SageMaker geospatial capabilities roles
As a managed service, Amazon SageMaker geospatial capabilities perform operations on your behalf on the AWS hardware that is managed by SageMaker. It can perform only operations that the user permits.
A user can grant these permissions with an IAM role (referred to as an execution role).
To create and use a locally available execution role, you can use the following procedures.
Create an execution role
To work with SageMaker geospatial capabilities you need to setup a user role and an execution role. A user role is an AWS identity with permission policies that determine what the user can and can not do within AWS. An execution role is an IAM role that grants the service permission to access your AWS resources. An execution role consists of permissions and trust policy. The trust policy specifies which principals have the permission to assume the role.
Use the following procedure to create an execution role with the IAM managed
policy, AmazonSageMakerGeospatialFullAccess, attached. If your use case requires
more granular permissions, use other sections of this guide to create an execution
role that meets your business needs.
The IAM managed policy, AmazonSageMakerGeospatialFullAccess, used in the
following procedure only grants the execution role permission to perform certain
Amazon S3 actions on buckets or objects with SageMaker,
Sagemaker, sagemaker, or aws-glue in
the name. To learn how to add an additional policy to an execution role to grant
it access to other Amazon S3 buckets and objects, see Add Additional Amazon S3
Permissions to a SageMaker Execution Role.
To create a new role
Open the IAM console at https://console.aws.amazon.com/iam/
. -
Select Roles and then select Create role.
-
Select SageMaker.
-
Select Next: Permissions.
-
The IAM managed policy,
AmazonSageMakerGeospatialFullAccessis automatically attached to this role. To see the permissions included in this policy, select the sideways arrow next to the policy name. Select Next: Tags. -
(Optional) Add tags and select Next: Review.
-
Give the role a name in the text field under Role name and select Create role.
-
In the Roles section of the IAM console, select the role you just created. If needed, use the text box to search for the role using the role name you entered in step 7.
-
On the role summary page, make note of the ARN.
Passing Roles
Actions like passing a role between services are a common function within SageMaker. You can find more details on Actions, Resources, and Condition Keys for SageMaker in the IAM User Guide.
You pass the role (iam:PassRole) when making these API calls: StartEarthObservationJob, StartVectorEnrichmentJob, ExportEarthObservationJob, ExportVectorEnrichmentJob.
You attach the following trust policy to the IAM role, which grants SageMaker principal permissions to assume the role, and is the same for all of the execution roles:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "sagemaker-geospatial.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }
The permissions that you need to grant to the role may vary depending on the API that you call. The following sections explain these permissions.
Instead of managing permissions by crafting a permission policy, you can use
the AWS managed AmazonSageMakerFullAccess permission policy. The
permissions in this policy are fairly broad, to allow for any actions you might
want to perform in SageMaker. For a listing of the policy including information about
the reasons for adding many of the permissions, see AWS managed policy: AmazonSageMakerFullAccess. If you
prefer to create custom policies and manage permissions to scope the permissions
only to the actions you need to perform with the execution role, see the
following topics.
If you're running into issues, see Troubleshooting Amazon SageMaker Identity and Access.
For more information about IAM roles, see IAM Roles in the IAM User Guide.
Topics
StartEarthObservationJob API: Execution
Role Permissions
For an execution role that you can pass in a StartEarthObservationJob API
request, you can attach the following minimum permission policy to the role:
{ { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:PutObject", "s3:GetObject", "s3:ListBucketMultipartUploads" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] }, { "Effect": "Allow", "Action": "sagemaker-geospatial:GetEarthObservationJob", "Resource": "arn:aws:sagemaker-geospatial:*:*:earth-observation-job/*" } ] } }
If your input Amazon S3 bucket is encrypted using server-side encryption with an AWS KMS managed key (SSE-KMS), see Using Amazon S3 Bucket Keys for more information.
StartVectorEnrichmentJob API: Execution
Role Permissions
For an execution role that you can pass in a StartVectorEnrichmentJob API
request, you can attach the following minimum permission policy to the role:
{ { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:PutObject", "s3:GetObject", "s3:ListBucketMultipartUploads" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] }, { "Effect": "Allow", "Action": "sagemaker-geospatial:GetVectorEnrichmentJob", "Resource": "arn:aws:sagemaker-geospatial:*:*:vector-enrichment-job/*" } ] } }
If your input Amazon S3 bucket is encrypted using server-side encryption with an AWS KMS managed key (SSE-KMS), see Using Amazon S3 Bucket Keys for more information.
ExportEarthObservationJob API: Execution
Role Permissions
For an execution role that you can pass in a ExportEarthObservationJob API
request, you can attach the following minimum permission policy to the role:
{ { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:PutObject", "s3:GetObject", "s3:ListBucketMultipartUploads" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] }, { "Effect": "Allow", "Action": "sagemaker-geospatial:GetEarthObservationJob", "Resource": "arn:aws:sagemaker-geospatial:*:*:earth-observation-job/*" } ] } }
If your input Amazon S3 bucket is encrypted using server-side encryption with an AWS KMS managed key (SSE-KMS), see Using Amazon S3 Bucket Keys for more information.
ExportVectorEnrichmentJob API: Execution
Role Permissions
For an execution role that you can pass in a ExportVectorEnrichmentJob API
request, you can attach the following minimum permission policy to the role:
{ { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:PutObject", "s3:GetObject", "s3:ListBucketMultipartUploads" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] }, { "Effect": "Allow", "Action": "sagemaker-geospatial:GetVectorEnrichmentJob", "Resource": "arn:aws:sagemaker-geospatial:*:*:vector-enrichment-job/*" } ] } }
If your input Amazon S3 bucket is encrypted using server-side encryption with an AWS KMS managed key (SSE-KMS), see Using Amazon S3 Bucket Keys for more information.
