
Managing access to Amazon Braket

This chapter describes the permissions that are required to run Amazon Braket, or to restrict the access of specific users and roles. You can grant (or deny) the required permissions to any user or role in your account. To do so, attach the appropriate Amazon Braket policy to that user or role in your account as described in the following sections.

As a prerequisite, you must enable Amazon Braket. To enable Braket, sign in as a user or role that either (1) has administrator permissions or (2) is assigned the AmazonBraketFullAccess policy and has permissions to create Amazon Simple Storage Service (Amazon S3) buckets.

Amazon Braket resources

Braket creates one type of resource: the quantum-task resource. The Amazon Resource Name (ARN) for this resource type is as follows:

  • Resource Name: AWS::Service::Braket

  • ARN Regex: arn:${Partition}:braket:${Region}:${Account}:quantum-task/${RandomId}

Notebooks and roles

You can use the notebook resource type in Braket. A notebook is an Amazon SageMaker resource that Braket is able to share. To use a notebook with Braket, you must specify an IAM role with a name that begins with AmazonBraketServiceSageMakerNotebook.

To create a notebook, you must use a role that either has admin permissions or has the following inline policy attached to it.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateRole",
            "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketServiceSageMakerNotebookRole*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreatePolicy",
            "Resource": [
                "arn:aws:iam::*:policy/service-role/AmazonBraketServiceSageMakerNotebookAccess*",
                "arn:aws:iam::*:policy/service-role/AmazonBraketServiceSageMakerNotebookRole*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:AttachRolePolicy",
            "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketServiceSageMakerNotebookRole*",
            "Condition": {
                "StringLike": {
                    "iam:PolicyARN": [
                        "arn:aws:iam::aws:policy/AmazonBraketFullAccess",
                        "arn:aws:iam::*:policy/service-role/AmazonBraketServiceSageMakerNotebookAccess*",
                        "arn:aws:iam::*:policy/service-role/AmazonBraketServiceSageMakerNotebookRole*"
                    ]
                }
            }
        }
    ]
}

To create the role, follow the steps given in the Create a notebook page or have your administrator create it for you. Ensure that the AmazonBraketFullAccess policy is attached.

After you’ve created the role, you can reuse that role for all notebooks you launch in the future.

About the AmazonBraketFullAccess policy

The AmazonBraketFullAccess policy grants permissions for Amazon Braket operations, including permissions for these tasks:

  • Download containers from Amazon Elastic Container Registry – To read and download container images that are used for the Amazon Braket Hybrid Jobs feature. The containers must conform to the format "arn:aws:ecr:*:*:repository/amazon-braket*".

  • Keep AWS CloudTrail logs – For all describe, get, and list actions in addition to starting and stopping queries, testing metrics filters, and filtering log events. The AWS CloudTrail log file contains a record of all Amazon Braket API activity that occurs in your account.

  • Utilize roles to control resources – To create a service-linked role in your account. The service-linked role has access to AWS resources on your behalf. It can be used only by the Amazon Braket service. Also, to pass in IAM roles to the Amazon Braket CreateJob API and to create a role and attach a policy scoped to AmazonBraketFullAccess to the role.

  • Create log groups, log events, and query log groups in order to maintain usage log files for your account – To create, store, and view logging information about Amazon Braket usage in your account; to query metrics on hybrid jobs log groups; and to write log data to log groups under the /aws/braket path and metric data to the /aws/braket CloudWatch namespace.

  • Create and store data in Amazon S3 buckets, and list all buckets – To create S3 buckets, list the S3 buckets in your account, and put objects into and get objects from any bucket in your account whose name begins with amazon-braket-. These permissions are required for Braket to put files containing results from processed quantum tasks into the bucket and to retrieve them from the bucket.

  • Pass IAM roles – To pass in IAM roles to the CreateJob API.

  • Amazon SageMaker Notebook – To create and manage SageMaker notebook instances scoped to the resource "arn:aws:sagemaker:*:*:notebook-instance/amazon-braket-*".

  • Validate service quotas – To check, when creating SageMaker notebooks and Amazon Braket Hybrid Jobs, that your resource counts do not exceed the quotas for your account.

Policy contents

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket",
                "s3:CreateBucket",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutBucketPolicy"
            ],
            "Resource": "arn:aws:s3:::amazon-braket-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "servicequotas:GetServiceQuota",
                "cloudwatch:GetMetricData"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ],
            "Resource": "arn:aws:ecr:*:*:repository/amazon-braket*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:Describe*",
                "logs:Get*",
                "logs:List*",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/braket*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles",
                "iam:ListRolePolicies",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListNotebookInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreatePresignedNotebookInstanceUrl",
                "sagemaker:CreateNotebookInstance",
                "sagemaker:DeleteNotebookInstance",
                "sagemaker:DescribeNotebookInstance",
                "sagemaker:StartNotebookInstance",
                "sagemaker:StopNotebookInstance",
                "sagemaker:UpdateNotebookInstance",
                "sagemaker:ListTags",
                "sagemaker:AddTags",
                "sagemaker:DeleteTags"
            ],
            "Resource": "arn:aws:sagemaker:*:*:notebook-instance/amazon-braket-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:DescribeNotebookInstanceLifecycleConfig",
                "sagemaker:CreateNotebookInstanceLifecycleConfig",
                "sagemaker:DeleteNotebookInstanceLifecycleConfig",
                "sagemaker:ListNotebookInstanceLifecycleConfigs",
                "sagemaker:UpdateNotebookInstanceLifecycleConfig"
            ],
            "Resource": "arn:aws:sagemaker:*:*:notebook-instance-lifecycle-config/amazon-braket-*"
        },
        {
            "Effect": "Allow",
            "Action": "braket:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/braket.amazonaws.com/AWSServiceRoleForAmazonBraket*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "braket.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketServiceSageMakerNotebookRole*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "sagemaker.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::*:role/service-role/AmazonBraketJobsExecutionRole*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "braket.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:GetQueryResults"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream",
                "logs:CreateLogGroup"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/braket*"
        },
        {
            "Effect": "Allow",
            "Action": "cloudwatch:PutMetricData",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": "/aws/braket"
                }
            }
        }
    ]
}

About the AmazonBraketJobsExecutionPolicy policy

The AmazonBraketJobsExecutionPolicy policy grants permissions for execution roles used in Amazon Braket Hybrid Jobs as follows:

  • Download containers from Amazon Elastic Container Registry - Permissions to read and download container images that are used for the Amazon Braket Hybrid Jobs feature. Containers must conform to the format "arn:aws:ecr:*:*:repository/amazon-braket*".

  • Create log groups and log events and query log groups in order to maintain usage log files for your account – To create, store, and view logging information about Amazon Braket usage in your account; to query metrics on hybrid jobs log groups; and to write log data to log groups under the /aws/braket path and metric data to the /aws/braket CloudWatch namespace.

  • Store data in Amazon S3 buckets – To list the S3 buckets in your account and to put objects into and get objects from any bucket in your account whose name starts with amazon-braket-. These permissions are required for Braket to put files containing results from processed quantum tasks into the bucket, and to retrieve them from the bucket.

  • Pass IAM roles – To pass IAM roles to the CreateJob API. Roles must conform to the format arn:aws:iam::*:role/service-role/AmazonBraketJobsExecutionRole*.

	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"s3:GetObject",
				"s3:PutObject",
				"s3:ListBucket",
				"s3:CreateBucket",
				"s3:PutBucketPublicAccessBlock",
				"s3:PutBucketPolicy"
			],
			"Resource": "arn:aws:s3:::amazon-braket-*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"ecr:GetDownloadUrlForLayer",
				"ecr:BatchGetImage",
				"ecr:BatchCheckLayerAvailability"
			],
			"Resource": "arn:aws:ecr:*:*:repository/amazon-braket*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"ecr:GetAuthorizationToken"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"braket:CancelJob",
				"braket:CancelQuantumTask",
				"braket:CreateJob",
				"braket:CreateQuantumTask",
				"braket:GetDevice",
				"braket:GetJob",
				"braket:GetQuantumTask",
				"braket:SearchDevices",
				"braket:SearchJobs",
				"braket:SearchQuantumTasks",
				"braket:ListTagsForResource",
				"braket:TagResource",
				"braket:UntagResource"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:PassRole"
			],
			"Resource": "arn:aws:iam::*:role/service-role/AmazonBraketJobsExecutionRole*",
			"Condition": {
				"StringLike": {
					"iam:PassedToService": [
						"braket.amazonaws.com"
					]
				}
			}
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:ListRoles"
			],
			"Resource": "arn:aws:iam::*:role/*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"logs:GetQueryResults"
			],
			"Resource": [
				"arn:aws:logs:*:*:log-group:*"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"logs:PutLogEvents",
				"logs:CreateLogStream",
				"logs:CreateLogGroup",
				"logs:GetLogEvents",
				"logs:DescribeLogStreams",
				"logs:StartQuery",
				"logs:StopQuery"
			],
			"Resource": "arn:aws:logs:*:*:log-group:/aws/braket*"
		},
		{
			"Effect": "Allow",
			"Action": "cloudwatch:PutMetricData",
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"cloudwatch:namespace": "/aws/braket"
				}
			}
		}
	]
}

Restrict user access to certain devices

To restrict access for certain users to certain Braket devices, you can add a deny permissions policy to a specific IAM role.

The following actions can be restricted with such permissions:

  • CreateQuantumTask - to deny quantum task creation on specified devices.

  • CreateJob - to deny hybrid job creation on specified devices.

  • GetDevice - to deny getting details of specified devices.

The following example restricts access to all QPUs for the AWS account 123456789012.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "braket:CreateQuantumTask",
                "braket:CreateJob",
                "braket:GetDevice"
            ],
            "Resource": [
                "arn:aws:braket:*:*:device/qpu/*"
            ]
        }
    ]
}

To adapt this policy, substitute the Amazon Resource Name (ARN) of the restricted device for the string shown in the previous example. This string provides the Resource value. In Braket, a device represents a QPU or simulator that you can call to run quantum tasks. The devices available are listed on the Devices page. There are two schemas used to specify access to these devices:

  • arn:aws:braket:<region>:<account id>:device/qpu/<provider>/<device_id>

  • arn:aws:braket:<region>:<account id>:device/quantum-simulator/<provider>/<device_id>

Here are examples for various types of device access:

  • To select all QPUs across all regions: arn:aws:braket:*:*:device/qpu/*

  • To select all QPUs in the us-west-2 region ONLY: arn:aws:braket:us-west-2:123456789012:device/qpu/*

  • Equivalently, to select all QPUs in the us-west-2 region ONLY (since devices are a service resource, not a customer resource): arn:aws:braket:us-west-2:*:device/qpu/*

  • To restrict access to all on-demand simulator devices: arn:aws:braket:*:123456789012:device/quantum-simulator/*

  • To restrict access to the IonQ Harmony device in the us-east-1 region (following the device/qpu/<provider>/<device_id> schema above): arn:aws:braket:us-east-1:123456789012:device/qpu/ionq/Harmony

  • To restrict access to devices from a certain provider (for example, to Rigetti QPU devices): arn:aws:braket:*:123456789012:device/qpu/rigetti/*

  • To restrict access to the TN1 device: arn:aws:braket:*:123456789012:device/quantum-simulator/amazon/tn1

Amazon Braket updates to AWS managed policies

The following table provides details about updates to AWS managed policies for Braket since this service began tracking these changes.

Change: AmazonBraketFullAccess - Full access policy for Braket
Description: Added the servicequotas:GetServiceQuota and cloudwatch:GetMetricData actions to the AmazonBraketFullAccess policy.
Date: March 24, 2023

Change: AmazonBraketFullAccess - Full access policy for Braket
Description: Braket adjusted iam:PassRole permissions for AmazonBraketFullAccess to include the service-role/ path.
Date: November 29, 2021

Change: AmazonBraketJobsExecutionPolicy - Hybrid jobs execution policy for Amazon Braket Hybrid Jobs
Description: Braket updated the hybrid jobs execution role ARN to include the service-role/ path.
Date: November 29, 2021

Change: Braket started tracking changes
Description: Braket started tracking changes for its AWS managed policies.
Date: November 29, 2021

Restrict user access to certain notebook instances

To restrict access for certain users to specific Braket notebook instances, you can add a deny permissions policy to a specific role, user, or group.

The following example uses policy variables to efficiently restrict permissions to start, stop, and access specific notebook instances in the AWS account 123456789012, where each instance is named after the user who should have access (for example, user Alice would have access to a notebook instance named amazon-braket-Alice).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "sagemaker:CreateNotebookInstance",
                "sagemaker:DeleteNotebookInstance",
                "sagemaker:UpdateNotebookInstance",
                "sagemaker:CreateNotebookInstanceLifecycleConfig",
                "sagemaker:DeleteNotebookInstanceLifecycleConfig",
                "sagemaker:UpdateNotebookInstanceLifecycleConfig"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "sagemaker:DescribeNotebookInstance",
                "sagemaker:StartNotebookInstance",
                "sagemaker:StopNotebookInstance"
            ],
            "NotResource": [
                "arn:aws:sagemaker:*:123456789012:notebook-instance/amazon-braket-${aws:username}"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "sagemaker:CreatePresignedNotebookInstanceUrl"
            ],
            "NotResource": [
                "arn:aws:sagemaker:*:123456789012:notebook-instance/amazon-braket-${aws:username}*"
            ]
        }
    ]
}

Restrict user access to certain S3 buckets

To restrict access for certain users to specific Amazon S3 buckets, you can add a deny policy to a specific role, user, or group.

The following example restricts the permissions to retrieve objects from and place objects into a specific S3 bucket (arn:aws:s3:::amazon-braket-us-east-1-123456789012-Alice) and also restricts listing of the objects in that bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "s3:ListBucket"
            ],
            "NotResource": [
                "arn:aws:s3:::amazon-braket-us-east-1-123456789012-Alice"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "s3:GetObject"
            ],
            "NotResource": [
                "arn:aws:s3:::amazon-braket-us-east-1-123456789012-Alice/*"
            ]
        }
    ]
}

To restrict access to the bucket for a certain notebook instance, you can add the preceding policy to the notebook execution role.
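To see how the Resource and NotResource deny patterns from the device, notebook and bucket sections above actually apply, here is an added example (not code from the Amazon Braket documentation or the service itself) that evaluates deny policies shaped like those on this page against sample ARNs, implementing IAM's wildcard matching and ${aws:username} substitution in Python. The policy dictionaries, account id, user names and ARNs are constructed for illustration.

```python
import re

# Constructed sample policies, shaped like the deny examples on this page.
DENY_ALL_QPUS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Action": ["braket:CreateQuantumTask", "braket:CreateJob", "braket:GetDevice"],
    "Resource": ["arn:aws:braket:*:*:device/qpu/*"]}]}

ONLY_OWN_NOTEBOOK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Action": ["sagemaker:DescribeNotebookInstance", "sagemaker:StartNotebookInstance",
               "sagemaker:StopNotebookInstance"],
    "NotResource": ["arn:aws:sagemaker:*:123456789012:notebook-instance/amazon-braket-${aws:username}"]}]}

ONLY_OWN_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["s3:ListBucket"],
     "NotResource": ["arn:aws:s3:::amazon-braket-us-east-1-123456789012-Alice"]},
    {"Effect": "Deny", "Action": ["s3:GetObject"],
     "NotResource": ["arn:aws:s3:::amazon-braket-us-east-1-123456789012-Alice/*"]}]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _iam_match(pattern, value, fold_case=False):
    """IAM wildcard match: '*' matches any run of characters (it crosses ':' and '/'),
    '?' matches exactly one. Action names match case-insensitively; ARNs do not."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if fold_case else 0) is not None

def _expand(pattern, context):
    """Substitute ${aws:username}-style policy variables from the request context;
    an unresolved variable stays literal, so it can never match a real ARN."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), m.group(0)), pattern)

def explicitly_denied(policy, action, resource_arn, context=None):
    """True if some Deny statement covers (action, resource_arn). 'Resource' denies when
    the ARN matches a pattern; 'NotResource' denies when it matches NONE, which is how the
    notebook and bucket examples fence a user into one resource. An action no Deny
    statement names (s3:PutObject in ONLY_OWN_BUCKET) is not restricted by that policy."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_iam_match(a, action, fold_case=True) for a in _as_list(stmt["Action"])):
            continue
        if "Resource" in stmt:
            if any(_iam_match(_expand(p, context), resource_arn) for p in _as_list(stmt["Resource"])):
                return True
        elif "NotResource" in stmt:
            if not any(_iam_match(_expand(p, context), resource_arn) for p in _as_list(stmt["NotResource"])):
                return True
    return False
```

Because the bucket policy names only s3:ListBucket and s3:GetObject, a principal that also holds AmazonBraketFullAccess can still write objects to other amazon-braket-* buckets; add an s3:PutObject statement with the same NotResource if writes must be fenced too.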