Autorizzazioni API Amazon SageMaker AI: riferimento ad azioni, autorizzazioni e risorse

Quando configuri il controllo dell'accesso e scrivi policy di autorizzazione che puoi collegare a un'identità IAM (una policy basata su identità), utilizza la seguente tabella come riferimento. La tabella elenca ogni operazione dell'API Amazon SageMaker AI, le azioni corrispondenti per le quali puoi concedere le autorizzazioni per eseguire l'azione e la AWS risorsa per la quale puoi concedere le autorizzazioni. Puoi specificare le azioni nel campo Action della policy e il valore della risorsa nel campo Resource.

Nota

Salvo per le API ListTags, le limitazioni a livello di risorsa non sono disponibili per le chiamate List-. Qualsiasi utente chiamando un'API List- vedrà tutte le risorse di quel tipo nell'account.

Per esprimere le condizioni nelle tue politiche di Amazon SageMaker AI, puoi utilizzare chiavi di condizione AWS-wide. Per un elenco completo delle chiavi AWS-wide, consulta Available Keys nel Service Authorization Reference.

avvertimento

Alcune azioni SageMaker API potrebbero essere ancora accessibili tramite. Search API Ad esempio, se un utente ha una policy IAM che nega le autorizzazioni a una Describe chiamata per una particolare risorsa SageMaker AI, quell'utente può comunque accedere alle informazioni descrittive tramite l'API di ricerca. Per limitare completamente l'accesso utente alle chiamate Describe, devi limitare anche l'accesso all'API di Search. Per un elenco di risorse SageMaker AI accessibili tramite l'API di ricerca, consulta l'SageMaker AI Search AWS CLI Command Reference.

Utilizzare le barre di scorrimento per visualizzare il resto della tabella.

Operazioni dell'API Amazon SageMaker AI e autorizzazioni richieste per le azioni

Operazioni delle API Amazon SageMaker AI	Autorizzazioni necessarie (azioni API)	Risorse
DeleteEarthObservationJob	sagemaker-geospatial:DeleteEarthObservationJob	arn:aws:sagemaker-geospatial:region:account-id:earth-observation-job/id
DeleteVectorEnrichmentJob	sagemaker-geospatial:DeleteVectorEnrichmentJob	arn:aws:sagemaker-geospatial:region:account-id:vector-enrichment-job/id
ExportEarthObservationJob	sagemaker-geospatial:ExportEarthObservationJob	arn:aws:sagemaker-geospatial:region:account-id:earth-observation-job/id
ExportVectorEnrichmentJob	sagemaker-geospatial:ExportVectorEnrichmentJob	arn:aws:sagemaker-geospatial:region:account-id:vector-enrichment-job/id
GetEarthObservationJob	sagemaker-geospatial:GetEarthObservationJob	arn:aws:sagemaker-geospatial:region:account-id:earth-observation-job/id
GetRasterDataCollection	sagemaker-geospatial:GetRasterDataCollection	arn:aws:sagemaker-geospatial:region:account-id:raster-data-collection/public/id
GetTile	sagemaker-geospatial:GetTile	arn:aws:sagemaker-geospatial:region:account-id:earth-observation-job/id
GetVectorEnrichmentJob	sagemaker-geospatial:GetVectorEnrichmentJob	arn:aws:sagemaker-geospatial:region:account-id:vector-enrichment-job/id
ListEarthObservationJobs	sagemaker-geospatial:ListEarthObservationJobs	*
ListRasterDataCollections	sagemaker-geospatial:ListRasterDataCollections	*
ListTagsForResource	sagemaker-geospatial:ListTagsForResource	arn:aws:sagemaker-geospatial:region:account-id:earth-observation-job/id arn:aws:sagemaker-geospatial:region:account-id:vector-enrichment-job/id
ListVectorEnrichmentJobs	sagemaker-geospatial:ListVectorEnrichmentJobs	*
SearchRasterDataCollection	sagemaker-geospatial:SearchRasterDataCollection	arn:aws:sagemaker-geospatial:region:account-id:raster-data-collection/public/id
StartEarthObservationJob	sagemaker-geospatial:StartEarthObservationJob	arn:aws:sagemaker-geospatial:region:account-id:earth-observation-job/id
StartVectorEnrichmentJob	sagemaker-geospatial:StartVectorEnrichmentJob	arn:aws:sagemaker-geospatial:region:account-id:vector-enrichment-job/id
