Setting up permissions - Amazon Personalize

Setting up permissions

To prepare data with Data Wrangler, you must set up the following permissions:

  • Create a service role for Amazon Personalize: If you haven't already, complete the instructions in Setting up Amazon Personalize to create an IAM service role for Amazon Personalize. This role must have GetObject and ListBucket permissions for the Amazon S3 buckets that store your processed data. And it must have permission to use any AWS KMS keys.

    For information about granting Amazon Personalize access to your Amazon S3 buckets, see Giving Amazon Personalize access to Amazon S3 resources. For information about granting Amazon Personalize access to your AWS KMS keys, see Giving Amazon Personalize permission to use your AWS KMS key.

  • Create an administrative user with SageMaker permissions: Your administrator must have full access to SageMaker and must be able to create a SageMaker domain. For more information, see Create an Administrative User and Group in the Amazon SageMaker Developer Guide.

  • Create a SageMaker execution role: Create a SageMaker execution role with access to SageMaker resources and Amazon Personalize data import operations. The SageMaker execution role must have the AmazonSageMakerFullAccess policy attached. If you require more granular Data Wrangler permissions, see Data Wrangler Security and Permissions in the Amazon SageMaker Developer Guide. For more information on SageMaker roles, see SageMaker Roles.

    To grant access to Amazon Personalize data import operations, attach the following IAM policy to the SageMaker execution role. This policy grants the permissions required to import data into Amazon Personalize and attach a policy to your Amazon S3 bucket. And it grants PassRole permissions when the service is Amazon Personalize. Update the Amazon S3 bucket-name to the name of the Amazon S3 bucket you want to use as the destination for your formatted data after you prepare it with Data Wrangler.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "personalize:Create*", "personalize:List*", "personalize:Describe*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:PutBucketPolicy" ], "Resource": [ "arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*" ] }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "personalize.amazonaws.com" } } } ] }

    For information on creating an IAM policy, see Creating IAM policies in the IAM User Guide. For information on attaching an IAM policy to role, see Adding and removing IAM identity permissions in the IAM User Guide.