Actions, resources, and condition keys for Amazon SageMaker - Service Authorization Reference

Actions, resources, and condition keys for Amazon SageMaker

Amazon SageMaker (service prefix: sagemaker) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon SageMaker

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.
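The rule above can be checked mechanically before a policy is deployed. The following is an added example, not part of the AWS reference: a small linter that reads a handful of rows copied from the actions table on this page and reports statements that no listed action can match. The function names, the sample policy, the account ID and the VPC endpoint ID are constructed for illustration, and the ARN layout `arn:aws:sagemaker:<region>:<account>:<resource-type>/<name>` is assumed.

```python
import re

# Rows copied from the actions table on this page (a subset):
# action -> (resource types, sagemaker: condition keys listed for it)
TABLE = {
    "CreateTrainingJob": ({"training-job"}, {
        "sagemaker:FileSystemAccessMode", "sagemaker:FileSystemDirectoryPath",
        "sagemaker:FileSystemId", "sagemaker:FileSystemType",
        "sagemaker:InstanceTypes", "sagemaker:InterContainerTrafficEncryption",
        "sagemaker:MaxRuntimeInSeconds", "sagemaker:NetworkIsolation",
        "sagemaker:OutputKmsKey", "sagemaker:VolumeKmsKey",
        "sagemaker:VpcSecurityGroupIds", "sagemaker:VpcSubnets"}),
    "ListTrainingJobs": (set(), set()),          # no resource type: needs "*"
    "InvokeEndpoint": ({"endpoint"}, {"sagemaker:TargetModel"}),
    "CreatePresignedDomainUrl": ({"user-profile"}, set()),
}
# IAM matches action names and condition keys case-insensitively.
_ROWS = {name.lower(): (name, types, {k.lower() for k in keys})
         for name, (types, keys) in TABLE.items()}
# Assumed ARN layout: arn:<partition>:sagemaker:<region>:<account>:<type>/<name>
_ARN_TYPE = re.compile(r"^arn:[^:]*:sagemaker:[^:]*:[^:]*:([a-z-]+)/")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _resource_type(resource):
    """Return the resource type named in an ARN, or None if it cannot be told."""
    match = _ARN_TYPE.match(resource)
    return match.group(1) if match else None


def lint_statement(stmt):
    """Return (action, code, detail) findings for one policy statement."""
    findings = []
    resources = _as_list(stmt.get("Resource", []))
    cond_keys = {key for block in stmt.get("Condition", {}).values()
                 for key in block}
    for action in _as_list(stmt.get("Action", [])):
        prefix, _, name = action.partition(":")
        row = _ROWS.get(name.lower()) if prefix.lower() == "sagemaker" else None
        if row is None:
            continue  # wildcard, or an action outside the subset above
        canonical, types, listed = row
        if not types:
            # Empty "Resource types" column: only Resource "*" applies.
            if "*" not in resources:
                findings.append((canonical, "resource-must-be-star",
                                 ", ".join(resources)))
        elif not any(r == "*" or _resource_type(r) in types | {None}
                     for r in resources):
            # Every ARN in the statement names a type the action does not take.
            findings.append((canonical, "no-matching-resource-type",
                             ", ".join(resources)))
        for key in sorted(cond_keys):
            # Only service keys are checked; global aws: keys are not judged here.
            if key.lower().startswith("sagemaker:") and key.lower() not in listed:
                findings.append((canonical, "condition-key-not-listed", key))
    return findings


def lint_policy(policy):
    return [f for stmt in _as_list_of_statements(policy) for f in lint_statement(stmt)]


def _as_list_of_statements(policy):
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


# Constructed sample policy (account ID and endpoint ID are placeholders).
_BASE = "arn:aws:sagemaker:us-east-1:111122223333:"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["sagemaker:CreateTrainingJob", "sagemaker:ListTrainingJobs"],
     "Resource": _BASE + "training-job/*",
     "Condition": {"Bool": {"sagemaker:NetworkIsolation": "true"}}},
    {"Effect": "Allow", "Action": "sagemaker:InvokeEndpoint",
     "Resource": _BASE + "model/*"},
    {"Effect": "Allow", "Action": "sagemaker:CreatePresignedDomainUrl",
     "Resource": _BASE + "user-profile/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
]}

if __name__ == "__main__":
    for action, code, detail in lint_policy(SAMPLE_POLICY):
        print(f"{action}: {code} ({detail})")
```

In the sample, `ListTrainingJobs` is reported twice (it needs `"*"` and does not list `sagemaker:NetworkIsolation`), and `InvokeEndpoint` is reported because a `model` ARN is not one of its resource types.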

For details about the columns in the following table, see The actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AddAssociation Grants permission to associate lineage entities (artifact, context, action, experiment, experiment-trial-component) with each other Write

action*

artifact*

context*

experiment*

experiment-trial-component*

AddTags Grants permission to add or overwrite one or more tags for the specified Amazon SageMaker resource Tagging

action

algorithm

app

app-image-config

artifact

automl-job

code-repository

context

data-quality-job-definition

device

device-fleet

domain

edge-packaging-job

endpoint

endpoint-config

experiment

experiment-trial

experiment-trial-component

feature-group

flow-definition

human-task-ui

hyper-parameter-tuning-job

image

inference-recommendations-job

labeling-job

model

model-bias-job-definition

model-explainability-job-definition

model-package

model-package-group

model-quality-job-definition

monitoring-schedule

notebook-instance

pipeline

processing-job

project

training-job

transform-job

user-profile

workteam

aws:RequestTag/${TagKey}

aws:TagKeys

AssociateTrialComponent Grants permission to associate a trial component with a trial Write

experiment-trial*

experiment-trial-component*

BatchDescribeModelPackage Grants permission to describe one or more ModelPackages Read

model-package*

BatchGetMetrics [permission only] Grants permission to retrieve metrics associated with SageMaker Resources such as Training Jobs. This API is not publicly exposed at this point; however, admins can control this action Read

training-job*

BatchGetRecord Grants permission to get a batch of records from one or more feature groups Read

feature-group*

BatchPutMetrics [permission only] Grants permission to publish metrics associated with a SageMaker Resource such as a Training Job. This API is not publicly exposed at this point; however, admins can control this action Write

training-job*

CreateAction Grants permission to create an action Write

action*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateAlgorithm Grants permission to create an algorithm Write

algorithm*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateApp Grants permission to create an App for a SageMaker Studio UserProfile Write

app*

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:ImageArns

sagemaker:ImageVersionArns

CreateAppImageConfig Grants permission to create an AppImageConfig Write

app-image-config*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateArtifact Grants permission to create an artifact Write

artifact*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateAutoMLJob Grants permission to create an AutoML job Write

automl-job*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InterContainerTrafficEncryption

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateCodeRepository Grants permission to create a CodeRepository Write

code-repository*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateCompilationJob Grants permission to create a compilation job Write

compilation-job*

iam:PassRole

CreateContext Grants permission to create a context Write

context*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDataQualityJobDefinition Grants permission to create a data quality job definition Write

data-quality-job-definition*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateDeviceFleet Grants permission to create a device fleet Write

device-fleet*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDomain Grants permission to create a Domain for SageMaker Studio Write

domain*

iam:CreateServiceLinkedRole

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:AppNetworkAccessType

sagemaker:InstanceTypes

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

sagemaker:DomainSharingOutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:ImageArns

sagemaker:ImageVersionArns

CreateEdgePackagingJob Grants permission to create an edge packaging job Write

edge-packaging-job*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

CreateEndpoint Grants permission to create an endpoint using the endpoint configuration specified in the request Write

endpoint*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateEndpointConfig Grants permission to create an endpoint configuration that can be deployed using Amazon SageMaker hosting services Write

endpoint-config*

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:AcceleratorTypes

sagemaker:InstanceTypes

sagemaker:ModelArn

sagemaker:VolumeKmsKey

CreateExperiment Grants permission to create an experiment Write

experiment*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateFeatureGroup Grants permission to create a feature group Write

feature-group*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:FeatureGroupOnlineStoreKmsKey

sagemaker:FeatureGroupOfflineStoreKmsKey

sagemaker:FeatureGroupOfflineStoreS3Uri

CreateFlowDefinition Grants permission to create a flow definition, which defines settings for a human workflow Write

flow-definition*

iam:PassRole

sagemaker:WorkteamArn

sagemaker:WorkteamType

aws:RequestTag/${TagKey}

aws:TagKeys

CreateHumanTaskUi Grants permission to define the settings you will use for the human review workflow user interface Write

human-task-ui*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateHyperParameterTuningJob Grants permission to create a hyper parameter tuning job that can be deployed using Amazon SageMaker Write

hyper-parameter-tuning-job*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:FileSystemAccessMode

sagemaker:FileSystemDirectoryPath

sagemaker:FileSystemId

sagemaker:FileSystemType

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateImage Grants permission to create a SageMaker Image Write

image*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

CreateImageVersion Grants permission to create a SageMaker ImageVersion Write

image*

CreateInferenceRecommendationsJob Grants permission to create an inference recommendations job Write

inference-recommendations-job*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

CreateLabelingJob Grants permission to start a labeling job. A labeling job takes unlabeled data in and produces labeled data as output, which can be used for training SageMaker models Write

labeling-job*

iam:PassRole

sagemaker:WorkteamArn

sagemaker:WorkteamType

sagemaker:VolumeKmsKey

sagemaker:OutputKmsKey

aws:RequestTag/${TagKey}

aws:TagKeys

CreateLineageGroupPolicy Grants permission to create a lineage group policy Write
CreateModel Grants permission to create a model in Amazon SageMaker. In the request, you specify a name for the model and describe one or more containers Write

model*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:NetworkIsolation

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateModelBiasJobDefinition Grants permission to create a model bias job definition Write

model-bias-job-definition*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateModelExplainabilityJobDefinition Grants permission to create a model explainability job definition Write

model-explainability-job-definition*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateModelPackage Grants permission to create a ModelPackage Write

model-package

model-package-group

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:ModelApprovalStatus

CreateModelPackageGroup Grants permission to create a ModelPackageGroup Write

model-package-group*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateModelQualityJobDefinition Grants permission to create a model quality job definition Write

model-quality-job-definition*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateMonitoringSchedule Grants permission to create a monitoring schedule Write

monitoring-schedule*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateNotebookInstance Grants permission to create an Amazon SageMaker notebook instance. A notebook instance is an Amazon EC2 instance running on a Jupyter Notebook Write

notebook-instance*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:AcceleratorTypes

sagemaker:DirectInternetAccess

sagemaker:InstanceTypes

sagemaker:RootAccess

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateNotebookInstanceLifecycleConfig Grants permission to create a notebook instance lifecycle configuration that can be deployed using Amazon SageMaker Write

notebook-instance-lifecycle-config*

CreatePipeline Grants permission to create a pipeline Write

pipeline*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

CreatePresignedDomainUrl Grants permission to return a URL that you can use from your browser to connect to the Domain as a specified UserProfile when AuthMode is 'IAM' Write

user-profile*

aws:SourceIp

aws:SourceVpc

aws:SourceVpce

CreatePresignedNotebookInstanceUrl Grants permission to create a URL that you can use from your browser to connect to the Notebook Instance Write

notebook-instance*

CreateProcessingJob Grants permission to start a processing job. After processing completes, Amazon SageMaker saves the resulting artifacts and other optional output to an Amazon S3 location that you specify Write

processing-job*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

sagemaker:InterContainerTrafficEncryption

CreateProject Grants permission to create a Project Write

project*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateTrainingJob Grants permission to start a model training job. After training completes, Amazon SageMaker saves the resulting model artifacts and other optional output to an Amazon S3 location that you specify Write

training-job*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:FileSystemAccessMode

sagemaker:FileSystemDirectoryPath

sagemaker:FileSystemId

sagemaker:FileSystemType

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateTransformJob Grants permission to start a transform job. After the results are obtained, Amazon SageMaker saves them to an Amazon S3 location that you specify Write

transform-job*

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:ModelArn

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

CreateTrial Grants permission to create a trial Write

experiment-trial*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateTrialComponent Grants permission to create a trial component Write

experiment-trial-component*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateUserProfile Grants permission to create a UserProfile for a SageMaker Studio Domain Write

user-profile*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:VpcSecurityGroupIds

sagemaker:InstanceTypes

sagemaker:DomainSharingOutputKmsKey

sagemaker:ImageArns

sagemaker:ImageVersionArns

CreateWorkforce Grants permission to create a workforce Write

workforce*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateWorkteam Grants permission to create a workteam Write

workteam*

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteAction Grants permission to delete an action Write

action*

DeleteAlgorithm Grants permission to delete an algorithm Write

algorithm*

DeleteApp Grants permission to delete an App Write

app*

DeleteAppImageConfig Grants permission to delete an AppImageConfig Write

app-image-config*

DeleteArtifact Grants permission to delete an artifact Write

artifact*

DeleteAssociation Grants permission to delete the association from a lineage entity (artifact, context, action, experiment, experiment-trial-component) to another Write

action*

artifact*

context*

experiment*

experiment-trial-component*

DeleteCodeRepository Grants permission to delete a CodeRepository Write

code-repository*

DeleteContext Grants permission to delete a context Write

context*

DeleteDataQualityJobDefinition Grants permission to delete the data quality job definition created using the CreateDataQualityJobDefinition API Write

data-quality-job-definition*

DeleteDeviceFleet Grants permission to delete a device fleet Write

device-fleet*

DeleteDomain Grants permission to delete a Domain Write

domain*

DeleteEndpoint Grants permission to delete an endpoint. Amazon SageMaker frees up all the resources that were deployed when the endpoint was created Write

endpoint*

DeleteEndpointConfig Grants permission to delete the endpoint configuration created using the CreateEndpointConfig API. The DeleteEndpointConfig API deletes only the specified configuration. It does not delete any endpoints created using the configuration Write

endpoint-config*

DeleteExperiment Grants permission to delete an experiment Write

experiment*

DeleteFeatureGroup Grants permission to delete a feature group Write

feature-group*

aws:RequestTag/${TagKey}

DeleteFlowDefinition Grants permission to delete the specified flow definition Write

flow-definition*

DeleteHumanLoop Grants permission to delete a specified human loop Write

human-loop*

DeleteHumanTaskUi Grants permission to delete the specified human task user interface (worker task template) Write

human-task-ui*

DeleteImage Grants permission to delete a SageMaker Image Write

image*

DeleteImageVersion Grants permission to delete a SageMaker ImageVersion Write

image-version*

DeleteLineageGroupPolicy Grants permission to delete a lineage group policy Write
DeleteModel Grants permission to delete a model created using the CreateModel API. The DeleteModel API deletes only the model entry in Amazon SageMaker that you created by calling the CreateModel API. It does not delete model artifacts, inference code, or the IAM role that you specified when creating the model Write

model*

DeleteModelBiasJobDefinition Grants permission to delete the model bias job definition created using the CreateModelBiasJobDefinition API Write

model-bias-job-definition*

DeleteModelExplainabilityJobDefinition Grants permission to delete the model explainability job definition created using the CreateModelExplainabilityJobDefinition API Write

model-explainability-job-definition*

DeleteModelPackage Grants permission to delete a ModelPackage Write

model-package*

DeleteModelPackageGroup Grants permission to delete a ModelPackageGroup Write

model-package-group*

DeleteModelPackageGroupPolicy Grants permission to delete a ModelPackageGroup policy Write

model-package-group*

DeleteModelQualityJobDefinition Grants permission to delete the model quality job definition created using the CreateModelQualityJobDefinition API Write

model-quality-job-definition*

DeleteMonitoringSchedule Grants permission to delete a monitoring schedule Write

monitoring-schedule*

DeleteNotebookInstance Grants permission to delete an Amazon SageMaker notebook instance. Before you can delete a notebook instance, you must call the StopNotebookInstance API Write

notebook-instance*

DeleteNotebookInstanceLifecycleConfig Grants permission to delete a notebook instance lifecycle configuration Write

notebook-instance-lifecycle-config*

DeletePipeline Grants permission to delete a pipeline Write

pipeline*

DeleteProject Grants permission to delete a project Write

project*

DeleteRecord Grants permission to delete a record from a feature group Write

feature-group*

DeleteTags Grants permission to delete the specified set of tags from an Amazon SageMaker resource Tagging

action

algorithm

app

app-image-config

artifact

automl-job

code-repository

compilation-job

context

data-quality-job-definition

device

device-fleet

domain

edge-packaging-job

endpoint

endpoint-config

experiment

experiment-trial

experiment-trial-component

feature-group

flow-definition

human-task-ui

hyper-parameter-tuning-job

image

inference-recommendations-job

labeling-job

model

model-bias-job-definition

model-explainability-job-definition

model-package

model-package-group

model-quality-job-definition

monitoring-schedule

notebook-instance

pipeline

processing-job

project

training-job

transform-job

user-profile

workteam

aws:TagKeys

DeleteTrial Grants permission to delete a trial Write

experiment-trial*

DeleteTrialComponent Grants permission to delete a trial component Write

experiment-trial-component*

DeleteUserProfile Grants permission to delete a UserProfile Write

user-profile*

DeleteWorkforce Grants permission to delete a workforce Write

workforce*

DeleteWorkteam Grants permission to delete a workteam Write

workteam*

DeregisterDevices Grants permission to deregister a set of devices Write

device*

DescribeAction Grants permission to get information about an action Read

action*

DescribeAlgorithm Grants permission to describe an algorithm Read

algorithm*

DescribeApp Grants permission to describe an App Read

app*

DescribeAppImageConfig Grants permission to describe an AppImageConfig Read

app-image-config*

DescribeArtifact Grants permission to get information about an artifact Read

artifact*

DescribeAutoMLJob Grants permission to describe an AutoML job that was created via the CreateAutoMLJob API Read

automl-job*

DescribeCodeRepository Grants permission to describe a CodeRepository Read

code-repository*

DescribeCompilationJob Grants permission to return information about a compilation job Read

compilation-job*

DescribeContext Grants permission to get information about a context Read

context*

DescribeDataQualityJobDefinition Grants permission to return information about a data quality job definition Read

data-quality-job-definition*

DescribeDevice Grants permission to access information about a device Read

device*

DescribeDeviceFleet Grants permission to access information about a device fleet Read

device-fleet*

DescribeDomain Grants permission to describe a Domain Read

domain*

DescribeEdgePackagingJob Grants permission to access information about an edge packaging job Read

edge-packaging-job*

DescribeEndpoint Grants permission to return the description of an endpoint Read

endpoint*

DescribeEndpointConfig Grants permission to return the description of an endpoint configuration, which was created using the CreateEndpointConfig API Read

endpoint-config*

DescribeExperiment Grants permission to return information about an experiment Read

experiment*

DescribeFeatureGroup Grants permission to return information about a feature group Read

feature-group*

DescribeFlowDefinition Grants permission to return information about the specified flow definition Read

flow-definition*

DescribeHumanLoop Grants permission to return information about the specified human loop Read

human-loop*

DescribeHumanTaskUi Grants permission to return detailed information about the specified human review workflow user interface Read

human-task-ui*

DescribeHyperParameterTuningJob Grants permission to describe a hyper parameter tuning job that was created via the CreateHyperParameterTuningJob API Read

hyper-parameter-tuning-job*

DescribeImage Grants permission to return information about a SageMaker Image Read

image*

DescribeImageVersion Grants permission to return information about a SageMaker ImageVersion Read

image-version*

DescribeInferenceRecommendationsJob Grants permission to get information about an inference recommendations job Read

inference-recommendations-job*

DescribeLabelingJob Grants permission to return information about a labeling job Read

labeling-job*

DescribeLineageGroup Grants permission to describe a lineage group Read
DescribeModel Grants permission to describe a model that you created using the CreateModel API Read

model*

DescribeModelBiasJobDefinition Grants permission to return information about a model bias job definition Read

model-bias-job-definition*

DescribeModelExplainabilityJobDefinition Grants permission to return information about a model explainability job definition Read

model-explainability-job-definition*

DescribeModelPackage Grants permission to describe a ModelPackage Read

model-package*

DescribeModelPackageGroup Grants permission to describe a ModelPackageGroup Read

model-package-group*

DescribeModelQualityJobDefinition Grants permission to return information about a model quality job definition Read

model-quality-job-definition*

DescribeMonitoringSchedule Grants permission to return information about a monitoring schedule Read

monitoring-schedule*

DescribeNotebookInstance Grants permission to return information about a notebook instance Read

notebook-instance*

DescribeNotebookInstanceLifecycleConfig Grants permission to describe a notebook instance lifecycle configuration that was created via the CreateNotebookInstanceLifecycleConfig API Read

notebook-instance-lifecycle-config*

DescribePipeline Grants permission to get information about a pipeline Read

pipeline*

DescribePipelineDefinitionForExecution Grants permission to get the pipeline definition for a pipeline execution Read

pipeline-execution*

DescribePipelineExecution Grants permission to get information about a pipeline execution Read

pipeline-execution*

DescribeProcessingJob Grants permission to return information about a processing job Read

processing-job*

DescribeProject Grants permission to describe a project Read

project*

DescribeSubscribedWorkteam Grants permission to return information about a subscribed workteam Read

workteam*

DescribeTrainingJob Grants permission to return information about a training job Read

training-job*

DescribeTransformJob Grants permission to return information about a transform job Read

transform-job*

DescribeTrial Grants permission to return information about a trial Read

experiment-trial*

DescribeTrialComponent Grants permission to return information about a trial component Read

experiment-trial-component*

DescribeUserProfile Grants permission to describe a UserProfile Read

user-profile*

DescribeWorkforce Grants permission to return information about a workforce Read

workforce*

DescribeWorkteam Grants permission to return information about a workteam Read

workteam*

DisableSagemakerServicecatalogPortfolio Grants permission to disable a SageMaker Service Catalog Portfolio Write
DisassociateTrialComponent Grants permission to disassociate a trial component from a trial Write

experiment-trial*

experiment-trial-component*

processing-job*

EnableSagemakerServicecatalogPortfolio Grants permission to enable a SageMaker Service Catalog Portfolio Write
GetDeviceFleetReport Grants permission to access a summary of the devices in a device fleet Read

device-fleet*

GetDeviceRegistration Grants permission to get device registration. After you deploy a model onto edge devices, this API is used to get current device registration Read

device*

GetLineageGroupPolicy Grants permission to retrieve a lineage group policy Read
GetModelPackageGroupPolicy Grants permission to get a ModelPackageGroup policy Read

model-package-group*

GetRecord Grants permission to get a record from a feature group Read

feature-group*

GetSagemakerServicecatalogPortfolioStatus Grants permission to get a SageMaker Service Catalog Portfolio Read
GetSearchSuggestions Grants permission to get search suggestions when provided with a keyword Read
InvokeEndpoint Grants permission to invoke an endpoint. After you deploy a model into production using Amazon SageMaker hosting services, your client applications use this API to get inferences from the model hosted at the specified endpoint Read

endpoint*

sagemaker:TargetModel

InvokeEndpointAsync Grants permission to get inferences from the hosted model at the specified endpoint in an asynchronous manner Read

endpoint*

ListActions Grants permission to list actions List
ListAlgorithms Grants permission to list Algorithms List
ListAppImageConfigs Grants permission to list the AppImageConfigs in your account List
ListApps Grants permission to list the Apps in your account List
ListArtifacts Grants permission to list artifacts List
ListAssociations Grants permission to list associations List
ListAutoMLJobs Grants permission to list AutoML jobs List
ListCandidatesForAutoMLJob Grants permission to list candidates for an AutoML job List
ListCodeRepositories Grants permission to list code repositories List
ListCompilationJobs Grants permission to list compilation jobs List
ListContexts Grants permission to list contexts List
ListDataQualityJobDefinitions Grants permission to list data quality job definitions List
ListDeviceFleets Grants permission to list device fleets List
ListDevices Grants permission to list devices List
ListDomains Grants permission to list the Domains in your account List
ListEdgePackagingJobs Grants permission to list edge packaging jobs List
ListEndpointConfigs Grants permission to list endpoint configurations List
ListEndpoints Grants permission to list endpoints List
ListExperiments Grants permission to list experiments List
ListFeatureGroups Grants permission to list feature groups List
ListFlowDefinitions Grants permission to return summary information about flow definitions, given the specified parameters List
ListHumanLoops Grants permission to return summary information about human loops, given the specified parameters List
ListHumanTaskUis Grants permission to return summary information about human review workflow user interfaces, given the specified parameters List
ListHyperParameterTuningJobs Grants permission to list hyper parameter tuning jobs List
ListImageVersions Grants permission to list ImageVersions that belong to a SageMaker Image List

image*

ListImages Grants permission to list SageMaker Images in your account List
ListInferenceRecommendationsJobs Grants permission to list inference recommendations jobs List
ListLabelingJobs Grants permission to list labeling jobs List
ListLabelingJobsForWorkteam Grants permission to list labeling jobs for workteam List

workteam*

ListLineageGroups Grants permission to list lineage groups List
ListModelBiasJobDefinitions Grants permission to list model bias job definitions List
ListModelExplainabilityJobDefinitions Grants permission to list model explainability job definitions List
ListModelMetadata Grants permission to list model metadata for inference recommendations jobs List
ListModelPackageGroups Grants permission to list ModelPackageGroups List
ListModelPackages Grants permission to list ModelPackages List

model-package-group

ListModelQualityJobDefinitions Grants permission to list model quality job definitions List
ListModels Grants permission to list the models created with the CreateModel API List
ListMonitoringExecutions Grants permission to list monitoring executions List
ListMonitoringSchedules Grants permission to list monitoring schedules List
ListNotebookInstanceLifecycleConfigs Grants permission to list the notebook instance lifecycle configurations that can be deployed using Amazon SageMaker List
ListNotebookInstances Grants permission to list the Amazon SageMaker notebook instances in the requester's account in an AWS Region List
ListPipelineExecutionSteps Grants permission to list steps for a pipeline execution List

pipeline-execution*

ListPipelineExecutions Grants permission to list executions for a pipeline List

pipeline*

ListPipelineParametersForExecution Grants permission to list parameters for a pipeline execution List

pipeline-execution*

ListPipelines Grants permission to list pipelines List
ListProcessingJobs Grants permission to list processing jobs List
ListProjects Grants permission to list Projects List
ListSubscribedWorkteams Grants permission to list subscribed workteams List
ListTags Grants permission to list the tag set associated with the specified resource List

action

algorithm

app

app-image-config

artifact

automl-job

code-repository

context

data-quality-job-definition

device

device-fleet

domain

edge-packaging-job

endpoint

endpoint-config

experiment

experiment-trial

experiment-trial-component

feature-group

flow-definition

human-task-ui

hyper-parameter-tuning-job

image

labeling-job

model

model-bias-job-definition

model-explainability-job-definition

model-package

model-package-group

model-quality-job-definition

monitoring-schedule

notebook-instance

pipeline

project

training-job

transform-job

user-profile

workteam

ListTrainingJobs Grants permission to list training jobs List
ListTrainingJobsForHyperParameterTuningJob Grants permission to list training jobs for a hyper parameter tuning job List

hyper-parameter-tuning-job*

ListTransformJobs Grants permission to list transform jobs List
ListTrialComponents Grants permission to list trial components List
ListTrials Grants permission to list trials List
ListUserProfiles Grants permission to list the UserProfiles in your account List
ListWorkforces Grants permission to list workforces List
ListWorkteams Grants permission to list workteams List
PutLineageGroupPolicy Grants permission to put a lineage group policy Write
PutModelPackageGroupPolicy Grants permission to put a ModelPackageGroup policy Write

model-package-group*

PutRecord Grants permission to put a record to a feature group Write

feature-group*

QueryLineage Grants permission to explore the lineage graph List
RegisterDevices Grants permission to register a set of devices Write

device*

aws:RequestTag/${TagKey}

aws:TagKeys

RenderUiTemplate Grants permission to render a UI template used for a human annotation task Read

iam:PassRole

Search Grants permission to search for SageMaker objects Read
SendHeartbeat Grants permission to publish heartbeat data from devices. After you deploy a model onto edge devices, this API is used to report device status Write

device*

SendPipelineExecutionStepFailure Grants permission to fail a pending callback step Write

pipeline-execution*

SendPipelineExecutionStepSuccess Grants permission to succeed a pending callback step Write

pipeline-execution*

StartHumanLoop Grants permission to start a human loop Write

flow-definition*

StartMonitoringSchedule Grants permission to start a monitoring schedule Write

monitoring-schedule*

StartNotebookInstance Grants permission to start a notebook instance. This launches an EC2 instance with the latest version of the libraries and attaches your EBS volume Write

notebook-instance*

StartPipelineExecution Grants permission to start a pipeline execution Write

pipeline*

StopAutoMLJob Grants permission to stop a running AutoML job Write

automl-job*

StopCompilationJob Grants permission to stop a compilation job Write

compilation-job*

StopEdgePackagingJob Grants permission to stop an edge packaging job Write

edge-packaging-job*

StopHumanLoop Grants permission to stop a specified human loop Write

human-loop*

StopHyperParameterTuningJob Grants permission to stop a running hyper parameter tuning job created via CreateHyperParameterTuningJob Write

hyper-parameter-tuning-job*

StopInferenceRecommendationsJob Grants permission to stop an inference recommendations job Write

inference-recommendations-job*

StopLabelingJob Grants permission to stop a labeling job. Any labels already generated will be exported before stopping Write

labeling-job*

StopMonitoringSchedule Grants permission to stop a monitoring schedule Write

monitoring-schedule*

StopNotebookInstance Grants permission to stop a notebook instance. This terminates the EC2 instance. Before terminating the instance, Amazon SageMaker disconnects the EBS volume from it. Amazon SageMaker preserves the EBS volume Write

notebook-instance*

StopPipelineExecution Grants permission to stop a pipeline execution Write

pipeline-execution*

StopProcessingJob Grants permission to stop a processing job. To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds Write

processing-job*

StopTrainingJob Grants permission to stop a training job. To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds Write

training-job*

StopTransformJob Grants permission to stop a transform job. When Amazon SageMaker receives a StopTransformJob request, the status of the job changes to Stopping. After Amazon SageMaker stops the job, the status is set to Stopped Write

transform-job*

UpdateAction Grants permission to update an action Write

action*

UpdateAppImageConfig Grants permission to update an AppImageConfig Write

app-image-config*

UpdateArtifact Grants permission to update an artifact Write

artifact*

UpdateCodeRepository Grants permission to update a CodeRepository Write

code-repository*

UpdateContext Grants permission to update a context Write

context*

UpdateDeviceFleet Grants permission to update a device fleet Write

device-fleet*

UpdateDevices Grants permission to update a set of devices Write

device*

UpdateDomain Grants permission to update a Domain Write

domain*

sagemaker:VpcSecurityGroupIds

sagemaker:InstanceTypes

sagemaker:DomainSharingOutputKmsKey

sagemaker:ImageArns

sagemaker:ImageVersionArns

UpdateEndpoint Grants permission to update an endpoint to use the endpoint configuration specified in the request Write

endpoint*

UpdateEndpointWeightsAndCapacities Grants permission to update variant weight, capacity, or both of one or more variants associated with an endpoint Write

endpoint*

UpdateExperiment Grants permission to update an experiment Write

experiment*

UpdateImage Grants permission to update the properties of a SageMaker Image Write

image*

iam:PassRole

UpdateModelPackage Grants permission to update a ModelPackage Write

model-package*

sagemaker:ModelApprovalStatus

UpdateMonitoringSchedule Grants permission to update a monitoring schedule Write

monitoring-schedule*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

sagemaker:InterContainerTrafficEncryption

UpdateNotebookInstance Grants permission to update a notebook instance. Notebook instance updates include upgrading or downgrading the EC2 instance used for your notebook instance to accommodate changes in your workload requirements. You can also update the VPC security groups Write

notebook-instance*

sagemaker:AcceleratorTypes

sagemaker:InstanceTypes

sagemaker:RootAccess

UpdateNotebookInstanceLifecycleConfig Grants permission to update a notebook instance lifecycle configuration created with the CreateNotebookInstanceLifecycleConfig API Write

notebook-instance-lifecycle-config*

UpdatePipeline Grants permission to update a pipeline Write

pipeline*

iam:PassRole

UpdatePipelineExecution Grants permission to update a pipeline execution Write

pipeline-execution*

UpdateProject Grants permission to update a Project Write

project*

aws:RequestTag/${TagKey}

aws:TagKeys

UpdateTrainingJob Grants permission to update a training job Write

training-job*

sagemaker:InstanceTypes

UpdateTrial Grants permission to update a trial Write

experiment-trial*

UpdateTrialComponent Grants permission to update a trial component Write

experiment-trial-component*

UpdateUserProfile Grants permission to update a UserProfile Write

user-profile*

sagemaker:InstanceTypes

sagemaker:VpcSecurityGroupIds

sagemaker:DomainSharingOutputKmsKey

sagemaker:ImageArns

sagemaker:ImageVersionArns

UpdateWorkforce Grants permission to update a workforce Write

workforce*

UpdateWorkteam Grants permission to update a workteam Write

workteam*

Resource types defined by Amazon SageMaker

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

Resource types ARN Condition keys
device arn:${Partition}:sagemaker:${Region}:${Account}:device-fleet/${DeviceFleetName}/device/${DeviceName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

device-fleet arn:${Partition}:sagemaker:${Region}:${Account}:device-fleet/${DeviceFleetName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

edge-packaging-job arn:${Partition}:sagemaker:${Region}:${Account}:edge-packaging-job/${EdgePackagingJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

human-loop arn:${Partition}:sagemaker:${Region}:${Account}:human-loop/${HumanLoopName}
flow-definition arn:${Partition}:sagemaker:${Region}:${Account}:flow-definition/${FlowDefinitionName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

human-task-ui arn:${Partition}:sagemaker:${Region}:${Account}:human-task-ui/${HumanTaskUiName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

inference-recommendations-job arn:${Partition}:sagemaker:${Region}:${Account}:inference-recommendations-job/${InferenceRecommendationsJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

labeling-job arn:${Partition}:sagemaker:${Region}:${Account}:labeling-job/${LabelingJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

workteam arn:${Partition}:sagemaker:${Region}:${Account}:workteam/${WorkteamName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

workforce arn:${Partition}:sagemaker:${Region}:${Account}:workforce/${WorkforceName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

domain arn:${Partition}:sagemaker:${Region}:${Account}:domain/${DomainId}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

user-profile arn:${Partition}:sagemaker:${Region}:${Account}:user-profile/${DomainId}/${UserProfileName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

app arn:${Partition}:sagemaker:${Region}:${Account}:app/${DomainId}/${UserProfileName}/${AppType}/${AppName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

app-image-config arn:${Partition}:sagemaker:${Region}:${Account}:app-image-config/${AppImageConfigName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

notebook-instance arn:${Partition}:sagemaker:${Region}:${Account}:notebook-instance/${NotebookInstanceName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

notebook-instance-lifecycle-config arn:${Partition}:sagemaker:${Region}:${Account}:notebook-instance-lifecycle-config/${NotebookInstanceLifecycleConfigName}
code-repository arn:${Partition}:sagemaker:${Region}:${Account}:code-repository/${CodeRepositoryName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

image arn:${Partition}:sagemaker:${Region}:${Account}:image/${ImageName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

image-version arn:${Partition}:sagemaker:${Region}:${Account}:image-version/${ImageName}/${Version}
algorithm arn:${Partition}:sagemaker:${Region}:${Account}:algorithm/${AlgorithmName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

training-job arn:${Partition}:sagemaker:${Region}:${Account}:training-job/${TrainingJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

processing-job arn:${Partition}:sagemaker:${Region}:${Account}:processing-job/${ProcessingJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

hyper-parameter-tuning-job arn:${Partition}:sagemaker:${Region}:${Account}:hyper-parameter-tuning-job/${HyperParameterTuningJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

project arn:${Partition}:sagemaker:${Region}:${Account}:project/${ProjectName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model-package arn:${Partition}:sagemaker:${Region}:${Account}:model-package/${ModelPackageName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model-package-group arn:${Partition}:sagemaker:${Region}:${Account}:model-package-group/${ModelPackageGroupName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model arn:${Partition}:sagemaker:${Region}:${Account}:model/${ModelName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

endpoint-config arn:${Partition}:sagemaker:${Region}:${Account}:endpoint-config/${EndpointConfigName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

endpoint arn:${Partition}:sagemaker:${Region}:${Account}:endpoint/${EndpointName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

transform-job arn:${Partition}:sagemaker:${Region}:${Account}:transform-job/${TransformJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

compilation-job arn:${Partition}:sagemaker:${Region}:${Account}:compilation-job/${CompilationJobName}
automl-job arn:${Partition}:sagemaker:${Region}:${Account}:automl-job/${AutoMLJobJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

monitoring-schedule arn:${Partition}:sagemaker:${Region}:${Account}:monitoring-schedule/${MonitoringScheduleName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

data-quality-job-definition arn:${Partition}:sagemaker:${Region}:${Account}:data-quality-job-definition/${DataQualityJobDefinitionName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model-quality-job-definition arn:${Partition}:sagemaker:${Region}:${Account}:model-quality-job-definition/${ModelQualityJobDefinitionName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model-bias-job-definition arn:${Partition}:sagemaker:${Region}:${Account}:model-bias-job-definition/${ModelBiasJobDefinitionName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model-explainability-job-definition arn:${Partition}:sagemaker:${Region}:${Account}:model-explainability-job-definition/${ModelExplainabilityJobDefinitionName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

experiment arn:${Partition}:sagemaker:${Region}:${Account}:experiment/${ExperimentName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

experiment-trial arn:${Partition}:sagemaker:${Region}:${Account}:experiment-trial/${TrialName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

experiment-trial-component arn:${Partition}:sagemaker:${Region}:${Account}:experiment-trial-component/${TrialComponentName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

feature-group arn:${Partition}:sagemaker:${Region}:${Account}:feature-group/${FeatureGroupName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

pipeline arn:${Partition}:sagemaker:${Region}:${Account}:pipeline/${PipelineName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

pipeline-execution arn:${Partition}:sagemaker:${Region}:${Account}:pipeline/${PipelineName}/execution/${RandomString}
artifact arn:${Partition}:sagemaker:${Region}:${Account}:artifact/${HashOfArtifactSource}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

context arn:${Partition}:sagemaker:${Region}:${Account}:context/${ContextName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

action arn:${Partition}:sagemaker:${Region}:${Account}:action/${ActionName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

lineage-group arn:${Partition}:sagemaker:${Region}:${Account}:lineage-group/${LineageGroupName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

Condition keys for Amazon SageMaker

Amazon SageMaker defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by a key that is present in the request the user makes to the SageMaker service String
aws:ResourceTag/${TagKey} Filters access by a tag key and value pair String
aws:SourceIp Filters access by the requestor's IP address String
aws:SourceVpc Filters access by the requestor's VPC String
aws:SourceVpce Filters access by the requestor's VPC endpoint String
aws:TagKeys Filters access by the list of all the tag key names associated with the resource in the request String
sagemaker:AcceleratorTypes Filters access by the list of all accelerator types associated with the resource in the request ArrayOfString
sagemaker:AppNetworkAccessType Filters access by the app network access type associated with the resource in the request String
sagemaker:DirectInternetAccess Filters access by the direct internet access associated with the resource in the request String
sagemaker:DomainSharingOutputKmsKey Filters access by the Domain sharing output KMS key associated with the resource in the request ARN
sagemaker:FeatureGroupOfflineStoreKmsKey Filters access by the offline store KMS key associated with the feature group resource in the request ARN
sagemaker:FeatureGroupOfflineStoreS3Uri Filters access by the offline store S3 URI associated with the feature group resource in the request String
sagemaker:FeatureGroupOnlineStoreKmsKey Filters access by the online store KMS key associated with the feature group resource in the request ARN
sagemaker:FileSystemAccessMode Filters access by a file system access mode associated with the resource in the request String
sagemaker:FileSystemDirectoryPath Filters access by a file system directory path associated with the resource in the request String
sagemaker:FileSystemId Filters access by a file system ID associated with the resource in the request String
sagemaker:FileSystemType Filters access by a file system type associated with the resource in the request String
sagemaker:HomeEfsFileSystemKmsKey Filters access by a key that is present in the request the user makes to the SageMaker service. This key is deprecated. It has been replaced by sagemaker:VolumeKmsKey ARN
sagemaker:ImageArns Filters access by the list of all image ARNs associated with the resource in the request ArrayOfString
sagemaker:ImageVersionArns Filters access by the list of all image version ARNs associated with the resource in the request ArrayOfString
sagemaker:InstanceTypes Filters access by the list of all instance types associated with the resource in the request ArrayOfString
sagemaker:InterContainerTrafficEncryption Filters access by the inter container traffic encryption associated with the resource in the request Bool
sagemaker:MaxRuntimeInSeconds Filters access by the max runtime in seconds associated with the resource in the request Numeric
sagemaker:ModelApprovalStatus Filters access by the model approval status associated with the model-package in the request String
sagemaker:ModelArn Filters access by the model ARN associated with the resource in the request ARN
sagemaker:NetworkIsolation Filters access by the network isolation associated with the resource in the request Bool
sagemaker:OutputKmsKey Filters access by the output KMS key associated with the resource in the request ARN
sagemaker:ResourceTag/ Filters access by the preface string for a tag key and value pair attached to a resource String
sagemaker:ResourceTag/${TagKey} Filters access by a tag key and value pair String
sagemaker:RootAccess Filters access by the root access associated with the resource in the request String
sagemaker:TargetModel Filters access by the target model associated with the Multi-Model Endpoint in the request String
sagemaker:VolumeKmsKey Filters access by the volume KMS key associated with the resource in the request ARN
sagemaker:VpcSecurityGroupIds Filters access by the list of all VPC security group IDs associated with the resource in the request ArrayOfString
sagemaker:VpcSubnets Filters access by the list of all VPC subnets associated with the resource in the request ArrayOfString
sagemaker:WorkteamArn Filters access by the workteam ARN associated with the request ARN
sagemaker:WorkteamType Filters access by the workteam type associated with the request. This can be public-crowd, private-crowd or vendor-crowd String