在附加到 IAM 角色,该角色将AmazonSageMakerServiceCatalogProductsLaunchRole传递给 Glue 创建的需要角色的AWS资源。

权限详细信息

该策略包含以下权限。

  • glue— 创建、读取和删除 AWS Glue 分区、表和表版本。这些权限仅限于名称以“sagemaker-”开头的资源。创建和读取 AWS Glue 数据库。这些权限仅限于名称为“default”、“global_temp”或以“sagemaker-”开头的数据库。获取用户定义的函数。

  • s3 - 创建、读取、列出和删除 Amazon S3 存储桶;在存储桶中添加、读取和删除对象;读取和设置 CORS 配置;读取访问控制列表 (ACL);以及读取存储桶所在的 AWS 区域。

    这些权限仅限于名称以“sagemaker-”或“aws-glue-”开头的存储桶。

  • logs— 创建、读取和删除 CloudWatch 日志组、流和传输;并创建资源策略。

    这些权限仅限于名称前缀以“aws/glue/”开头的资源。

JSON
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:BatchCreatePartition",
        "glue:BatchDeletePartition",
        "glue:BatchDeleteTable",
        "glue:BatchDeleteTableVersion",
        "glue:BatchGetPartition",
        "glue:CreateDatabase",
        "glue:CreatePartition",
        "glue:CreateTable",
        "glue:DeletePartition",
        "glue:DeleteTable",
        "glue:DeleteTableVersion",
        "glue:GetDatabase",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetTableVersion",
        "glue:GetTableVersions",
        "glue:SearchTables",
        "glue:UpdatePartition",
        "glue:UpdateTable",
        "glue:GetUserDefinedFunctions"
      ],
      "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/default",
        "arn:aws:glue:*:*:database/global_temp",
        "arn:aws:glue:*:*:database/sagemaker-*",
        "arn:aws:glue:*:*:table/sagemaker-*",
        "arn:aws:glue:*:*:tableVersion/sagemaker-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:GetBucketAcl",
        "s3:GetBucketCors",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:PutBucketCors"
      ],
      "Resource": [
        "arn:aws:s3:::aws-glue-*",
        "arn:aws:s3:::sagemaker-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-glue-*",
        "arn:aws:s3:::sagemaker-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:Describe*",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/glue/*"
    }
  ]
}

AWS托管策略: AmazonSageMakerServiceCatalogProductsLambdaServiceRole策略

此政策由 Amazon A SageMaker I 产品组合AWS Lambda中的AWS Service Catalog预配置产品使用。该策略旨在附加到 IAM 角色,该角色将AmazonSageMakerServiceCatalogProductsLaunchRole传递给 Lambda 创建的需要角色的AWS资源。

权限详细信息

该策略包含以下权限。

  • sagemaker— 允许访问各种 SageMaker AI 资源。

  • ecr - 创建和删除 Amazon ECR 存储库;创建、读取和删除容器映像;上传映像层。这些权限仅限于名称以“sagemaker-”开头的存储库。

  • events— 创建、读取和删除 Amazon EventBridge 规则;以及创建和删除目标。这些权限仅限于名称以“sagemaker-”开头的规则。

  • s3 - 创建、读取、列出和删除 Amazon S3 存储桶;在存储桶中添加、读取和删除对象;读取和设置 CORS 配置;读取访问控制列表 (ACL);以及读取存储桶所在的 AWS 区域。

