The AmazonBraketFullAccess policy grants permissions for Amazon Braket operations, including permissions for these tasks:
- Download containers from Amazon Elastic Container Registry – To read and download the container images used by the Amazon Braket Hybrid Jobs feature (ecr:GetDownloadUrlForLayer, ecr:BatchGetImage, ecr:BatchCheckLayerAvailability). Image pulls are limited to repositories whose ARN matches "arn:aws:ecr:*:*:repository/amazon-braket*". ecr:GetAuthorizationToken is granted on "*" because that action does not support resource-level permissions.
- Read Amazon Braket logs in CloudWatch Logs – All logs describe, get, and list actions, plus starting and stopping queries, testing metric filters, and filtering log events (logs:Describe*, logs:Get*, logs:List*, logs:StartQuery, logs:StopQuery, logs:TestMetricFilter, logs:FilterLogEvents), limited to log groups matching "arn:aws:logs:*:*:log-group:/aws/braket*". logs:GetQueryResults is granted on all log groups. The policy grants no cloudtrail: actions; AWS CloudTrail records Amazon Braket API activity in your account regardless, but reading that trail requires permissions outside this policy.
- Use roles – To create the Amazon Braket service-linked role (iam:CreateServiceLinkedRole, limited to "arn:aws:iam::*:role/aws-service-role/braket.amazonaws.com/AWSServiceRoleForAmazonBraket*" and conditioned on iam:AWSServiceName being braket.amazonaws.com). The service-linked role accesses AWS resources on your behalf and can be used only by the Amazon Braket service. The policy also grants read-only visibility of roles in the account (iam:ListRoles, iam:GetRole, iam:ListRolePolicies, iam:GetRolePolicy, iam:ListAttachedRolePolicies). It does not grant iam:CreateRole, iam:AttachRolePolicy, or iam:PutRolePolicy, so the execution roles used by hybrid jobs and notebooks must be created by a principal with separate IAM permissions.
- Create log groups, log events, and query log groups in order to maintain usage log files for your account – To create log groups and log streams and put log events (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents) on log groups under "/aws/braket*", to read query results (logs:GetQueryResults) from any log group, to read metric data (cloudwatch:GetMetricData), and to publish metrics (cloudwatch:PutMetricData), the last only when the cloudwatch:namespace condition key equals "/aws/braket".
- Create and store data in Amazon S3 buckets, and list all buckets – To list every bucket in the account (s3:ListAllMyBuckets, which supports only Resource "*") and, on resources matching "arn:aws:s3:::amazon-braket-*", to create buckets, list bucket contents, get and put objects, set the public access block, and set the bucket policy (s3:CreateBucket, s3:ListBucket, s3:GetObject, s3:PutObject, s3:PutBucketPublicAccessBlock, s3:PutBucketPolicy). Braket uses these buckets to store the results of processed quantum tasks and to retrieve them. Two caveats: S3 ARNs carry no account ID, so the pattern matches any bucket whose name begins with amazon-braket-, not only buckets in your account (the bucket's own policy then decides whether a cross-account request succeeds); and s3:PutBucketPolicy lets a holder of this policy rewrite the access controls of every amazon-braket-* bucket in the account, so treat that name prefix as a privileged namespace.
- Pass IAM roles – iam:PassRole is limited to two role-name prefixes under "role/service-role/": AmazonBraketServiceSageMakerNotebookRole*, which may be passed only to sagemaker.amazonaws.com (for notebook instances), and AmazonBraketJobsExecutionRole*, which may be passed only to braket.amazonaws.com (for the CreateJob API). Both statements use the iam:PassedToService condition key. Roles outside these prefixes cannot be passed, which is what stops a holder of this policy from attaching an arbitrary, more privileged role to a hybrid job.
- Amazon SageMaker AI Notebook – To create and manage SageMaker notebook instances matching "arn:aws:sagemaker:*:*:notebook-instance/amazon-braket-*" and lifecycle configurations matching "arn:aws:sagemaker:*:*:notebook-instance-lifecycle-config/amazon-braket-*". sagemaker:ListNotebookInstances is granted on "*".
- Validate service quotas – servicequotas:GetServiceQuota on "*", so that resource counts can be checked against your account quotas before SageMaker AI notebooks and Amazon Braket Hybrid Jobs are created.
- Full Amazon Braket access – "braket:*" on Resource "*" with no condition: every Braket action on every Braket resource in the account. This is the statement that makes the policy a full-access policy; the scoping described above applies only to the supporting services.
Policy contents
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket",
        "s3:CreateBucket",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::amazon-braket-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "servicequotas:GetServiceQuota",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Resource": "arn:aws:ecr:*:*:repository/amazon-braket*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:Describe*",
        "logs:Get*",
        "logs:List*",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:TestMetricFilter",
        "logs:FilterLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/braket*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles",
        "iam:ListRolePolicies",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListNotebookInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedNotebookInstanceUrl",
        "sagemaker:CreateNotebookInstance",
        "sagemaker:DeleteNotebookInstance",
        "sagemaker:DescribeNotebookInstance",
        "sagemaker:StartNotebookInstance",
        "sagemaker:StopNotebookInstance",
        "sagemaker:UpdateNotebookInstance",
        "sagemaker:ListTags",
        "sagemaker:AddTags",
        "sagemaker:DeleteTags"
      ],
      "Resource": "arn:aws:sagemaker:*:*:notebook-instance/amazon-braket-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:DescribeNotebookInstanceLifecycleConfig",
        "sagemaker:CreateNotebookInstanceLifecycleConfig",
        "sagemaker:DeleteNotebookInstanceLifecycleConfig",
        "sagemaker:ListNotebookInstanceLifecycleConfigs",
        "sagemaker:UpdateNotebookInstanceLifecycleConfig"
      ],
      "Resource": "arn:aws:sagemaker:*:*:notebook-instance-lifecycle-config/amazon-braket-*"
    },
    {
      "Effect": "Allow",
      "Action": "braket:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/braket.amazonaws.com/AWSServiceRoleForAmazonBraket*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "braket.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketServiceSageMakerNotebookRole*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": [
            "sagemaker.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketJobsExecutionRole*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": [
            "braket.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:GetQueryResults"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents",
        "logs:CreateLogStream",
        "logs:CreateLogGroup"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/braket*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudwatch:PutMetricData",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "/aws/braket"
        }
      }
    }
  ]
}
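The scoping in this policy lives in three places: the Resource ARN patterns, the two iam:PassedToService conditions on iam:PassRole, and the cloudwatch:namespace condition. The following script is an added example, not AWS code or part of this page: it is a small offline evaluator that applies IAM's wildcard and condition rules to an excerpt of the statements above, so you can check concretely which requests they allow before attaching the policy. The excerpt is copied from the policy (the SageMaker statement is cut to two of its ten actions); the account ID 123456789012 and the role name suffix "-demo" are hypothetical. Only identity-policy evaluation is modelled; SCPs, permission boundaries, resource policies and session policies are out of scope.

```python
import json
import re

# Excerpt of the AmazonBraketFullAccess statements shown above (copied from the
# policy; the SageMaker statement is cut to two actions to keep the block short).
POLICY_EXCERPT = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:CreateBucket",
                "s3:PutBucketPublicAccessBlock", "s3:PutBucketPolicy"],
     "Resource": "arn:aws:s3:::amazon-braket-*"},
    {"Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "servicequotas:GetServiceQuota", "cloudwatch:GetMetricData"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["sagemaker:CreateNotebookInstance", "sagemaker:DeleteNotebookInstance"],
     "Resource": "arn:aws:sagemaker:*:*:notebook-instance/amazon-braket-*"},
    {"Effect": "Allow", "Action": "braket:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketServiceSageMakerNotebookRole*",
     "Condition": {"StringLike": {"iam:PassedToService": ["sagemaker.amazonaws.com"]}}},
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketJobsExecutionRole*",
     "Condition": {"StringLike": {"iam:PassedToService": ["braket.amazonaws.com"]}}},
    {"Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*",
     "Condition": {"StringEquals": {"cloudwatch:namespace": "/aws/braket"}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, text, case_insensitive=False):
    """IAM-style match: '*' spans any characters (including '/' and ':'), '?' is one
    character. Action names compare case-insensitively; ARNs compare exactly."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, text, re.IGNORECASE if case_insensitive else 0) is not None


def _condition_holds(condition, context):
    """Every operator block and every key in it must match. A key absent from the
    request context fails StringEquals/StringLike, as it does in IAM."""
    for operator, clauses in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in clauses.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringLike" and not any(
                    _wildcard_match(p, actual) for p in _as_list(expected)):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation
        decision = "Allow"
    return decision


def unconditioned_wildcard_actions(policy):
    """Audit helper: actions allowed on Resource '*' with no Condition attached."""
    found = []
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow" and "*" in _as_list(stmt["Resource"])
                and "Condition" not in stmt):
            found.extend(_as_list(stmt["Action"]))
    return found


if __name__ == "__main__":
    # Hypothetical account ID and role name, for illustration only.
    job_role = "arn:aws:iam::123456789012:role/service-role/AmazonBraketJobsExecutionRole-demo"
    print(evaluate(POLICY_EXCERPT, "s3:PutObject", "arn:aws:s3:::amazon-braket-results/run1.json"))
    print(evaluate(POLICY_EXCERPT, "iam:PassRole", job_role, {"iam:PassedToService": "sagemaker.amazonaws.com"}))
    print(unconditioned_wildcard_actions(POLICY_EXCERPT))
```

Running the checks shows the shape of the policy: an object write to amazon-braket-results is allowed while the same write to any other bucket is implicitly denied; the jobs execution role can be passed to braket.amazonaws.com but not to sagemaker.amazonaws.com, and a role outside the two name prefixes cannot be passed at all; cloudwatch:PutMetricData is allowed only with the "/aws/braket" namespace in the request; and the audit helper reports exactly the actions that carry no resource or condition scoping, with "braket:*" among them.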