AWS Identity and Access Management
User Guide

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

Actions, Resources, and Condition Keys for Amazon SageMaker

Amazon SageMaker (service prefix: sagemaker) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions Defined by Amazon SageMaker

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The Actions Table.

Actions Description Access Level Resource Types (*required) Condition Keys Dependent Actions
AddTags Adds or overwrites one or more tags for the specified Amazon SageMaker resource. Tagging

endpoint

endpoint-config

hyper-parameter-tuning-job

labeling-job

model

notebook-instance

training-job

transform-job

workteam

aws:RequestTag/${TagKey}

aws:TagKeys

CreateAlgorithm Create an algorithm. Write

algorithm*

CreateCodeRepository Create a code repository. Write

code-repository*

CreateCompilationJob Create a compilation job. Write

compilation-job*

iam:PassRole

CreateEndpoint Creates an endpoint using the endpoint configuration specified in the request. Write

endpoint*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateEndpointConfig Creates an endpoint configuration that can be deployed using Amazon SageMaker hosting services. Write

endpoint-config*

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:AcceleratorTypes

sagemaker:InstanceTypes

sagemaker:ModelArn

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateHyperParameterTuningJob Creates hyper parameter tuning job that can be deployed using Amazon SageMaker. Write

hyper-parameter-tuning-job*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:FileSystemAccessMode

sagemaker:FileSystemDirectoryPath

sagemaker:FileSystemId

sagemaker:FileSystemType

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateLabelingJob Starts a labeling job. A labeling job takes unlabeled data in and produces labeled data as output, which can be used for training SageMaker models. Write

labeling-job*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

CreateModel Creates a model in Amazon SageMaker. In the request, you specify a name for the model and describe one or more containers. Write

model*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:NetworkIsolation

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateModelPackage Create a model package. Write

model-package*

CreateNotebookInstance Creates an Amazon SageMaker notebook instance. A notebook instance is an Amazon EC2 instance running on a Jupyter Notebook. Write

notebook-instance*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:AcceleratorTypes

sagemaker:DirectInternetAccess

sagemaker:InstanceTypes

sagemaker:RootAccess

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateNotebookInstanceLifecycleConfig Creates an notebook instance lifecycle configuration that can be deployed using Amazon SageMaker. Write

notebook-instance-lifecycle-config*

CreatePresignedNotebookInstanceUrl Returns a URL that you can use from your browser to connect to the Notebook Instance. Write

notebook-instance*

CreateTrainingJob Starts a model training job. After training completes, Amazon SageMaker saves the resulting model artifacts and other optional output to an Amazon S3 location that you specify. Write

training-job*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:FileSystemAccessMode

sagemaker:FileSystemDirectoryPath

sagemaker:FileSystemId

sagemaker:FileSystemType

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateTransformJob Starts a transform job. After the results are obtained, Amazon SageMaker saves them to an Amazon S3 location that you specify. Write

transform-job*

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:ModelArn

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

CreateWorkteam Create a workteam. Write

workteam*

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteAlgorithm Deletes an algorithm. Write

algorithm*

DeleteCodeRepository Deletes a code repository. Write

code-repository*

DeleteEndpoint Deletes an endpoint. Amazon SageMaker frees up all the resources that were deployed when the endpoint was created. Write

endpoint*

DeleteEndpointConfig Deletes the endpoint configuration created using the CreateEndpointConfig API. The DeleteEndpointConfig API deletes only the specified configuration. It does not delete any endpoints created using the configuration. Write

endpoint-config*

DeleteModel Deletes a model created using the CreateModel API. The DeleteModel API deletes only the model entry in Amazon SageMaker that you created by calling the CreateModel API. It does not delete model artifacts, inference code, or the IAM role that you specified when creating the model. Write

model*

DeleteModelPackage Deletes a model package. Write

model-package*

DeleteNotebookInstance Deletes an Amazon SageMaker notebook instance. Before you can delete a notebook instance, you must call the StopNotebookInstance API. Write

notebook-instance*

DeleteNotebookInstanceLifecycleConfig Deletes an notebook instance lifecycle configuration that can be deployed using Amazon SageMaker. Write

notebook-instance-lifecycle-config*

DeleteTags Deletes the specified set of tags from an Amazon SageMaker resource. Tagging

