As traduções são geradas por tradução automática. Em caso de conflito entre o conteúdo da tradução e da versão original em inglês, a versão em inglês prevalecerá.
Descrição: Fornece acesso total aos SageMaker recursos e operações da Amazon para preparação de dados no Canvas. A política também fornece acesso seleto a serviços relacionados (por exemplo, S3, IAM, KMS, RDS, Logs, Redshift CloudWatch , Athena, Glue, Secrets Manager). EventBridge Essa política deve ser anexada à função de execução de SageMaker domínio/perfil de usuário da Amazon.
AmazonSageMakerCanvasDataPrepFullAccess é uma política gerenciada pelo AWS.
Utilização desta política
Você pode vincular a AmazonSageMakerCanvasDataPrepFullAccess aos seus usuários, grupos e perfis.
Detalhes desta política
-
Tipo: política AWS gerenciada
-
Hora da criação: 27 de outubro de 2023, 22:56 UTC
-
Hora da edição: 16 de agosto de 2024, 18:11 UTC
-
ARN:
arn:aws:iam::aws:policy/AmazonSageMakerCanvasDataPrepFullAccess
Versão da política
Versão da política: v4 (padrão)
A versão padrão da política é aquela que define as permissões desta política. Quando um usuário ou função da política faz uma solicitação para acessar um AWS recurso, AWS verifica a versão padrão da política para determinar se a solicitação deve ser permitida.
Documento da política JSON
{
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "SageMakerListFeatureGroupOperation",
"Effect" : "Allow",
"Action" : "sagemaker:ListFeatureGroups",
"Resource" : "*"
},
{
"Sid" : "SageMakerFeatureGroupOperations",
"Effect" : "Allow",
"Action" : [
"sagemaker:CreateFeatureGroup",
"sagemaker:DescribeFeatureGroup"
],
"Resource" : "arn:aws:sagemaker:*:*:feature-group/*"
},
{
"Sid" : "SageMakerProcessingJobOperations",
"Effect" : "Allow",
"Action" : [
"sagemaker:CreateProcessingJob",
"sagemaker:DescribeProcessingJob",
"sagemaker:AddTags"
],
"Resource" : "arn:aws:sagemaker:*:*:processing-job/*canvas-data-prep*"
},
{
"Sid" : "SageMakerProcessingJobListOperation",
"Effect" : "Allow",
"Action" : "sagemaker:ListProcessingJobs",
"Resource" : "*"
},
{
"Sid" : "SageMakerPipelineOperations",
"Effect" : "Allow",
"Action" : [
"sagemaker:DescribePipeline",
"sagemaker:CreatePipeline",
"sagemaker:UpdatePipeline",
"sagemaker:DeletePipeline",
"sagemaker:StartPipelineExecution",
"sagemaker:ListPipelineExecutionSteps",
"sagemaker:DescribePipelineExecution"
],
"Resource" : "arn:aws:sagemaker:*:*:pipeline/*canvas-data-prep*"
},
{
"Sid" : "KMSListOperations",
"Effect" : "Allow",
"Action" : "kms:ListAliases",
"Resource" : "*"
},
{
"Sid" : "KMSOperations",
"Effect" : "Allow",
"Action" : "kms:DescribeKey",
"Resource" : "arn:aws:kms:*:*:key/*"
},
{
"Sid" : "S3Operations",
"Effect" : "Allow",
"Action" : [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:GetBucketCors",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload"
],
"Resource" : [
"arn:aws:s3:::*SageMaker*",
"arn:aws:s3:::*Sagemaker*",
"arn:aws:s3:::*sagemaker*"
],
"Condition" : {
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "S3GetObjectOperation",
"Effect" : "Allow",
"Action" : "s3:GetObject",
"Resource" : "arn:aws:s3:::*",
"Condition" : {
"StringEqualsIgnoreCase" : {
"s3:ExistingObjectTag/SageMaker" : "true"
},
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "S3ListOperations",
"Effect" : "Allow",
"Action" : [
"s3:ListBucket",
"s3:ListAllMyBuckets"
],
"Resource" : "*"
},
{
"Sid" : "IAMListOperations",
"Effect" : "Allow",
"Action" : "iam:ListRoles",
"Resource" : "*"
},
{
"Sid" : "IAMGetOperations",
"Effect" : "Allow",
"Action" : "iam:GetRole",
"Resource" : "arn:aws:iam::*:role/*"
},
{
"Sid" : "IAMPassOperation",
"Effect" : "Allow",
"Action" : "iam:PassRole",
"Resource" : "arn:aws:iam::*:role/*",
"Condition" : {
"StringEquals" : {
"iam:PassedToService" : [
"sagemaker.amazonaws.com",
"events.amazonaws.com"
]
}
}
},
{
"Sid" : "EventBridgePutOperation",
"Effect" : "Allow",
"Action" : [
"events:PutRule"
],
"Resource" : "arn:aws:events:*:*:rule/*",
"Condition" : {
"StringEquals" : {
"aws:RequestTag/sagemaker:is-canvas-data-prep-job" : "true"
}
}
},
{
"Sid" : "EventBridgeOperations",
"Effect" : "Allow",
"Action" : [
"events:DescribeRule",
"events:PutTargets"
],
"Resource" : "arn:aws:events:*:*:rule/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/sagemaker:is-canvas-data-prep-job" : "true"
}
}
},
{
"Sid" : "EventBridgeTagBasedOperations",
"Effect" : "Allow",
"Action" : [
"events:TagResource"
],
"Resource" : "arn:aws:events:*:*:rule/*",
"Condition" : {
"StringEquals" : {
"aws:RequestTag/sagemaker:is-canvas-data-prep-job" : "true",
"aws:ResourceTag/sagemaker:is-canvas-data-prep-job" : "true"
}
}
},
{
"Sid" : "EventBridgeListTagOperation",
"Effect" : "Allow",
"Action" : "events:ListTagsForResource",
"Resource" : "*"
},
{
"Sid" : "GlueOperations",
"Effect" : "Allow",
"Action" : [
"glue:GetDatabases",
