Setting up permissions - Amazon Personalize

Setting up permissions

To use Amazon Personalize, you have to set up permissions that allow IAM users to access the Amazon Personalize console and API operations. You also have to set up permissions that allow Amazon Personalize to perform tasks on your behalf and to access resources that you own.

We recommend creating an AWS Identity and Access Management (IAM) user with access restricted to Amazon Personalize operations. You can add other permissions as needed. For more information, see Amazon Personalize identity-based policies.

Note

We recommend creating a new IAM policy that grants only the permissions necessary to use Amazon Personalize.

To set up permissions

  1. Attach a policy to your Amazon Personalize IAM user or group that allows full access to Amazon Personalize.

  2. Optionally attach the CloudWatchFullAccess AWS managed policy to your IAM user or group to grant permissions to monitor Amazon Personalize with CloudWatch. See AWS managed policies.

  3. Create an IAM role for Amazon Personalize and attach the policy from step 1 to the new role. See Creating an IAM role for Amazon Personalize.

  4. If you are using AWS Key Management Service (AWS KMS) for encryption, you must give your IAM user and Amazon Personalize IAM service role permission to use your key. You must also add Amazon Personalize as a Principal in your AWS KMS key policy. For more information, see Using key policies in AWS KMS in the AWS Key Management Service Developer Guide.

  5. Complete the steps in Giving Amazon Personalize access to Amazon S3 resources to use IAM and Amazon S3 bucket policies to give Amazon Personalize access to your Amazon S3 resources.

Creating a new IAM policy

Create an IAM policy that provides users and Amazon Personalize full access to your Amazon Personalize resources. Then attach the policy to your IAM user or group.

To create and attach an IAM policy

  1. Sign in to the IAM console (https://console.aws.amazon.com/iam).

  2. In the navigation pane, choose Policies.

  3. Choose Create policy.

  4. Choose the JSON tab.

  5. Paste the following JSON policy document in the text field.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "personalize:*"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:PassRole"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "iam:PassedToService": "personalize.amazonaws.com"
                    }
                }
            }
        ]
    }

  6. Choose Next: Tags. Optionally add any tags and choose Review.

  7. On the Review policy page, for Name, enter a name for the policy. Optionally, enter a description for Description.

  8. In Summary, review the policy to see the permissions it grants, then choose Create policy.

  9. Attach the new policy to your IAM user or group.

    For information on attaching a policy to a user, see Changing permissions for an IAM user in the IAM User Guide. For information on attaching a policy to a group, see Attaching a policy to an IAM group in the IAM User Guide.

  10. If you are using AWS KMS for encryption, give your user or group permission to use your key. For more information, see Using key policies in AWS KMS in the AWS Key Management Service Developer Guide.
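
The policy in step 5 allows iam:PassRole on every role ("Resource": "*") and relies on the iam:PassedToService condition to confine that permission to Amazon Personalize. The following Python check is an added example, not part of the AWS documentation: it flags policy documents in which that condition is missing or names other services. The function names are hypothetical, and only "Action" statements are evaluated.

```python
import fnmatch
import json

# Policy document from step 5 of this page.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["personalize:*"], "Resource": "*"},
  {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
   "Condition": {"StringEquals":
     {"iam:PassedToService": "personalize.amazonaws.com"}}}]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows_passrole(stmt):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    # Only "Action" is evaluated; "NotAction" statements need manual review.
    return stmt.get("Effect") == "Allow" and any(
        fnmatch.fnmatchcase("iam:passrole", action.lower())
        for action in _as_list(stmt.get("Action", [])))

def _passed_to_services(stmt):
    # Collect values of iam:PassedToService under StringEquals / StringLike.
    services = []
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.lower() in ("stringequals", "stringlike"):
            for key, value in keys.items():
                if key.lower() == "iam:passedtoservice":
                    services.extend(_as_list(value))
    return services

def unscoped_passrole(policy, expected="personalize.amazonaws.com"):
    """Return (statement index, reason) for each Allow of iam:PassRole that
    is not limited to passing roles to the expected service."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if not _allows_passrole(stmt):
            continue
        services = _passed_to_services(stmt)
        if not services:
            findings.append((i, "no iam:PassedToService condition"))
        elif any(s != expected for s in services):
            findings.append((i, "also passes roles to: " + ", ".join(
                s for s in services if s != expected)))
    return findings

if __name__ == "__main__":
    print(unscoped_passrole(PAGE_POLICY))
```

An empty result means every iam:PassRole grant in the document is limited to personalize.amazonaws.com; run it over exported policy JSON before attaching a policy to a user or group.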

Creating an IAM role for Amazon Personalize

To use Amazon Personalize, you must create an AWS Identity and Access Management service role for Amazon Personalize. For information on how to create an IAM role, see Creating a role to delegate permissions to an AWS service in the IAM User Guide. As you create your role, configure the following for Amazon Personalize:

Next, if you are completing the getting started exercise, you are ready to create your training data and grant Amazon Personalize access to your Amazon S3 bucket. See Creating the training data (Custom dataset group).

If you are not completing the getting started exercise, you are ready to import your data. See Preparing and importing data.