Actions, Resources, and Condition Keys for Amazon SageMaker

Amazon SageMaker (service prefix: sagemaker) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions Defined by Amazon SageMaker
Resources Defined by Amazon SageMaker
Condition Keys for Amazon SageMaker

Actions Defined by Amazon SageMaker

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The Actions Table.

Actions	Description	Access Level	Resource Types (*required)	Condition Keys	Dependent Actions
AddTags	Adds or overwrites one or more tags for the specified Amazon SageMaker resource.	Tagging	app
			automl-job
			domain
			endpoint
			endpoint-config
			experiment
			experiment-trial
			experiment-trial-component
			flow-definition
			human-task-ui
			hyper-parameter-tuning-job
			labeling-job
			model
			monitoring-schedule
			notebook-instance
			processing-job
			training-job
			transform-job
			user-profile
			workteam
				aws:RequestTag/${TagKey} aws:TagKeys
AssociateTrialComponent	Associate a trial component with a trial.	Write	experiment-trial*
AssociateTrialComponent	Associate a trial component with a trial.	Write	experiment-trial-component*
BatchGetMetrics [permission only]	Retrieve metrics associated with SageMaker Resources such as Training Jobs. This API is not publicly exposed at this point, however admins can control this action	Read	training-job*
BatchPutMetrics [permission only]	Publish metrics associated with a SageMaker Resource such as a Training Job. This API is not publicly exposed at this point, however admins can control this action	Write	training-job*
CreateAlgorithm	Create an algorithm.	Write	algorithm*
CreateApp	Grants permission to create an App for a SageMaker Studio UserProfile	Write	app*
CreateApp		Write		aws:RequestTag/${TagKey} aws:TagKeys sagemaker:InstanceTypes
CreateAutoMLJob	Creates automl job.	Write	automl-job*		iam:PassRole
CreateAutoMLJob	Creates automl job.	Write		aws:RequestTag/${TagKey} aws:TagKeys sagemaker:InterContainerTrafficEncryption sagemaker:OutputKmsKey sagemaker:VolumeKmsKey sagemaker:VpcSecurityGroupIds sagemaker:VpcSubnets
CreateCodeRepository	Create a code repository.	Write	code-repository*
CreateCompilationJob	Create a compilation job.	Write	compilation-job*		iam:PassRole
CreateDomain	Grants permission to create a Domain for SageMaker Studio	Write	domain*		iam:CreateServiceLinkedRole iam:PassRole
CreateDomain	Grants permission to create a Domain for SageMaker Studio	Write		aws:RequestTag/${TagKey} aws:TagKeys sagemaker:AppNetworkAccess sagemaker:InstanceTypes sagemaker:VpcSecurityGroupIds sagemaker:VpcSubnets sagemaker:DomainSharingOutputKmsKey sagemaker:HomeEfsFileSystemKmsKey
CreateEndpoint	Creates an endpoint using the endpoint configuration specified in the request.	Write	endpoint*
CreateEndpoint		Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateEndpointConfig	Creates an endpoint configuration that can be deployed using Amazon SageMaker hosting services.	Write	endpoint-config*
CreateEndpointConfig		Write		aws:RequestTag/${TagKey} aws:TagKeys sagemaker:AcceleratorTypes sagemaker:InstanceTypes sagemaker:ModelArn sagemaker:VolumeKmsKey
CreateExperiment	Create an experiment.	Write	experiment*
CreateExperiment	Create an experiment.	Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateFlowDefinition	Creates a flow definition, which defines settings for a human workflow.	Write	flow-definition*		iam:PassRole
CreateFlowDefinition		Write		sagemaker:WorkteamArn sagemaker:WorkteamType aws:RequestTag/${TagKey} aws:TagKeys
CreateHumanTaskUi	Defines the settings you will use for the human review workflow user interface.	Write	human-task-ui*
CreateHumanTaskUi		Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateHyperParameterTuningJob	Creates hyper parameter tuning job that can be deployed using Amazon SageMaker.	Write	hyper-parameter-tuning-job*		iam:PassRole