compilation-job

endpoint

endpoint-config

hyper-parameter-tuning-job

labeling-job

model

notebook-instance

training-job

transform-job

workteam

aws:TagKeys

DeleteWorkteam Deletes a workteam. Write

workteam*

DescribeAlgorithm Returns information about an algorithm. Read

algorithm*

DescribeCodeRepository Returns information about a code repository. Read

code-repository*

DescribeCompilationJob Returns information about a compilation job. Read

compilation-job*

DescribeEndpoint Returns the description of an endpoint. Read

endpoint*

DescribeEndpointConfig Returns the description of an endpoint configuration, which was created using the CreateEndpointConfig API. Read

endpoint-config*

DescribeHyperParameterTuningJob Describes a hyper parameter tuning job that was created via CreateHyperParameterTuningJob API. Read

hyper-parameter-tuning-job*

DescribeLabelingJob Returns information about a labeling job. Read

labeling-job*

DescribeModel Describes a model that you created using the CreateModel API. Read

model*

DescribeModelPackage Returns information about a model package. Read

model-package*

DescribeNotebookInstance Returns information about a notebook instance. Read

notebook-instance*

DescribeNotebookInstanceLifecycleConfig Describes an notebook instance lifecycle configuration that was created via CreateNotebookInstanceLifecycleConfig API. Read

notebook-instance-lifecycle-config*

DescribeSubscribedWorkteam Returns information about a subscribed workteam. Read

workteam*

DescribeTrainingJob Returns information about a training job. Read

training-job*

DescribeTransformJob Returns information about a transform job. Read

transform-job*

DescribeWorkteam Returns information about a workteam. Read

workteam*

GetSearchSuggestions Get search suggestions when provided with keyword. Read

training-job*

InvokeEndpoint After you deploy a model into production using Amazon SageMaker hosting services, your client applications use this API to get inferences from the model hosted at the specified endpoint. Read

endpoint*

ListAlgorithms Lists algorithms. List
ListCodeRepositories Lists code repositories. List
ListCompilationJobs Lists compilation jobs. List
ListEndpointConfigs Lists endpoint configurations. List
ListEndpoints Lists endpoints. List
ListHyperParameterTuningJobs Lists hyper parameter tuning jobs that was created using Amazon SageMaker. List
ListLabelingJobs Lists labeling jobs. List
ListLabelingJobsForWorkteam Lists labeling jobs for workteam. List

workteam*

ListModelPackages Lists model packages. List
ListModels Lists the models created with the CreateModel API. List
ListNotebookInstanceLifecycleConfigs Lists notebook instance lifecycle configurations that can be deployed using Amazon SageMaker. List
ListNotebookInstances Returns a list of the Amazon SageMaker notebook instances in the requester's account in an AWS Region. List
ListSubscribedWorkteams Lists subscribed workteams. List
ListTags Returns the tag set associated with the specified resource. List

endpoint

endpoint-config

hyper-parameter-tuning-job

labeling-job

model

notebook-instance

training-job

transform-job

workteam

ListTrainingJobs Lists training jobs. List
ListTrainingJobsForHyperParameterTuningJob Lists training jobs for a hyper parameter tuning job that was created using Amazon SageMaker. List

hyper-parameter-tuning-job*

ListTransformJobs Lists transform jobs. List
ListWorkteams Lists workteams. List
RenderUiTemplate Render a UI template used for a human annotation task. Read

iam:PassRole

Search Search for a training job. Read

training-job*

StartNotebookInstance Launches an EC2 instance with the latest version of the libraries and attaches your EBS volume. Write

notebook-instance*

StopCompilationJob Stops a compilation job. Write

compilation-job*

StopHyperParameterTuningJob Stops a running hyper parameter tuning job create via the CreateHyperParameterTuningJob. Write

hyper-parameter-tuning-job*

StopLabelingJob Stops a labeling job. Any labels already generated will be exported before stopping. Write

labeling-job*

StopNotebookInstance Terminates the EC2 instance. Before terminating the instance, Amazon SageMaker disconnects the EBS volume from it. Amazon SageMaker preserves the EBS volume. Write

notebook-instance*

StopTrainingJob Stops a training job. To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds. Write

training-job*

StopTransformJob Stops a transform job. When Amazon SageMaker receives a StopTransformJob request, the status of the job changes to Stopping. After Amazon SageMaker stops the job, the status is set to Stopped Write

transform-job*

UpdateCodeRepository Updates a code repository. Write

code-repository*

UpdateEndpoint Updates an endpoint to use the endpoint configuration specified in the request. Write

