AWS Managed Policies for Model Registry - Amazon SageMaker

AWS Managed Policies for Model Registry

These AWS managed policies adds permissions required to use Model Registry. The policies are available in your AWS account and are used by execution roles created from the Amazon SageMaker console.

AWS managed policy: AmazonSageMakerModelRegistryFullAccess

This AWS managed policy grants permissions needed to use all Model Registry features inside an Amazon SageMaker domain. This policy is attached to an execution role when configuring Model Registry settings to enable Model Registry permissions.

This policy includes the following permissions.

  • ecr – Allows principals to retrieve information, including metadata, about Amazon Elastic Container Registry (Amazon ECR) images.

  • iam – Allows principals to pass the execution role to the Amazon SageMaker service.

  • resource-groups – Allows principals to create, list, tag, and delete AWS Resource Groups.

  • s3 – Allows principals to retrieve objects from the Amazon Simple Storage Service (Amazon S3) buckets where model versions are stored. Retrievable objects are limited to those whose case-insensitive name contains the string "sagemaker".

  • sagemaker – Allows principals to catalog, manage, and deploy models using the SageMaker model registry.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sagemaker:DescribeAction", "sagemaker:DescribeInferenceRecommendationsJob", "sagemaker:DescribeModelPackage", "sagemaker:DescribeModelPackageGroup", "sagemaker:DescribePipeline", "sagemaker:DescribePipelineExecution", "sagemaker:ListAssociations", "sagemaker:ListArtifacts", "sagemaker:ListModelMetadata", "sagemaker:ListModelPackages", "sagemaker:Search", "sagemaker:GetSearchSuggestions" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sagemaker:AddTags", "sagemaker:CreateModel", "sagemaker:CreateModelPackage", "sagemaker:CreateModelPackageGroup", "sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig", "sagemaker:CreateInferenceRecommendationsJob", "sagemaker:DeleteModelPackage", "sagemaker:DeleteModelPackageGroup", "sagemaker:DeleteTags", "sagemaker:UpdateModelPackage" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*" ] }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ecr:BatchGetImage", "ecr:DescribeImages" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": "sagemaker.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "tag:GetResources" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "resource-groups:GetGroupQuery" ], "Resource": "arn:aws:resource-groups:*:*:group/*" }, { "Effect": "Allow", "Action": [ "resource-groups:ListGroupResources" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "resource-groups:CreateGroup", "resource-groups:Tag" ], "Resource": "arn:aws:resource-groups:*:*:group/*", "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": "sagemaker:collection" } } }, { "Effect": "Allow", "Action": "resource-groups:DeleteGroup", "Resource": "arn:aws:resource-groups:*:*:group/*", "Condition": { "StringEquals": { "aws:ResourceTag/sagemaker:collection": "true" } } } ] }

Amazon SageMaker updates to Model Registry managed policies

View details about updates to AWS managed policies for Model Registry since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the SageMaker Document history page.

Policy Version Change Date

AmazonSageMakerModelRegistryFullAccess - New policy

1

Initial policy

April 12, 2023