    这些权限仅限于名称以“sagemaker-”或“aws-glue-”开头的存储桶。

  • iam - 传递 AmazonSageMakerServiceCatalogProductsExecutionRole 角色。

  • logs— 创建、读取和删除 CloudWatch 日志组、流和传输;并创建资源策略。

    这些权限仅限于名称前缀以“aws/lambda/”开头的资源。

  • codebuild— 开始并获取有关AWS CodeBuild版本的信息。

JSON
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid" : "AmazonSageMakerLambdaECRPermission",
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeImages",
        "ecr:BatchDeleteImage",
        "ecr:CompleteLayerUpload",
        "ecr:CreateRepository",
        "ecr:DeleteRepository",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ],
      "Resource": [
        "arn:aws:ecr:*:*:repository/sagemaker-*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaEventBridgePermission",
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:DescribeRule",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets"
      ],
      "Resource": [
        "arn:aws:events:*:*:rule/sagemaker-*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaS3BucketPermission",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:GetBucketAcl",
        "s3:GetBucketCors",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:PutBucketCors"
      ],
      "Resource": [
        "arn:aws:s3:::aws-glue-*",
        "arn:aws:s3:::sagemaker-*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaS3ObjectPermission",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-glue-*",
        "arn:aws:s3:::sagemaker-*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaSageMakerPermission",
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddAssociation",
        "sagemaker:AddTags",
        "sagemaker:AssociateTrialComponent",
        "sagemaker:BatchDescribeModelPackage",
        "sagemaker:BatchGetMetrics",
        "sagemaker:BatchGetRecord",
        "sagemaker:BatchPutMetrics",
        "sagemaker:CreateAction",
        "sagemaker:CreateAlgorithm",
        "sagemaker:CreateApp",
        "sagemaker:CreateAppImageConfig",
        "sagemaker:CreateArtifact",
        "sagemaker:CreateAutoMLJob",
        "sagemaker:CreateCodeRepository",
        "sagemaker:CreateCompilationJob",
        "sagemaker:CreateContext",
        "sagemaker:CreateDataQualityJobDefinition",
        "sagemaker:CreateDeviceFleet",
        "sagemaker:CreateDomain",
        "sagemaker:CreateEdgePackagingJob",
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:CreateExperiment",
        "sagemaker:CreateFeatureGroup",
        "sagemaker:CreateFlowDefinition",
        "sagemaker:CreateHumanTaskUi",
        "sagemaker:CreateHyperParameterTuningJob",
        "sagemaker:CreateImage",
        "sagemaker:CreateImageVersion",
        "sagemaker:CreateInferenceRecommendationsJob",
        "sagemaker:CreateLabelingJob",
        "sagemaker:CreateLineageGroupPolicy",
        "sagemaker:CreateModel",
        "sagemaker:CreateModelBiasJobDefinition",
        "sagemaker:CreateModelExplainabilityJobDefinition",
        "sagemaker:CreateModelPackage",
        "sagemaker:CreateModelPackageGroup",
        "sagemaker:CreateModelQualityJobDefinition",
        "sagemaker:CreateMonitoringSchedule",
        "sagemaker:CreateNotebookInstance",
        "sagemaker:CreateNotebookInstanceLifecycleConfig",
        "sagemaker:CreatePipeline",
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:CreatePresignedNotebookInstanceUrl",
        "sagemaker:CreateProcessingJob",
        "sagemaker:CreateProject",
        "sagemaker:CreateTrainingJob",
        "sagemaker:CreateTransformJob",
        "sagemaker:CreateTrial",
        "sagemaker:CreateTrialComponent",
        "sagemaker:CreateUserProfile",
        "sagemaker:CreateWorkforce",
        "sagemaker:CreateWorkteam",
        "sagemaker:DeleteAction",
        "sagemaker:DeleteAlgorithm",
        "sagemaker:DeleteApp",
        "sagemaker:DeleteAppImageConfig",
        "sagemaker:DeleteArtifact",
        "sagemaker:DeleteAssociation",