CreateHyperParameterTuningJob		Write		aws:RequestTag/${TagKey} aws:TagKeys sagemaker:FileSystemAccessMode sagemaker:FileSystemDirectoryPath sagemaker:FileSystemId sagemaker:FileSystemType sagemaker:InstanceTypes sagemaker:InterContainerTrafficEncryption sagemaker:MaxRuntimeInSeconds sagemaker:NetworkIsolation sagemaker:OutputKmsKey sagemaker:VolumeKmsKey sagemaker:VpcSecurityGroupIds sagemaker:VpcSubnets
CreateLabelingJob	Starts a labeling job. A labeling job takes unlabeled data in and produces labeled data as output, which can be used for training SageMaker models.	Write	labeling-job*		iam:PassRole
CreateLabelingJob		Write		sagemaker:WorkteamArn sagemaker:WorkteamType sagemaker:VolumeKmsKey sagemaker:OutputKmsKey aws:RequestTag/${TagKey} aws:TagKeys
CreateModel	Creates a model in Amazon SageMaker. In the request, you specify a name for the model and describe one or more containers.	Write	model*		iam:PassRole
CreateModel		Write		aws:RequestTag/${TagKey} aws:TagKeys sagemaker:NetworkIsolation sagemaker:VpcSecurityGroupIds sagemaker:VpcSubnets
CreateModelPackage	Create a model package.	Write	model-package*
CreateMonitoringSchedule	Creates a monitoring schedule.	Write	monitoring-schedule*		iam:PassRole
CreateMonitoringSchedule	Creates a monitoring schedule.	Write		aws:RequestTag/${TagKey} aws:TagKeys sagemaker:InstanceTypes sagemaker:MaxRuntimeInSeconds sagemaker:NetworkIsolation sagemaker:OutputKmsKey sagemaker:VolumeKmsKey sagemaker:VpcSecurityGroupIds sagemaker:VpcSubnets
CreateNotebookInstance	Creates an Amazon SageMaker notebook instance. A notebook instance is an Amazon EC2 instance running on a Jupyter Notebook.	Write	notebook-instance*		iam:PassRole
CreateNotebookInstance		Write		aws:RequestTag/${TagKey} aws:TagKeys sagemaker:AcceleratorTypes sagemaker:DirectInternetAccess sagemaker:InstanceTypes sagemaker:RootAccess sagemaker:VolumeKmsKey sagemaker:VpcSecurityGroupIds sagemaker:VpcSubnets
CreateNotebookInstanceLifecycleConfig	Creates an notebook instance lifecycle configuration that can be deployed using Amazon SageMaker.	Write	notebook-instance-lifecycle-config*
CreatePresignedDomainUrl	Grants permission to return a URL that you can use from your browser to connect to the Domain as a specified UserProfile when AuthMode is 'IAM'	Write	user-profile*
CreatePresignedNotebookInstanceUrl	Returns a URL that you can use from your browser to connect to the Notebook Instance.	Write	notebook-instance*
CreateProcessingJob	Starts a processing job. After processing completes, Amazon SageMaker saves the resulting artifacts and other optional output to an Amazon S3 location that you specify.	Write	processing-job*		iam:PassRole
CreateProcessingJob		Write		aws:RequestTag/${TagKey} aws:TagKeys sagemaker:InstanceTypes sagemaker:MaxRuntimeInSeconds sagemaker:NetworkIsolation sagemaker:OutputKmsKey sagemaker:VolumeKmsKey sagemaker:VpcSecurityGroupIds sagemaker:VpcSubnets
CreateTrainingJob	Starts a model training job. After training completes, Amazon SageMaker saves the resulting model artifacts and other optional output to an Amazon S3 location that you specify.	Write	training-job*		iam:PassRole
CreateTrainingJob		Write		aws:RequestTag/${TagKey} aws:TagKeys sagemaker:FileSystemAccessMode sagemaker:FileSystemDirectoryPath sagemaker:FileSystemId sagemaker:FileSystemType sagemaker:InstanceTypes sagemaker:InterContainerTrafficEncryption sagemaker:MaxRuntimeInSeconds sagemaker:NetworkIsolation sagemaker:OutputKmsKey sagemaker:VolumeKmsKey sagemaker:VpcSecurityGroupIds sagemaker:VpcSubnets
CreateTransformJob	Starts a transform job. After the results are obtained, Amazon SageMaker saves them to an Amazon S3 location that you specify.	Write	transform-job*
CreateTransformJob		Write		aws:RequestTag/${TagKey} aws:TagKeys sagemaker:InstanceTypes sagemaker:ModelArn sagemaker:OutputKmsKey sagemaker:VolumeKmsKey
