Setting up permissions - Amazon Personalize

Setting up permissions

To use Amazon Personalize, you have to set up permissions that allow IAM users to access the Amazon Personalize console and API operations. You also have to set up permissions that allow Amazon Personalize to perform tasks on your behalf and to access resources that you own.

We recommend creating an AWS Identity and Access Management (IAM) user with access restricted to Amazon Personalize operations. You can add other permissions as needed. For more information, see Amazon Personalize identity-based policies.

Note

We recommend creating a new IAM policy that grants only the permissions necessary to use Amazon Personalize.

To set up permissions

  1. Attach a policy to your Amazon Personalize IAM user or group that allows full access to Amazon Personalize.

  2. Attach the AmazonS3FullAccess AWS managed policy to your user or group to grant permissions to access Amazon S3 and create an Amazon S3 bucket. For more information on granting permission to your Amazon S3 resources, see Using bucket policies and user policies in the Amazon S3 Developer Guide.

  3. Optionally attach the CloudWatchFullAccess AWS managed policy to your IAM user or group to grant permissions to monitor Amazon Personalize with CloudWatch. See AWS managed policies.

  4. Create an IAM role for Amazon Personalize and attach the policy from step 1 to the new role. See Creating an IAM role for Amazon Personalize.

  5. If you are using AWS Key Management Service (AWS KMS) for encryption, you must give your IAM user and the Amazon Personalize IAM service-linked role permission to use your key. You must also add Amazon Personalize as a Principal in your AWS KMS key policy. For more information, see Using key policies in AWS KMS in the AWS Key Management Service Developer Guide.

Creating a new IAM policy

Create an IAM policy that provides users and Amazon Personalize full access to your Amazon Personalize resources. Then attach the policy to your IAM user or group.

To create and attach an IAM policy

  1. Sign in to the IAM console (https://console.aws.amazon.com/iam).

  2. In the navigation pane, choose Policies.

  3. Choose Create policy.

  4. Choose the JSON tab.

  5. Paste the following JSON policy document in the text field.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "personalize:*"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:PassRole"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "iam:PassedToService": "personalize.amazonaws.com"
                    }
                }
            }
        ]
    }

  6. When you have finished, choose Review policy.

  7. On the Review policy page, for Name, enter a name for the policy. Optionally, for Description, enter a description of the policy.

  8. In Summary, review the policy to see the permissions it grants, then choose Create policy.

  9. Attach the new policy to your IAM user or group.

    For information on attaching a policy to a user, see Changing permissions for an IAM user in the IAM User Guide. For information on attaching a policy to a group, see Attaching a policy to an IAM group in the IAM User Guide.

  10. If you are using AWS KMS for encryption, give your user or group permission to use your key. For more information, see Using key policies in AWS KMS in the AWS Key Management Service Developer Guide.

Creating an IAM role for Amazon Personalize

In the following procedure, you create an IAM role that allows Amazon Personalize to access your resources and perform tasks on your behalf.

  1. Sign in to the IAM console (https://console.aws.amazon.com/iam/).

  2. In the navigation pane, choose Roles.

  3. Choose Create role.

  4. For Select type of trusted entity, choose AWS service.

  5. For Choose the service that will use this role, choose Amazon Personalize.

  6. Choose Next: Permissions.

  7. For Attach permissions policies, either choose the policy you created in Creating a new IAM policy or choose AmazonPersonalizeFullAccess (see AWS managed policies).

    1. To display the policy in the list, type part of the policy name in the Filter policies query filter.

    2. Choose the check box next to the policy name.

  8. Choose Next: Tags. You don't need to add any tags, so choose Next: Review.

  9. In the Review section, for Role name, enter a name for the role (for example, PersonalizeRole). Update the description for the role in Role description, then choose Create role.

  10. Choose the new role to open the role's summary page.

  11. Copy the Role ARN value and save it. You need it to import a dataset into Amazon Personalize.

  12. If you are using AWS KMS for encryption, give your Amazon Personalize service-linked role permission to use your key. For more information, see Using key policies in AWS KMS in the AWS Key Management Service Developer Guide.

    Next, if you are completing the getting started exercise, you are ready to create your training data and grant Amazon Personalize access to your Amazon S3 bucket. See Creating the training data.

    If you are not completing the getting started exercise, you are ready to import your data. See Preparing and importing data.
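As an added example (not code from the Amazon Personalize documentation), the Python below checks two things a reviewer would want before attaching these policies: that an identity policy like the one pasted in step 5 of Creating a new IAM policy keeps iam:PassRole pinned to Amazon Personalize through the iam:PassedToService condition, and that the trust policy of the role created in Creating an IAM role for Amazon Personalize lets only the personalize.amazonaws.com service assume it. The trust document is assumed to be the standard one the IAM console generates when Amazon Personalize is chosen as the trusted service (it is not quoted on this page), and the weak variant is constructed for the check.

```python
import copy

# Identity policy from the "Creating a new IAM policy" procedure above.
PERSONALIZE_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["personalize:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": "personalize.amazonaws.com"}}},
    ],
}

# Trust policy the console generates when Amazon Personalize is chosen as the trusted service
# (assumption: standard service-role trust document, not reproduced on the page).
PERSONALIZE_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "personalize.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Constructed weak variant: the same policy with the iam:PassedToService condition dropped,
# which would let the user pass the role to any AWS service that accepts it.
UNSCOPED_PASSROLE_POLICY = copy.deepcopy(PERSONALIZE_USER_POLICY)
del UNSCOPED_PASSROLE_POLICY["Statement"][1]["Condition"]

def _as_list(value):
    # IAM allows a single string or a list in most policy fields; normalize to a list.
    return value if isinstance(value, list) else [value]

def passrole_findings(policy):
    """Flag Allow statements that grant iam:PassRole without pinning it to Personalize."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(a in ("iam:passrole", "iam:*", "*") for a in actions):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if _as_list(cond.get("iam:PassedToService", [])) != ["personalize.amazonaws.com"]:
            findings.append("iam:PassRole is not restricted to personalize.amazonaws.com via iam:PassedToService")
    return findings

def trust_policy_findings(trust):
    """Flag a role trust policy that lets anything besides the Personalize service assume the role."""
    findings = []
    for stmt in _as_list(trust["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "AWS" in principal):
            findings.append("trust policy allows an account or wildcard principal, not only the service")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        findings.extend(f"unexpected trusted service: {s}" for s in services if s != "personalize.amazonaws.com")
    return findings

if __name__ == "__main__":
    print("page policy:", passrole_findings(PERSONALIZE_USER_POLICY) or "ok")
    print("unscoped PassRole:", passrole_findings(UNSCOPED_PASSROLE_POLICY))
    print("trust policy:", trust_policy_findings(PERSONALIZE_ROLE_TRUST_POLICY) or "ok")
```

Run the same checks against the JSON of any policy you intend to attach in step 9 or step 7 of the role procedure; an empty findings list means the PassRole grant and the trust relationship are scoped as this page intends.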