Set up policies and permissions for Studio
You will need to install the proper policies and permissions before you schedule your first notebook run. This page provides instructions on setting up the following:
- Job execution role trust relationships
- Additional IAM permissions attached to the job execution role
- (optional) The AWS KMS permission policy to use a custom KMS key
Important
If your AWS account belongs to an organization with service control policies (SCPs) in place, your effective permissions are the logical intersection between what is allowed by the SCPs and what is allowed by your IAM role and user policies. For example, if your organization’s SCP specifies that you can only access resources in us-east-1 and us-west-1, and your policies only allow you to access resources in us-west-1 and us-west-2, then ultimately you can only access resources in us-west-1. If you want to exercise all the permissions allowed in your role and user policies, your organization’s SCPs should grant the same set of permissions as your own IAM user and role policies. For details about how to determine your allowed requests, see Determining whether a request is allowed or denied within an account.
Trust relationships
To modify the trust relationships, complete the following steps:
1. Open the IAM console.
2. Select Roles in the left panel.
3. Find the job execution role for your notebook job and choose the role name.
4. Choose the Trust relationships tab.
5. Choose Edit trust policy.
6. Copy and paste the following policy:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "sagemaker.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       },
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "events.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }

7. Choose Update Policy.
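The same trust policy can be generated, audited and applied from code rather than pasted into the console. The following is an added example, not code from the AWS documentation: it builds the two-statement trust policy shown above, audits an existing trust policy for principals or actions beyond the two service principals the page lists, and (optionally) applies it with the IAM UpdateAssumeRolePolicy API via boto3. The role name "NotebookJobExecutionRole" is a placeholder, and boto3 is imported only inside the apply function so the audit runs offline.

```python
"""Build, audit and optionally apply the notebook-job trust policy.

Added example, not AWS documentation code. The role name used at the bottom
is a placeholder; boto3 is imported lazily so the audit works without it.
"""
import json

# Service principals that the page says must be able to assume the job execution role
TRUSTED_SERVICES = ("sagemaker.amazonaws.com", "events.amazonaws.com")


def build_trust_policy(services=TRUSTED_SERVICES):
    """Return the trust policy document as a dict, one Allow statement per service."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": svc},
                "Action": "sts:AssumeRole",
            }
            for svc in services
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, allowed_services=TRUSTED_SERVICES):
    """Return a list of findings; an empty list means only the expected services can assume the role.

    Flags wildcard principals, IAM (account/user/role) principals, service
    principals outside the allow-list, and actions other than sts:AssumeRole.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow who may assume the role
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal can assume the role")
            continue
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: unrecognised principal {principal!r}")
            continue
        for svc in _as_list(principal.get("Service", [])):
            if svc not in allowed_services:
                findings.append(f"statement {i}: unexpected service principal {svc}")
        for arn in _as_list(principal.get("AWS", [])):
            findings.append(f"statement {i}: IAM principal {arn} can assume the role")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != "sts:assumerole":
                findings.append(f"statement {i}: unexpected action {action}")
    return findings


def apply_trust_policy(role_name, policy):
    """Replace the role's trust policy using IAM UpdateAssumeRolePolicy (needs credentials)."""
    import boto3  # imported here so the offline functions above do not require boto3

    iam = boto3.client("iam")
    iam.update_assume_role_policy(RoleName=role_name, PolicyDocument=json.dumps(policy))


if __name__ == "__main__":
    policy = build_trust_policy()
    print(json.dumps(policy, indent=2))
    # Constructed over-broad variant: the page's policy plus an anonymous principal
    broad = build_trust_policy()
    broad["Statement"].append({"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"})
    print(audit_trust_policy(policy))  # [] : matches the page's trust policy
    print(audit_trust_policy(broad))   # one wildcard-principal finding
    # apply_trust_policy("NotebookJobExecutionRole", policy)  # placeholder role name
```

Run the audit against the document returned by GetRole (the AssumeRolePolicyDocument field) before and after editing, so that a role that has accumulated extra principals over time is noticed rather than silently extended.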
Additional IAM permissions
You might need to include additional IAM permissions in the following situations:
- Your Studio execution and notebook job roles differ
- You need to access Amazon S3 resources through an S3 VPC endpoint
- You want to use a custom KMS key to encrypt your input and output Amazon S3 buckets
The following discussion provides the policies you need for each case.
Permissions needed if your Studio execution and notebook job roles differ
The following JSON snippet is an example policy that you should add to the Studio execution and notebook job roles if you don’t use the Studio execution role as the notebook job role. Review and modify this policy if you need to further restrict privileges.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::*:role/*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": [
            "sagemaker.amazonaws.com",
            "events.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:TagResource",
        "events:DeleteRule",
        "events:PutTargets",
        "events:DescribeRule",
        "events:PutRule",
        "events:RemoveTargets",
        "events:DisableRule",
        "events:EnableRule"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/sagemaker:is-scheduling-notebook-job": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketVersioning",
        "s3:PutEncryptionConfiguration"
      ],
      "Resource": "arn:aws:s3:::sagemaker-automated-execution-*"
    },
    {
      "Sid": "S3DriverAccess",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::sagemakerheadlessexecution-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:user-profile/*",
        "arn:aws:sagemaker:*:*:space/*",
        "arn:aws:sagemaker:*:*:training-job/*",
        "arn:aws:sagemaker:*:*:pipeline/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:AddTags"
      ],
      "Resource": [
        "arn:aws:sagemaker:*:*:training-job/*",
        "arn:aws:sagemaker:*:*:pipeline/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:CreateVpcEndpoint",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetAuthorizationToken",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetEncryptionConfiguration",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetObject",
        "sagemaker:DescribeApp",
        "sagemaker:DescribeDomain",
        "sagemaker:DescribeUserProfile",
        "sagemaker:DescribeSpace",
        "sagemaker:DescribeStudioLifecycleConfig",
        "sagemaker:DescribeImageVersion",
        "sagemaker:DescribeAppImageConfig",
        "sagemaker:CreateTrainingJob",
        "sagemaker:DescribeTrainingJob",
        "sagemaker:StopTrainingJob",
        "sagemaker:Search",
        "sagemaker:CreatePipeline",
        "sagemaker:DescribePipeline",
        "sagemaker:DeletePipeline",
        "sagemaker:StartPipelineExecution"
      ],
      "Resource": "*"
    }
  ]
}
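Two statements in the policy above carry the conditions that keep it narrow: iam:PassRole is limited by iam:PassedToService to SageMaker and EventBridge, and the EventBridge actions on Resource "*" are limited by the aws:ResourceTag/sagemaker:is-scheduling-notebook-job tag. When the policy is reviewed and modified, those conditions are easy to drop by accident. The following is an added example, not code from the AWS documentation: a small linter that checks exactly those two properties (plus bare wildcard actions) over a policy document. The sample policies are constructed, with Sids that the page's policy does not have; it is a targeted check, not a general IAM policy evaluator.

```python
"""Least-privilege checks for the notebook-job additional-permissions policy.

Added example, not AWS documentation code. It checks two properties the page's
policy relies on and flags bare wildcard actions; it is not a full evaluator.
"""


def _as_list(value):
    """IAM fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_keys(stmt):
    """Return the lower-cased condition keys used anywhere in a statement."""
    keys = set()
    for operator_block in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def lint_policy(policy):
    """Return a list of findings; an empty list means the expected scoping is present."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement {i}")
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        keys = _condition_keys(stmt)

        # 1. PassRole must be limited to the services that run the notebook job
        if any(a in ("iam:passrole", "iam:*", "*") for a in actions):
            if "iam:passedtoservice" not in keys:
                findings.append(f"{sid}: iam:PassRole is not limited by iam:PassedToService")

        # 2. EventBridge actions on every rule must be limited to notebook-job rules by tag
        if any(a.startswith("events:") for a in actions) and "*" in resources:
            if "aws:resourcetag/sagemaker:is-scheduling-notebook-job" not in keys:
                findings.append(f"{sid}: events actions on '*' without the notebook-job tag condition")

        # 3. Bare wildcard actions are never what this policy needs
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action in {actions}")
    return findings


# Constructed sample: the two scoped statements, shaped like the page's policy
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PassRoleToServices",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": ["sagemaker.amazonaws.com", "events.amazonaws.com"]
                }
            },
        },
        {
            "Sid": "EventBridgeRules",
            "Effect": "Allow",
            "Action": ["events:PutRule", "events:PutTargets", "events:DeleteRule"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:ResourceTag/sagemaker:is-scheduling-notebook-job": "true"}
            },
        },
    ],
}

# Constructed variant with both Condition blocks dropped, as a careless edit would leave it
UNSCOPED = {
    "Version": "2012-10-17",
    "Statement": [{k: v for k, v in s.items() if k != "Condition"} for s in SCOPED["Statement"]],
}

if __name__ == "__main__":
    print(lint_policy(SCOPED))    # []
    print(lint_policy(UNSCOPED))  # two findings, one per dropped condition
```

Running the linter over the document returned by GetPolicyVersion (or over the JSON file kept in version control) turns the "review and modify this policy" step into a repeatable check rather than a one-time read.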
Permissions needed to access Amazon S3 resources through an S3 VPC endpoint
If you run SageMaker Studio in private VPC mode and access S3 through the S3 VPC endpoint, you can add permissions to the VPC endpoint policy to control which S3 resources are accessible through the VPC endpoint. Add the following permissions to your VPC endpoint policy. You can modify the policy if you need to further restrict permissions; for example, you can provide a narrower specification for the Principal field.

{
  "Sid": "S3DriverAccess",
  "Effect": "Allow",
  "Principal": "*",
  "Action": [
    "s3:GetBucketLocation",
    "s3:GetObject",
    "s3:ListBucket"
  ],
  "Resource": "arn:aws:s3:::sagemakerheadlessexecution-*"
}
For details about how to set up an S3 VPC endpoint policy, see Edit the VPC endpoint policy.
Permissions needed to use a custom KMS key (optional)
By default, the input and output Amazon S3 buckets are encrypted using server-side encryption, but you can specify a custom KMS key to encrypt your data in the output Amazon S3 bucket and the storage volume attached to the notebook job.
If you want to use a custom KMS key, attach the following policy and supply your own KMS key ARN in place of your_KMS_key_ARN.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey",
        "kms:CreateGrant"
      ],
      "Resource": "your_KMS_key_ARN"
    }
  ]
}
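The placeholder in that policy has to be replaced with one key ARN; leaving it in place produces a policy that matches nothing, and substituting "*" grants kms:CreateGrant and the data-key actions on every key the role can reach. The following is an added example, not code from the AWS documentation: it renders the policy above from a key ARN, rejects the untouched placeholder and wildcards, and checks an existing policy for KMS actions granted on all keys. The account ID and key ID in the usage block are constructed placeholders, and the ARN pattern assumes a key ARN of the form arn:aws:kms:region:account:key/key-id.

```python
"""Render the custom-KMS-key policy from a validated key ARN and check scoping.

Added example, not AWS documentation code. The ARN pattern assumes the
arn:aws:kms:<region>:<account>:key/<key-id> form; sample IDs are constructed.
"""
import json
import re

# Actions the page lists for the custom key
KMS_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
    "kms:CreateGrant",
]

# Assumed key ARN shape: partition, region, 12-digit account, key/<uuid or mrk-... id>
KEY_ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z]+)*:kms:[a-z]{2}(?:-[a-z]+)+-\d:\d{12}:key/(?:mrk-)?[0-9a-f-]+$"
)


def kms_policy(key_arn):
    """Return the page's KMS policy with Resource set to a single validated key ARN."""
    if not KEY_ARN_RE.match(key_arn):
        # Catches the untouched placeholder, "*", aliases and malformed ARNs alike
        raise ValueError(f"not a KMS key ARN: {key_arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(KMS_ACTIONS), "Resource": key_arn}],
    }


def _as_list(value):
    """IAM fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def kms_actions_on_all_keys(policy):
    """Return the KMS actions that any Allow statement grants on every key (Resource '*')."""
    broad = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        broad.extend(a for a in _as_list(stmt.get("Action", [])) if a.lower().startswith("kms:"))
    return broad


if __name__ == "__main__":
    # Constructed sample key ARN (placeholder account and key ID)
    sample_arn = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    print(json.dumps(kms_policy(sample_arn), indent=2))
    for bad in ("your_KMS_key_ARN", "*"):
        try:
            kms_policy(bad)
        except ValueError as err:
            print(err)
    # Constructed over-broad variant: the same actions on every key
    wide = kms_policy(sample_arn)
    wide["Statement"][0]["Resource"] = "*"
    print(kms_actions_on_all_keys(wide))  # all six kms: actions
```

The key policy on the KMS key itself must also allow the job execution role the same actions; this script only validates the IAM side described on this page.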