        "sagemaker:DeleteCodeRepository",
        "sagemaker:DeleteContext",
        "sagemaker:DeleteDataQualityJobDefinition",
        "sagemaker:DeleteDeviceFleet",
        "sagemaker:DeleteDomain",
        "sagemaker:DeleteEndpoint",
        "sagemaker:DeleteEndpointConfig",
        "sagemaker:DeleteExperiment",
        "sagemaker:DeleteFeatureGroup",
        "sagemaker:DeleteFlowDefinition",
        "sagemaker:DeleteHumanLoop",
        "sagemaker:DeleteHumanTaskUi",
        "sagemaker:DeleteImage",
        "sagemaker:DeleteImageVersion",
        "sagemaker:DeleteLineageGroupPolicy",
        "sagemaker:DeleteModel",
        "sagemaker:DeleteModelBiasJobDefinition",
        "sagemaker:DeleteModelExplainabilityJobDefinition",
        "sagemaker:DeleteModelPackage",
        "sagemaker:DeleteModelPackageGroup",
        "sagemaker:DeleteModelPackageGroupPolicy",
        "sagemaker:DeleteModelQualityJobDefinition",
        "sagemaker:DeleteMonitoringSchedule",
        "sagemaker:DeleteNotebookInstance",
        "sagemaker:DeleteNotebookInstanceLifecycleConfig",
        "sagemaker:DeletePipeline",
        "sagemaker:DeleteProject",
        "sagemaker:DeleteRecord",
        "sagemaker:DeleteTags",
        "sagemaker:DeleteTrial",
        "sagemaker:DeleteTrialComponent",
        "sagemaker:DeleteUserProfile",
        "sagemaker:DeleteWorkforce",
        "sagemaker:DeleteWorkteam",
        "sagemaker:DeregisterDevices",
        "sagemaker:DescribeAction",
        "sagemaker:DescribeAlgorithm",
        "sagemaker:DescribeApp",
        "sagemaker:DescribeAppImageConfig",
        "sagemaker:DescribeArtifact",
        "sagemaker:DescribeAutoMLJob",
        "sagemaker:DescribeCodeRepository",
        "sagemaker:DescribeCompilationJob",
        "sagemaker:DescribeContext",
        "sagemaker:DescribeDataQualityJobDefinition",
        "sagemaker:DescribeDevice",
        "sagemaker:DescribeDeviceFleet",
        "sagemaker:DescribeDomain",
        "sagemaker:DescribeEdgePackagingJob",
        "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:DescribeExperiment",
        "sagemaker:DescribeFeatureGroup",
        "sagemaker:DescribeFlowDefinition",
        "sagemaker:DescribeHumanLoop",
        "sagemaker:DescribeHumanTaskUi",
        "sagemaker:DescribeHyperParameterTuningJob",
        "sagemaker:DescribeImage",
        "sagemaker:DescribeImageVersion",
        "sagemaker:DescribeInferenceRecommendationsJob",
        "sagemaker:DescribeLabelingJob",
        "sagemaker:DescribeLineageGroup",
        "sagemaker:DescribeModel",
        "sagemaker:DescribeModelBiasJobDefinition",
        "sagemaker:DescribeModelExplainabilityJobDefinition",
        "sagemaker:DescribeModelPackage",
        "sagemaker:DescribeModelPackageGroup",
        "sagemaker:DescribeModelQualityJobDefinition",
        "sagemaker:DescribeMonitoringSchedule",
        "sagemaker:DescribeNotebookInstance",
        "sagemaker:DescribeNotebookInstanceLifecycleConfig",
        "sagemaker:DescribePipeline",
        "sagemaker:DescribePipelineDefinitionForExecution",
        "sagemaker:DescribePipelineExecution",
        "sagemaker:DescribeProcessingJob",
        "sagemaker:DescribeProject",
        "sagemaker:DescribeSubscribedWorkteam",
        "sagemaker:DescribeTrainingJob",
        "sagemaker:DescribeTransformJob",
        "sagemaker:DescribeTrial",
        "sagemaker:DescribeTrialComponent",
        "sagemaker:DescribeUserProfile",
        "sagemaker:DescribeWorkforce",
        "sagemaker:DescribeWorkteam",
        "sagemaker:DisableSagemakerServicecatalogPortfolio",
        "sagemaker:DisassociateTrialComponent",
        "sagemaker:EnableSagemakerServicecatalogPortfolio",
        "sagemaker:GetDeviceFleetReport",
        "sagemaker:GetDeviceRegistration",
        "sagemaker:GetLineageGroupPolicy",
        "sagemaker:GetModelPackageGroupPolicy",
        "sagemaker:GetRecord",