CreateTrial	Create a trial.	Write	experiment-trial*
CreateTrial	Create a trial.	Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateTrialComponent	Create a trial component.	Write	experiment-trial-component*
CreateTrialComponent	Create a trial component.	Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateUserProfile	Grants permission to create a UserProfile for a SageMaker Studio Domain	Write	user-profile*		iam:PassRole
CreateUserProfile		Write		aws:RequestTag/${TagKey} aws:TagKeys sagemaker:VpcSecurityGroupIds sagemaker:InstanceTypes sagemaker:DomainSharingOutputKmsKey
CreateWorkteam	Create a workteam.	Write	workteam*
CreateWorkteam	Create a workteam.	Write		aws:RequestTag/${TagKey} aws:TagKeys
DeleteAlgorithm	Deletes an algorithm.	Write	algorithm*
DeleteApp	Grants permission to delete an App	Write	app*
DeleteCodeRepository	Deletes a code repository.	Write	code-repository*
DeleteDomain	Grants permission to delete a Domain	Write	domain*
DeleteEndpoint	Deletes an endpoint. Amazon SageMaker frees up all the resources that were deployed when the endpoint was created.	Write	endpoint*
DeleteEndpointConfig	Deletes the endpoint configuration created using the CreateEndpointConfig API. The DeleteEndpointConfig API deletes only the specified configuration. It does not delete any endpoints created using the configuration.	Write	endpoint-config*
DeleteExperiment	Deletes an experiment.	Write	experiment*
DeleteFlowDefinition	Deltes the specified flow definition.	Write	flow-definition*
DeleteHumanLoop	Deletes the specified human loop.	Write	human-loop*
DeleteModel	Deletes a model created using the CreateModel API. The DeleteModel API deletes only the model entry in Amazon SageMaker that you created by calling the CreateModel API. It does not delete model artifacts, inference code, or the IAM role that you specified when creating the model.	Write	model*
DeleteModelPackage	Deletes a model package.	Write	model-package*
DeleteMonitoringSchedule	Deletes a monitoring schedule. Amazon SageMaker will no longer run the scheduled monitoring.	Write	monitoring-schedule*
DeleteNotebookInstance	Deletes an Amazon SageMaker notebook instance. Before you can delete a notebook instance, you must call the StopNotebookInstance API.	Write	notebook-instance*
DeleteNotebookInstanceLifecycleConfig	Deletes an notebook instance lifecycle configuration that can be deployed using Amazon SageMaker.	Write	notebook-instance-lifecycle-config*
DeleteTags	Deletes the specified set of tags from an Amazon SageMaker resource.	Tagging	app
			automl-job
			compilation-job
			domain
			endpoint
			endpoint-config
			experiment
			experiment-trial
			experiment-trial-component
			flow-definition
			human-task-ui
			hyper-parameter-tuning-job
			labeling-job
			model
			monitoring-schedule
			notebook-instance
			processing-job
			training-job
			transform-job
			user-profile
			workteam
				aws:TagKeys
DeleteTrial	Deletes a trial.	Write	experiment-trial*
DeleteTrialComponent	Deletes a trial component.	Write	experiment-trial-component*
DeleteUserProfile	Grants permission to delete a UserProfile	Write	user-profile*
DeleteWorkteam	Deletes a workteam.	Write	workteam*
DescribeAlgorithm	Returns information about an algorithm.	Read	algorithm*
DescribeApp	Grants permission to describe an App	Read	app*
DescribeAutoMLJob	Describes an automl job that was created via CreateAutoMLJob API.	Read	automl-job*
DescribeCodeRepository	Returns information about a code repository.	Read	code-repository*
DescribeCompilationJob	Returns information about a compilation job.	Read	compilation-job*
DescribeDomain	Grants permission to describe a Domain	Read	domain*
DescribeEndpoint	Returns the description of an endpoint.	Read	endpoint*
DescribeEndpointConfig	Returns the description of an endpoint configuration, which was created using the CreateEndpointConfig API.	Read	endpoint-config*