StopEarthObservationJob	sagemaker-geospatial:StopEarthObservationJob	arn:aws:sagemaker-geospatial:region:account-id:earth-observation-job/id
StopVectorEnrichmentJob	sagemaker-geospatial:StopVectorEnrichmentJob	arn:aws:sagemaker-geospatial:region:account-id:vector-enrichment-job/id
TagResource	sagemaker-geospatial:TagResource	arn:aws:sagemaker-geospatial:region:account-id:earth-observation-job/id arn:aws:sagemaker-geospatial:region:account-id:vector-enrichment-job/id
UntagResource	sagemaker-geospatial:UntagResource	arn:aws:sagemaker-geospatial:region:account-id:earth-observation-job/id arn:aws:sagemaker-geospatial:region:account-id:vector-enrichment-job/id
AddTags	sagemaker:AddTags	arn:aws:sagemaker:region:account-id:*
CreateApp	sagemaker:CreateApp	arn:aws:sagemaker:region:account-id:app/domain-id/user-profile-name/app-type/appName
CreateAppImageConfig	sagemaker:CreateAppImageConfig	arn:aws:sagemaker:region:account-id:app-image-config/appImageConfigName
CreateAutoMLJob	sagemaker:CreateAutoMLJob iam:PassRole La seguente autorizzazione è richiesta solo se una qualsiasi classe ResourceConfig associata dispone di un parametro VolumeKmsKeyId specificato e il ruolo associato non dispone di una policy che consente questa azione: kms:CreateGrant	arn:aws:sagemaker:region:account-id:automl-job/autoMLJobName
CreateAutoMLJobV2	sagemaker:CreateAutoMLJobV2 iam:PassRole La seguente autorizzazione è richiesta solo se una qualsiasi classe ResourceConfig associata dispone di un parametro VolumeKmsKeyId specificato e il ruolo associato non dispone di una policy che consente questa azione: kms:CreateGrant	arn:aws:sagemaker:region:account-id:automl-job/autoMLJobName
CreateDomain	sagemaker:CreateDomain iam:CreateServiceLinkedRole iam:PassRole Richiesta se viene specificata una chiave gestita dal cliente KMS per: KmsKeyId elasticfilesystem:CreateFileSystem kms:CreateGrant kms:Decrypt kms:DescribeKey kms:GenerateDataKeyWithoutPlainText Necessario per creare un dominio che supporti RStudio: sagemaker:CreateApp	arn:aws:sagemaker:region:account-id:domain/domain-id
CreateEndpoint	sagemaker:CreateEndpoint kms:CreateGrant (necessario solo se EndPointConfig associato ha un KmsKeyId specificato)	arn:aws:sagemaker:region:account-id:endpoint/endpointName arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName
CreateEndpointConfig	sagemaker:CreateEndpointConfig	arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName
CreateFlowDefinition	sagemaker:CreateFlowDefinition iam:PassRole	arn:aws:sagemaker:region:account-id:flow-definition/flowDefinitionName
CreateHumanTaskUi	sagemaker:CreateHumanTaskUi	arn:aws:sagemaker:region:account-id:human-task-ui/humanTaskUiName
CreateInferenceRecommendationsJob	sagemaker:CreateInferenceRecommendationsJob iam:PassRole Le seguenti autorizzazioni sono obbligatorie solo se si specifica una chiave di crittografia: kms:CreateGrant kms:Decrypt kms:DescribeKey kms:GenerateDataKey	arn:aws:sagemaker:region:account-id:inference-recommendations-job/inferenceRecommendationsJobName
CreateHyperParameterTuningJob	sagemaker:CreateHyperParameterTuningJob iam:PassRole La seguente autorizzazione è richiesta solo se una qualsiasi classe ResourceConfig associata dispone di un parametro VolumeKmsKeyId specificato e il ruolo associato non dispone di una policy che consente questa azione: kms:CreateGrant	arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJobName
CreateImage	sagemaker:CreateImage iam:PassRole	arn:aws:sagemaker:region:account-id:image/*
CreateImageVersion	sagemaker:CreateImageVersion	arn:aws:sagemaker:region:account-id:image-version/imageName/*
CreateLabelingJob	saggista: CreateLabelingJob obiettivo: PassRole	arn:aws:sagemaker:region:account-id:labeling-job/labelingJobName
CreateModel	sagemaker:CreateModel iam:PassRole	arn:aws:sagemaker:region:account-id:model/modelName
