Actions, Resources, and Condition Keys for Amazon SageMaker
Amazon SageMaker (service prefix: sagemaker) provides the following service-specific resources, actions, and condition context
keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions Defined by Amazon SageMaker
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform
an operation in AWS. When you use an action in a policy, you usually allow or
deny access to the API operation or CLI command with the same name. However,
in some cases, a single action controls access to more than one operation. Alternatively,
some operations require several different actions.
The Resource Types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the
Resource element of your policy statement. If the column includes a resource type, then
you can specify an ARN of that type in a statement with that action. Required
resources are indicated in the table with an asterisk (*). If you specify a resource-level
permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not
indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see The Actions Table.
| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AddTags | Adds or overwrites one or more tags for the specified Amazon SageMaker resource. | Tagging | |||
| AssociateTrialComponent | Associate a trial component with a trial. | Write | |||
| BatchGetMetrics [permission only] | Retrieve metrics associated with SageMaker Resources such as Training Jobs. This API is not publicly exposed at this point, however admins can control this action | Read | |||
| BatchPutMetrics [permission only] | Publish metrics associated with a SageMaker Resource such as a Training Job. This API is not publicly exposed at this point, however admins can control this action | Write | |||
| CreateAlgorithm | Create an algorithm. | Write | |||
| CreateApp | Grants permission to create an App for a SageMaker Studio UserProfile | Write | |||
| CreateAutoMLJob | Creates automl job. | Write |
iam:PassRole |
||
| CreateCodeRepository | Create a code repository. | Write | |||
| CreateCompilationJob | Create a compilation job. | Write |
iam:PassRole |
||
| CreateDomain | Grants permission to create a Domain for SageMaker Studio | Write |
iam:CreateServiceLinkedRole iam:PassRole |
||
| CreateEndpoint | Creates an endpoint using the endpoint configuration specified in the request. | Write | |||
| CreateEndpointConfig | Creates an endpoint configuration that can be deployed using Amazon SageMaker hosting services. | Write | |||
| CreateExperiment | Create an experiment. | Write | |||
| CreateFlowDefinition | Creates a flow definition, which defines settings for a human workflow. | Write |
iam:PassRole |
||
| CreateHumanTaskUi | Defines the settings you will use for the human review workflow user interface. | Write | |||
| CreateHyperParameterTuningJob | Creates hyper parameter tuning job that can be deployed using Amazon SageMaker. | Write |
iam:PassRole |
||
|
sagemaker:FileSystemAccessMode sagemaker:FileSystemDirectoryPath |
|||||
| CreateLabelingJob | Starts a labeling job. A labeling job takes unlabeled data in and produces labeled data as output, which can be used for training SageMaker models. | Write |
iam:PassRole |
||
| CreateModel | Creates a model in Amazon SageMaker. In the request, you specify a name for the model and describe one or more containers. | Write |
iam:PassRole |
||
| CreateModelPackage | Create a model package. | Write | |||
| CreateMonitoringSchedule | Creates a monitoring schedule. | Write |
iam:PassRole |
||
| CreateNotebookInstance | Creates an Amazon SageMaker notebook instance. A notebook instance is an Amazon EC2 instance running on a Jupyter Notebook. | Write |
iam:PassRole |
||
| CreateNotebookInstanceLifecycleConfig | Creates an notebook instance lifecycle configuration that can be deployed using Amazon SageMaker. | Write | |||
| CreatePresignedDomainUrl | Grants permission to return a URL that you can use from your browser to connect to the Domain as a specified UserProfile when AuthMode is 'IAM' | Write | |||
| CreatePresignedNotebookInstanceUrl | Returns a URL that you can use from your browser to connect to the Notebook Instance. | Write | |||
| CreateProcessingJob | Starts a processing job. After processing completes, Amazon SageMaker saves the resulting artifacts and other optional output to an Amazon S3 location that you specify. | Write |
iam:PassRole |
||
| CreateTrainingJob | Starts a model training job. After training completes, Amazon SageMaker saves the resulting model artifacts and other optional output to an Amazon S3 location that you specify. | Write |
iam:PassRole |
||
|
sagemaker:FileSystemAccessMode sagemaker:FileSystemDirectoryPath |
|||||
| CreateTransformJob | Starts a transform job. After the results are obtained, Amazon SageMaker saves them to an Amazon S3 location that you specify. | Write | |||
