Amazon SageMaker API Permissions: Actions, Permissions, and Resources Reference - Amazon SageMaker

Amazon SageMaker API Permissions: Actions, Permissions, and Resources Reference

When you are setting up access control and writing a permissions policy that you can attach to an IAM identity (an identity-based policy), use the following table as a reference. The table lists each Amazon SageMaker API operation, the corresponding actions for which you can grant permissions to perform the action, and the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.

Note

Except for the ListTags API, resource-level restrictions are not available on List- calls . Any user calling a List- API will see all resources of that type in the account.

To express conditions in your Amazon SageMaker policies, you can use AWS-wide condition keys. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

Use the scroll bars to see the rest of the table.

Amazon SageMaker API Operations and Required Permissions for Actions
Amazon SageMaker API Operations Required Permissions (API Actions) Resources

AddTags

sagemaker:AddTags

arn:aws:sagemaker:region:account-id:*

CreateApp

sagemaker:CreateApp

arn:aws:sagemaker:region:account-id:app/domain-id/user-profile-name/app-type/appName

CreateAppImageConfig

sagemaker:CreateAppImageConfig

arn:aws:sagemaker:region:account-id:app-image-config/appImageConfigName

CreateAutoMLJob

sagemaker:CreateAutoMLJob

iam:PassRole

The following permission is required only the associated ResourceConfig has a specified VolumeKmsKeyId and the associated role does not have a policy that permits this action:

kms:CreateGrant

arn:aws:sagemaker:region:account-id:automl-job/autoMLJobName

CreateDomain

sagemaker:CreateDomain

iam:CreateServiceLinkedRole

iam:PassRole

Required if a KMS customer managed key is specified for KmsKeyId:

elasticfilesystem:CreateFileSystem

kms:CreateGrant

kms:Decrypt

kms:DescribeKey

kms:GenerateDataKeyWithoutPlainText

Required to create a domain that supports RStudio:

sagemaker:CreateApp

arn:aws:sagemaker:region:account-id:domain/domain-id

CreateEndpoint

sagemaker:CreateEndpoint

kms:CreateGrant (required only if the associated EndPointConfig has a KmsKeyId specified)

arn:aws:sagemaker:region:account-id:endpoint/endpointName

arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName

CreateEndpointConfig

sagemaker:CreateEndpointConfig

arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName

CreateFlowDefinition

sagemaker:CreateFlowDefinition

iam:PassRole

arn:aws:sagemaker:region:account-id:flow-definition/flowDefinitionName

CreateHumanTaskUi

sagemaker:CreateHumanTaskUi

arn:aws:sagemaker:region:account-id:human-task-ui/humanTaskUiName

CreateInferenceRecommendationsJob

sagemaker:CreateInferenceRecommendationsJob

iam:PassRole

The following permissions are required only if you specify an encryption key:

kms:CreateGrant

kms:Decrypt

kms:DescribeKey

kms:GenerateDataKey

arn:aws:sagemaker:region:account-id:inference-recommendations-job/inferenceRecommendationsJobName

CreateHyperParameterTuningJob

sagemaker:CreateHyperParameterTuningJob

iam:PassRole

The following permission is required only if any of the associated ResourceConfig have a specified VolumeKmsKeyId and the associated role does not have a policy that permits this action:

kms:CreateGrant

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJobName

CreateImage

sagemaker:CreateImage

iam:PassRole

arn:aws:sagemaker:region:account-id:image/*

CreateImageVersion

sagemaker:CreateImageVersion

arn:aws:sagemaker:region:account-id:image-version/imageName/*

CreateLabelingJob

sagemaker:CreateLabelingJob

iam:PassRole

arn:aws:sagemaker:region:account-id:labeling-job/labelingJobName

CreateModel

sagemaker:CreateModel

iam:PassRole

arn:aws:sagemaker:region:account-id:model/modelName

CreateModelPackage

sagemaker:CreateModelPackage

arn:aws:sagemaker:region:account-id:model-package/modelPackageName

CreateModelPackageGroup

sagemaker:CreateModelPackageGroup

arn:aws:sagemaker:region:account-id:model-package-group/modelPackageGroupName

CreateNotebookInstance

sagemaker:CreateNotebookInstance

iam:PassRole

The following permissions are required only if you specify a VPC for your notebook instance:

