StartEarthObservationJob API: Execution role permissions - Amazon SageMaker

StartEarthObservationJob API: Execution role permissions

For an execution role that you can pass in a StartEarthObservationJob API request, you can attach the following minimum permissions policy to the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ]
        },
        {
        "Effect": "Allow",
        "Action": "sagemaker-geospatial:GetEarthObservationJob",
        "Resource":  "arn:aws:sagemaker-geospatial:*:*:earth-observation-job/*"
        },
        {
        "Effect": "Allow",
        "Action": "sagemaker-geospatial:GetRasterDataCollection",
        "Resource": "arn:aws:sagemaker-geospatial:*:*:raster-data-collection/*"
        }
    ]
    }

If your input Amazon S3 bucket is encrypted using server-side encryption with an AWS KMS managed key (SSE-KMS), see Using Amazon S3 Bucket Keys for more information.