Actions, Resources, and Condition Keys for Amazon SageMaker
Amazon SageMaker (service prefix: sagemaker) provides the following service-specific resources, actions, and condition context
keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to protect this service and its resources by using IAM permission policies.
Topics
Actions Defined by Amazon SageMaker
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform
an operation in AWS. When you use an action in a policy, you usually allow or
deny access to the API operation or CLI command with the same name. However,
in some cases, a single action controls access to more than one operation. Alternatively,
some operations require several different actions.
The Resource column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the
Resource element of your policy statement. If the column includes a resource type, then
you can specify an ARN of that type in a statement with that action. Required
resources are indicated in the table with an asterisk (*). If you specify a resource-level
permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not
indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see The Actions Table.
| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AddTags | Adds or overwrites one or more tags for the specified Amazon SageMaker resource. | Tagging | |||
| CreateAlgorithm | Create an algorithm. | Write | |||
| CreateCodeRepository | Create a code repository. | Write | |||
| CreateCompilationJob | Create a compilation job. | Write |
iam:PassRole |
||
| CreateEndpoint | Creates an endpoint using the endpoint configuration specified in the request. | Write | |||
| CreateEndpointConfig | Creates an endpoint configuration that can be deployed using Amazon SageMaker hosting services. | Write | |||
| CreateHyperParameterTuningJob | Creates hyper parameter tuning job that can be deployed using Amazon SageMaker. | Write |
iam:PassRole |
||
| CreateLabelingJob | Starts a labeling job. A labeling job takes unlabeled data in and produces labeled data as output, which can be used for training SageMaker models. | Write |
iam:PassRole |
||
| CreateModel | Creates a model in Amazon SageMaker. In the request, you specify a name for the model and describe one or more containers. | Write |
iam:PassRole |
||
| CreateModelPackage | Create a model package. | Write | |||
| CreateNotebookInstance | Creates an Amazon SageMaker notebook instance. A notebook instance is an Amazon EC2 instance running on a Jupyter Notebook. | Write |
iam:PassRole |
||
| CreateNotebookInstanceLifecycleConfig | Creates an notebook instance lifecycle configuration that can be deployed using Amazon SageMaker. | Write | |||
| CreatePresignedNotebookInstanceUrl | Returns a URL that you can use from your browser to connect to the Notebook Instance. | Write | |||
| CreateTrainingJob | Starts a model training job. After training completes, Amazon SageMaker saves the resulting model artifacts and other optional output to an Amazon S3 location that you specify. | Write |
iam:PassRole |
||
| CreateTransformJob | Starts a transform job. After the results are obtained, Amazon SageMaker saves them to an Amazon S3 location that you specify. | Write | |||
| CreateWorkteam | Create a workteam. | Write | |||
| DeleteAlgorithm | Deletes an algorithm. | Write | |||
| DeleteCodeRepository | Deletes a code repository. | Write | |||
| DeleteEndpoint | Deletes an endpoint. Amazon SageMaker frees up all the resources that were deployed when the endpoint was created. | Write | |||
| DeleteEndpointConfig | Deletes the endpoint configuration created using the CreateEndpointConfig API. The DeleteEndpointConfig API deletes only the specified configuration. It does not delete any endpoints created using the configuration. | Write | |||
| DeleteModel | Deletes a model created using the CreateModel API. The DeleteModel API deletes only the model entry in Amazon SageMaker that you created by calling the CreateModel API. It does not delete model artifacts, inference code, or the IAM role that you specified when creating the model. | Write | |||
| DeleteModelPackage | Deletes a model package. | Write | |||
| DeleteNotebookInstance | Deletes an Amazon SageMaker notebook instance. Before you can delete a notebook instance, you must call the StopNotebookInstance API. | Write | |||
| DeleteNotebookInstanceLifecycleConfig | Deletes an notebook instance lifecycle configuration that can be deployed using Amazon SageMaker. | Write | |||
| DeleteTags | Deletes the specified set of tags from an Amazon SageMaker resource. | Tagging | |||
| DeleteWorkteam | Deletes a workteam. | Write | |||
| DescribeAlgorithm | Returns information about an algorithm. | Read | |||
| DescribeCodeRepository | Returns information about a code repository. | Read | |||
| DescribeCompilationJob | Returns information about a compilation job. | Read | |||
| DescribeEndpoint | Returns the description of an endpoint. | Read | |||
| DescribeEndpointConfig | Returns the description of an endpoint configuration, which was created using the CreateEndpointConfig API. | Read | |||
| DescribeHyperParameterTuningJob | Describes a hyper parameter tuning job that was created via CreateHyperParameterTuningJob API. | Read | |||
| DescribeLabelingJob | Returns information about a labeling job. | Read | |||
| DescribeModel | Describes a model that you created using the CreateModel API. | Read | |||
| DescribeModelPackage | Returns information about a model package. | Read | |||
