Step 2: Set up permissions

To use Amazon Lookout for Vision, you needs access permissions to the Lookout for Vision console, AWS SDK operations, and the Amazon S3 bucket that you use for model training.

Note

If you only use AWS SDK operations, you can use policies that are scoped to AWS SDK operations. For more information, see Set up SDK permissions.

Setting console access with AWS managed policies

Use the following AWS managed policies to apply appropriate access permissions for the Amazon Lookout for Vision console and SDK operations.

• AmazonLookoutVisionConsoleFullAccess — allows full access to the Amazon Lookout for Vision console and SDK operations. You need AmazonLookoutVisionConsoleFullAccess permissions to create the console bucket. For more information, see Step 3: Create the console bucket.

• AmazonLookoutVisionConsoleReadOnlyAccess— allows read-only access to the Amazon Lookout for Vision console and SDK operations.

To assign permissions, see Assigning permissions.

For information about AWS managed policies, see AWS managed policies.

Setting Amazon S3 bucket permissions

Amazon Lookout for Vision uses an Amazon S3 bucket to store the following files:

• Dataset images — Images that are used to train a model. For more information, see Creating your dataset.

• Amazon SageMaker Ground Truth format manifest files. For example, the manifest file output from SageMaker GroundTruth job. For more information, see Creating a dataset using an Amazon SageMaker Ground Truth manifest file.

• The output from model training.

If you use the console, Lookout for Vision creates an Amazon S3 bucket (console bucket) to manage your projects. The LookoutVisionConsoleReadOnlyAccess and LookoutVisionConsoleFullAccess managed policies include Amazon S3 access permissions for the console bucket.

You can use the console bucket to store dataset images and SageMaker Ground Truth format manifest files. Alternatively, You can use a different Amazon S3 bucket. The bucket must be owned by your AWS account and must be located in the AWS Region in which you are using Lookout for Vision.

To use a different bucket, add the following policy to the desired user or group. Replace my-bucket with the name of the desired bucket. For information about adding IAM policies, see Creating IAM Policies.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LookoutVisionS3BucketAccessPermissions",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],            
            "Resource": [
                "arn:aws:s3:::my-bucket"
            ]
        },
        {
            "Sid": "LookoutVisionS3ObjectAccessPermissions",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}

To assign permissions, see Assigning permissions.

Assigning permissions

To provide access, add permissions to your users, groups, or roles:

• Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in Create a permission set in the AWS IAM Identity Center User Guide.

• Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in Creating a role for a third-party identity provider (federation) in the IAM User Guide.

• IAM users:

  • Create a role that your user can assume. Follow the instructions in Creating a role for an IAM user in the IAM User Guide.

  • (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.