CreateModelPackage	sagemaker:CreateModelPackage	arn:aws:sagemaker:region:account-id:model-package/modelPackageName
CreateModelPackageGroup	sagemaker:CreateModelPackageGroup	arn:aws:sagemaker:region:account-id:model-package-group/modelPackageGroupName
CreateNotebookInstance	sagemaker:CreateNotebookInstance iam:PassRole Le seguenti autorizzazioni sono obbligatorie solo se si specifica un VPC per l'istanza del notebook: ec2:CreateNetworkInterface ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeVpcs Le seguenti autorizzazioni sono obbligatorie solo se si specifica una chiave di crittografia: kms:DescribeKey kms:CreateGrant Le seguenti autorizzazioni sono obbligatorie solo se si specifica un Secrets Manager di AWS per accedere a un repository Git privato: secretsmanager:GetSecretValue	arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName
CreatePipeline	sagemaker:CreatePipeline iam:PassRole	arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name arn:aws-partition:iam::account-id:role/role-name
CreatePresignedDomainUrl	sagemaker:CreatePresignedDomainUrl	arn:aws:sagemaker:region:account-id:app/domain-id/userProfileName/*
CreatePresignedNotebookInstanceUrl	sagemaker:CreatePresignedNotebookInstanceUrl	arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName
CreateProcessingJob	sagemaker:CreateProcessingJob iam:PassRole kms:CreateGrant (obbligatorio solo se il ProcessingResources associato dispone di un VolumeKmsKeyId specificato e il ruolo associato non dispone di una policy che consente questa azione) ec2:CreateNetworkInterface(richiesto solo se si specifica un VPC)	arn:aws:sagemaker:region:account-id:processing-job/processingJobName
CreateSpace	sagemaker:CreateSpace	arn:aws:sagemaker:region:account-id:space/domain-id/spaceName
CreateStudioLifecycleConfig	sagemaker:CreateStudioLifecycleConfig	arn:aws:sagemaker:region:account-id:studio-lifecycle-config/.*
CreateTrainingJob	sagemaker:CreateTrainingJob iam:PassRole kms:CreateGrant (obbligatorio solo se il ResourceConfig associato dispone di un VolumeKmsKeyId specificato e il ruolo associato non dispone di una policy che consente questa azione)	arn:aws:sagemaker:region:account-id:training-job/trainingJobName
CreateTrainingPlan	sagemaker:CreateTrainingPlan sagemaker:CreateReservedCapacity sagemaker:AddTags	arn:aws:sagemaker:region:account-id:training-plan/*" arn:aws:sagemaker:region:account-id:reserved-capacity/*
CreateTransformJob	sagemaker:CreateTransformJob kms:CreateGrant (obbligatorio solo se il TransformResources associato dispone di un VolumeKmsKeyId specificato e il ruolo associato non dispone di una policy che consente questa azione)	arn:aws:sagemaker:region:account-id:transform-job/transformJobName
CreateUserProfile	sagemaker:CreateUserProfile iam:PassRole	arn:aws:sagemaker:region:account-id:user-profile/domain-id/userProfileName
CreateWorkforce	sagemaker:CreateWorkforce cognito-idp:DescribeUserPoolClient cognito-idp:UpdateUserPool cognito-idp:DescribeUserPool cognito-idp:UpdateUserPoolClient	arn:aws:sagemaker:region:account-id:workforce/*
CreateWorkteam	sagemaker:CreateWorkteam cognito-idp:DescribeUserPoolClient cognito-idp:UpdateUserPool cognito-idp:DescribeUserPool cognito-idp:UpdateUserPoolClient	arn:aws:sagemaker:region:account-id:workteam/private-crowd/work team name
DeleteApp	sagemaker:DeleteApp	arn:aws:sagemaker:region:account-id:app/domain-id/user-profile-name/app-type/appName
DeleteAppImageConfig	sagemaker:DeleteAppImageConfig	arn:aws:sagemaker:region:account-id:app-image-config/appImageConfigName
DeleteDomain	sagemaker:DeleteDomain	arn:aws:sagemaker:region:account-id:domain/domainId
DeleteEndpoint	sagemaker:DeleteEndpoint	arn:aws:sagemaker:region:account-id:endpoint/endpointName
DeleteEndpointConfig	sagemaker:DeleteEndpointConfig	arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName
DeleteFlowDefinition	sagemaker:DeleteFlowDefinition	arn:aws:sagemaker:region:account-id:flow-definition/flowDefinitionName