| DescribeNotebookInstance | Returns information about a notebook instance. | Read | |||
| DescribeNotebookInstanceLifecycleConfig | Describes an notebook instance lifecycle configuration that was created via CreateNotebookInstanceLifecycleConfig API. | Read | |||
| DescribeSubscribedWorkteam | Returns information about a subscribed workteam. | Read | |||
| DescribeTrainingJob | Returns information about a training job. | Read | |||
| DescribeTransformJob | Returns information about a transform job. | Read | |||
| DescribeWorkteam | Returns information about a workteam. | Read | |||
| GetSearchSuggestions | Get search suggestions when provided with keyword. | Read | |||
| InvokeEndpoint | After you deploy a model into production using Amazon SageMaker hosting services, your client applications use this API to get inferences from the model hosted at the specified endpoint. | Read | |||
| ListAlgorithms | Lists algorithms. | List | |||
| ListCodeRepositories | Lists code repositories. | List | |||
| ListCompilationJobs | Lists compilation jobs. | List | |||
| ListEndpointConfigs | Lists endpoint configurations. | List | |||
| ListEndpoints | Lists endpoints. | List | |||
| ListHyperParameterTuningJobs | Lists hyper parameter tuning jobs that was created using Amazon SageMaker. | List | |||
| ListLabelingJobs | Lists labeling jobs. | List | |||
| ListLabelingJobsForWorkteam | Lists labeling jobs for workteam. | List | |||
| ListModelPackages | Lists model packages. | List | |||
| ListModels | Lists the models created with the CreateModel API. | List | |||
| ListNotebookInstanceLifecycleConfigs | Lists notebook instance lifecycle configurations that can be deployed using Amazon SageMaker. | List | |||
| ListNotebookInstances | Returns a list of the Amazon SageMaker notebook instances in the requester's account in an AWS Region. | List | |||
| ListSubscribedWorkteams | Lists subscribed workteams. | List | |||
| ListTags | Returns the tag set associated with the specified resource. | List | |||
| ListTrainingJobs | Lists training jobs. | List | |||
| ListTrainingJobsForHyperParameterTuningJob | Lists training jobs for a hyper parameter tuning job that was created using Amazon SageMaker. | List | |||
| ListTransformJobs | Lists transform jobs. | List | |||
| ListWorkteams | Lists workteams. | List | |||
| RenderUiTemplate | Render a UI template used for a human annotation task. | Read |
iam:PassRole |
||
| Search | Search for a training job. | Read | |||
| StartNotebookInstance | Launches an EC2 instance with the latest version of the libraries and attaches your EBS volume. | Write | |||
| StopCompilationJob | Stops a compilation job. | Write | |||
| StopHyperParameterTuningJob | Stops a running hyper parameter tuning job create via the CreateHyperParameterTuningJob. | Write | |||
| StopLabelingJob | Stops a labeling job. Any labels already generated will be exported before stopping. | Write | |||
| StopNotebookInstance | Terminates the EC2 instance. Before terminating the instance, Amazon SageMaker disconnects the EBS volume from it. Amazon SageMaker preserves the EBS volume. | Write | |||
| StopTrainingJob | Stops a training job. To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds. | Write | |||
| StopTransformJob | Stops a transform job. When Amazon SageMaker receives a StopTransformJob request, the status of the job changes to Stopping. After Amazon SageMaker stops the job, the status is set to Stopped | Write | |||
| UpdateCodeRepository | Updates a code repository. | Write | |||
| UpdateEndpoint | Updates an endpoint to use the endpoint configuration specified in the request. | Write | |||
| UpdateEndpointWeightsAndCapacities | Updates variant weight, capacity, or both of one or more variants associated with an endpoint. | Write | |||
| UpdateNotebookInstance | Updates a notebook instance. Notebook instance updates include upgrading or downgrading the EC2 instance used for your notebook instance to accommodate changes in your workload requirements. You can also update the VPC security groups. | Write | |||
| UpdateNotebookInstanceLifecycleConfig | Updates a notebook instance lifecycle configuration created with the CreateNotebookInstanceLifecycleConfig API. | Write | |||
| UpdateWorkteam | Updates a workteam. | Write | |||
Resources Defined by Amazon SageMaker
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource
type can also define which condition keys you can include in a policy. These
keys are displayed in the last column of the table. For details about the columns
in the following table, see The Resource Types Table.
Condition Keys for Amazon SageMaker
Amazon SageMaker defines the following condition keys that can be used in the
Condition element of an IAM policy. You can use these keys to further refine the conditions
under which the policy statement applies. For details about the columns in the
following table, see The Condition Keys Table.
To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.
| Condition Keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | A key that is present in the request the user makes to the SageMaker service. | String |
| aws:ResourceTag/${TagKey} | A tag key and value pair. | String |
| aws:TagKeys | The list of all the tag key names associated with the resource in the request. | String |
| sagemaker:ResourceTag/ | The preface string for a tag key and value pair attached to a resource. | String |
| sagemaker:ResourceTag/${TagKey} | A tag key and value pair. | String |
