IAM role setup
The CloudFormation stack in the setup instructions configures the IAM role for you automatically. If you prefer to do it by hand, follow the instructions below:
IAM role setup for the MCP server
Upcoming change, effective May 29, 2026
After May 29, 2026, the sagemaker-unified-studio-mcp permissions shown below are no longer required. Authorization will instead happen at the AWS service level, using your existing IAM policies. If you use these permissions to deny access, see Upcoming permission changes (May 29, 2026) and update your policies before that date.
To access the SMUS managed MCP server, you need an IAM role with the following inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUseSagemakerUnifiedStudioMcpServer",
      "Effect": "Allow",
      "Action": [
        "sagemaker-unified-studio-mcp:InvokeMcp",
        "sagemaker-unified-studio-mcp:CallReadOnlyTool",
        "sagemaker-unified-studio-mcp:CallPrivilegedTool"
      ],
      "Resource": ["*"]
    }
  ]
}
In the steps that follow, we create a profile for this role. Whichever account assumes the role to obtain credentials must be added to its trust (assume-role) policy. Note that arn:aws:iam::<accountId>:root names the whole account: any principal in that account whose own IAM policy allows sts:AssumeRole on this role can then assume it. If only one role or user should be able to use the MCP server, name that principal's ARN instead of :root.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccountToAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<accountId>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Additional permissions by deployment mode (EMR-EC2 / EMR Serverless / Glue)
Several statements below use Resource "*". Where your deployment allows it, scope the S3, iam:PassRole and log-group statements to your own log buckets, job roles and log groups.
EMR-EC2 applications
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EMREC2ReadAccess",
      "Effect": "Allow",
      "Action": [
        "elasticmapreduce:DescribeCluster",
        "elasticmapreduce:DescribeStep",
        "elasticmapreduce:ListSteps",
        "elasticmapreduce:ListClusters",
        "elasticmapreduce:DescribeJobFlows"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "EMRS3LogAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EMRPersistentApp",
      "Effect": "Allow",
      "Action": [
        "elasticmapreduce:CreatePersistentAppUI",
        "elasticmapreduce:DescribePersistentAppUI",
        "elasticmapreduce:GetPersistentAppUIPresignedURL"
      ],
      "Resource": ["*"]
    }
  ]
}
Glue jobs
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GlueReadAccess",
      "Effect": "Allow",
      "Action": [
        "glue:GetJob",
        "glue:GetJobRun",
        "glue:GetJobRuns",
        "glue:GetJobs",
        "glue:BatchGetJobs"
      ],
      "Resource": ["arn:aws:glue:*:<account id>:job/*"]
    },
    {
      "Sid": "GlueCloudWatchLogsAccess",
      "Effect": "Allow",
      "Action": [
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": ["arn:aws:logs:*:<account id>:log-group:/aws/glue/*"]
    },
    {
      "Sid": "GlueSparkWebUI",
      "Effect": "Allow",
      "Action": [
        "glue:RequestLogParsing",
        "glue:GetLogParsingStatus",
        "glue:GetEnvironment",
        "glue:GetStage",
        "glue:GetStages",
        "glue:GetStageFiles",
        "glue:BatchGetStageFiles",
        "glue:GetStageAttempt",
        "glue:GetStageAttemptTaskList",
        "glue:GetStageAttemptTaskSummary",
        "glue:GetExecutors",
        "glue:GetExecutorsThreads",
        "glue:GetStorage",
        "glue:GetStorageUnit",
        "glue:GetQueries",
        "glue:GetQuery",
        "glue:GetDashboardUrl"
      ],
      "Resource": ["arn:aws:glue:*:<account id>:job/*"]
    },
    {
      "Sid": "GluePassRoleAccess",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "glue.amazonaws.com"
        }
      }
    }
  ]
}
EMR Serverless applications
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EMRServerlessReadAccess",
      "Effect": "Allow",
      "Action": [
        "emr-serverless:GetJobRun",
        "emr-serverless:GetApplication",
        "emr-serverless:ListApplications",
        "emr-serverless:ListJobRuns",
        "emr-serverless:ListJobRunAttempts",
        "emr-serverless:GetDashboardForJobRun",
        "emr-serverless:ListTagsForResource"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "EMRServerlessCloudWatchLogsAccess",
      "Effect": "Allow",
      "Action": [
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": ["arn:aws:logs:*:<account id>:log-group:/aws/emr-serverless/*"]
    },
    {
      "Sid": "EMRServerlessS3LogsAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": "*"
    }
  ]
}
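The EMR-EC2, EMR Serverless and Glue policies above grant s3:GetObject, s3:ListBucket and iam:PassRole on Resource "*". The script below is added here as an example; it is not AWS code and is not part of the SMUS setup stack. It flags such statements and rewrites them to a specific log bucket and job role. The bucket name, prefix and role ARN are placeholders to replace with your own. It also shows why the S3 statement has to be split in two: s3:ListBucket is authorized against the bucket ARN (with the s3:prefix condition key limiting what can be listed), while s3:GetObject is authorized against object ARNs, and s3:prefix is not present in GetObject requests.

```python
"""Flag and tighten Resource "*" statements in the deployment-mode policies.

Added example; not AWS code. The sample statements are copied from the
EMR-EC2 and Glue policies on this page. Bucket, prefix and role names
are constructed placeholders.
"""
import copy
import json

# Actions granted on this page for which Resource "*" is far wider than
# log reading or job submission needs (constructed list for this check).
SCOPEABLE = {"s3:GetObject", "s3:ListBucket", "iam:PassRole"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy):
    """Return the Sids of Allow statements that pair a scopeable action with Resource "*"."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        if SCOPEABLE & set(_as_list(stmt["Action"])):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def scope_s3_log_access(stmt, bucket, prefix):
    """Split an S3 log-reading statement into two scoped statements.

    s3:ListBucket is authorized against the bucket ARN, and the s3:prefix
    condition key limits which keys may be listed; s3:GetObject is authorized
    against object ARNs. One statement cannot carry both with a prefix
    condition, because s3:prefix is absent from GetObject requests.
    """
    if not set(_as_list(stmt["Action"])) <= {"s3:GetObject", "s3:ListBucket"}:
        raise ValueError("only s3:GetObject/s3:ListBucket statements are handled")
    sid = stmt.get("Sid", "S3LogAccess")
    list_stmt = {
        "Sid": sid + "List",
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": f"arn:aws:s3:::{bucket}",
        "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
    }
    get_stmt = {
        "Sid": sid + "Get",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
    }
    return [list_stmt, get_stmt]


def scope_pass_role(stmt, role_arn):
    """Limit iam:PassRole to one job role; the iam:PassedToService condition stays."""
    out = copy.deepcopy(stmt)
    out["Resource"] = role_arn
    return out


# Statements as they appear in the EMR-EC2 and Glue policies above.
EMR_READ = {"Sid": "EMREC2ReadAccess", "Effect": "Allow",
            "Action": ["elasticmapreduce:DescribeCluster", "elasticmapreduce:ListClusters"],
            "Resource": ["*"]}
EMR_S3_LOG = {"Sid": "EMRS3LogAccess", "Effect": "Allow",
              "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}
GLUE_PASS_ROLE = {"Sid": "GluePassRoleAccess", "Effect": "Allow", "Action": "iam:PassRole",
                  "Resource": "*",
                  "Condition": {"StringLike": {"iam:PassedToService": "glue.amazonaws.com"}}}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [EMR_READ, EMR_S3_LOG, GLUE_PASS_ROLE]}


def tightened_policy(bucket="example-emr-logs", prefix="logs/",
                     role_arn="arn:aws:iam::111122223333:role/example-glue-job-role"):
    """Rebuild SAMPLE_POLICY with the over-broad statements scoped (placeholder names)."""
    statements = []
    for stmt in SAMPLE_POLICY["Statement"]:
        if stmt["Sid"] == "EMRS3LogAccess":
            statements.extend(scope_s3_log_access(stmt, bucket, prefix))
        elif stmt["Sid"] == "GluePassRoleAccess":
            statements.append(scope_pass_role(stmt, role_arn))
        else:
            statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print("over-broad:", overbroad_statements(SAMPLE_POLICY))
    print(json.dumps(tightened_policy(), indent=2))
```

The EMR read statement is left alone because the check only looks at the three actions where "*" is clearly wider than the task; run overbroad_statements against the tightened output to confirm nothing from that set remains on "*".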
KMS permissions for CloudWatch Logs
If your CloudWatch Logs log groups are encrypted with a customer managed key (CMK), add the following statement to the role's policy so that the service can read the EMR Serverless application logs. This is a single statement, not a complete policy document.
{
  "Effect": "Allow",
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey"
  ],
  "Resource": "arn:aws:kms:<region>:<account-id>:key/<cw-logs-cmk-id>"
}
Upcoming permission changes (May 29, 2026)
Starting May 29, 2026, the SMUS MCP server will no longer require separate IAM permissions to authorize MCP server operations. Instead, authorization will happen at the AWS service level using your existing IAM roles and policies.
Two condition keys are added automatically to every request made through the SMUS MCP server:
aws:ViaAWSMCPService: set to true for any request made through an AWS managed MCP server.
aws:CalledViaAWSMCP: set to the MCP server's service principal (for example, sagemaker-unified-studio-mcp.amazonaws.com).
If you currently use the sagemaker-unified-studio-mcp permissions to deny access to the SMUS MCP server, or you do not want to allow any action initiated by an AWS managed MCP server in your account, you must update your policies before May 29, 2026. Use the new condition keys instead.
Deny all operations made through any AWS managed MCP server:
{
  "Effect": "Deny",
  "Action": "*",
  "Resource": "*",
  "Condition": {
    "Bool": {
      "aws:ViaAWSMCPService": "true"
    }
  }
}
Deny specific operations made through a specific AWS managed MCP server:
{
  "Effect": "Deny",
  "Action": ["glue:GetJobRun", "glue:StartJobRun"],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:CalledViaAWSMCP": "sagemaker-unified-studio-mcp.amazonaws.com"
    }
  }
}
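To see how the two condition keys change the outcome of the migration described above, here is a small evaluator, added as an example. It is not AWS code and models only action and resource wildcards, the Bool and StringEquals operators, and the rule that an explicit Deny overrides any Allow. It runs the two Deny statements above against a glue:GetJobRun request made through the SMUS MCP server and the same request made directly; the account ID, job name and the second MCP server principal are constructed placeholders. The two points worth checking: a Deny on sagemaker-unified-studio-mcp:* no longer matches once the server calls Glue under the role's own permissions, and a Bool condition on aws:ViaAWSMCPService never matches a request that lacks the key, so direct console or CLI calls are unaffected.

```python
"""Evaluate the page's Deny statements against requests made via the SMUS MCP server.

Added example; not AWS code. Models only action/resource wildcards, the
Bool and StringEquals condition operators, and the rule that an explicit
Deny overrides any Allow. Account ID, job name and the second MCP server
principal are constructed placeholders.
"""
from fnmatch import fnmatchcase

SMUS_MCP_PRINCIPAL = "sagemaker-unified-studio-mcp.amazonaws.com"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM action and resource patterns are case-insensitive globs using * and ?."""
    return fnmatchcase(value.lower(), pattern.lower())


def _condition_holds(condition, context):
    """All operator/key pairs must hold. A key missing from the request context
    never matches (the ...IfExists variants are not modelled)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual = str(context[key])
            if operator == "Bool":
                if actual.lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in [str(v) for v in _as_list(expected)]:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policies, action, resource, context):
    """Return "Deny", "Allow" or "ImplicitDeny" for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if not any(_matches(p, resource) for p in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends evaluation
            decision = "Allow"
    return decision


# The role's Glue read permissions, as in the Glue policy on this page.
GLUE_READ = {"Version": "2012-10-17", "Statement": [{
    "Sid": "GlueReadAccess", "Effect": "Allow",
    "Action": ["glue:GetJob", "glue:GetJobRun", "glue:GetJobRuns"],
    "Resource": ["arn:aws:glue:*:111122223333:job/*"]}]}

# Pre-change style deny: only blocks the MCP-specific actions.
OLD_DENY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "sagemaker-unified-studio-mcp:*", "Resource": "*"}]}

# The two Deny statements from this page, wrapped as policy documents.
DENY_ALL_VIA_MCP = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"Bool": {"aws:ViaAWSMCPService": "true"}}}]}
DENY_GLUE_VIA_SMUS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": ["glue:GetJobRun", "glue:StartJobRun"], "Resource": "*",
    "Condition": {"StringEquals": {"aws:CalledViaAWSMCP": SMUS_MCP_PRINCIPAL}}}]}

JOB_ARN = "arn:aws:glue:us-east-1:111122223333:job/nightly-etl"  # placeholder

# Request contexts: the MCP server adds both keys; a direct CLI call carries neither.
VIA_SMUS = {"aws:ViaAWSMCPService": "true", "aws:CalledViaAWSMCP": SMUS_MCP_PRINCIPAL}
VIA_OTHER_MCP = {"aws:ViaAWSMCPService": "true",
                 "aws:CalledViaAWSMCP": "other-mcp.amazonaws.com"}  # placeholder principal
DIRECT = {}


def with_old_deny():
    """After the change the server calls glue:GetJobRun under the role's own
    policy, so a Deny on sagemaker-unified-studio-mcp:* no longer applies."""
    return evaluate([GLUE_READ, OLD_DENY], "glue:GetJobRun", JOB_ARN, VIA_SMUS)


def with_deny_all_via_mcp():
    """The Bool deny stops the MCP call but not the same call made directly."""
    return (evaluate([GLUE_READ, DENY_ALL_VIA_MCP], "glue:GetJobRun", JOB_ARN, VIA_SMUS),
            evaluate([GLUE_READ, DENY_ALL_VIA_MCP], "glue:GetJobRun", JOB_ARN, DIRECT))


def with_targeted_deny():
    """The StringEquals deny hits only the named server and only the listed actions."""
    return (evaluate([GLUE_READ, DENY_GLUE_VIA_SMUS], "glue:GetJobRun", JOB_ARN, VIA_SMUS),
            evaluate([GLUE_READ, DENY_GLUE_VIA_SMUS], "glue:GetJobRun", JOB_ARN, VIA_OTHER_MCP),
            evaluate([GLUE_READ, DENY_GLUE_VIA_SMUS], "glue:GetJob", JOB_ARN, VIA_SMUS))


if __name__ == "__main__":
    print("old-style deny, via SMUS MCP:", with_old_deny())
    print("deny all via MCP (via MCP, direct):", with_deny_all_via_mcp())
    print("targeted deny (SMUS, other server, other action):", with_targeted_deny())
```

Before the cut-over date, run your own Deny statements through a check like this (or the IAM policy simulator) with and without the two keys in the request context, so that a policy meant to block MCP-initiated actions does not silently start allowing them on May 29, 2026.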
For more information about condition keys, see AWS global condition context keys in the IAM User Guide.