"glue:GetTable",
"glue:GetTables",
"glue:SearchTables"
],
"Resource" : [
"arn:aws:glue:*:*:table/*",
"arn:aws:glue:*:*:catalog",
"arn:aws:glue:*:*:database/*"
]
},
{
"Sid" : "EMROperations",
"Effect" : "Allow",
"Action" : [
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:ListInstanceGroups"
],
"Resource" : "arn:aws:elasticmapreduce:*:*:cluster/*"
},
{
"Sid" : "EMRListOperation",
"Effect" : "Allow",
"Action" : "elasticmapreduce:ListClusters",
"Resource" : "*"
},
{
"Sid" : "AthenaListDataCatalogOperation",
"Effect" : "Allow",
"Action" : "athena:ListDataCatalogs",
"Resource" : "*"
},
{
"Sid" : "AthenaQueryExecutionOperations",
"Effect" : "Allow",
"Action" : [
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:StartQueryExecution",
"athena:StopQueryExecution"
],
"Resource" : "arn:aws:athena:*:*:workgroup/*"
},
{
"Sid" : "AthenaDataCatalogOperations",
"Effect" : "Allow",
"Action" : [
"athena:ListDatabases",
"athena:ListTableMetadata"
],
"Resource" : "arn:aws:athena:*:*:datacatalog/*"
},
{
"Sid" : "RedshiftOperations",
"Effect" : "Allow",
"Action" : [
"redshift-data:DescribeStatement",
"redshift-data:CancelStatement",
"redshift-data:GetStatementResult"
],
"Resource" : "*"
},
{
"Sid" : "RedshiftArnBasedOperations",
"Effect" : "Allow",
"Action" : [
"redshift-data:ExecuteStatement",
"redshift-data:ListSchemas",
"redshift-data:ListTables"
],
"Resource" : "arn:aws:redshift:*:*:cluster:*"
},
{
"Sid" : "RedshiftGetCredentialsOperation",
"Effect" : "Allow",
"Action" : "redshift:GetClusterCredentials",
"Resource" : [
"arn:aws:redshift:*:*:dbuser:*/sagemaker_access*",
"arn:aws:redshift:*:*:dbname:*"
]
},
{
"Sid" : "SecretsManagerARNBasedOperation",
"Effect" : "Allow",
"Action" : "secretsmanager:CreateSecret",
"Resource" : "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
},
{
"Sid" : "SecretManagerTagBasedOperation",
"Effect" : "Allow",
"Action" : [
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue"
],
"Resource" : "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/SageMaker" : "true",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "RDSOperation",
"Effect" : "Allow",
"Action" : "rds:DescribeDBInstances",
"Resource" : "*"
},
{
"Sid" : "LoggingOperation",
"Effect" : "Allow",
"Action" : [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource" : "arn:aws:logs:*:*:log-group:/aws/sagemaker/studio:*"
},
{
"Sid" : "EMRServerlessCreateApplicationOperation",
"Effect" : "Allow",
"Action" : "emr-serverless:CreateApplication",
"Resource" : "arn:aws:emr-serverless:*:*:/*",
"Condition" : {
"StringEquals" : {
"aws:RequestTag/sagemaker:is-canvas-resource" : "True",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "EMRServerlessListApplicationOperation",
"Effect" : "Allow",
"Action" : "emr-serverless:ListApplications",
"Resource" : "arn:aws:emr-serverless:*:*:/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "EMRServerlessApplicationOperations",
"Effect" : "Allow",
"Action" : [
"emr-serverless:UpdateApplication",
"emr-serverless:GetApplication"
],
"Resource" : "arn:aws:emr-serverless:*:*:/applications/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/sagemaker:is-canvas-resource" : "True",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "EMRServerlessStartJobRunOperation",
"Effect" : "Allow",
"Action" : "emr-serverless:StartJobRun",
"Resource" : "arn:aws:emr-serverless:*:*:/applications/*",
"Condition" : {
"StringEquals" : {
"aws:RequestTag/sagemaker:is-canvas-resource" : "True",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "EMRServerlessListJobRunOperation",
"Effect" : "Allow",
"Action" : "emr-serverless:ListJobRuns",
"Resource" : "arn:aws:emr-serverless:*:*:/applications/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/sagemaker:is-canvas-resource" : "True",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "EMRServerlessJobRunOperations",
"Effect" : "Allow",
"Action" : [
"emr-serverless:GetJobRun",
"emr-serverless:CancelJobRun"
],
"Resource" : "arn:aws:emr-serverless:*:*:/applications/*/jobruns/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/sagemaker:is-canvas-resource" : "True",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "EMRServerlessTagResourceOperation",
"Effect" : "Allow",
"Action" : "emr-serverless:TagResource",
"Resource" : "arn:aws:emr-serverless:*:*:/*",
"Condition" : {
"StringEquals" : {
"aws:RequestTag/sagemaker:is-canvas-resource" : "True",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "IAMPassOperationForEMRServerless",
"Effect" : "Allow",
"Action" : "iam:PassRole",
"Resource" : [
"arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
"arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*"
],
"Condition" : {
"StringEquals" : {
"iam:PassedToService" : "emr-serverless.amazonaws.com",
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
}
]
}Saiba mais