        "sagemaker:GetSagemakerServicecatalogPortfolioStatus",
        "sagemaker:GetSearchSuggestions",
        "sagemaker:InvokeEndpoint",
        "sagemaker:InvokeEndpointAsync",
        "sagemaker:ListActions",
        "sagemaker:ListAlgorithms",
        "sagemaker:ListAppImageConfigs",
        "sagemaker:ListApps",
        "sagemaker:ListArtifacts",
        "sagemaker:ListAssociations",
        "sagemaker:ListAutoMLJobs",
        "sagemaker:ListCandidatesForAutoMLJob",
        "sagemaker:ListCodeRepositories",
        "sagemaker:ListCompilationJobs",
        "sagemaker:ListContexts",
        "sagemaker:ListDataQualityJobDefinitions",
        "sagemaker:ListDeviceFleets",
        "sagemaker:ListDevices",
        "sagemaker:ListDomains",
        "sagemaker:ListEdgePackagingJobs",
        "sagemaker:ListEndpointConfigs",
        "sagemaker:ListEndpoints",
        "sagemaker:ListExperiments",
        "sagemaker:ListFeatureGroups",
        "sagemaker:ListFlowDefinitions",
        "sagemaker:ListHumanLoops",
        "sagemaker:ListHumanTaskUis",
        "sagemaker:ListHyperParameterTuningJobs",
        "sagemaker:ListImageVersions",
        "sagemaker:ListImages",
        "sagemaker:ListInferenceRecommendationsJobs",
        "sagemaker:ListLabelingJobs",
        "sagemaker:ListLabelingJobsForWorkteam",
        "sagemaker:ListLineageGroups",
        "sagemaker:ListModelBiasJobDefinitions",
        "sagemaker:ListModelExplainabilityJobDefinitions",
        "sagemaker:ListModelMetadata",
        "sagemaker:ListModelPackageGroups",
        "sagemaker:ListModelPackages",
        "sagemaker:ListModelQualityJobDefinitions",
        "sagemaker:ListModels",
        "sagemaker:ListMonitoringExecutions",
        "sagemaker:ListMonitoringSchedules",
        "sagemaker:ListNotebookInstanceLifecycleConfigs",
        "sagemaker:ListNotebookInstances",
        "sagemaker:ListPipelineExecutionSteps",
        "sagemaker:ListPipelineExecutions",
        "sagemaker:ListPipelineParametersForExecution",
        "sagemaker:ListPipelines",
        "sagemaker:ListProcessingJobs",
        "sagemaker:ListProjects",
        "sagemaker:ListSubscribedWorkteams",
        "sagemaker:ListTags",
        "sagemaker:ListTrainingJobs",
        "sagemaker:ListTrainingJobsForHyperParameterTuningJob",
        "sagemaker:ListTransformJobs",
        "sagemaker:ListTrialComponents",
        "sagemaker:ListTrials",
        "sagemaker:ListUserProfiles",
        "sagemaker:ListWorkforces",
        "sagemaker:ListWorkteams",
        "sagemaker:PutLineageGroupPolicy",
        "sagemaker:PutModelPackageGroupPolicy",
        "sagemaker:PutRecord",
        "sagemaker:QueryLineage",
        "sagemaker:RegisterDevices",
        "sagemaker:RenderUiTemplate",
        "sagemaker:Search",
        "sagemaker:SendHeartbeat",
        "sagemaker:SendPipelineExecutionStepFailure",
        "sagemaker:SendPipelineExecutionStepSuccess",
        "sagemaker:StartHumanLoop",
        "sagemaker:StartMonitoringSchedule",
        "sagemaker:StartNotebookInstance",
        "sagemaker:StartPipelineExecution",
        "sagemaker:StopAutoMLJob",
        "sagemaker:StopCompilationJob",
        "sagemaker:StopEdgePackagingJob",
        "sagemaker:StopHumanLoop",
        "sagemaker:StopHyperParameterTuningJob",
        "sagemaker:StopInferenceRecommendationsJob",
        "sagemaker:StopLabelingJob",
        "sagemaker:StopMonitoringSchedule",
        "sagemaker:StopNotebookInstance",
        "sagemaker:StopPipelineExecution",
        "sagemaker:StopProcessingJob",
        "sagemaker:StopTrainingJob",
        "sagemaker:StopTransformJob",
        "sagemaker:UpdateAction",
        "sagemaker:UpdateAppImageConfig",
        "sagemaker:UpdateArtifact",
        "sagemaker:UpdateCodeRepository",
        "sagemaker:UpdateContext",
        "sagemaker:UpdateDeviceFleet",
        "sagemaker:UpdateDevices",