DeleteHumanLoop	sagemaker:DeleteHumanLoop	arn:aws:sagemaker:region:account-id:human-loop/humanLoopName
DeleteImage	sagemaker:DeleteImage	arn:aws:sagemaker:region:account-id:image/imageName
DeleteImageVersion	sagemaker:DeleteImageVersion	arn:aws:sagemaker:region:account-id:image-version/imageName/versionNumber
DeleteModel	sagemaker:DeleteModel	arn:aws:sagemaker:region:account-id:model/modelName
DeleteModelPackage	sagemaker:DeleteModelPackage	arn:aws:sagemaker:region:account-id:model-package/modelPackageName
DeleteModelPackageGroup	sagemaker:DeleteModelPackageGroup	arn:aws:sagemaker:region:account-id:model-package-group/modelPackageGroupName
DeleteModelPackageGroupPolicy	sagemaker:DeleteModelPackageGroupPolicy	arn:aws:sagemaker:region:account-id:model-package-group/modelPackageGroupName
DeleteNotebookInstance	sagemaker:DeleteNotebookInstance La seguente autorizzazione è obbligatoria solo se è stato specificato un VPC per l'istanza del notebook: ec2:DeleteNetworkInterface Le seguenti autorizzazioni sono obbligatorie solo se è stata specificata una chiave di crittografia al momento della creazione dell'istanza del notebook: kms:DescribeKey	arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName
DeletePipeline	sagemaker:DeletePipeline	arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name
DeleteSpace	sagemaker:DeleteSpace	arn:aws:sagemaker:region:account-id:space/domain-id/spaceName
DeleteTags	sagemaker:DeleteTags	arn:aws:sagemaker:region:account-id:*
DeleteUserProfile	sagemaker:DeleteUserProfile	arn:aws:sagemaker:region:account-id:user-profile/domain-id/userProfileName
DeleteWorkforce	sagemaker:DeleteWorkforce	arn:aws:sagemaker:region:account-id:workforce/*
DeleteWorkteam	sagemaker:DeleteWorkteam	arn:aws:sagemaker:region:account-id:workteam/private-crowd/*
DescribeApp	sagemaker:DescribeApp	arn:aws:sagemaker:region:account-id:app/domain-id/user-profile-name/app-type/appName
DescribeAppImageConfig	sagemaker:DescribeAppImageConfig	arn:aws:sagemaker:region:account-id:app-image-config/appImageConfigName
DescribeAutoMLJob	sagemaker:DescribeAutoMLJob	arn:aws:sagemaker:region:account-id:automl-job/autoMLJobName
DescribeAutoMLJobV2	sagemaker:DescribeAutoMLJobV2	arn:aws:sagemaker:region:account-id:automl-job/autoMLJobName
DescribeDomain	sagemaker:DescribeDomain	arn:aws:sagemaker:region:account-id:domain/domainId
DescribeEndpoint	sagemaker:DescribeEndpoint	arn:aws:sagemaker:region:account-id:endpoint/endpointName
DescribeEndpointConfig	sagemaker:DescribeEndpointConfig	arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName
DescribeFlowDefinition	sagemaker:DescribeFlowDefinition	arn:aws:sagemaker:region:account-id:flow-definition/flowDefinitionName
DescribeHumanLoop	sagemaker:DescribeHumanLoop	arn:aws:sagemaker:region:account-id:human-loop/humanLoopName
DescribeHumanTaskUi	sagemaker:DescribeHumanTaskUi	arn:aws:sagemaker:region:account-id:human-task-ui/humanTaskUiName
DescribeHyperParameterTuningJob	sagemaker:DescribeHyperParameterTuningJob	arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob
DescribeImage	sagemaker:DescribeImage	arn:aws:sagemaker:region:account-id:image/imageName
DescribeImageVersion	sagemaker:DescribeImageVersion	arn:aws:sagemaker:region:account-id:image-version/imageName/versionNumber
DescribeLabelingJob	sagemaker:DescribeLabelingJob	arn:aws:sagemaker:region:account-id:labeling-job/labelingJobName
DescribeModel	sagemaker:DescribeModel	arn:aws:sagemaker:region:account-id:model/modelName
DescribeModelPackage	sagemaker:DescribeModelPackage	arn:aws:sagemaker:region:account-id:model-package/modelPackageName
DescribeModelPackageGroup	sagemaker:DescribeModelPackageGroup	arn:aws:sagemaker:region:account-id:model-package-group/modelPackageGroupName
DescribeNotebookInstance	sagemaker:DescribeNotebookInstance	arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName
