Set up SDK permissions
To use Amazon Rekognition Custom Labels SDK operations, you need access permissions to the Amazon Rekognition Custom Labels API and the Amazon S3 bucket used for model training.
Granting SDK operation permissions
We recommend that you grant only the permissions required to perform a task
(least-privilege permissions). For example, to call DetectCustomLabels, you need permission to perform
rekognition:DetectCustomLabels. To find the permissions for an
operation, check the API reference.
When you are just starting out with an application, you might not know the
specific permissions you need, so you can start with broader permissions. AWS
managed policies provide permissions to help you get started.
You can use the AmazonRekognitionCustomLabelsFullAccess AWS managed
policy to get complete access to the Amazon Rekognition Custom Labels API. For more information, see
AWS managed policy: AmazonRekognitionCustomLabelsFullAccess. When you
know the permissions that your application needs, reduce permissions further by
defining customer managed policies specific to your use cases. For more information,
see Customer managed policies.
To assign permissions, see Assigning permissions.
Policy updates for using the AWS SDK
To use the AWS SDK with the latest release of Amazon Rekognition Custom Labels, you no longer need to
give Amazon Rekognition Custom Labels permissions to access the
Amazon S3 bucket that contains your training and testing images. If you have previously added
permissions, you don't need to remove them. If you choose to, remove any policy from the
bucket where the service for the principal is rekognition.amazonaws.com. For example:
"Principal": { "Service": "rekognition.amazonaws.com" }
For more information, see Using bucket policies.
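The cleanup described above, as an added example (not AWS's code): it takes a bucket policy as JSON text, drops statements whose only principal is the rekognition.amazonaws.com service, and flags statements that share that principal with others so they can be edited by hand. The sample policy, bucket name, account ID, role and function names are constructed for illustration; the function returns None in place of a policy when no statement is left.

```python
import json

SERVICE = "rekognition.amazonaws.com"

# Constructed sample policy; bucket name, account ID and role are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "LegacyRekognitionRead", "Effect": "Allow",
     "Principal": {"Service": "rekognition.amazonaws.com"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "MixedServices", "Effect": "Allow",
     "Principal": {"Service": [SERVICE, "cloudtrail.amazonaws.com"]},
     "Action": "s3:GetBucketAcl",
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "TeamRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-role"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
]})


def service_principals(statement):
    """Return the statement's service principals as a list (may be empty)."""
    principal = statement.get("Principal")
    if not isinstance(principal, dict):  # "*" or no Principal element
        return []
    services = principal.get("Service", [])
    return [services] if isinstance(services, str) else list(services)


def strip_rekognition_statements(policy_json):
    """Return (policy or None, removed labels, labels needing manual review)."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    kept, removed, review = [], [], []
    for index, stmt in enumerate(statements):
        label = stmt.get("Sid", f"statement[{index}]")
        services = service_principals(stmt)
        if SERVICE not in services:
            kept.append(stmt)
        elif set(stmt["Principal"]) == {"Service"} and set(services) == {SERVICE}:
            removed.append(label)
        else:  # shared with other principals: keep it and edit by hand
            kept.append(stmt)
            review.append(label)
    policy["Statement"] = kept
    return (policy if kept else None), removed, review
```

Review the removed and flagged labels before writing the resulting policy back to the bucket.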
Assigning permissions
To provide access, add permissions to your users, groups, or roles:
- Users and groups in AWS IAM Identity Center:
  Create a permission set. Follow the instructions in Create a permission set in the AWS IAM Identity Center User Guide.
- Users managed in IAM through an identity provider:
  Create a role for identity federation. Follow the instructions in Create a role for a third-party identity provider (federation) in the IAM User Guide.
- IAM users:
  - Create a role that your user can assume. Follow the instructions in Create a role for an IAM user in the IAM User Guide.
  - (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.