DescribeExperiment	Returns information about an experiment.	Read	experiment*
DescribeFlowDefinition	Returns detailed information about the specified flow definition.	Read	flow-definition*
DescribeHumanLoop	Returns detailed information about the specified human loop.	Read	human-loop*
DescribeHumanTaskUi	Returns detailed information about the specified human review workflow user interface.	Read	human-task-ui*
DescribeHyperParameterTuningJob	Describes a hyper parameter tuning job that was created via CreateHyperParameterTuningJob API.	Read	hyper-parameter-tuning-job*
DescribeLabelingJob	Returns information about a labeling job.	Read	labeling-job*
DescribeModel	Describes a model that you created using the CreateModel API.	Read	model*
DescribeModelPackage	Returns information about a model package.	Read	model-package*
DescribeMonitoringSchedule	Returns information about a monitoring schedule.	Read	monitoring-schedule*
DescribeNotebookInstance	Returns information about a notebook instance.	Read	notebook-instance*
DescribeNotebookInstanceLifecycleConfig	Describes an notebook instance lifecycle configuration that was created via CreateNotebookInstanceLifecycleConfig API.	Read	notebook-instance-lifecycle-config*
DescribeProcessingJob	Returns information about a processing job.	Read	processing-job*
DescribeSubscribedWorkteam	Returns information about a subscribed workteam.	Read	workteam*
DescribeTrainingJob	Returns information about a training job.	Read	training-job*
DescribeTransformJob	Returns information about a transform job.	Read	transform-job*
DescribeTrial	Returns information about a trial.	Read	experiment-trial*
DescribeTrialComponent	Returns information about a trial component.	Read	experiment-trial-component*
DescribeUserProfile	Grants permission to describe a UserProfile	Read	user-profile*
DescribeWorkteam	Returns information about a workteam.	Read	workteam*
DisassociateTrialComponent	Disassociate a trial component with a trial.	Write	experiment-trial*
			experiment-trial-component*
			processing-job*
GetSearchSuggestions	Get search suggestions when provided with keyword.	Read	training-job*
InvokeEndpoint	After you deploy a model into production using Amazon SageMaker hosting services, your client applications use this API to get inferences from the model hosted at the specified endpoint.	Read	endpoint*
ListAlgorithms	Lists algorithms.	List
ListApps	Grants permission to list the Apps in your account	List
ListAutoMLJobs	Lists automl jobs created via the CreateAutoMLJob.	List
ListCandidatesForAutoMLJob	Lists candidates for automl job created via the CreateAutoMLJob.	List
ListCodeRepositories	Lists code repositories.	List
ListCompilationJobs	Lists compilation jobs.	List
ListDomains	Grants permission to list the Domains in your account	List
ListEndpointConfigs	Lists endpoint configurations.	List
ListEndpoints	Lists endpoints.	List
ListExperiments	Lists experiments.	List
ListFlowDefinitions	Returns summary information about flow definitions, given the specified parameters.	List
ListHumanLoops	Returns summary information about human loops, given the specified parameters.	List
ListHumanTaskUis	Returns summary information about human review workflow user interfaces, given the specified parameters.	List
ListHyperParameterTuningJobs	Lists hyper parameter tuning jobs that was created using Amazon SageMaker.	List
ListLabelingJobs	Lists labeling jobs.	List
ListLabelingJobsForWorkteam	Lists labeling jobs for workteam.	List	workteam*
ListModelPackages	Lists model packages.	List
ListModels	Lists the models created with the CreateModel API.	List
ListMonitoringExecutions	Lists monitoring executions.	List
ListMonitoringSchedules	Lists monitoring schedules.	List
ListNotebookInstanceLifecycleConfigs	Lists notebook instance lifecycle configurations that can be deployed using Amazon SageMaker.	List