DescribePipeline	sagemaker:DescribePipeline	arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name
DescribePipelineDefinitionForExecution	sagemaker:DescribePipelineDefinitionForExecution	arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id
DescribePipelineExecution	sagemaker:DescribePipelineExecution	arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id
DescribeProcessingJob	sagemaker:DescribeProcessingJob	arn:aws:sagemaker:region:account-id:processing-job/processingjobname
DescribeSpace	sagemaker:DescribeSpace	arn:aws:sagemaker:region:account-id:space/domain-id/spaceName
DescribeSubscribedWorkteam	sagemaker:DescribeSubscribedWorkteam aws-marketplace:ViewSubscriptions	arn:aws:sagemaker:region:account-id:workteam/vendor-crowd/*
DescribeTrainingJob	sagemaker:DescribeTrainingJob	arn:aws:sagemaker:region:account-id:training-job/trainingjobname
DescribeTransformJob	sagemaker:DescribeTransformJob	arn:aws:sagemaker:region:account-id:transform-job/transformjobname
DescribeUserProfile	sagemaker:DescribeUserProfile	arn:aws:sagemaker:region:account-id:user-profile/domain-id/userProfileName
DescribeWorkforce	sagemaker:DescribeWorkforce	arn:aws:sagemaker:region:account-id:workforce/*
DescribeWorkteam	sagemaker:DescribeWorkteam	arn:aws:sagemaker:region:account-id:workteam/private-crowd/*
GetModelPackageGroupPolicy	sagemaker:GetModelPackageGroupPolicy	arn:aws:sagemaker:region:account-id:model-package-group/modelPackageGroupName
InvokeEndpoint	sagemaker:InvokeEndpoint	arn:aws:sagemaker:region:account-id:endpoint/endpointName
ListAppImageConfigs	sagemaker:ListAppImageConfigs	arn:aws:sagemaker:region:account-id:app-image-config/*
ListApps	sagemaker:ListApps	arn:aws:sagemaker:region:account-id:app/domain-id/user-profile-name/*
ListDomains	sagemaker:ListDomains	arn:aws:sagemaker:region:account-id:domain/*
ListEndpointConfigs	sagemaker:ListEndpointConfigs	*
ListEndpoints	sagemaker:ListEndpoints	*
ListFlowDefinitions	sagemaker:ListFlowDefinitions	*
ListHumanLoops	sagemaker:ListHumanLoops	*
ListHumanTaskUis	sagemaker:ListHumanTaskUis	*
ListHyperParameterTuningJobs	sagemaker:ListHyperParameterTuningJobs	arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob
ListImages	sagemaker:ListImages	*
ListImageVersions	sagemaker:ListImageVersions	arn:aws:sagemaker:region:account-id:image/*
ListLabelingJobs	sagemaker:ListLabelingJobs	*
ListLabelingJobsForWorkteam	sagemaker:ListLabelingJobForWorkteam	*
ListModelPackageGroups	sagemaker:ListModelPackageGroups	arn:aws:sagemaker:region:account-id :model-package-group/ModelPackageGroupName
ListModelPackages	sagemaker:ListModelPackages	arn:aws:sagemaker:region:account-id :model-package/ModelPackageName
ListModels	sagemaker:ListModels	*
ListNotebookInstances	sagemaker:ListNotebookInstances	*
ListPipelineExecutions	sagemaker:ListPipelineExecutions	arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name
ListPipelineExecutionSteps	sagemaker:ListPipelineExecutionSteps	arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id
ListPipelineParametersForExecution	sagemaker:ListPipelineParametersForExecution	arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id
ListPipelines	sagemaker:ListPipelines	*
ListProcessingJobs	sagemaker:ListProcessingJobs	*
ListSpaces	sagemaker:ListSpaces	arn:aws:sagemaker:region:account-id:space/domain-id/*
ListSubscribedWorkteams	sagemaker:ListSubscribedWorkteams aws-marketplace:ViewSubscriptions	*
ListTags	sagemaker:ListTags	arn:aws:sagemaker:region:account-id:*
ListTrainingJobs	sagemaker:ListTrainingJobs	*
ListTrainingJobsForHyperParameterTuningJob	sagemaker:ListTrainingJobsForHyperParameterTuningJob	arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob
ListTransformJobs	sagemaker:ListTransformJobs	*
ListUserProfiles	sagemaker:ListUserProfiles	arn:aws:sagemaker:region:account-id:user-profile/domain-id/*