endpoint*

UpdateEndpointWeightsAndCapacities Updates variant weight, capacity, or both of one or more variants associated with an endpoint. Write

endpoint*

UpdateNotebookInstance Updates a notebook instance. Notebook instance updates include upgrading or downgrading the EC2 instance used for your notebook instance to accommodate changes in your workload requirements. You can also update the VPC security groups. Write

notebook-instance*

sagemaker:AcceleratorTypes

sagemaker:InstanceTypes

sagemaker:RootAccess

UpdateNotebookInstanceLifecycleConfig Updates a notebook instance lifecycle configuration created with the CreateNotebookInstanceLifecycleConfig API. Write

notebook-instance-lifecycle-config*

UpdateWorkteam Updates a workteam. Write

workteam*

Resources Defined by Amazon SageMaker

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types ARN Condition Keys
labeling-job arn:${Partition}:sagemaker:${Region}:${Account}:labeling-job/${LabelingJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

workteam arn:${Partition}:sagemaker:${Region}:${Account}:workteam/${WorkteamName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

notebook-instance arn:${Partition}:sagemaker:${Region}:${Account}:notebook-instance/${NotebookInstanceName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

notebook-instance-lifecycle-config arn:${Partition}:sagemaker:${Region}:${Account}:notebook-instance-lifecycle-config/${NotebookInstanceLifecycleConfigName}
code-repository arn:${Partition}:sagemaker:${Region}:${Account}:code-repository/${CodeRepositoryName}
algorithm arn:${Partition}:sagemaker:${Region}:${Account}:algorithm/${AlgorithmName}
training-job arn:${Partition}:sagemaker:${Region}:${Account}:training-job/${TrainingJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

hyper-parameter-tuning-job arn:${Partition}:sagemaker:${Region}:${Account}:hyper-parameter-tuning-job/${HyperParameterTuningJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model-package arn:${Partition}:sagemaker:${Region}:${Account}:model-package/${ModelPackageName}
model arn:${Partition}:sagemaker:${Region}:${Account}:model/${ModelName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

endpoint-config arn:${Partition}:sagemaker:${Region}:${Account}:endpoint-config/${EndpointConfigName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

endpoint arn:${Partition}:sagemaker:${Region}:${Account}:endpoint/${EndpointName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

transform-job arn:${Partition}:sagemaker:${Region}:${Account}:transform-job/${TransformJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

compilation-job arn:${Partition}:sagemaker:${Region}:${Account}:compilation-job/${CompilationJobName}

Condition Keys for Amazon SageMaker

Amazon SageMaker defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Keys Description Type
aws:RequestTag/${TagKey} A key that is present in the request the user makes to the SageMaker service. String
aws:ResourceTag/${TagKey} A tag key and value pair. String
aws:TagKeys The list of all the tag key names associated with the resource in the request. String
sagemaker:AcceleratorTypes The list of all accelerator types associated with the resource in the request. ArrayOfString
sagemaker:DirectInternetAccess The direct internet access associated with the resource in the request. String
sagemaker:FileSystemAccessMode File system access mode associated with the resource in the request. String
sagemaker:FileSystemDirectoryPath File system directory path associated with the resource in the request. String
sagemaker:FileSystemId A file system ID associated with the resource in the request. String
sagemaker:FileSystemType File system type associated with the resource in the request. String
sagemaker:InstanceTypes The list of all instance types associated with the resource in the request. ArrayOfString
sagemaker:InterContainerTrafficEncryption The inter container traffic encryption associated with the resource in the request. Bool
sagemaker:MaxRuntimeInSeconds The max runtime in seconds associated with the resource in the request. Numeric
sagemaker:ModelArn The model arn associated with the resource in the request. ARN
sagemaker:NetworkIsolation The network isolation associated with the resource in the request. Bool
sagemaker:OutputKmsKey The output kms key associated with the resource in the request. ARN
sagemaker:ResourceTag/ The preface string for a tag key and value pair attached to a resource. String
sagemaker:ResourceTag/${TagKey} A tag key and value pair. String
sagemaker:RootAccess The root access associated with the resource in the request. String
sagemaker:VolumeKmsKey The volume kms key associated with the resource in the request. ARN
sagemaker:VpcSecurityGroupIds The list of all vpc security group ids associated with the resource in the request. ArrayOfString
sagemaker:VpcSubnets The list of all vpc subnets associated with the resource in the request. ArrayOfString