        "sagemaker:UpdateDomain",
        "sagemaker:UpdateEndpoint",
        "sagemaker:UpdateEndpointWeightsAndCapacities",
        "sagemaker:UpdateExperiment",
        "sagemaker:UpdateImage",
        "sagemaker:UpdateModelPackage",
        "sagemaker:UpdateMonitoringSchedule",
        "sagemaker:UpdateNotebookInstance",
        "sagemaker:UpdateNotebookInstanceLifecycleConfig",
        "sagemaker:UpdatePipeline",
        "sagemaker:UpdatePipelineExecution",
        "sagemaker:UpdateProject",
        "sagemaker:UpdateTrainingJob",
        "sagemaker:UpdateTrial",
        "sagemaker:UpdateTrialComponent",
        "sagemaker:UpdateUserProfile",
        "sagemaker:UpdateWorkforce",
        "sagemaker:UpdateWorkteam"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:action/*",
        "arn:aws:sagemaker:*:*:algorithm/*",
        "arn:aws:sagemaker:*:*:app-image-config/*",
        "arn:aws:sagemaker:*:*:artifact/*",
        "arn:aws:sagemaker:*:*:automl-job/*",
        "arn:aws:sagemaker:*:*:code-repository/*",
        "arn:aws:sagemaker:*:*:compilation-job/*",
        "arn:aws:sagemaker:*:*:context/*",
        "arn:aws:sagemaker:*:*:data-quality-job-definition/*",
        "arn:aws:sagemaker:*:*:device-fleet/*/device/*",
        "arn:aws:sagemaker:*:*:device-fleet/*",
        "arn:aws:sagemaker:*:*:edge-packaging-job/*",
        "arn:aws:sagemaker:*:*:endpoint/*",
        "arn:aws:sagemaker:*:*:endpoint-config/*",
        "arn:aws:sagemaker:*:*:experiment/*",
        "arn:aws:sagemaker:*:*:experiment-trial/*",
        "arn:aws:sagemaker:*:*:experiment-trial-component/*",
        "arn:aws:sagemaker:*:*:feature-group/*",
        "arn:aws:sagemaker:*:*:human-loop/*",
        "arn:aws:sagemaker:*:*:human-task-ui/*",
        "arn:aws:sagemaker:*:*:hyper-parameter-tuning-job/*",
        "arn:aws:sagemaker:*:*:image/*",
        "arn:aws:sagemaker:*:*:image-version/*/*",
        "arn:aws:sagemaker:*:*:inference-recommendations-job/*",
        "arn:aws:sagemaker:*:*:labeling-job/*",
        "arn:aws:sagemaker:*:*:model/*",
        "arn:aws:sagemaker:*:*:model-bias-job-definition/*",
        "arn:aws:sagemaker:*:*:model-explainability-job-definition/*",
        "arn:aws:sagemaker:*:*:model-package/*",
        "arn:aws:sagemaker:*:*:model-package-group/*",
        "arn:aws:sagemaker:*:*:model-quality-job-definition/*",
        "arn:aws:sagemaker:*:*:monitoring-schedule/*",
        "arn:aws:sagemaker:*:*:notebook-instance/*",
        "arn:aws:sagemaker:*:*:notebook-instance-lifecycle-config/*",
        "arn:aws:sagemaker:*:*:pipeline/*",
        "arn:aws:sagemaker:*:*:pipeline/*/execution/*",
        "arn:aws:sagemaker:*:*:processing-job/*",
        "arn:aws:sagemaker:*:*:project/*",
        "arn:aws:sagemaker:*:*:training-job/*",
        "arn:aws:sagemaker:*:*:transform-job/*",
        "arn:aws:sagemaker:*:*:workforce/*",
        "arn:aws:sagemaker:*:*:workteam/*"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaPassRolePermission",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AmazonSageMakerServiceCatalogProductsExecutionRole"
      ]
    },
    {
      "Sid" : "AmazonSageMakerLambdaLogPermission",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:DescribeResourcePolicies",
        "logs:DescribeDestinations",
        "logs:DescribeExportTasks",
        "logs:DescribeMetricFilters",
        "logs:DescribeQueries",
        "logs:DescribeQueryDefinitions",
        "logs:DescribeSubscriptionFilters",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*"
    },
    {
      "Sid" : "AmazonSageMakerLambdaCodeBuildPermission",
      "Effect": "Allow",
      "Action": [
        "codebuild:StartBuild",
        "codebuild:BatchGetBuilds"
      ],
      "Resource": "arn:aws:codebuild:*:*:project/sagemaker-*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/sagemaker:project-name": "*"
        }
      }
    }
  ]
}
显示更多显示更少