ec2:CreateNetworkInterface

ec2:DescribeSecurityGroups

ec2:DescribeSubnets

ec2:DescribeVpcs

The following permission is required only if you specify a VPC and an elastic inference accelerator for your notebook instance:

ec2:DescribeVpcEndpoints

The following permissions are required only if you specify an encryption key:

kms:DescribeKey

kms:CreateGrant

The following permission is required only if you specify an AWS Secrets Manager secret to access a private Git repository:

secretsmanager:GetSecretValue

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

CreatePipeline

sagemaker:CreatePipeline

iam:PassRole

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name

arn:aws-partition:iam::account-id:role/role-name

CreatePresignedDomainUrl

sagemaker:CreatePresignedDomainUrl

arn:aws:sagemaker:region:account-id:app/domain-id/userProfileName/*

CreatePresignedNotebookInstanceUrl

sagemaker:CreatePresignedNotebookInstanceUrl

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

CreateProcessingJob

sagemaker:CreateProcessingJob

iam:PassRole

kms:CreateGrant (required only if the associated ProcessingResources has a specified VolumeKmsKeyId and the associated role does not have a policy that permits this action)

arn:aws:sagemaker:region:account-id:processing-job/processingJobName

CreateStudioLifecycleConfig

sagemaker:CreateStudioLifecycleConfig

arn:aws:sagemaker:region:account-id:studio-lifecycle-config/.*

CreateTrainingJob

sagemaker:CreateTrainingJob

iam:PassRole

kms:CreateGrant (required only if the associated ResourceConfig has a specified VolumeKmsKeyId and the associated role does not have a policy that permits this action)

arn:aws:sagemaker:region:account-id:training-job/trainingJobName

CreateTransformJob

sagemaker:CreateTransformJob

kms:CreateGrant (required only if the associated TransformResources has a specified VolumeKmsKeyId and the associated role does not have a policy that permits this action)

arn:aws:sagemaker:region:account-id:transform-job/transformJobName

CreateUserProfile

sagemaker:CreateUserProfile

iam:PassRole

arn:aws:sagemaker:region:account-id:user-profile/domain-id/userProfileName

CreateWorkforce

sagemaker:CreateWorkforce

cognito-idp:DescribeUserPoolClient

cognito-idp:UpdateUserPool

cognito-idp:DescribeUserPool

cognito-idp:UpdateUserPoolClient

arn:aws:sagemaker:region:account-id:workforce/*

CreateWorkteam

sagemaker:CreateWorkteam

cognito-idp:DescribeUserPoolClient

cognito-idp:UpdateUserPool

cognito-idp:DescribeUserPool

cognito-idp:UpdateUserPoolClient

arn:aws:sagemaker:region:account-id:workteam/private-crowd/work team name

DeleteApp

sagemaker:DeleteApp

arn:aws:sagemaker:region:account-id:app/domain-id/user-profile-name/app-type/appName

