Amazon Personalize
Developer Guide

Setting up Permissions

To use Amazon Personalize, you have to set up permissions that allow access to the Amazon Personalize console and API operations. You also have to allow Amazon Personalize to perform tasks on your behalf and to access resources that you own.

We recommend creating a user with access restricted to Amazon Personalize operations. You can add other permissions as needed. For more information, see Using Identity-Based Policies (IAM Policies) for Amazon Personalize.

Required Permissions

The following policies provide the required permissions to use Amazon Personalize.

AmazonPersonalizeFullAccess Policy

Allows you to perform the following actions:

  • Access all Amazon Personalize resources

  • Publish and list metrics on Amazon CloudWatch

  • List, read, write, and delete all objects in an Amazon S3 bucket that contains Personalize or personalize in the bucket name

  • Pass a role to Amazon Personalize

For a step-by-step procedure for creating an IAM role that passes these permissions to Amazon Personalize, see Creating an IAM Role.

Amazon S3 Bucket Policy

Allows Amazon Personalize access to the S3 bucket that contains your training data. For more information, see Uploading to an Amazon S3 Bucket.

CloudWatchFullAccess Policy (Optional)

The AmazonPersonalizeFullAccess policy provides permissions to publish and list Amazon Personalize metrics in CloudWatch. The CloudWatchFullAccess policy adds further permissions, such as viewing metrics, displaying metric statistics, and setting metric-based alarms. For more information, see Monitoring Amazon Personalize.

Creating an IAM Role

In the following procedure, you create an IAM role that allows Amazon Personalize to access your resources and perform tasks on your behalf.

A user needs permission to create the IAM role. To give a user permission, see Creating a Role to Delegate Permissions to an AWS Service.

  1. Sign in to the IAM console (https://console.aws.amazon.com/iam).

  2. In the navigation pane, choose Roles.

  3. Choose Create role.

  4. For Select type of trusted entity, choose AWS service.

  5. For Choose the service that will use this role, select Amazon Personalize. If you don't see Amazon Personalize listed, choose EC2 with EC2 as your use case.

  6. Choose Next: Permissions.

  7. For Attach permissions policies, choose AmazonPersonalizeFullAccess.

    1. To display the policy in the list, type part of the policy name in the Filter policies query filter.

    2. Choose the check box next to AmazonPersonalizeFullAccess.

    3. (Optional) Repeat substeps 1 and 2 for CloudWatchFullAccess.

  8. Choose Next: Tags. You don't need to add any tags. Choose Next: Review.

  9. In the Review section, for Role name, enter a name for the role (for example, PersonalizeRole). Update the description for the role in Role description, then choose Create role.

  10. Choose the new role to open the role's summary page.

  11. Copy the Role ARN value and save it. You need it in order to import a dataset into Amazon Personalize.

  12. If you didn't choose Amazon Personalize as the service that will use this role, perform the following additional steps.

    1. Choose Trust relationships.

    2. Choose Edit trust relationship and update the trust policy to match the following:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "personalize.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }

    3. Choose Update Trust Policy.

  13. In the navigation pane, choose Policies, and choose Create policy.

  14. Choose the JSON tab, and update the policy as follows.

    {
      "Version": "2012-10-17",
      "Id": "PersonalizeS3BucketAccessPolicy",
      "Statement": [
        {
          "Sid": "PersonalizeS3BucketAccessPolicy",
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::bucket-name",
            "arn:aws:s3:::bucket-name/*"
          ]
        }
      ]
    }

  15. Choose Review policy.

  16. For Name, enter PersonalizeS3BucketAccessPolicy.

  17. (Optional) For Description, enter a short sentence describing this policy, for example, Allow Amazon Personalize to access its S3 bucket.

  18. Choose Create policy.

  19. In the navigation pane, choose Roles, and choose the new role.

  20. For Permissions, choose PersonalizeS3BucketAccessPolicy.

    1. To display the policy in the list, type part of the policy name in the Filter policies filter box.

    2. Choose the check box next to PersonalizeS3BucketAccessPolicy.

    3. Choose Attach policy.

Your role is now ready for use with Amazon Personalize. Record the role ARN. You will need it for import jobs.
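The following check is an added example, not part of the original guide or of any AWS tooling. It compares a role's trust policy and S3 access policy against the two JSON documents in the procedure above, which catches a role that still trusts EC2 because step 12 was skipped, or an S3 policy wider than the guide's. The function names and the sample documents are constructed for illustration.

```python
PERSONALIZE = "personalize.amazonaws.com"
ALLOWED_S3_ACTIONS = {"s3:GetObject", "s3:ListBucket"}  # exact-case match only

def _as_list(value):
    # IAM accepts either a single value or a list for most elements.
    return value if isinstance(value, list) else [value]

def check_trust_policy(doc):
    """Return findings for a role trust policy; an empty list means it matches the guide."""
    findings, trusted = [], set()
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # for example the wildcard "*"
            findings.append(f"non-service principal: {principal}")
            continue
        services = set(_as_list(principal.get("Service", [])))
        trusted |= services
        findings += [f"unexpected service principal: {s}" for s in sorted(services - {PERSONALIZE})]
        findings += [f"unexpected principal type: {k}" for k in sorted(set(principal) - {"Service"})]
        if set(_as_list(stmt.get("Action", []))) != {"sts:AssumeRole"}:
            findings.append("action is not exactly sts:AssumeRole")
    if PERSONALIZE not in trusted:
        findings.append(f"{PERSONALIZE} cannot assume this role")
    return findings

def check_s3_policy(doc, bucket):
    """Return findings for the S3 access policy; an empty list means it matches the guide."""
    findings = []
    expected = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if {"NotAction", "NotResource"} & set(stmt):
            findings.append("NotAction/NotResource is broader than the guide's policy")
        findings += [f"action beyond the guide's policy: {a}"
                     for a in sorted(set(_as_list(stmt.get("Action", []))) - ALLOWED_S3_ACTIONS)]
        findings += [f"resource outside {bucket}: {r}"
                     for r in sorted(set(_as_list(stmt.get("Resource", []))) - expected)]
    return findings

# Constructed samples: the trust policy from step 12, and one that still trusts EC2.
GUIDE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": PERSONALIZE}, "Action": "sts:AssumeRole"}]}
EC2_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(check_trust_policy(GUIDE_TRUST))
    print(check_trust_policy(EC2_TRUST))
```

The checks ignore Condition elements and compare action names case-sensitively, so treat an empty result as "matches the guide's documents", not as a full policy evaluation.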