Amazon SageMaker AI 更新了 S AWS ervice Catalog AWS 托管策略

查看自该服务开始跟踪这些更改以来,Amazon SageMaker AI AWS 托管策略更新的详细信息。

Policy 版本 更改 日期

AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy:更新策略

 10

更新codestar-connections:PassConnectioncodeconnections:PassConnection权限。

 2025年9月27日

AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy:更新策略

 3

更新codestar-connections:UseConnectioncodeconnections:UseConnection权限。

 2025年9月27日

AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy:更新策略

 3

更新codestar-connections:UseConnectioncodeconnections:UseConnection权限。

 2025年9月27日

AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy:更新策略

 9

添加 cloudformation:TagResourcecloudformation:UntagResourcecodeconnections:PassConnection 权限。

 2024 年 7 月 1 日

AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy -更新政策

 7

将策略回滚到版本 7 (v7)。删除 cloudformation:TagResourcecloudformation:UntagResourcecodeconnections:PassConnection 权限。

 2024 年 6 月 12 日

AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy -更新政策

 8

添加 cloudformation:TagResourcecloudformation:UntagResourcecodeconnections:PassConnection 权限。

 2024 年 6 月 11 日

AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy:更新策略

 2

添加 codestar-connections:UseConnectioncodeconnections:UseConnection 权限。

 2024 年 6 月 11 日

AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy:更新策略

 2

添加 cloudformation:TagResourcecloudformation:UntagResourcecodestar-connections:UseConnectioncodeconnections:UseConnection 权限。

 2024 年 6 月 11 日

AmazonSageMakerServiceCatalogProductsLambdaServiceRole政策:更新策略

 2

添加 codebuild:StartBuildcodebuild:BatchGetBuilds 权限。

 2024 年 6 月 11 日

AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy

 1

初始策略

 2023 年 8 月 1 日

AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy

 1

初始策略

 2023 年 8 月 1 日

AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy

 1

初始策略

 2023 年 8 月 1 日

AmazonSageMakerServiceCatalogProductsGlueServiceRole政策:更新策略

 2

glue:GetUserDefinedFunctions 添加权限。

 2022 年 8 月 26 日

AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy -更新政策

 7

sagemaker:AddTags 添加权限。

 2022 年 8 月 2 日
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy -更新政策 6

lambda:TagResource 添加权限。

 2022 年 7 月 14 日

AmazonSageMakerServiceCatalogProductsLambdaServiceRole政策

 1

初始策略

 2022 年 4 月 22 日

AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy

 1

初始策略

 2022 年 3 月 24 日

AmazonSageMakerServiceCatalogProductsCloudformationServiceRole政策

 1

初始策略

 2022 年 3 月 24 日

AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy

 1

初始策略

 2022 年 3 月 24 日
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy -更新政策 5

ecr-idp:TagResource 添加权限。

 2022 年 3 月 21 日

AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy

 1

初始策略

 2022 年 2 月 22 日

AmazonSageMakerServiceCatalogProductsEventsServiceRole政策

 1

初始策略

 2022 年 2 月 22 日

AmazonSageMakerServiceCatalogProductsFirehoseServiceRole政策

 1

初始策略

 2022 年 2 月 22 日
AmazonSageMakerServiceCatalogProductsGlueServiceRole政策 1

初始策略

 2022 年 2 月 22 日
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy -更新政策 4

cognito-idp:TagResources3:PutBucketCORS 添加权限。

 2022 年 2 月 16 日
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy -更新政策 3

sagemaker 添加新权限。

创建、读取、更新和删除 SageMaker 图片。

 2021 年 9 月 15 日
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy -更新政策 2

sagemakercodestar-connections 添加权限。

创建、读取、更新和删除代码存储库。

将AWS CodeStar连接传递给AWS CodePipeline。

 2021 年 7 月 1 日
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy 1

初始策略

 2020 年 11 月 27 日