| CreateTrial | Create a trial. | Write | |||
| CreateTrialComponent | Create a trial component. | Write | |||
| CreateUserProfile | Grants permission to create a UserProfile for a SageMaker Studio Domain | Write |
iam:PassRole |
||
| CreateWorkforce | Create a workforce. | Write | |||
| CreateWorkteam | Create a workteam. | Write | |||
| DeleteAlgorithm | Deletes an algorithm. | Write | |||
| DeleteApp | Grants permission to delete an App | Write | |||
| DeleteCodeRepository | Deletes a code repository. | Write | |||
| DeleteDomain | Grants permission to delete a Domain | Write | |||
| DeleteEndpoint | Deletes an endpoint. Amazon SageMaker frees up all the resources that were deployed when the endpoint was created. | Write | |||
| DeleteEndpointConfig | Deletes the endpoint configuration created using the CreateEndpointConfig API. The DeleteEndpointConfig API deletes only the specified configuration. It does not delete any endpoints created using the configuration. | Write | |||
| DeleteExperiment | Deletes an experiment. | Write | |||
| DeleteFlowDefinition | Deltes the specified flow definition. | Write | |||
| DeleteHumanLoop | Deletes the specified human loop. | Write | |||
| DeleteModel | Deletes a model created using the CreateModel API. The DeleteModel API deletes only the model entry in Amazon SageMaker that you created by calling the CreateModel API. It does not delete model artifacts, inference code, or the IAM role that you specified when creating the model. | Write | |||
| DeleteModelPackage | Deletes a model package. | Write | |||
| DeleteMonitoringSchedule | Deletes a monitoring schedule. Amazon SageMaker will no longer run the scheduled monitoring. | Write | |||
| DeleteNotebookInstance | Deletes an Amazon SageMaker notebook instance. Before you can delete a notebook instance, you must call the StopNotebookInstance API. | Write | |||
| DeleteNotebookInstanceLifecycleConfig | Deletes an notebook instance lifecycle configuration that can be deployed using Amazon SageMaker. | Write | |||
| DeleteTags | Deletes the specified set of tags from an Amazon SageMaker resource. | Tagging | |||
| DeleteTrial | Deletes a trial. | Write | |||
| DeleteTrialComponent | Deletes a trial component. | Write | |||
| DeleteUserProfile | Grants permission to delete a UserProfile | Write | |||
| DeleteWorkforce | Deletes a workforce. | Write | |||
| DeleteWorkteam | Deletes a workteam. | Write | |||
| DescribeAlgorithm | Returns information about an algorithm. | Read | |||
| DescribeApp | Grants permission to describe an App | Read | |||
| DescribeAutoMLJob | Describes an automl job that was created via CreateAutoMLJob API. | Read | |||
| DescribeCodeRepository | Returns information about a code repository. | Read | |||
| DescribeCompilationJob | Returns information about a compilation job. | Read | |||
| DescribeDomain | Grants permission to describe a Domain | Read | |||
| DescribeEndpoint | Returns the description of an endpoint. | Read | |||
| DescribeEndpointConfig | Returns the description of an endpoint configuration, which was created using the CreateEndpointConfig API. | Read | |||
| DescribeExperiment | Returns information about an experiment. | Read | |||
| DescribeFlowDefinition | Returns detailed information about the specified flow definition. | Read | |||
| DescribeHumanLoop | Returns detailed information about the specified human loop. | Read | |||
| DescribeHumanTaskUi | Returns detailed information about the specified human review workflow user interface. | Read | |||
| DescribeHyperParameterTuningJob | Describes a hyper parameter tuning job that was created via CreateHyperParameterTuningJob API. | Read | |||
| DescribeLabelingJob | Returns information about a labeling job. | Read | |||
| DescribeModel | Describes a model that you created using the CreateModel API. | Read | |||
| DescribeModelPackage | Returns information about a model package. | Read | |||
| DescribeMonitoringSchedule | Returns information about a monitoring schedule. | Read | |||
| DescribeNotebookInstance | Returns information about a notebook instance. | Read | |||
| DescribeNotebookInstanceLifecycleConfig | Describes an notebook instance lifecycle configuration that was created via CreateNotebookInstanceLifecycleConfig API. | Read | |||
| DescribeProcessingJob | Returns information about a processing job. | Read | |||
| DescribeSubscribedWorkteam | Returns information about a subscribed workteam. | Read | |||
| DescribeTrainingJob | Returns information about a training job. | Read | |||
| DescribeTransformJob | Returns information about a transform job. | Read | |||
| DescribeTrial | Returns information about a trial. | Read | |||
| DescribeTrialComponent | Returns information about a trial component. | Read | |||
| DescribeUserProfile | Grants permission to describe a UserProfile | Read | |||
| DescribeWorkforce | Returns information about a workforce. | Read | |||