DeleteAppImageConfig

sagemaker:DeleteAppImageConfig

arn:aws:sagemaker:region:account-id:app-image-config/appImageConfigName

DeleteDomain

sagemaker:DeleteDomain

arn:aws:sagemaker:region:account-id:domain/domainId

DeleteEndpoint

sagemaker:DeleteEndpoint

arn:aws:sagemaker:region:account-id:endpoint/endpointName

DeleteEndpointConfig

sagemaker:DeleteEndpointConfig

arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName

DeleteFlowDefinition

sagemaker:DeleteFlowDefinition

arn:aws:sagemaker:region:account-id:flow-definition/flowDefinitionName

DeleteHumanLoop

sagemaker:DeleteHumanLoop

arn:aws:sagemaker:region:account-id:human-loop/humanLoopName

DeleteImage

sagemaker:DeleteImage

arn:aws:sagemaker:region:account-id:image/imageName

DeleteImageVersion

sagemaker:DeleteImageVersion

arn:aws:sagemaker:region:account-id:image-version/imageName/versionNumber

DeleteModel

sagemaker:DeleteModel

arn:aws:sagemaker:region:account-id:model/modelName

DeleteModelPackage

sagemaker:DeleteModelPackage

arn:aws:sagemaker:region:account-id:model-package/modelPackageName

DeleteModelPackageGroup

sagemaker:DeleteModelPackageGroup

arn:aws:sagemaker:region:account-id:model-package-group/modelPackageGroupName

DeleteModelPackageGroupPolicy

sagemaker:DeleteModelPackageGroupPolicy

arn:aws:sagemaker:region:account-id:model-package-group/modelPackageGroupName

DeleteNotebookInstance

sagemaker:DeleteNotebookInstance

The following permission is required only if you specified a VPC for your notebook instance:

ec2:DeleteNetworkInterface

The following permissions are required only if you specified an encryption key when you created the notebook instance:

kms:DescribeKey

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

DeletePipeline

sagemaker:DeletePipeline

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name

DeleteTags

sagemaker:DeleteTags

arn:aws:sagemaker:region:account-id:*

DeleteUserProfile

sagemaker:DeleteUserProfile

arn:aws:sagemaker:region:account-id:user-profile/domain-id/userProfileName

DeleteWorkforce

sagemaker:DeleteWorkforce

arn:aws:sagemaker:region:account-id:workforce/*

DeleteWorkteam

sagemaker:DeleteWorkteam

arn:aws:sagemaker:region:account-id:workteam/private-crowd/*

DescribeApp

sagemaker:DescribeApp

arn:aws:sagemaker:region:account-id:app/domain-id/user-profile-name/app-type/appName

