Actions, Resources, and Condition Keys for Amazon SageMaker
Amazon SageMaker (service prefix: sagemaker) provides the following service-specific resources,
actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to protect this service and its resources by using IAM permission policies.
Topics
Actions Defined by Amazon SageMaker
You can specify the following actions in the Action element of an IAM
policy statement. By using policies, you define the permissions for anyone performing
an
operation in AWS. When you use an action in a policy, you usually allow or deny access
to
the API operation or CLI command with the same name. However, in some cases, a single
action
controls access to more than one operation. Alternatively, some operations require
several
different actions. For details about the columns in the following table, see The Actions Table.
| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AddTags | Adds or overwrites one or more tags for the specified Amazon SageMaker resource. |
Tagging |
|||
| CreateEndpoint | Creates an endpoint using the endpoint configuration specified in the request. |
Write |
|||
| CreateEndpointConfig | Creates an endpoint configuration that can be deployed using Amazon SageMaker hosting services. |
Write |
|||
| CreateModel | Creates a model in Amazon SageMaker. In the request, you specify a name for the model and describe one or more containers. |
Write |
|||
| CreateNotebookInstance | Creates an Amazon SageMaker notebook instance. A notebook instance is an Amazon EC2 instance running on a Jupyter Notebook. |
Write |
|||
| CreatePresignedNotebookInstanceUrl | Returns a URL that you can use from your browser to connect to the Notebook Instance. |
Read |
|||
| CreateTrainingJob | Starts a model training job. After training completes, Amazon SageMaker saves the resulting model artifacts and other optional output to an Amazon S3 location that you specify. |
Write |
|||
| DeleteEndpoint | Deletes an endpoint. Amazon SageMaker frees up all the resources that were deployed when the endpoint was created. |
Write |
|||
| DeleteEndpointConfig | Deletes the endpoint configuration created using the CreateEndpointConfig API. The DeleteEndpointConfig API deletes only the specified configuration. It does not delete any endpoints created using the configuration. |
Write |
|||
| DeleteModel | Deletes a model created using the CreateModel API. The DeleteModel API deletes only the model entry in Amazon SageMaker that you created by calling the CreateModel API. It does not delete model artifacts, inference code, or the IAM role that you specified when creating the model. |
Write |
|||
| DeleteNotebookInstance | Deletes an Amazon SageMaker notebook instance. Before you can delete a notebook instance, you must call the StopNotebookInstance API. |
Write |
|||
| DeleteTags | Deletes the specified set of tags from an Amazon SageMaker resource. |
Tagging |
|||
| DescribeEndpoint | Returns the description of an endpoint. |
Read |
|||
| DescribeEndpointConfig | Returns the description of an endpoint configuration, which was created using the CreateEndpointConfig API. |
Read |
|||
| DescribeModel | Describes a model that you created using the CreateModel API. |
Read |
|||
| DescribeNotebookInstance | Returns information about a notebook instance. |
Read |
|||
| DescribeTrainingJob | Returns information about a training job. |
Read |
|||
| InvokeEndpoint | After you deploy a model into production using Amazon SageMaker hosting services, your client applications use this API to get inferences from the model hosted at the specified endpoint. |
Read |
|||
| ListEndpointConfigs | Lists endpoint configurations. |
List |
|||
| ListEndpoints | Lists endpoints. |
List |
|||
| ListModels | Lists the models created with the CreateModel API. |
List |
|||
| ListNotebookInstances | Returns a list of the Amazon SageMaker notebook instances in the requester's account in an AWS Region. |
List |
|||
| ListTags | Returns the tag set associated with the specified resource. |
List |
|||
| ListTrainingJobs | Lists training jobs. |
List |
|||
| StartNotebookInstance | Launches an EC2 instance with the latest version of the libraries and attaches your EBS volume. |
Write |
|||
| StopNotebookInstance | Terminates the EC2 instance. Before terminating the instance, Amazon SageMaker disconnects the EBS volume from it. Amazon SageMaker preserves the EBS volume. |
Write |
|||
| StopTrainingJob | Stops a training job. To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds. |
Write |
|||
| UpdateEndpoint | Updates an endpoint to use the endpoint configuration specified in the request. |
Write |
|||
| UpdateEndpointWeightsAndCapacities | Updates variant weight, capacity, or both of one or more variants associated with an endpoint. |
Write |
|||
| UpdateNotebookInstance | Updates a notebook instance. Notebook instance updates include upgrading or downgrading the EC2 instance used for your notebook instance to accommodate changes in your workload requirements. You can also update the VPC security groups. |
Write |
Resources Defined by SageMaker
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements. Each action in
the Actions table identifies
the resource types that can be specified with that action. A resource type can also
define which condition keys you can include in a policy. These keys are displayed
in the
last column of the table. For details about the columns in the following table, see
The Resource Types Table.
Condition Keys for Amazon SageMaker
SageMaker has no service-specific context keys that can be used in the
Condition element of policy statements. For the list of the global context keys
that are available to all services, see Available Keys for
Conditions in the IAM Policy Reference.