| DescribeWorkteam | Returns information about a workteam. | Read | |||
| DisassociateTrialComponent | Disassociate a trial component with a trial. | Write | |||
| GetSearchSuggestions | Get search suggestions when provided with keyword. | Read | |||
| InvokeEndpoint | After you deploy a model into production using Amazon SageMaker hosting services, your client applications use this API to get inferences from the model hosted at the specified endpoint. | Read | |||
| ListAlgorithms | Lists algorithms. | List | |||
| ListApps | Grants permission to list the Apps in your account | List | |||
| ListAutoMLJobs | Lists automl jobs created via the CreateAutoMLJob. | List | |||
| ListCandidatesForAutoMLJob | Lists candidates for automl job created via the CreateAutoMLJob. | List | |||
| ListCodeRepositories | Lists code repositories. | List | |||
| ListCompilationJobs | Lists compilation jobs. | List | |||
| ListDomains | Grants permission to list the Domains in your account | List | |||
| ListEndpointConfigs | Lists endpoint configurations. | List | |||
| ListEndpoints | Lists endpoints. | List | |||
| ListExperiments | Lists experiments. | List | |||
| ListFlowDefinitions | Returns summary information about flow definitions, given the specified parameters. | List | |||
| ListHumanLoops | Returns summary information about human loops, given the specified parameters. | List | |||
| ListHumanTaskUis | Returns summary information about human review workflow user interfaces, given the specified parameters. | List | |||
| ListHyperParameterTuningJobs | Lists hyper parameter tuning jobs that was created using Amazon SageMaker. | List | |||
| ListLabelingJobs | Lists labeling jobs. | List | |||
| ListLabelingJobsForWorkteam | Lists labeling jobs for workteam. | List | |||
| ListModelPackages | Lists model packages. | List | |||
| ListModels | Lists the models created with the CreateModel API. | List | |||
| ListMonitoringExecutions | Lists monitoring executions. | List | |||
| ListMonitoringSchedules | Lists monitoring schedules. | List | |||
| ListNotebookInstanceLifecycleConfigs | Lists notebook instance lifecycle configurations that can be deployed using Amazon SageMaker. | List | |||
| ListNotebookInstances | Returns a list of the Amazon SageMaker notebook instances in the requester's account in an AWS Region. | List | |||
| ListProcessingJobs | Lists processing jobs. | List | |||
| ListSubscribedWorkteams | Lists subscribed workteams. | List | |||
| ListTags | Returns the tag set associated with the specified resource. | List | |||
| ListTrainingJobs | Lists training jobs. | List | |||
| ListTrainingJobsForHyperParameterTuningJob | Lists training jobs for a hyper parameter tuning job that was created using Amazon SageMaker. | List | |||
| ListTransformJobs | Lists transform jobs. | List | |||
| ListTrialComponents | Lists trial components. | List | |||
| ListTrials | Lists trials. | List | |||
| ListUserProfiles | Grants permission to list the UserProfiles in your account | List | |||
| ListWorkforces | Lists workforces. | List | |||
| ListWorkteams | Lists workteams. | List | |||
| RenderUiTemplate | Render a UI template used for a human annotation task. | Read |
iam:PassRole |
||
| Search | Search for a training job. | Read | |||
| StartHumanLoop | Starts a human loop. | Write | |||
| StartMonitoringSchedule | Starts a monitoring schedule. | Write | |||
| StartNotebookInstance | Launches an EC2 instance with the latest version of the libraries and attaches your EBS volume. | Write | |||
| StopAutoMLJob | Stops a running automl job created via the CreateAutoMLJob. | Write | |||
| StopCompilationJob | Stops a compilation job. | Write | |||
| StopHumanLoop | Stops the specified human loop. | Write | |||
| StopHyperParameterTuningJob | Stops a running hyper parameter tuning job create via the CreateHyperParameterTuningJob. | Write | |||
| StopLabelingJob | Stops a labeling job. Any labels already generated will be exported before stopping. | Write | |||
| StopMonitoringSchedule | Stops a monitoring schedule. | Write | |||
| StopNotebookInstance | Terminates the EC2 instance. Before terminating the instance, Amazon SageMaker disconnects the EBS volume from it. Amazon SageMaker preserves the EBS volume. | Write | |||
| StopProcessingJob | Stops a processing job. To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds. | Write | |||
| StopTrainingJob | Stops a training job. To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds. | Write | |||
| StopTransformJob | Stops a transform job. When Amazon SageMaker receives a StopTransformJob request, the status of the job changes to Stopping. After Amazon SageMaker stops the job, the status is set to Stopped | Write | |||
| UpdateCodeRepository | Updates a code repository. | Write | |||
| UpdateDomain | Grants permission to update a Domain | Write | |||
