Managing access to Amazon Braket - Amazon Braket

Managing access to Amazon Braket

This chapter describes the permissions that are required to run Amazon Braket, or to restrict the access of specific IAM users and roles. You can grant (or deny) the required permissions to any IAM user or role in your account. To do so, attach the appropriate Amazon Braket policy to that user or role in the account, as given in this chapter.

As a prerequisite, you must enable Amazon Braket. To enable Amazon Braket, sign in as a user or role that either (1) has administrator permissions or (2) is assigned the AmazonBraketFullAccess policy and has permissions to create S3 buckets.

Add the AmazonBraketFullAccess policy to a user

You can skip this sequence if you have already created a user with the AmazonBraketFullAccess policy attached.

Step 1. Set up a user with the correct IAM access type

  • Navigate to the IAM console, select Users, and either choose Add User or select the user from the list of existing users.

  • Fill in details for the user and access type.

  • Choose Next:Permissions.

  • Choose Attach existing policies directly.

  • Select AmazonBraketFullAccess.

  • Proceed through the Next buttons to create the user.

Step 2. Add the permissions policy to the user

  • In the IAM console, choose Users.

  • Select the user you created in Step 1.

  • Under permissions, choose Add inline policy.

  • Select JSON and replace the JSON string in the text box with the permissions policy given in the following example code:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:CreatePolicy",
        "iam:AttachRolePolicy",
        "iam:UpdateRolePolicy"
      ],
      "Resource": [
        "arn:aws:iam::012345678901:role/service-role/AmazonBraketServiceSageMakerNotebookRole-*",
        "arn:aws:iam::012345678901:policy/service-role/AmazonBraketServiceSageMakerNotebookAccess-*"
      ]
    }
  ]
}

Note: Replace the example account ID 012345678901 with the actual AWS account ID you are signed into.

Step 3. Save the permissions policy you just created

  • Choose Review Policy and save it with a descriptive name, such as AmazonBraketCreateRolePermissions.

Amazon Braket resources

Amazon Braket creates one type of resource, which is the quantum-task resource. Here is the form of the ARN for that resource type:

  • Resource Name: AWS::Service::Braket

  • ARN Regex: arn:${Partition}:braket:${Region}:${Account}:quantum-task/${RandomId}

Notebooks and roles

Notebooks are another type of resource that Amazon Braket uses on your behalf. A notebook is an Amazon SageMaker resource, which Braket is able to share. The notebooks require a specific IAM role to function: a role with a name that begins with AmazonBraketServiceSageMakerNotebook.

When you are creating a notebook in the Amazon Braket console, you’ll see the option to create this new role. Your IAM user must have the AmazonBraketFullAccess role and permissions policy assigned and enabled to create the role.

To create the role, follow the steps given in Create a notebook, or have your administrator create it for you. Ensure that the AmazonBraketFullAccess policy is attached.

After you’ve created the role, you can reuse that role for all notebooks you launch in the future.

About the AmazonBraketFullAccess policy

The AmazonBraketFullAccess policy grants permissions for all Amazon Braket operations, including permissions for these tasks:

  • Store data in Amazon S3 buckets – list the S3 buckets in your account, and put objects into and get objects from any bucket in your account whose name starts with amazon-braket-. These permissions are required for Amazon Braket to put files containing results from processed tasks into the bucket, and to retrieve them from the bucket.

  • Keep AWS CloudTrail logs – all describe, get, and list actions, as well as starting and stopping queries, testing metric filters, and filtering log events. The AWS CloudTrail log file contains a record of all Amazon Braket API activity that occurs in your account.

  • Utilize roles to control resources – Create a service-linked role in your account. The service-linked role has access to AWS resources on your behalf. It can be used only by the Amazon Braket service.

  • Maintain usage log files for your account – Create, store, and view logging information about Amazon Braket usage in your account.

The AmazonBraketFullAccess policy artifact is shown in this example code:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::amazon-braket-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:Describe*",
        "logs:Get*",
        "logs:List*",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:TestMetricFilter",
        "logs:FilterLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/braket:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles",
        "iam:ListRolePolicies",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListNotebookInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateNotebookInstance",
        "sagemaker:CreatePresignedNotebookInstanceUrl",
        "sagemaker:DescribeNotebookInstance",
        "sagemaker:StartNotebookInstance",
        "sagemaker:StopNotebookInstance",
        "sagemaker:UpdateNotebookInstance",
        "sagemaker:DeleteNotebookInstance"
      ],
      "Resource": "arn:aws:sagemaker:*:*:notebook-instance/amazon-braket-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateNotebookInstanceLifecycleConfig",
        "sagemaker:DeleteNotebookInstanceLifecycleConfig"
      ],
      "Resource": "arn:aws:sagemaker:*:*:notebook-instance-lifecycle-config/amazon-braket-*"
    },
    {
      "Effect": "Allow",
      "Action": "braket:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/braket.amazonaws.com/AWSServiceRoleForAmazonBraket*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "braket.amazonaws.com"
        }
      }
    },
    {
      "Action": [
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketServiceSageMakerNotebookRole*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": [
            "sagemaker.amazonaws.com"
          ]
        }
      }
    }
  ]
}
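When reviewing a managed policy like the one above before attaching it, the question a practitioner usually asks is which statements grant on an unscoped Resource "*" and which are narrowed by a Condition. The following script is an added example, not part of the Amazon Braket documentation or the AWS managed policy itself; it walks a policy document and reports per statement the services touched, wildcard actions, unscoped resources and conditions. The embedded document is a condensed excerpt of the AmazonBraketFullAccess policy shown above (the S3, IAM list, SageMaker list, braket:*, service-linked-role and PassRole statements), shortened for the example.

```python
"""Summarize the grants in an IAM policy document.

Added example; the embedded policy is a condensed excerpt of the
AmazonBraketFullAccess policy, not the full managed policy.
"""
import json

FULL_ACCESS_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::amazon-braket-*"},
        {"Effect": "Allow",
         "Action": ["iam:ListRoles", "iam:ListRolePolicies", "iam:GetRole",
                    "iam:GetRolePolicy", "iam:ListAttachedRolePolicies"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["sagemaker:ListNotebookInstances"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "braket:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": "iam:CreateServiceLinkedRole",
         "Resource": "arn:aws:iam::*:role/aws-service-role/braket.amazonaws.com/AWSServiceRoleForAmazonBraket*",
         "Condition": {"StringEquals": {"iam:AWSServiceName": "braket.amazonaws.com"}}},
        {"Effect": "Allow",
         "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketServiceSageMakerNotebookRole*",
         "Condition": {"StringLike": {"iam:PassedToService": ["sagemaker.amazonaws.com"]}}},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action and Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return one finding dict per statement describing how broad it is."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        findings.append({
            "index": index,
            "effect": stmt["Effect"],
            # service prefix is the part before the colon, e.g. "s3" in "s3:GetObject"
            "services": sorted({a.split(":", 1)[0] for a in actions}),
            "wildcard_action": any(a.endswith("*") for a in actions),
            "unscoped_resource": "*" in resources,
            "conditioned": "Condition" in stmt,
        })
    return findings


def unscoped_services(policy):
    """Services that receive an Allow on Resource "*" with no Condition."""
    return sorted({
        service
        for finding in review_policy(policy)
        if finding["effect"] == "Allow"
        and finding["unscoped_resource"]
        and not finding["conditioned"]
        for service in finding["services"]
    })


if __name__ == "__main__":
    for finding in review_policy(FULL_ACCESS_EXCERPT):
        print(json.dumps(finding))
    print("unscoped services:", unscoped_services(FULL_ACCESS_EXCERPT))
```

For the excerpt, the unscoped services are braket, iam and sagemaker: the braket:* statement is both wildcard-action and unscoped, the IAM and SageMaker list statements are read-only but on "*", while the S3 statement is scoped to amazon-braket-* buckets and the two role statements are narrowed by conditions. The same function applies unchanged to the full policy or to any customer-managed policy loaded from JSON.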

Restrict user access to certain devices

To restrict access for certain users to certain Amazon Braket devices, you can add a deny permissions policy to a specific IAM role.

The following example denies access to all devices for AWS account 012345678901.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "braket:CreateQuantumTask",
        "braket:CancelQuantumTask",
        "braket:GetQuantumTask",
        "braket:SearchQuantumTasks",
        "braket:GetDevice",
        "braket:SearchDevices"
      ],
      "Resource": [
        "arn:aws:braket::012345678901:device/*"
      ]
    }
  ]
}

To adapt this policy, replace the Resource value shown in the example (the string below) with the Amazon Resource Name (ARN) of the device you want to restrict, and replace 012345678901 with your actual AWS account ID:

arn:aws:braket::012345678901:device/*

Tips for managing device access

  • To restrict access to all QPU devices, substitute this Resource value: arn:aws:braket::012345678901:device/qpu/*

  • To restrict access to all managed simulator devices, substitute this Resource value: arn:aws:braket::012345678901:device/quantum-simulator/*

  • You can restrict access to devices from a certain provider. For instance, to restrict access to D-Wave QPU devices, substitute this Resource value: arn:aws:braket::012345678901:device/qpu/d-wave/*

  • To restrict access to a specific device, change the Resource value to the corresponding device ARN, which you can find on the Devices page. For example, to restrict access to TN1, substitute this Resource value: arn:aws:braket::012345678901:device/quantum-simulator/amazon/tn1
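The deny policy above only has the intended effect because IAM evaluates an explicit Deny ahead of any Allow, including the braket:* Allow in AmazonBraketFullAccess. The script below is an added example, not code from the Amazon Braket documentation: it builds the deny policy for each scope in the tips list and then evaluates the combined effect of that policy and the braket:* statement with a minimal matcher for IAM's * and ? wildcards (Conditions are not modelled, since these device policies carry none). The TN1 ARN is the one from the page; the D-Wave device ARN and the example-qpu name are constructed placeholders.

```python
"""Build Amazon Braket device-deny policies and check their effective result.

Added example. Models the IAM rule that an explicit Deny overrides Allow
and that the default is Deny; ignores Condition blocks.
"""
import fnmatch
import json
import re

# Actions from the page's device-restriction example.
DEVICE_ACTIONS = [
    "braket:CreateQuantumTask",
    "braket:CancelQuantumTask",
    "braket:GetQuantumTask",
    "braket:SearchQuantumTasks",
    "braket:GetDevice",
    "braket:SearchDevices",
]

# Resource suffixes from the "Tips for managing device access" list.
SCOPES = {
    "all": "device/*",
    "qpu": "device/qpu/*",
    "simulator": "device/quantum-simulator/*",
}


def device_deny_policy(account_id, scope="all", provider=None, device_arn=None):
    """Return a Deny policy document for the chosen scope.

    scope: 'all', 'qpu' or 'simulator'; provider (e.g. 'd-wave') narrows to
    that provider's QPUs; device_arn overrides both with one specific device.
    """
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    if device_arn:
        resource = device_arn
    elif provider:
        resource = f"arn:aws:braket::{account_id}:device/qpu/{provider}/*"
    else:
        resource = f"arn:aws:braket::{account_id}:{SCOPES[scope]}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Deny", "Action": DEVICE_ACTIONS, "Resource": [resource]}
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM's '*' and '?' behave like shell globs; fnmatch also knows [..]
    # classes, which do not occur in ARNs or action names, so it is safe here.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policies, action, resource):
    """True only if some statement allows the request and none denies it."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            # Action names are matched case-insensitively, resources exactly.
            action_hit = any(_match(p.lower(), action.lower()) for p in _as_list(stmt["Action"]))
            resource_hit = any(_match(p, resource) for p in _as_list(stmt["Resource"]))
            if action_hit and resource_hit:
                if stmt["Effect"] == "Deny":
                    return False  # explicit deny wins immediately
                allowed = True
    return allowed


ACCOUNT = "012345678901"  # the example account ID used on the page
# The braket:* statement from AmazonBraketFullAccess, which the deny must override.
FULL_ACCESS_BRAKET = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "braket:*", "Resource": "*"}],
}
TN1 = f"arn:aws:braket::{ACCOUNT}:device/quantum-simulator/amazon/tn1"
DWAVE = f"arn:aws:braket::{ACCOUNT}:device/qpu/d-wave/example-qpu"  # constructed placeholder


def effective_access(deny_policy, device_arn, action="braket:CreateQuantumTask"):
    """Combine the full-access Allow with a deny policy for one device request."""
    return is_allowed([FULL_ACCESS_BRAKET, deny_policy], action, device_arn)


if __name__ == "__main__":
    deny_dwave = device_deny_policy(ACCOUNT, scope="qpu", provider="d-wave")
    print(json.dumps(deny_dwave, indent=2))
    for arn in (TN1, DWAVE):
        print(arn, "->", "allowed" if effective_access(deny_dwave, arn) else "denied")
```

With the D-Wave scope the constructed QPU ARN is denied while TN1 stays allowed; with the TN1 device ARN as the Resource only TN1 is denied; with the "all" scope every device is denied for the listed actions even though braket:* is still attached. Requests for actions outside the six listed ones are unaffected by the deny, which is why the tips say to change only the Resource value.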