Managing access to Amazon Braket

This chapter describes the permissions that are required to run Amazon Braket, or to restrict the access of specific IAM users and roles. You can grant (or deny) the required permissions to any IAM user or role in your account. To do so, attach the appropriate Amazon Braket policy to that user or role in the account, as given in this chapter.

As a prerequisite, you must enable Amazon Braket. To enable Amazon Braket, sign in as a user or role that either (1) has administrator permissions or (2) is assigned the AmazonBraketFullAccess policy and has permissions to create S3 buckets.

AmazonBraket resources

Amazon Braket creates one type of resource, which is the quantum-task resource. Here is the form of the ARN for that resource type:

  • Resource Name: AWS::Service::Braket

  • ARN Regex: arn:${Partition}:braket:${Region}:${Account}:quantum-task/${RandomId}

Notebooks and roles

Notebooks are another type of resource that Amazon Braket utilizes on your behalf. A notebook is an Amazon SageMaker resource, which Braket is able to share. The notebooks require a specific IAM role to function: a role with a name that begins with AmazonBraketServiceSageMakerNotebook.

To create a notebook, you must use a role with Admin permissions or that has the following inline policy attached to it.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateRole",
            "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketServiceSageMakerNotebookRole-*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreatePolicy",
            "Resource": "arn:aws:iam::*:policy/service-role/AmazonBraketServiceSageMakerNotebookAccess-*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:AttachRolePolicy",
            "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketServiceSageMakerNotebookRole-*",
            "Condition": {
                "StringLike": {
                    "iam:PolicyARN": [
                        "arn:aws:iam::aws:policy/AmazonBraketFullAccess",
                        "arn:aws:iam::*:policy/service-role/AmazonBraketServiceSageMakerNotebookAccess-*"
                    ]
                }
            }
        }
    ]
}

To create the role, follow the steps given in Create a notebook, or have your administrator create it for you. Ensure that the AmazonBraketFullAccess policy is attached.

After you’ve created the role, you can reuse that role for all notebooks you launch in the future.

About the AmazonBraketFullAccess policy

The AmazonBraketFullAccess policy grants permissions for Amazon Braket operations, including permissions for these tasks:

  • Amazon Elastic Container Registry – to read and download container images to be used for the Amazon Braket Hybrid Jobs feature. The containers must conform to the format "arn:aws:ecr:*:*:repository/amazon-braket*".

  • Keep AWS CloudTrail logs – for all describe, get, and list actions, as well as starting and stopping queries, testing metrics filters, and filtering log events. The AWS CloudTrail log file contains a record of all Amazon Braket API activity that occurs in your account.

  • Utilize roles to control resources – to create a service-linked role in your account. The service-linked role has access to AWS resources on your behalf and can be used only by the Amazon Braket service. Also to pass IAM roles to the Amazon Braket CreateJob API, and to create a role and attach a policy scoped to AmazonBraketFullAccess to that role.

  • Create log groups, log events, and query log groups. Maintain usage log files for your account – to create, store, and view logging information about Amazon Braket usage in your account, to query metrics on jobs log groups, to put log data into log groups under the /aws/braket path, and to put metric data in CloudWatch.

  • Create and Store data in Amazon S3 buckets, and list all buckets – to create S3 buckets, list the S3 buckets in your account, and to put objects into and get objects from any bucket in your account whose name begins with amazon-braket-. These permissions are required for Amazon Braket to put files containing results from processed tasks into the bucket and to retrieve them from the bucket.

  • Pass IAM roles – to pass in IAM roles to the CreateJob API.

  • Amazon SageMaker Notebook – to create and manage SageMaker Notebook instances scoped to the resource "arn:aws:sagemaker:*:*:notebook-instance/amazon-braket-*".

Policy contents

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket",
                "s3:CreateBucket",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutBucketPolicy"
            ],
            "Resource": "arn:aws:s3:::amazon-braket-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ],
            "Resource": "arn:aws:ecr:*:*:repository/amazon-braket*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:Describe*",
                "logs:Get*",
                "logs:List*",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/braket*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles",
                "iam:ListRolePolicies",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListNotebookInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreatePresignedNotebookInstanceUrl",
                "sagemaker:CreateNotebookInstance",
                "sagemaker:DeleteNotebookInstance",
                "sagemaker:DescribeNotebookInstance",
                "sagemaker:StartNotebookInstance",
                "sagemaker:StopNotebookInstance",
                "sagemaker:UpdateNotebookInstance",
                "sagemaker:ListTags",
                "sagemaker:AddTags",
                "sagemaker:DeleteTags"
            ],
            "Resource": "arn:aws:sagemaker:*:*:notebook-instance/amazon-braket-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:DescribeNotebookInstanceLifecycleConfig",
                "sagemaker:CreateNotebookInstanceLifecycleConfig",
                "sagemaker:DeleteNotebookInstanceLifecycleConfig",
                "sagemaker:ListNotebookInstanceLifecycleConfigs",
                "sagemaker:UpdateNotebookInstanceLifecycleConfig"
            ],
            "Resource": "arn:aws:sagemaker:*:*:notebook-instance-lifecycle-config/amazon-braket-*"
        },
        {
            "Effect": "Allow",
            "Action": "braket:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/braket.amazonaws.com/AWSServiceRoleForAmazonBraket*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "braket.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketServiceSageMakerNotebookRole*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "sagemaker.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketJobsExecutionRole*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "braket.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:GetQueryResults"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream",
                "logs:CreateLogGroup"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/braket*"
        },
        {
            "Effect": "Allow",
            "Action": "cloudwatch:PutMetricData",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": "/aws/braket"
                }
            }
        }
    ]
}

About the AmazonBraketJobsExecutionPolicy policy

The AmazonBraketJobsExecutionPolicy policy grants permissions for execution roles used in Amazon Braket Hybrid Jobs, including permissions for these tasks:

  • Amazon Elastic Container Registry – permissions to read and download container images to be used for the Amazon Braket Hybrid Jobs feature. Containers must conform to the format "arn:aws:ecr:*:*:repository/amazon-braket*".

  • Create log groups and log events and query log groups. Maintain usage log files for your account – to create, store, and view logging information about Amazon Braket usage in your account, to query metrics on jobs log groups, to put log data into log groups under the /aws/braket path, and to put metric data in CloudWatch.

  • Store data in Amazon S3 buckets – list the S3 buckets in your account, put objects into and get objects from any bucket in your account that starts with amazon-braket- in its name. These permissions are required for Amazon Braket to put files containing results from processed tasks into the bucket, and to retrieve them from the bucket.

  • Pass IAM roles – to pass IAM roles to the CreateJob API. Roles must conform to the format arn:aws:iam::*:role/service-role/AmazonBraketJobsExecutionRole*.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"s3:GetObject",
				"s3:PutObject",
				"s3:ListBucket",
				"s3:CreateBucket",
				"s3:PutBucketPublicAccessBlock",
				"s3:PutBucketPolicy"
			],
			"Resource": "arn:aws:s3:::amazon-braket-*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"ecr:GetDownloadUrlForLayer",
				"ecr:BatchGetImage",
				"ecr:BatchCheckLayerAvailability"
			],
			"Resource": "arn:aws:ecr:*:*:repository/amazon-braket*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"ecr:GetAuthorizationToken"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"braket:CancelJob",
				"braket:CancelQuantumTask",
				"braket:CreateJob",
				"braket:CreateQuantumTask",
				"braket:GetDevice",
				"braket:GetJob",
				"braket:GetQuantumTask",
				"braket:SearchDevices",
				"braket:SearchJobs",
				"braket:SearchQuantumTasks",
				"braket:ListTagsForResource",
				"braket:TagResource",
				"braket:UntagResource"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:PassRole"
			],
			"Resource": "arn:aws:iam::*:role/service-role/AmazonBraketJobsExecutionRole*",
			"Condition": {
				"StringLike": {
					"iam:PassedToService": [
						"braket.amazonaws.com"
					]
				}
			}
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:ListRoles"
			],
			"Resource": "arn:aws:iam::*:role/*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"logs:GetQueryResults"
			],
			"Resource": [
				"arn:aws:logs:*:*:log-group:*"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"logs:PutLogEvents",
				"logs:CreateLogStream",
				"logs:CreateLogGroup",
				"logs:GetLogEvents",
				"logs:DescribeLogStreams",
				"logs:StartQuery",
				"logs:StopQuery"
			],
			"Resource": "arn:aws:logs:*:*:log-group:/aws/braket*"
		},
		{
			"Effect": "Allow",
			"Action": "cloudwatch:PutMetricData",
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"cloudwatch:namespace": "/aws/braket"
				}
			}
		}
	]
}

Restrict user access to certain devices

To restrict access for certain users to certain Amazon Braket devices, you can add a deny permissions policy to a specific IAM role.

The following example restricts access to all QPUs for the AWS account 012345678901.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "braket:CreateQuantumTask",
                "braket:CancelQuantumTask",
                "braket:GetQuantumTask",
                "braket:SearchQuantumTasks",
                "braket:GetDevice",
                "braket:SearchDevices"
            ],
            "Resource": [
                "arn:aws:braket:*:*:device/qpu/*"
            ]
        }
    ]
}

To adapt this code, substitute the Amazon Resource Name (ARN) of the restricted device for the string shown in the previous example; that string provides the Resource value. In Amazon Braket, a device represents a QPU or simulator that you can call to run quantum tasks. The devices available are listed on the Devices page. There are two schemas used to specify access to these devices:

  • arn:aws:braket:<region>:<account id>:device/qpu/<provider>/<device_id>

  • arn:aws:braket:<region>:<account id>:device/quantum-simulator/<provider>/<device_id>

Here are examples for various types of device access:

  • To select all QPUs across all regions: arn:aws:braket:*:*:device/qpu/*

  • To select all QPUs in the us-west-2 region ONLY: arn:aws:braket:us-west-2:012345678901:device/qpu/*

  • Equivalently, to select all QPUs in the us-west-2 region ONLY, because devices are a service resource, not a customer resource: arn:aws:braket:us-west-2:*:device/qpu/*

  • To restrict access to all on-demand simulator devices: arn:aws:braket:*:012345678901:device/quantum-simulator/*

  • To restrict access to the IonQ device in the us-east-1 region: arn:aws:braket:us-east-1:012345678901:device/ionq/ionQdevice

  • To restrict access to devices from a certain provider, for example, to D-Wave QPU devices: arn:aws:braket:*:012345678901:device/qpu/d-wave/*

  • To restrict access to the TN1 device: arn:aws:braket:*:012345678901:device/quantum-simulator/amazon/tn1
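The deny policy above only does its job if its Resource pattern actually matches the device ARNs your users call, and the AmazonBraketFullAccess policy it is layered on top of contains a "braket:*" on "*" grant that the deny must override. The following is an added example, not code from the Braket documentation or from AWS: a small offline evaluator of IAM-style Allow/Deny statements that you can run against the policy excerpts on this page before attaching anything. It assumes the standard IAM evaluation rules (an explicit Deny beats any Allow, anything no statement allows is an implicit deny, "*" and "?" are the only wildcards, action names match case-insensitively and ARNs case-sensitively) and models only the StringEquals and StringLike condition operators that the page's policies use. FULL_ACCESS_EXCERPT and DENY_ALL_QPUS are trimmed, constructed copies of the page's policies; QPU_ARN and SIM_ARN are constructed device ARNs with placeholder provider and device ids.

```python
"""Offline evaluator for the Allow/Deny pattern logic used by the policies on
this page (added example, not AWS code). Modelled assumptions: an explicit Deny
wins over any Allow, a request no statement allows is an implicit deny, '*'
and '?' are the only wildcards, action names match case-insensitively and
resource ARNs case-sensitively; only StringEquals and StringLike conditions
are handled, and a statement with any other condition operator never matches."""
import re


def _wild(pattern, ignore_case=False):
    """Compile an IAM-style wildcard pattern ('*' any run, '?' one char) to a regex."""
    body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + body + "$", re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def statement_matches(stmt, action, resource, context=None):
    """True if one statement covers the (action, resource) request under context."""
    context = context or {}
    if not any(_wild(a, True).match(action) for a in _as_list(stmt.get("Action"))):
        return False
    if not any(_wild(r).match(resource) for r in _as_list(stmt.get("Resource"))):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # condition key absent from the request: no match
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringLike" and not any(
                    _wild(p).match(actual) for p in _as_list(expected)):
                return False
            if operator not in ("StringEquals", "StringLike"):
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Combine every attached policy: 'Deny', 'Allow' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_matches(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def unconditioned_wildcard_grants(policy):
    """Allow statements on Resource '*' with no Condition: the first thing to review."""
    return [_as_list(s["Action"]) for s in policy["Statement"]
            if s["Effect"] == "Allow" and "*" in _as_list(s.get("Resource"))
            and "Condition" not in s]


# Constructed excerpts of the page's policies (statements trimmed to those exercised here).
FULL_ACCESS_EXCERPT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::amazon-braket-*"},
    {"Effect": "Allow", "Action": "braket:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketJobsExecutionRole*",
     "Condition": {"StringLike": {"iam:PassedToService": ["braket.amazonaws.com"]}}},
    {"Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*",
     "Condition": {"StringEquals": {"cloudwatch:namespace": "/aws/braket"}}},
]}

DENY_ALL_QPUS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny",
     "Action": ["braket:CreateQuantumTask", "braket:CancelQuantumTask",
                "braket:GetQuantumTask", "braket:SearchQuantumTasks",
                "braket:GetDevice", "braket:SearchDevices"],
     "Resource": ["arn:aws:braket:*:*:device/qpu/*"]},
]}

# Constructed device ARNs following the page's two schemas (provider/device ids are placeholders).
QPU_ARN = "arn:aws:braket:us-west-2:012345678901:device/qpu/example-provider/example-qpu"
SIM_ARN = "arn:aws:braket:us-west-2:012345678901:device/quantum-simulator/amazon/tn1"

if __name__ == "__main__":
    attached = [FULL_ACCESS_EXCERPT, DENY_ALL_QPUS]
    for arn in (QPU_ARN, SIM_ARN):
        print(arn, "->", evaluate(attached, "braket:CreateQuantumTask", arn))
    print("unconditioned '*' grants:", unconditioned_wildcard_grants(FULL_ACCESS_EXCERPT))
```

Run with the two policies attached together and the QPU ARN comes back Deny while the simulator ARN stays Allow, which is the behaviour the deny policy is meant to produce. The same evaluate call checks the conditioned statements: iam:PassRole on an AmazonBraketJobsExecutionRole is allowed only when the request context carries iam:PassedToService = braket.amazonaws.com, and the notebook inline policy's iam:PolicyARN StringLike condition can be tested the same way by passing {"iam:PolicyARN": ...} as the context. unconditioned_wildcard_grants is the reviewer's shortcut: for the full-access excerpt it reports only "braket:*", the one grant that a deny policy such as the one above needs to narrow.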

AmazonBraket updates to AWS managed policies

The following table provides details about updates to AWS managed policies for Amazon Braket since this service began tracking these changes.

Change | Description | Date
AmazonBraketFullAccess - Full access policy for Amazon Braket | Added s3:ListAllMyBuckets permissions to allow users to view and inspect the buckets created and used for Amazon Braket. | March 31, 2022
AmazonBraketFullAccess - Full access policy for Amazon Braket | Amazon Braket adjusted iam:PassRole permissions for AmazonBraketFullAccess to include the service-role/ path. | November 29, 2021
AmazonBraketJobsExecutionPolicy - Jobs execution policy for Amazon Braket Hybrid Jobs | Amazon Braket updated the jobs execution role ARN to include the service-role/ path. | November 29, 2021
Amazon Braket started tracking changes | Amazon Braket started tracking changes for its AWS managed policies. | November 29, 2021