Amazon SageMaker API Permissions: Actions, Permissions, and Resources Reference - Amazon SageMaker

Amazon SageMaker API Permissions: Actions, Permissions, and Resources Reference

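When you set up access control and write permissions policies that you can attach to an IAM identity (identity-based policies), use the following table as a reference. The table lists each Amazon SageMaker API operation, the corresponding actions for which you can grant permissions to perform the operation, and the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.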

Note

Except for the ListTags API, resource-level restrictions are not available on List- calls. Any user who calls a List- API sees all resources of that type in the account.

To express conditions in your Amazon SageMaker policies, you can use AWS-wide condition keys. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

Amazon SageMaker API Operations and Required Permissions for Actions
Amazon SageMaker API Operations | Required Permissions (API Actions) | Resources

AddTags

sagemaker:AddTags

arn:aws:sagemaker:region:account-id:*

CreateEndpoint

sagemaker:CreateEndpoint

kms:CreateGrant (required only if the associated EndPointConfigKmsKeyId is specified)

arn:aws:sagemaker:region:account-id:endpoint/endpointName

arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName

CreateEndpointConfig

sagemaker:CreateEndpointConfig

arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName

CreateFlowDefinition

sagemaker:CreateFlowDefinition

iam:PassRole

arn:aws:sagemaker:region:account-id:flow-definition/flowDefinitionName

CreateHumanTaskUi

sagemaker:CreateHumanTaskUi

arn:aws:sagemaker:region:account-id:human-task-ui/humanTaskUiName

CreateHyperParameterTuningJob

sagemaker:CreateHyperParameterTuningJob

iam:PassRole

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJobName

CreatePresignedNotebookInstanceUrl

sagemaker:CreatePresignedNotebookInstanceUrl

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

CreateLabelingJob

sagemaker:CreateLabelingJob

iam:PassRole

arn:aws:sagemaker:region:account-id:labeling-job/labelingJobName

CreateModel

sagemaker:CreateModel

iam:PassRole

arn:aws:sagemaker:region:account-id:model/modelName

CreateNotebookInstance

sagemaker:CreateNotebookInstance

iam:PassRole

The following permissions are required only if you specify a VPC for your notebook instance:

ec2:CreateNetworkInterface

ec2:DescribeSecurityGroups

ec2:DescribeSubnets

ec2:DescribeVpcs

The following permission is required only if you specify a VPC and an Elastic Inference accelerator for your notebook instance:

ec2:DescribeVpcEndpoints

The following permissions are required only if you specify an encryption key:

kms:DescribeKey

kms:CreateGrant

The following permission is required only if you specify an AWS Secrets Manager secret to access a private Git repository:

secretsmanager:GetSecretValue

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

CreateProcessingJob

sagemaker:CreateProcessingJob

iam:PassRole

kms:CreateGrant (required only if the associated ProcessingResourcesVolumeKmsKeyId is specified and the associated role does not have a policy that permits this action)

arn:aws:sagemaker:region:account-id:processing-job/processingJobName

CreateTrainingJob

sagemaker:CreateTrainingJob

iam:PassRole

kms:CreateGrant (required only if the associated ResourceConfigVolumeKmsKeyId is specified and the associated role does not have a policy that permits this action)

arn:aws:sagemaker:region:account-id:training-job/trainingJobName

CreateTransformJob

sagemaker:CreateTransformJob

kms:CreateGrant (required only if the associated TransformResourcesVolumeKmsKeyId is specified and the associated role does not have a policy that permits this action)

arn:aws:sagemaker:region:account-id:transform-job/transformJobName

CreateWorkteam

sagemaker:CreateWorkteam

cognito-idp:DescribeUserPoolClient

cognito-idp:UpdateUserPool

cognito-idp:DescribeUserPool

cognito-idp:UpdateUserPoolClient

arn:aws:sagemaker:region:account-id:workteam/private-crowd/work team name

arn:aws:sagemaker:region:account-id:workteam/vendor-crowd/work team name

arn:aws:sagemaker:region:account-id:workteam/public-crowd/work team name

DeleteEndpoint

sagemaker:DeleteEndpoint

arn:aws:sagemaker:region:account-id:endpoint/endpointName

DeleteEndpointConfig

sagemaker:DeleteEndpointConfig

arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName

DeleteFlowDefinition

sagemaker:DeleteFlowDefinition

arn:aws:sagemaker:region:account-id:flow-definition/flowDefinitionName

DeleteHumanLoop

sagemaker:DeleteHumanLoop

arn:aws:sagemaker:region:account-id:human-loop/humanLoopName

DeleteModel

sagemaker:DeleteModel

arn:aws:sagemaker:region:account-id:model/modelName

DeleteNotebookInstance

sagemaker:DeleteNotebookInstance

The following permission is required only if you specified a VPC for your notebook instance:

ec2:DeleteNetworkInterface

The following permission is required only if you specified an encryption key when you created the notebook instance:

kms:DescribeKey

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

DeleteTags

sagemaker:DeleteTags

arn:aws:sagemaker:region:account-id:*

DeleteWorkteam

sagemaker:DeleteWorkteam

arn:aws:sagemaker:region:account-id:workteam/*

DescribeEndpoint

sagemaker:DescribeEndpoint

arn:aws:sagemaker:region:account-id:endpoint/endpointName

DescribeEndpointConfig

sagemaker:DescribeEndpointConfig

arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName

DescribeFlowDefinition

sagemaker:DescribeFlowDefinition

arn:aws:sagemaker:region:account-id:flow-definition/flowDefinitionName

DescribeHumanLoop

sagemaker:DescribeHumanLoop

arn:aws:sagemaker:region:account-id:human-loop/humanLoopName

DescribeHumanTaskUi

sagemaker:DescribeHumanTaskUi

arn:aws:sagemaker:region:account-id:human-task-ui/humanTaskUiName

DescribeHyperParameterTuningJob

sagemaker:DescribeHyperParameterTuningJob

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob

DescribeLabelingJob

sagemaker:DescribeLabelingJob

arn:aws:sagemaker:region:account-id:labeling-job/labelingJobName

DescribeModel

sagemaker:DescribeModel

arn:aws:sagemaker:region:account-id:model/modelName

DescribeNotebookInstance

sagemaker:DescribeNotebookInstance

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

DescribeProcessingJob

sagemaker:DescribeProcessingJob

arn:aws:sagemaker:region:account-id:processing-job/processingjobname

DescribeSubscribedWorkteam

sagemaker:DescribeSubscribedWorkteam

aws-marketplace:ViewSubscriptions

arn:aws:sagemaker:region:account-id:workteam/*

DescribeTrainingJob

sagemaker:DescribeTrainingJob

arn:aws:sagemaker:region:account-id:training-job/trainingjobname

DescribeTransformJob

sagemaker:DescribeTransformJob

arn:aws:sagemaker:region:account-id:transform-job/transformjobname

DescribeWorkteam

sagemaker:DescribeWorkteam

arn:aws:sagemaker:region:account-id:workteam/*

InvokeEndpoint

sagemaker:InvokeEndpoint

arn:aws:sagemaker:region:account-id:endpoint/endpointName

ListEndpointConfigs

sagemaker:ListEndpointConfigs

*

ListEndpoints

sagemaker:ListEndpoints

*

ListFlowDefinitions

sagemaker:ListFlowDefinitions

*

ListHumanLoops

sagemaker:ListHumanLoops

*

ListHumanTaskUis

sagemaker:ListHumanTaskUis

*

ListHyperParameterTuningJobs

sagemaker:ListHyperParameterTuningJobs

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob

ListLabelingJobs

sagemaker:ListLabelingJobs

*

ListLabelingJobsForWorkteam

sagemaker:ListLabelingJobForWorkteam

*

ListModels

sagemaker:ListModels

*

ListNotebookInstances

sagemaker:ListNotebookInstances

*

ListProcessingJobs

sagemaker:ListProcessingJobs

*

ListSubscribedWorkteams

sagemaker:ListSubscribedWorkteams

aws-marketplace:ViewSubscriptions

arn:aws:sagemaker:region:account-id:workteam/*

ListTags

sagemaker:ListTags

arn:aws:sagemaker:region:account-id:*

ListTrainingJobs

sagemaker:ListTrainingJobs

*

ListTrainingJobsForHyperParameterTuningJob

sagemaker:ListTrainingJobsForHyperParameterTuningJob

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob

ListTransformJobs

sagemaker:ListTransformJobs

*

ListWorkteams

sagemaker:ListWorkteams

arn:aws:sagemaker:region:account-id:workteam/*

StartHumanLoop

sagemaker:StartHumanLoop

arn:aws:sagemaker:region:account-id:human-loop/humanLoopName

StartNotebookInstance

sagemaker:StartNotebookInstance

iam:PassRole

The following permissions are required only if you specified a VPC when you created the notebook instance:

ec2:CreateNetworkInterface

ec2:DescribeNetworkInterfaces

ec2:DescribeSecurityGroups

ec2:DescribeSubnets

ec2:DescribeVpcs

The following permission is required only if you specified a VPC and an Elastic Inference accelerator for your notebook instance:

ec2:DescribeVpcEndpoints

The following permissions are required only if you specified an encryption key when you created the notebook instance:

kms:DescribeKey

kms:CreateGrant

The following permission is required only if you specified an AWS Secrets Manager secret to access a private Git repository when you created the notebook instance:

secretsmanager:GetSecretValue

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

StopHumanLoop

sagemaker:StopHumanLoop

arn:aws:sagemaker:region:account-id:human-loop/humanLoopName

StopHyperParameterTuningJob

sagemaker:StopHyperParameterTuningJob

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob

StopLabelingJob

sagemaker:StopLabelingJob

arn:aws:sagemaker:region:account-id:labeling-job/labelingJobName

StopNotebookInstance

sagemaker:StopNotebookInstance

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

StopProcessingJob

sagemaker:StopProcessingJob

arn:aws:sagemaker:region:account-id:processing-job/processingJobName

StopTrainingJob

sagemaker:StopTrainingJob

arn:aws:sagemaker:region:account-id:training-job/trainingJobName

StopTransformJob

sagemaker:StopTransformJob

arn:aws:sagemaker:region:account-id:transform-job/transformJobName

UpdateEndpoint

sagemaker:UpdateEndpoint

arn:aws:sagemaker:region:account-id:endpoint/endpointName

UpdateEndpointWeightsAndCapacities

sagemaker:UpdateEndpointWeightsAndCapacities

arn:aws:sagemaker:region:account-id:endpoint/endpointName

UpdateNotebookInstance

sagemaker:UpdateNotebookInstance

iam:PassRole

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

UpdateWorkteam

sagemaker:UpdateWorkteam

arn:aws:sagemaker:region:account-id:workteam/*