ListNotebookInstances	Returns a list of the Amazon SageMaker notebook instances in the requester's account in an AWS Region.	List
ListProcessingJobs	Lists processing jobs.	List
ListSubscribedWorkteams	Lists subscribed workteams.	List
ListTags	Returns the tag set associated with the specified resource.	List	app
			automl-job
			domain
			endpoint
			endpoint-config
			experiment
			experiment-trial
			experiment-trial-component
			flow-definition
			human-task-ui
			hyper-parameter-tuning-job
			labeling-job
			model
			monitoring-schedule
			notebook-instance
			training-job
			transform-job
			user-profile
			workteam
ListTrainingJobs	Lists training jobs.	List
ListTrainingJobsForHyperParameterTuningJob	Lists training jobs for a hyper parameter tuning job that was created using Amazon SageMaker.	List	hyper-parameter-tuning-job*
ListTransformJobs	Lists transform jobs.	List
ListTrialComponents	Lists trial components.	List
ListTrials	Lists trials.	List
ListUserProfiles	Grants permission to list the UserProfiles in your account	List
ListWorkteams	Lists workteams.	List
RenderUiTemplate	Render a UI template used for a human annotation task.	Read			iam:PassRole
Search	Search for a training job.	Read	training-job*
StartHumanLoop	Starts a human loop.	Write	flow-definition*
StartMonitoringSchedule	Starts a monitoring schedule.	Write	monitoring-schedule*
StartNotebookInstance	Launches an EC2 instance with the latest version of the libraries and attaches your EBS volume.	Write	notebook-instance*
StopAutoMLJob	Stops a running automl job created via the CreateAutoMLJob.	Write	automl-job*
StopCompilationJob	Stops a compilation job.	Write	compilation-job*
StopHumanLoop	Stops the specified human loop.	Write	human-loop*
StopHyperParameterTuningJob	Stops a running hyper parameter tuning job create via the CreateHyperParameterTuningJob.	Write	hyper-parameter-tuning-job*
StopLabelingJob	Stops a labeling job. Any labels already generated will be exported before stopping.	Write	labeling-job*
StopMonitoringSchedule	Stops a monitoring schedule.	Write	monitoring-schedule*
StopNotebookInstance	Terminates the EC2 instance. Before terminating the instance, Amazon SageMaker disconnects the EBS volume from it. Amazon SageMaker preserves the EBS volume.	Write	notebook-instance*
StopProcessingJob	Stops a processing job. To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds.	Write	processing-job*
StopTrainingJob	Stops a training job. To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds.	Write	training-job*
StopTransformJob	Stops a transform job. When Amazon SageMaker receives a StopTransformJob request, the status of the job changes to Stopping. After Amazon SageMaker stops the job, the status is set to Stopped	Write	transform-job*
UpdateCodeRepository	Updates a code repository.	Write	code-repository*
UpdateDomain	Grants permission to update a Domain	Write	domain*
UpdateDomain	Grants permission to update a Domain	Write		sagemaker:VpcSecurityGroupIds sagemaker:InstanceTypes sagemaker:DomainSharingOutputKmsKey
UpdateEndpoint	Updates an endpoint to use the endpoint configuration specified in the request.	Write	endpoint*
UpdateEndpointWeightsAndCapacities	Updates variant weight, capacity, or both of one or more variants associated with an endpoint.	Write	endpoint*
UpdateExperiment	Updates an experiment.	Write	experiment*
UpdateMonitoringSchedule	Updates a monitoring schedule.	Write	monitoring-schedule*		iam:PassRole
UpdateMonitoringSchedule	Updates a monitoring schedule.	Write		aws:RequestTag/${TagKey} aws:TagKeys sagemaker:InstanceTypes sagemaker:MaxRuntimeInSeconds sagemaker:NetworkIsolation sagemaker:OutputKmsKey sagemaker:VolumeKmsKey sagemaker:VpcSecurityGroupIds sagemaker:VpcSubnets
