Step 6: Create an IAM Policy for Amazon SageMaker Notebooks

If you plan to use Amazon SageMaker notebooks with development endpoints, you must specify permissions when you create the notebook. You provide those permissions by using AWS Identity and Access Management (IAM).

To create an IAM policy for Amazon SageMaker notebooks

  1. Sign in to the AWS Management Console and open the IAM console.

  2. In the left navigation pane, choose Policies.

  3. Choose Create Policy.

  4. On the Create Policy page, choose the JSON tab. Create a policy document with the following JSON statements. Replace bucket-name, region-code, account-id, and development-endpoint-name with the values for your environment. The development endpoint named by development-endpoint-name must already exist before you attach this policy to the IAM role that you use to create an Amazon SageMaker notebook.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:ListBucket"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::bucket-name"
                ]
            },
            {
                "Action": [
                    "s3:GetObject"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::bucket-name*"
                ]
            },
            {
                "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents",
                    "logs:CreateLogGroup"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:logs:region-code:account-id:log-group:/aws/sagemaker/*",
                    "arn:aws:logs:region-code:account-id:log-group:/aws/sagemaker/*:log-stream:aws-glue-*"
                ]
            },
            {
                "Action": [
                    "glue:UpdateDevEndpoint",
                    "glue:GetDevEndpoint",
                    "glue:GetDevEndpoints"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:glue:region-code:account-id:devEndpoint/development-endpoint-name*"
                ]
            }
        ]
    }

    Then choose Review policy.

    The following table describes the permissions granted by this policy.

    Action: "s3:ListBucket"
    Resource: "arn:aws:s3:::bucket-name"
    Description: Grants permission to list the objects in the named Amazon S3 bucket. (Listing the buckets in the account is a different action, s3:ListAllMyBuckets, which this policy does not grant.)

    Action: "s3:GetObject"
    Resource: "arn:aws:s3:::bucket-name*"
    Description: Grants permission to get Amazon S3 objects that are used by Amazon SageMaker notebooks. The trailing wildcard is a prefix match on the ARN, so it also covers objects in any other bucket whose name begins with bucket-name. To restrict the statement to objects in the one named bucket, use "arn:aws:s3:::bucket-name/*" instead.

    Action: "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:CreateLogGroup"
    Resource: "arn:aws:logs:region-code:account-id:log-group:/aws/sagemaker/*", "arn:aws:logs:region-code:account-id:log-group:/aws/sagemaker/*:log-stream:aws-glue-*"
    Description: Grants permission to write logs to Amazon CloudWatch Logs from notebooks.
    Naming convention: Writes to log groups under /aws/sagemaker/, and to log streams in those groups whose names begin with aws-glue-.

    Action: "glue:UpdateDevEndpoint", "glue:GetDevEndpoint", "glue:GetDevEndpoints"
    Resource: "arn:aws:glue:region-code:account-id:devEndpoint/development-endpoint-name*"
    Description: Grants permission to use a development endpoint from Amazon SageMaker notebooks. As with the S3 object resource, the trailing wildcard also matches any other development endpoint whose name begins with development-endpoint-name; drop the wildcard to limit the statement to the one endpoint.

  5. On the Review Policy screen, enter your Policy Name, for example AWSGlueSageMakerNotebook. Enter an optional description, and when you're satisfied with the policy, choose Create policy.
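As an added example, not code from the AWS documentation, the following Python script builds the same policy document from the four values you substitute in step 4, writes it to a file for the `aws iam create-policy` command, and reports every Resource whose trailing wildcard is a bare name prefix (such as bucket-name*) rather than the end of a path segment, so you can decide whether each prefix match is intended. The bucket, region, account ID and endpoint name in main() are constructed placeholders, and the scope_objects_to_bucket switch is this example's own option for tightening the S3 object resource to bucket-name/*.

```python
import json
import re

# Account IDs are exactly 12 digits; an ARN built from anything else never matches.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_notebook_policy(bucket_name, region_code, account_id, endpoint_name,
                          scope_objects_to_bucket=False):
    """Return the notebook policy from the page as a dict with placeholders filled in.

    scope_objects_to_bucket=False reproduces the page's object resource, "bucket-name*",
    which is a prefix match. True uses "bucket-name/*", which limits s3:GetObject to
    objects inside the one named bucket.
    """
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account_id must be the 12-digit AWS account ID")
    object_suffix = "/*" if scope_objects_to_bucket else "*"
    log_group = f"arn:aws:logs:{region_code}:{account_id}:log-group:/aws/sagemaker/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Action": ["s3:ListBucket"], "Effect": "Allow",
             "Resource": [f"arn:aws:s3:::{bucket_name}"]},
            {"Action": ["s3:GetObject"], "Effect": "Allow",
             "Resource": [f"arn:aws:s3:::{bucket_name}{object_suffix}"]},
            {"Action": ["logs:CreateLogStream", "logs:DescribeLogStreams",
                        "logs:PutLogEvents", "logs:CreateLogGroup"],
             "Effect": "Allow",
             # Log groups under /aws/sagemaker/ and log streams named aws-glue-*.
             "Resource": [log_group, f"{log_group}:log-stream:aws-glue-*"]},
            {"Action": ["glue:UpdateDevEndpoint", "glue:GetDevEndpoint",
                        "glue:GetDevEndpoints"],
             "Effect": "Allow",
             "Resource": [f"arn:aws:glue:{region_code}:{account_id}:"
                          f"devEndpoint/{endpoint_name}*"]},
        ],
    }


def prefix_wildcard_resources(policy):
    """Return the Resource ARNs whose trailing '*' extends a name rather than a path.

    'bucket-name*' matches every bucket whose name starts with bucket-name; 'bucket-name/*'
    matches only objects within it. A bare '*' is reported as well.
    """
    flagged = []
    for statement in policy["Statement"]:
        resources = statement["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            if arn.endswith("*") and (len(arn) < 2 or arn[-2] not in "/:"):
                flagged.append(arn)
    return flagged


def main():
    # Constructed placeholder values; substitute your own.
    policy = build_notebook_policy("my-glue-notebook-bucket", "us-east-1",
                                   "123456789012", "my-dev-endpoint")
    with open("notebook-policy.json", "w") as fh:
        json.dump(policy, fh, indent=2)
    for arn in prefix_wildcard_resources(policy):
        print("prefix wildcard, review scope:", arn)
    # Then create the policy with the AWS CLI instead of the console:
    #   aws iam create-policy --policy-name AWSGlueSageMakerNotebook \
    #       --policy-document file://notebook-policy.json


if __name__ == "__main__":
    main()
```

Run as written, the script flags three resources from the page's policy: the S3 object ARN, the aws-glue-* log stream ARN and the development endpoint ARN. The log stream prefix is the naming convention the policy relies on; the other two are worth tightening unless you deliberately want every bucket or endpoint that shares the prefix.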