DescribeAppImageConfig

sagemaker:DescribeAppImageConfig

arn:aws:sagemaker:region:account-id:app-image-config/appImageConfigName

DescribeDomain

sagemaker:DescribeDomain

arn:aws:sagemaker:region:account-id:domain/domainId

DescribeEndpoint

sagemaker:DescribeEndpoint

arn:aws:sagemaker:region:account-id:endpoint/endpointName

DescribeEndpointConfig

sagemaker:DescribeEndpointConfig

arn:aws:sagemaker:region:account-id:endpoint-config/endpointConfigName

DescribeFlowDefinition

sagemaker:DescribeFlowDefinition

arn:aws:sagemaker:region:account-id:flow-definition/flowDefinitionName

DescribeHumanLoop

sagemaker:DescribeHumanLoop

arn:aws:sagemaker:region:account-id:human-loop/humanLoopName

DescribeHumanTaskUi

sagemaker:DescribeHumanTaskUi

arn:aws:sagemaker:region:account-id:human-task-ui/humanTaskUiName

DescribeHyperParameterTuningJob

sagemaker:DescribeHyperParameterTuningJob

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob

DescribeImage

sagemaker:DescribeImage

arn:aws:sagemaker:region:account-id:image/imageName

DescribeImageVersion

sagemaker:DescribeImageVersion

arn:aws:sagemaker:region:account-id:image-version/imageName/versionNumber

DescribeLabelingJob

sagemaker:DescribeLabelingJob

arn:aws:sagemaker:region:account-id:labeling-job/labelingJobName

DescribeModel

sagemaker:DescribeModel

arn:aws:sagemaker:region:account-id:model/modelName

DescribeModelPackage

sagemaker:DescribeModelPackage

arn:aws:sagemaker:region:account-id:model-package/modelPackageName

DescribeModelPackageGroup

sagemaker:DescribeModelPackageGroup

arn:aws:sagemaker:region:account-id:model-package-group/modelPackageGroupName

DescribeNotebookInstance

sagemaker:DescribeNotebookInstance

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

DescribePipeline

sagemaker:DescribePipeline

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name

DescribePipelineDefinitionForExecution

sagemaker:DescribePipelineDefinitionForExecution

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id

DescribePipelineExecution

sagemaker:DescribePipelineExecution

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id

DescribeProcessingJob

sagemaker:DescribeProcessingJob

arn:aws:sagemaker:region:account-id:processing-job/processingjobname

DescribeSubscribedWorkteam

sagemaker:DescribeSubscribedWorkteam

aws-marketplace:ViewSubscriptions

arn:aws:sagemaker:region:account-id:workteam/vendor-crowd/*

DescribeTrainingJob

sagemaker:DescribeTrainingJob

arn:aws:sagemaker:region:account-id:training-job/trainingjobname

DescribeTransformJob

sagemaker:DescribeTransformJob

arn:aws:sagemaker:region:account-id:transform-job/transformjobname

DescribeUserProfile

sagemaker:DescribeUserProfile

arn:aws:sagemaker:region:account-id:user-profile/domain-id/userProfileName

DescribeWorkforce

sagemaker:DescribeWorkforce

arn:aws:sagemaker:region:account-id:workforce/*

DescribeWorkteam

sagemaker:DescribeWorkteam

arn:aws:sagemaker:region:account-id:workteam/private-crowd/*

GetModelPackageGroupPolicy

sagemaker:GetModelPackageGroupPolicy

arn:aws:sagemaker:region:account-id:model-package-group/modelPackageGroupName

InvokeEndpoint

sagemaker:InvokeEndpoint

arn:aws:sagemaker:region:account-id:endpoint/endpointName

ListAppImageConfigs

sagemaker:ListAppImageConfigs

arn:aws:sagemaker:region:account-id:app-image-config/*

ListApps

sagemaker:ListApps

arn:aws:sagemaker:region:account-id:app/domain-id/user-profile-name/*

ListDomains

sagemaker:ListDomains

arn:aws:sagemaker:region:account-id:domain/*

ListEndpointConfigs

sagemaker:ListEndpointConfigs

*

ListEndpoints

sagemaker:ListEndpoints

*

ListFlowDefinitions

sagemaker:ListFlowDefinitions

*

ListHumanLoops

sagemaker:ListHumanLoops

*

ListHumanTaskUis

sagemaker:ListHumanTaskUis

*

ListHyperParameterTuningJobs

sagemaker:ListHyperParameterTuningJobs

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob

ListImages

sagemaker:ListImages

*

ListImageVersions

sagemaker:ListImageVersions

arn:aws:sagemaker:region:account-id:image/*

ListLabelingJobs

sagemaker:ListLabelingJobs

*

ListLabelingJobsForWorkteam

sagemaker:ListLabelingJobForWorkteam

*

ListModelPackageGroups

sagemaker:ListModelPackageGroups

arn:aws:sagemaker:region:account-id :model-package-group/ModelPackageGroupName

ListModelPackages

sagemaker:ListModelPackages

arn:aws:sagemaker:region:account-id :model-package/ModelPackageName

ListModels

sagemaker:ListModels

*

ListNotebookInstances

sagemaker:ListNotebookInstances

*

ListPipelineExecutions

sagemaker:ListPipelineExecutions

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name

ListPipelineExecutionSteps

sagemaker:ListPipelineExecutionSteps

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id