UpdateNotebookInstance	Updates a notebook instance. Notebook instance updates include upgrading or downgrading the EC2 instance used for your notebook instance to accommodate changes in your workload requirements. You can also update the VPC security groups.	Write	notebook-instance*
UpdateNotebookInstance		Write		sagemaker:AcceleratorTypes sagemaker:InstanceTypes sagemaker:RootAccess
UpdateNotebookInstanceLifecycleConfig	Updates a notebook instance lifecycle configuration created with the CreateNotebookInstanceLifecycleConfig API.	Write	notebook-instance-lifecycle-config*
UpdateTrial	Updates a trial.	Write	experiment-trial*
UpdateTrialComponent	Updates a trial component.	Write	experiment-trial-component*
UpdateUserProfile	Grants permission to update a UserProfile	Write	user-profile*
UpdateUserProfile	Grants permission to update a UserProfile	Write		sagemaker:InstanceTypes sagemaker:VpcSecurityGroupIds sagemaker:InstanceTypes sagemaker:DomainSharingOutputKmsKey
UpdateWorkteam	Updates a workteam.	Write	workteam*

Resources Defined by Amazon SageMaker

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types	ARN	Condition Keys
human-loop	`arn:${Partition}:sagemaker:${Region}:${Account}:human-loop/${HumanLoopName}`
flow-definition	`arn:${Partition}:sagemaker:${Region}:${Account}:flow-definition/${FlowDefinitionName}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}
human-task-ui	`arn:${Partition}:sagemaker:${Region}:${Account}:human-task-ui/${HumanTaskUiName}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}
labeling-job	`arn:${Partition}:sagemaker:${Region}:${Account}:labeling-job/${LabelingJobName}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}
workteam	`arn:${Partition}:sagemaker:${Region}:${Account}:workteam/${WorkteamName}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}
domain	`arn:${Partition}:sagemaker:${Region}:${Account}:domain/${DomainId}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}
user-profile	`arn:${Partition}:sagemaker:${Region}:${Account}:user-profile/${DomainId}/${UserProfileName}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}
app	`arn:${Partition}:sagemaker:${Region}:${Account}:app/${DomainId}/${UserProfileName}/${AppType}/${AppName}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}
notebook-instance	`arn:${Partition}:sagemaker:${Region}:${Account}:notebook-instance/${NotebookInstanceName}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}
notebook-instance-lifecycle-config	`arn:${Partition}:sagemaker:${Region}:${Account}:notebook-instance-lifecycle-config/${NotebookInstanceLifecycleConfigName}`
code-repository	`arn:${Partition}:sagemaker:${Region}:${Account}:code-repository/${CodeRepositoryName}`
algorithm	`arn:${Partition}:sagemaker:${Region}:${Account}:algorithm/${AlgorithmName}`
training-job	`arn:${Partition}:sagemaker:${Region}:${Account}:training-job/${TrainingJobName}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}
processing-job	`arn:${Partition}:sagemaker:${Region}:${Account}:processing-job/${ProcessingJobName}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}
hyper-parameter-tuning-job	`arn:${Partition}:sagemaker:${Region}:${Account}:hyper-parameter-tuning-job/${HyperParameterTuningJobName}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}
model-package	`arn:${Partition}:sagemaker:${Region}:${Account}:model-package/${ModelPackageName}`
model	`arn:${Partition}:sagemaker:${Region}:${Account}:model/${ModelName}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}
endpoint-config	`arn:${Partition}:sagemaker:${Region}:${Account}:endpoint-config/${EndpointConfigName}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}
endpoint	`arn:${Partition}:sagemaker:${Region}:${Account}:endpoint/${EndpointName}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}
transform-job	`arn:${Partition}:sagemaker:${Region}:${Account}:transform-job/${TransformJobName}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}