| UpdateEndpoint | Updates an endpoint to use the endpoint configuration specified in the request. | Write | |||
| UpdateEndpointWeightsAndCapacities | Updates variant weight, capacity, or both of one or more variants associated with an endpoint. | Write | |||
| UpdateExperiment | Updates an experiment. | Write | |||
| UpdateMonitoringSchedule | Updates a monitoring schedule. | Write |
iam:PassRole |
||
| UpdateNotebookInstance | Updates a notebook instance. Notebook instance updates include upgrading or downgrading the EC2 instance used for your notebook instance to accommodate changes in your workload requirements. You can also update the VPC security groups. | Write | |||
| UpdateNotebookInstanceLifecycleConfig | Updates a notebook instance lifecycle configuration created with the CreateNotebookInstanceLifecycleConfig API. | Write | |||
| UpdateTrial | Updates a trial. | Write | |||
| UpdateTrialComponent | Updates a trial component. | Write | |||
| UpdateUserProfile | Grants permission to update a UserProfile | Write | |||
| UpdateWorkforce | Updates a workforce. | Write | |||
| UpdateWorkteam | Updates a workteam. | Write |
Resource Types Defined by Amazon SageMaker
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource
type can also define which condition keys you can include in a policy. These
keys are displayed in the last column of the table. For details about the columns
in the following table, see The Resource Types Table.
Condition Keys for Amazon SageMaker
Amazon SageMaker defines the following condition keys that can be used in the
Condition element of an IAM policy. You can use these keys to further refine the conditions
under which the policy statement applies. For details about the columns in the
following table, see The Condition Keys Table.
To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.
| Condition Keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | A key that is present in the request the user makes to the SageMaker service. | String |
| aws:ResourceTag/${TagKey} | A tag key and value pair. | String |
| aws:TagKeys | The list of all the tag key names associated with the resource in the request. | String |
| sagemaker:AcceleratorTypes | The list of all accelerator types associated with the resource in the request. | ArrayOfString |
| sagemaker:AppNetworkAccess | App network access associated with the resource in the request. | String |
| sagemaker:DirectInternetAccess | The direct internet access associated with the resource in the request. | String |
| sagemaker:DomainSharingOutputKmsKey | The Domain sharing output KMS key associated with the resource in the request. | ARN |
| sagemaker:FileSystemAccessMode | File system access mode associated with the resource in the request. | String |
| sagemaker:FileSystemDirectoryPath | File system directory path associated with the resource in the request. | String |
| sagemaker:FileSystemId | A file system ID associated with the resource in the request. | String |
| sagemaker:FileSystemType | File system type associated with the resource in the request. | String |
| sagemaker:HomeEfsFileSystemKmsKey | The KMS Key Id of the EFS File System used for UserProfile home directories, which is associated with the resource in the request. | ARN |
| sagemaker:InstanceTypes | The list of all instance types associated with the resource in the request. | ArrayOfString |
| sagemaker:InterContainerTrafficEncryption | The inter container traffic encryption associated with the resource in the request. | Bool |
| sagemaker:MaxRuntimeInSeconds | The max runtime in seconds associated with the resource in the request. | Numeric |
| sagemaker:ModelArn | The model arn associated with the resource in the request. | ARN |
| sagemaker:NetworkIsolation | The network isolation associated with the resource in the request. | Bool |
| sagemaker:OutputKmsKey | The output kms key associated with the resource in the request. | ARN |
| sagemaker:ResourceTag/ | The preface string for a tag key and value pair attached to a resource. | String |
| sagemaker:ResourceTag/${TagKey} | A tag key and value pair. | String |
| sagemaker:RootAccess | The root access associated with the resource in the request. | String |
| sagemaker:TargetModel | The target model associated with the Multi-Model Endpoint in the request. | String |
| sagemaker:VolumeKmsKey | The volume kms key associated with the resource in the request. | ARN |
| sagemaker:VpcSecurityGroupIds | The list of all vpc security group ids associated with the resource in the request. | ArrayOfString |
| sagemaker:VpcSubnets | The list of all vpc subnets associated with the resource in the request. | ArrayOfString |
| sagemaker:WorkteamArn | The workteam arn associated to the request. | ARN |
| sagemaker:WorkteamType | The workteam type associated to the request. This can be public-crowd, private-crowd or vendor-crowd. | String |