ListPipelineParametersForExecution

sagemaker:ListPipelineParametersForExecution

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id

ListPipelines

sagemaker:ListPipelines

*

ListProcessingJobs

sagemaker:ListProcessingJobs

*

ListSubscribedWorkteams

sagemaker:ListSubscribedWorkteams

aws-marketplace:ViewSubscriptions

*

ListTags

sagemaker:ListTags

arn:aws:sagemaker:region:account-id:*

ListTrainingJobs

sagemaker:ListTrainingJobs

*

ListTrainingJobsForHyperParameterTuningJob

sagemaker:ListTrainingJobsForHyperParameterTuningJob

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob

ListTransformJobs

sagemaker:ListTransformJobs

*

ListUserProfiles

sagemaker:ListUserProfiles

arn:aws:sagemaker:region:account-id:user-profile/domain-id/*

ListWorkforces

sagemaker:ListWorkforces

*

ListWorkteams

sagemaker:ListWorkteams

*

PutModelPackageGroupPolicy

sagemaker:PutModelPackageGroupPolicy

arn:aws:sagemaker:region:account-id:model-package-group/modelPackageGroupName

RetryPipelineExecution

sagemaker:RetryPipelineExecution

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id

SendPipelineExecutionStepFailure

sagemaker:SendPipelineExecutionStepFailure

*

SendPipelineExecutionStepSuccess

sagemaker:SendPipelineExecutionStepSuccess

*

StartHumanLoop

sagemaker:StartHumanLoop

arn:aws:sagemaker:region:account-id:human-loop/humanLoopName

StartNotebookInstance

sagemaker:StartNotebookInstance

iam:PassRole

The following permissions are required only if you specified a VPC when you created your notebook instance:

ec2:CreateNetworkInterface

ec2:DescribeNetworkInterfaces

ec2:DescribeSecurityGroups

ec2:DescribeSubnets

ec2:DescribeVpcs

The following permission is required only if you specify a VPC and an elastic inference accelerator for your notebook instance:

ec2:DescribeVpcEndpoints

The following permissions are required only if you specified an encryption key when you created the notebook instance:

kms:DescribeKey

kms:CreateGrant

The following permission is required only if you specified an AWS Secrets Manager secret to access a private Git repository when you created the notebook instance:

secretsmanager:GetSecretValue

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

StartPipelineExecution

sagemaker:StartPipelineExecution

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name

StopHumanLoop

sagemaker:StopHumanLoop

arn:aws:sagemaker:region:account-id:human-loop/humanLoopName

StopHyperParameterTuningJob

sagemaker:StopHyperParameterTuningJob

arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job/hyperParameterTuningJob

StopLabelingJob

sagemaker:StopLabelingJob

arn:aws:sagemaker:region:account-id:labeling-job/labelingJobName

StopNotebookInstance

sagemaker:StopNotebookInstance

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

StopPipelineExecution

sagemaker:StopPipelineExecution

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id

StopProcessingJob

sagemaker:StopProcessingJob

arn:aws:sagemaker:region:account-id:processing-job/processingJobName

StopTrainingJob

sagemaker:StopTrainingJob

arn:aws:sagemaker:region:account-id:training-job/trainingJobName

StopTransformJob

sagemaker:StopTransformJob

arn:aws:sagemaker:region:account-id:transform-job/transformJobName

UpdateAppImageConfig

sagemaker:UpdateAppImageConfig

arn:aws:sagemaker:region:account-id:app-image-config/appImageConfigName

UpdateDomain

sagemaker:UpdateDomain

arn:aws:sagemaker:region:account-id:domain/domainId

UpdateEndpoint

sagemaker:UpdateEndpoint

arn:aws:sagemaker:region:account-id:endpoint/endpointName

UpdateEndpointWeightsAndCapacities

sagemaker:UpdateEndpointWeightsAndCapacities

arn:aws:sagemaker:region:account-id:endpoint/endpointName

UpdateImage

sagemaker:UpdateImage

iam:PassRole

arn:aws:sagemaker:region:account-id:image/imageName

UpdateModelPackage

sagemaker:UpdateModelPackage

arn:aws:sagemaker:region:account-id:model-package/modelPackageName

UpdateNotebookInstance

sagemaker:UpdateNotebookInstance

iam:PassRole

arn:aws:sagemaker:region:account-id:notebook-instance/notebookInstanceName

UpdatePipeline

sagemaker:UpdatePipeline

iam:PassRole

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name

arn:aws-partition:iam::account-id:role/role-name

UpdatePipelineExecution

sagemaker:UpdatePipelineExecution

arn:aws-partition:sagemaker:region:account-id:pipeline/pipeline-name/execution/execution-id

UpdateUserProfile

sagemaker:UpdateUserProfile

arn:aws:sagemaker:region:account-id:user-profile/domain-id/userProfileName

UpdateWorkforce

sagemaker:UpdateWorkforce

arn:aws:sagemaker:region:account-id:workforce/*

UpdateWorkteam

sagemaker:UpdateWorkteam

arn:aws:sagemaker:region:account-id:workteam/private-crowd/*