compilation-job	`arn:${Partition}:sagemaker:${Region}:${Account}:compilation-job/${CompilationJobName}`
automl-job	`arn:${Partition}:sagemaker:${Region}:${Account}:automl-job/${AutoMLJobJobName}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}
monitoring-schedule	`arn:${Partition}:sagemaker:${Region}:${Account}:monitoring-schedule/${MonitoringScheduleName}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}
experiment	`arn:${Partition}:sagemaker:${Region}:${Account}:experiment/${ExperimentName}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}
experiment-trial	`arn:${Partition}:sagemaker:${Region}:${Account}:experiment-trial/${TrialName}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}
experiment-trial-component	`arn:${Partition}:sagemaker:${Region}:${Account}:experiment-trial-component/${TrialComponentName}`	aws:ResourceTag/${TagKey} sagemaker:ResourceTag/${TagKey}

Condition Keys for Amazon SageMaker

Amazon SageMaker defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Keys	Description	Type
aws:RequestTag/${TagKey}	A key that is present in the request the user makes to the SageMaker service.	String
aws:ResourceTag/${TagKey}	A tag key and value pair.	String
aws:TagKeys	The list of all the tag key names associated with the resource in the request.	String
sagemaker:AcceleratorTypes	The list of all accelerator types associated with the resource in the request.	ArrayOfString
sagemaker:AppNetworkAccess	App network access associated with the resource in the request.	String
sagemaker:DirectInternetAccess	The direct internet access associated with the resource in the request.	String
sagemaker:DomainSharingOutputKmsKey	The Domain sharing output KMS key associated with the resource in the request.	ARN
sagemaker:FileSystemAccessMode	File system access mode associated with the resource in the request.	String
sagemaker:FileSystemDirectoryPath	File system directory path associated with the resource in the request.	String
sagemaker:FileSystemId	A file system ID associated with the resource in the request.	String
sagemaker:FileSystemType	File system type associated with the resource in the request.	String
sagemaker:HomeEfsFileSystemKmsKey	The KMS Key Id of the EFS File System used for UserProfile home directories, which is associated with the resource in the request.	ARN
sagemaker:InstanceTypes	The list of all instance types associated with the resource in the request.	ArrayOfString
sagemaker:InterContainerTrafficEncryption	The inter container traffic encryption associated with the resource in the request.	Bool
sagemaker:MaxRuntimeInSeconds	The max runtime in seconds associated with the resource in the request.	Numeric
sagemaker:ModelArn	The model arn associated with the resource in the request.	ARN
sagemaker:NetworkIsolation	The network isolation associated with the resource in the request.	Bool
sagemaker:OutputKmsKey	The output kms key associated with the resource in the request.	ARN
sagemaker:ResourceTag/	The preface string for a tag key and value pair attached to a resource.	String
sagemaker:ResourceTag/${TagKey}	A tag key and value pair.	String
sagemaker:RootAccess	The root access associated with the resource in the request.	String
sagemaker:VolumeKmsKey	The volume kms key associated with the resource in the request.	ARN
sagemaker:VpcSecurityGroupIds	The list of all vpc security group ids associated with the resource in the request.	ArrayOfString
sagemaker:VpcSubnets	The list of all vpc subnets associated with the resource in the request.	ArrayOfString
sagemaker:WorkteamArn	The workteam arn associated to the request.	ARN
sagemaker:WorkteamType	The workteam type associated to the request. This can be public-crowd, private-crowd or vendor-crowd.	String

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

« Previous Next »