ListWorkforces	sagemaker:ListWorkforces	*
ListWorkteams	sagemaker:ListWorkteams	*
PutModelPackageGroupPolicy	sagemaker:PutModelPackageGroupPolicy	arn:aws:sagemaker:region:account-id:model-package-group/modelPackageGroupName
RetryPipelineExecution	sagemaker:RetryPipelineExecution	arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id
Search	sagemaker:Search	*
SendPipelineExecutionStepFailure	sagemaker:SendPipelineExecutionStepFailure	*
SendPipelineExecutionStepSuccess	sagemaker:SendPipelineExecutionStepSuccess	*
StartHumanLoop	sagemaker:StartHumanLoop	arn:aws:sagemaker:region:account-id:human-loop/humanLoopName
StartNotebookInstance	sagemaker:StartNotebookInstance Le seguenti autorizzazioni sono obbligatorie solo se è stato specificato un VPC al momento della creazione dell'istanza del notebook: ec2:CreateNetworkInterface ec2:DescribeNetworkInterfaces ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeVpcs Le seguenti autorizzazioni sono obbligatorie solo se è stata specificata una chiave di crittografia al momento della creazione dell'istanza del notebook: kms:DescribeKey kms:CreateGrant La seguente autorizzazione è obbligatoria solo se si specifica un Secrets Manager di AWS per accedere a un repository Git privato al momento della creazione dell'istanza del notebook: secretsmanager:GetSecretValue	arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName
StartPipelineExecution	sagemaker:StartPipelineExecution	arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name
StopHumanLoop	sagemaker:StopHumanLoop	arn:aws:sagemaker:region:account-id:human-loop/humanLoopName
StopHyperParameterTuningJob	sagemaker:StopHyperParameterTuningJob	arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob
StopLabelingJob	sagemaker:StopLabelingJob	arn:aws:sagemaker:region:account-id:labeling-job/labelingJobName
StopNotebookInstance	sagemaker:StopNotebookInstance	arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName
StopPipelineExecution	sagemaker:StopPipelineExecution	arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id
StopProcessingJob	sagemaker:StopProcessingJob	arn:aws:sagemaker:region:account-id:processing-job/processingJobName
StopTrainingJob	sagemaker:StopTrainingJob	arn:aws:sagemaker:region:account-id:training-job/trainingJobName
StopTransformJob	sagemaker:StopTransformJob	arn:aws:sagemaker:region:account-id:transform-job/transformJobName
UpdateAppImageConfig	sagemaker:UpdateAppImageConfig	arn:aws:sagemaker:region:account-id:app-image-config/appImageConfigName
UpdateDomain	sagemaker:UpdateDomain	arn:aws:sagemaker:region:account-id:domain/domainId
UpdateEndpoint	sagemaker:UpdateEndpoint	arn:aws:sagemaker:region:account-id:endpoint/endpointName
UpdateEndpointWeightsAndCapacities	sagemaker:UpdateEndpointWeightsAndCapacities	arn:aws:sagemaker:region:account-id:endpoint/endpointName
UpdateImage	sagemaker:UpdateImage iam:PassRole	arn:aws:sagemaker:region:account-id:image/imageName
UpdateModelPackage	sagemaker:UpdateModelPackage	arn:aws:sagemaker:region:account-id:model-package/modelPackageName
UpdateNotebookInstance	sagemaker:UpdateNotebookInstance iam:PassRole	arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName
UpdatePipeline	sagemaker:UpdatePipeline iam:PassRole	arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name arn:aws-partition:iam::account-id:role/role-name
UpdatePipelineExecution	sagemaker:UpdatePipelineExecution	arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id
UpdateSpace	sagemaker:UpdateSpace	arn:aws:sagemaker:region:account-id:space/domain-id/spaceName
UpdateUserProfile	sagemaker:UpdateUserProfile	arn:aws:sagemaker:region:account-id:user-profile/domain-id/userProfileName
UpdateWorkforce	sagemaker:UpdateWorkforce	arn:aws:sagemaker:region:account-id:workforce/*
UpdateWorkteam	sagemaker:UpdateWorkteam	arn:aws:sagemaker:region:account-id:workteam/private-crowd/*