Actions, resources, and condition keys for Amazon SageMaker - Service Authorization Reference

Amazon SageMaker (service prefix: sagemaker) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon SageMaker

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. Each resource type in the Resource types table has a Condition keys column, which lists the resource condition keys that apply to any action in the Actions table that operates on that resource type.

For details about the columns in the following table, see Actions table.
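The columns described above combine into a policy as follows. As an added, runnable illustration (not part of the AWS reference and not AWS code), here is a constructed least-privilege policy for CreateTrainingJob that uses condition keys and dependent actions listed for that action in the table (sagemaker:NetworkIsolation, sagemaker:InterContainerTrafficEncryption, sagemaker:VpcSubnets, aws:TagKeys, iam:PassRole), together with a miniature evaluator for the IAM operators the policy uses; the account id, role name and subnet ids are placeholders.

```python
"""Miniature IAM policy evaluator (added example, not AWS code) showing how the
sagemaker:* condition keys and dependent actions in this reference combine in a
least-privilege policy. Account id, role name and subnet ids are placeholders."""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # placeholder account id
APPROVED_SUBNETS = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"]  # placeholders
TRAINING_JOB_ARN = f"arn:aws:sagemaker:us-east-1:{ACCOUNT}:training-job/*"
EXEC_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/SageMakerExecutionRole"

# Constructed policy. Allow CreateTrainingJob on its required resource type only when
# the request is network-isolated, encrypts inter-container traffic and uses approved
# subnets; allow the dependent actions (sagemaker:AddTags, iam:PassRole) separately;
# explicitly Deny jobs that omit VpcConfig, because ForAllValues:StringEquals is
# vacuously true when sagemaker:VpcSubnets is absent from the request context.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowHardenedTrainingJobs", "Effect": "Allow",
         "Action": "sagemaker:CreateTrainingJob", "Resource": TRAINING_JOB_ARN,
         "Condition": {
             "Bool": {"sagemaker:NetworkIsolation": "true",
                      "sagemaker:InterContainerTrafficEncryption": "true"},
             "ForAllValues:StringEquals": {"sagemaker:VpcSubnets": APPROVED_SUBNETS}}},
        {"Sid": "AllowTagOnCreate", "Effect": "Allow",
         "Action": "sagemaker:AddTags", "Resource": TRAINING_JOB_ARN,
         "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["team", "cost-center"]}}},
        {"Sid": "AllowPassExecutionRoleToSageMaker", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": EXEC_ROLE_ARN,
         "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}},
        {"Sid": "DenyTrainingJobsWithoutVpc", "Effect": "Deny",
         "Action": "sagemaker:CreateTrainingJob", "Resource": "*",
         "Condition": {"Null": {"sagemaker:VpcSubnets": "true"}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def condition_holds(op, key, expected, ctx):
    """IAM semantics for the operators used above: ordinary operators are false when the
    key is missing from the request; Null tests presence; ForAllValues is true when the
    key is missing or every value is in the expected set."""
    actual = _as_list(ctx[key]) if key in ctx else []
    expected = _as_list(expected)
    if op == "Null":
        return (not actual) == (expected[0] == "true")
    if op == "ForAllValues:StringEquals":
        return all(v in expected for v in actual)
    if not actual:
        return False
    if op == "Bool":
        return actual[0].lower() == expected[0].lower()
    if op == "StringEquals":
        return actual[0] in expected
    raise NotImplementedError(f"operator {op} is outside this example's subset")

def statement_matches(stmt, action, resource, ctx):
    if action not in _as_list(stmt["Action"]):
        return False
    if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    return all(condition_holds(op, key, exp, ctx)
               for op, block in stmt.get("Condition", {}).items()
               for key, exp in block.items())

def evaluate(policy, action, resource, ctx):
    """Explicit Deny wins; otherwise any matching Allow; otherwise implicit Deny."""
    effects = {s["Effect"] for s in policy["Statement"]
               if statement_matches(s, action, resource, ctx)}
    return "Deny" if "Deny" in effects or "Allow" not in effects else "Allow"

def without_null_guard(policy):
    """The same policy minus the explicit Deny, to show why the guard is needed."""
    return {**policy, "Statement": [s for s in policy["Statement"]
                                    if s["Sid"] != "DenyTrainingJobsWithoutVpc"]}

# Constructed request contexts: the keys SageMaker derives from CreateTrainingJob input.
JOB = TRAINING_JOB_ARN.replace("*", "demo-job")
HARDENED = {"sagemaker:NetworkIsolation": "true",
            "sagemaker:InterContainerTrafficEncryption": "true",
            "sagemaker:VpcSubnets": [APPROVED_SUBNETS[0]]}
NO_VPC = {k: v for k, v in HARDENED.items() if k != "sagemaker:VpcSubnets"}
FOREIGN_SUBNET = {**HARDENED, "sagemaker:VpcSubnets": APPROVED_SUBNETS + ["subnet-0ffffffffffffffff"]}
NO_ISOLATION = {**HARDENED, "sagemaker:NetworkIsolation": "false"}

def decisions():
    """Decision per constructed request, returned as a dict so it can be checked."""
    create, tag, pr = "sagemaker:CreateTrainingJob", "sagemaker:AddTags", "iam:PassRole"
    return {
        "hardened": evaluate(POLICY, create, JOB, HARDENED),
        "no_vpc": evaluate(POLICY, create, JOB, NO_VPC),
        "no_vpc_without_guard": evaluate(without_null_guard(POLICY), create, JOB, NO_VPC),
        "foreign_subnet": evaluate(POLICY, create, JOB, FOREIGN_SUBNET),
        "no_isolation": evaluate(POLICY, create, JOB, NO_ISOLATION),
        "tag_known_keys": evaluate(POLICY, tag, JOB, {"aws:TagKeys": ["team"]}),
        "tag_unknown_key": evaluate(POLICY, tag, JOB, {"aws:TagKeys": ["team", "owner"]}),
        "pass_role_to_sagemaker": evaluate(POLICY, pr, EXEC_ROLE_ARN, {"iam:PassedToService": "sagemaker.amazonaws.com"}),
        "pass_role_elsewhere": evaluate(POLICY, pr, EXEC_ROLE_ARN, {"iam:PassedToService": "lambda.amazonaws.com"}),
    }
```

The no_vpc_without_guard case is why the explicit Deny with the Null operator is present: ForAllValues:StringEquals matches an absent sagemaker:VpcSubnets key, so the Allow statement alone would admit a training job submitted without any VpcConfig.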

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AddAssociation Grants permission to associate a lineage entity (artifact, context, action, experiment, experiment-trial-component) to each other Write

action*

artifact*

context*

experiment*

experiment-trial-component*

AddTags Grants permission to add or overwrite one or more tags for the specified Amazon SageMaker resource Tagging

action

algorithm

app

app-image-config

artifact

automl-job

cluster

code-repository

compilation-job

context

data-quality-job-definition

device

device-fleet

domain

edge-deployment-plan

edge-packaging-job

endpoint

endpoint-config

experiment

experiment-trial

experiment-trial-component

feature-group

flow-definition

human-task-ui

hyper-parameter-tuning-job

image

inference-component

inference-recommendations-job

labeling-job

model

model-bias-job-definition

model-card

model-explainability-job-definition

model-package

model-package-group

model-quality-job-definition

monitoring-schedule

notebook-instance

pipeline

processing-job

project

studio-lifecycle-config

training-job

transform-job

user-profile

workteam

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:TaggingAction

AssociateTrialComponent Grants permission to associate a trial component with a trial Write

experiment-trial*

experiment-trial-component*

BatchDescribeModelPackage Grants permission to describe one or more ModelPackages Read

model-package*

BatchGetMetrics [permission only] Grants permission to retrieve metrics associated with SageMaker resources such as training jobs or trial components. This API is not publicly exposed at this point; however, admins can control this action Read

experiment-trial-component*

training-job*

BatchGetRecord Grants permission to get a batch of records from one or more feature groups Read

feature-group*

BatchPutMetrics Grants permission to publish metrics associated with a SageMaker Resource such as a Training Job or Trial Component Write

experiment-trial-component*

training-job*

CreateAction Grants permission to create an action Write

action*

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateAlgorithm Grants permission to create an algorithm Write

algorithm*

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateApp Grants permission to create an App for a SageMaker UserProfile or Space Write

app*

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:ImageArns

sagemaker:ImageVersionArns

sagemaker:OwnerUserProfileArn

sagemaker:SpaceSharingType

CreateAppImageConfig Grants permission to create an AppImageConfig Write

app-image-config*

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateArtifact Grants permission to create an artifact Write

artifact*

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateAutoMLJob Grants permission to create an AutoML job Write

automl-job*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InterContainerTrafficEncryption

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateAutoMLJobV2 Grants permission to create a V2 AutoML job Write

automl-job*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InterContainerTrafficEncryption

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateCluster Grants permission to create a SageMaker HyperPod cluster Write

cluster*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateCodeRepository Grants permission to create a CodeRepository Write

code-repository*

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateCompilationJob Grants permission to create a compilation job Write

compilation-job*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateContext Grants permission to create a context Write

context*

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDataQualityJobDefinition Grants permission to create a data quality job definition Write

data-quality-job-definition*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateDeviceFleet Grants permission to create a device fleet Write

device-fleet*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDomain Grants permission to create a Domain for SageMaker Studio Write

domain*

iam:CreateServiceLinkedRole

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:AppNetworkAccessType

sagemaker:InstanceTypes

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

sagemaker:DomainSharingOutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:ImageArns

sagemaker:ImageVersionArns

CreateEdgeDeploymentPlan Grants permission to create an edge deployment plan Write

edge-deployment-plan*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateEdgeDeploymentStage Grants permission to create an edge deployment stage Write

edge-deployment-plan*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateEdgePackagingJob Grants permission to create an edge packaging job Write

edge-packaging-job*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateEndpoint Grants permission to create an endpoint using the endpoint configuration specified in the request Write

endpoint*

sagemaker:AddTags

endpoint-config*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateEndpointConfig Grants permission to create an endpoint configuration that can be deployed using Amazon SageMaker hosting services Write

endpoint-config*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:AcceleratorTypes

sagemaker:InstanceTypes

sagemaker:ModelArn

sagemaker:VolumeKmsKey

sagemaker:ServerlessMaxConcurrency

sagemaker:ServerlessMemorySize

sagemaker:NetworkIsolation

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateExperiment Grants permission to create an experiment Write

experiment*

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateFeatureGroup Grants permission to create a feature group Write

feature-group*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:FeatureGroupOnlineStoreKmsKey

sagemaker:FeatureGroupOfflineStoreKmsKey

sagemaker:FeatureGroupOfflineStoreS3Uri

sagemaker:FeatureGroupEnableOnlineStore

sagemaker:FeatureGroupOfflineStoreConfig

sagemaker:FeatureGroupDisableGlueTableCreation

CreateFlowDefinition Grants permission to create a flow definition, which defines settings for a human workflow Write

flow-definition*

iam:PassRole

sagemaker:AddTags

sagemaker:WorkteamArn

sagemaker:WorkteamType

aws:RequestTag/${TagKey}

aws:TagKeys

CreateHub Grants permission to create a hub Write

hub*

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateHumanTaskUi Grants permission to define the settings you will use for the human review workflow user interface Write

human-task-ui*

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateHyperParameterTuningJob Grants permission to create a hyper parameter tuning job that can be deployed using Amazon SageMaker Write

hyper-parameter-tuning-job*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:FileSystemAccessMode

sagemaker:FileSystemDirectoryPath

sagemaker:FileSystemId

sagemaker:FileSystemType

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateImage Grants permission to create a SageMaker Image Write

image*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateImageVersion Grants permission to create a SageMaker ImageVersion Write

image*

CreateInferenceComponent Grants permission to create an inference component on an endpoint Write

endpoint*

sagemaker:AddTags

inference-component*

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:ModelArn

CreateInferenceExperiment Grants permission to create an inference experiment Write

inference-experiment*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateInferenceRecommendationsJob Grants permission to create an inference recommendations job Write

inference-recommendations-job*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateLabelingJob Grants permission to start a labeling job. A labeling job takes unlabeled data in and produces labeled data as output, which can be used for training SageMaker models Write

labeling-job*

iam:PassRole

sagemaker:AddTags

sagemaker:WorkteamArn

sagemaker:WorkteamType

sagemaker:VolumeKmsKey

sagemaker:OutputKmsKey

aws:RequestTag/${TagKey}

aws:TagKeys

CreateLineageGroupPolicy Grants permission to create a lineage group policy Write

CreateModel Grants permission to create a model in Amazon SageMaker. In the request, you specify a name for the model and describe one or more containers Write

model*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:NetworkIsolation

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateModelBiasJobDefinition Grants permission to create a model bias job definition Write

model-bias-job-definition*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateModelCard Grants permission to create a model card Write

model-card*

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateModelCardExportJob Grants permission to create an export job for a model card Write

model-card*

CreateModelExplainabilityJobDefinition Grants permission to create a model explainability job definition Write

model-explainability-job-definition*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateModelPackage Grants permission to create a ModelPackage Write

model-package

sagemaker:AddTags

model-package-group

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:ModelApprovalStatus

sagemaker:CustomerMetadataProperties/${MetadataKey}

CreateModelPackageGroup Grants permission to create a ModelPackageGroup Write

model-package-group*

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateModelQualityJobDefinition Grants permission to create a model quality job definition Write

model-quality-job-definition*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateMonitoringSchedule Grants permission to create a monitoring schedule Write

monitoring-schedule*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateNotebookInstance Grants permission to create an Amazon SageMaker notebook instance. A notebook instance is an Amazon EC2 instance running a Jupyter Notebook Write

notebook-instance*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:AcceleratorTypes

sagemaker:DirectInternetAccess

sagemaker:InstanceTypes

sagemaker:MinimumInstanceMetadataServiceVersion

sagemaker:RootAccess

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateNotebookInstanceLifecycleConfig Grants permission to create a notebook instance lifecycle configuration that can be deployed using Amazon SageMaker Write

notebook-instance-lifecycle-config*

CreatePipeline Grants permission to create a pipeline Write

pipeline*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreatePresignedDomainUrl Grants permission to return a URL that you can use from your browser to connect to the Domain as a specified UserProfile when AuthMode is 'IAM' Write

user-profile*

CreatePresignedNotebookInstanceUrl Grants permission to create a URL that you can use from your browser to connect to the Notebook Instance Write

notebook-instance*

CreateProcessingJob Grants permission to start a processing job. After processing completes, Amazon SageMaker saves the resulting artifacts and other optional output to an Amazon S3 location that you specify Write

processing-job*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

sagemaker:InterContainerTrafficEncryption

CreateProject Grants permission to create a Project Write

project*

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateSharedModel [permission only] Grants permission to create a shared model in a SageMaker Studio application Write

shared-model*

CreateSpace Grants permission to create a Space for a SageMaker Domain Write

space*

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:ImageArns

sagemaker:ImageVersionArns

sagemaker:OwnerUserProfileArn

sagemaker:SpaceSharingType

CreateStudioLifecycleConfig Grants permission to create a Studio Lifecycle Configuration that can be deployed using Amazon SageMaker Write

studio-lifecycle-config*

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateTrainingJob Grants permission to start a model training job. After training completes, Amazon SageMaker saves the resulting model artifacts and other optional output to an Amazon S3 location that you specify Write

training-job*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:FileSystemAccessMode

sagemaker:FileSystemDirectoryPath

sagemaker:FileSystemId

sagemaker:FileSystemType

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

sagemaker:KeepAlivePeriod

sagemaker:EnableRemoteDebug

CreateTransformJob Grants permission to start a transform job. After the results are obtained, Amazon SageMaker saves them to an Amazon S3 location that you specify Write

transform-job*

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:ModelArn

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

CreateTrial Grants permission to create a trial Write

experiment*

sagemaker:AddTags

experiment-trial*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateTrialComponent Grants permission to create a trial component Write

experiment-trial-component*

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateUserProfile Grants permission to create a UserProfile for a SageMaker Domain Write

user-profile*

iam:PassRole

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:VpcSecurityGroupIds

sagemaker:InstanceTypes

sagemaker:DomainSharingOutputKmsKey

sagemaker:ImageArns

sagemaker:ImageVersionArns

CreateWorkforce Grants permission to create a workforce Write

workforce*

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

CreateWorkteam Grants permission to create a workteam Write

workteam*

sagemaker:AddTags

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteAction Grants permission to delete an action Write

action*

DeleteAlgorithm Grants permission to delete an algorithm Write

algorithm*

DeleteApp Grants permission to delete an App Write

app*

sagemaker:OwnerUserProfileArn

sagemaker:SpaceSharingType

DeleteAppImageConfig Grants permission to delete an AppImageConfig Write

app-image-config*

DeleteArtifact Grants permission to delete an artifact Write

artifact*

DeleteAssociation Grants permission to delete the association from a lineage entity (artifact, context, action, experiment, experiment-trial-component) to another Write

action*

artifact*

context*

experiment*

experiment-trial-component*

DeleteCluster Grants permission to delete a SageMaker HyperPod cluster Write

cluster*

DeleteCodeRepository Grants permission to delete a CodeRepository Write

code-repository*

DeleteCompilationJob Grants permission to delete a compilation job Write

compilation-job*

DeleteContext Grants permission to delete a context Write

context*

DeleteDataQualityJobDefinition Grants permission to delete the data quality job definition created using the CreateDataQualityJobDefinition API Write

data-quality-job-definition*

DeleteDeviceFleet Grants permission to delete a device fleet Write

device-fleet*

DeleteDomain Grants permission to delete a Domain Write

domain*

DeleteEdgeDeploymentPlan Grants permission to delete an edge deployment plan Write

edge-deployment-plan*

DeleteEdgeDeploymentStage Grants permission to delete an edge deployment stage Write

edge-deployment-plan*

DeleteEndpoint Grants permission to delete an endpoint. Amazon SageMaker frees up all the resources that were deployed when the endpoint was created Write

endpoint*

DeleteEndpointConfig Grants permission to delete the endpoint configuration created using the CreateEndpointConfig API. The DeleteEndpointConfig API deletes only the specified configuration. It does not delete any endpoints created using the configuration Write

endpoint-config*

DeleteExperiment Grants permission to delete an experiment Write

experiment*

DeleteFeatureGroup Grants permission to delete a feature group Write

feature-group*

aws:RequestTag/${TagKey}

DeleteFlowDefinition Grants permission to delete the specified flow definition Write

flow-definition*

DeleteHub Grants permission to delete hubs Write

hub*

DeleteHubContent Grants permission to delete hub content Write

hub*

hub-content*

DeleteHumanLoop Grants permission to delete a specified human loop Write

human-loop*

DeleteHumanTaskUi Grants permission to delete the specified human task user interface (worker task template) Write

human-task-ui*

DeleteHyperParameterTuningJob Grants permission to delete a hyper parameter tuning job Write

hyper-parameter-tuning-job*

DeleteImage Grants permission to delete a SageMaker Image Write

image*

DeleteImageVersion Grants permission to delete a SageMaker ImageVersion Write

image-version*

DeleteInferenceComponent Grants permission to delete an inference component. Amazon SageMaker frees up the resources that were reserved when the inference component was created Write

inference-component*

DeleteInferenceExperiment Grants permission to delete an inference experiment Write

inference-experiment*

DeleteLineageGroupPolicy Grants permission to delete a lineage group policy Write

DeleteModel Grants permission to delete a model created using the CreateModel API. The DeleteModel API deletes only the model entry in Amazon SageMaker that you created by calling the CreateModel API. It does not delete model artifacts, inference code, or the IAM role that you specified when creating the model Write

model*

DeleteModelBiasJobDefinition Grants permission to delete the model bias job definition created using the CreateModelBiasJobDefinition API Write

model-bias-job-definition*

DeleteModelCard Grants permission to delete a model card Write

model-card*

DeleteModelExplainabilityJobDefinition Grants permission to delete the model explainability job definition created using the CreateModelExplainabilityJobDefinition API Write

model-explainability-job-definition*

DeleteModelPackage Grants permission to delete a ModelPackage Write

model-package*

DeleteModelPackageGroup Grants permission to delete a ModelPackageGroup Write

model-package-group*

DeleteModelPackageGroupPolicy Grants permission to delete a ModelPackageGroup policy Write

model-package-group*

DeleteModelQualityJobDefinition Grants permission to delete the model quality job definition created using the CreateModelQualityJobDefinition API Write

model-quality-job-definition*

DeleteMonitoringSchedule Grants permission to delete a monitoring schedule Write

monitoring-schedule*

DeleteNotebookInstance Grants permission to delete an Amazon SageMaker notebook instance. Before you can delete a notebook instance, you must call the StopNotebookInstance API Write

notebook-instance*

DeleteNotebookInstanceLifecycleConfig Grants permission to delete a notebook instance lifecycle configuration Write

notebook-instance-lifecycle-config*

DeletePipeline Grants permission to delete a pipeline Write

pipeline*

DeleteProject Grants permission to delete a project Write

project*

DeleteRecord Grants permission to delete a record from a feature group Write

feature-group*

DeleteSpace Grants permission to delete a Space Write

space*

sagemaker:OwnerUserProfileArn

sagemaker:SpaceSharingType

DeleteStudioLifecycleConfig Grants permission to delete a Studio Lifecycle Configuration Write

studio-lifecycle-config*

DeleteTags Grants permission to delete the specified set of tags from an Amazon SageMaker resource Tagging

action

algorithm

app

app-image-config

artifact

automl-job

cluster

code-repository

compilation-job

context

data-quality-job-definition

device

device-fleet

domain

edge-deployment-plan

edge-packaging-job

endpoint

endpoint-config

experiment

experiment-trial

experiment-trial-component

feature-group

flow-definition

human-task-ui

hyper-parameter-tuning-job

image

inference-component

inference-recommendations-job

labeling-job

model

model-bias-job-definition

model-card

model-explainability-job-definition

model-package

model-package-group

model-quality-job-definition

monitoring-schedule

notebook-instance

pipeline

processing-job

project

studio-lifecycle-config

training-job

transform-job

user-profile

workteam

aws:TagKeys

DeleteTrial Grants permission to delete a trial Write

experiment-trial*

DeleteTrialComponent Grants permission to delete a trial component Write

experiment-trial-component*

DeleteUserProfile Grants permission to delete a UserProfile Write

user-profile*

DeleteWorkforce Grants permission to delete a workforce Write

workforce*

DeleteWorkteam Grants permission to delete a workteam Write

workteam*

DeregisterDevices Grants permission to deregister a set of devices Write

device*

DescribeAction Grants permission to get information about an action Read

action*

DescribeAlgorithm Grants permission to describe an algorithm Read

algorithm*

DescribeApp Grants permission to describe an App Read

app*

DescribeAppImageConfig Grants permission to describe an AppImageConfig Read

app-image-config*

DescribeArtifact Grants permission to get information about an artifact Read

artifact*

DescribeAutoMLJob Grants permission to describe an AutoML job that was created via the CreateAutoMLJob API Read

automl-job*

DescribeAutoMLJobV2 Grants permission to describe an AutoML job that was created via the CreateAutoMLJobV2 API Read

automl-job*

DescribeCluster Grants permission to return information about a SageMaker HyperPod cluster Read

cluster*

DescribeClusterNode Grants permission to return information about a SageMaker HyperPod cluster node Read

cluster*

DescribeCodeRepository Grants permission to describe a CodeRepository Read

code-repository*

DescribeCompilationJob Grants permission to return information about a compilation job Read

compilation-job*

DescribeContext Grants permission to get information about a context Read

context*

DescribeDataQualityJobDefinition Grants permission to return information about a data quality job definition Read

data-quality-job-definition*

DescribeDevice Grants permission to access information about a device Read

device*

DescribeDeviceFleet Grants permission to access information about a device fleet Read

device-fleet*

DescribeDomain Grants permission to describe a Domain Read

domain*

DescribeEdgeDeploymentPlan Grants permission to access information about an edge deployment plan Read

edge-deployment-plan*

DescribeEdgePackagingJob Grants permission to access information about an edge packaging job Read

edge-packaging-job*

DescribeEndpoint Grants permission to return the description of an endpoint Read

endpoint*

DescribeEndpointConfig Grants permission to return the description of an endpoint configuration, which was created using the CreateEndpointConfig API Read

endpoint-config*

DescribeExperiment Grants permission to return information about an experiment Read

experiment*

DescribeFeatureGroup Grants permission to return information about a feature group Read

feature-group*

DescribeFeatureMetadata Grants permission to return information about a feature metadata Read

feature-group*

DescribeFlowDefinition Grants permission to return information about the specified flow definition Read

flow-definition*

DescribeHub Grants permission to describe hubs Read

hub*

DescribeHubContent Grants permission to describe hub content Read

hub*

hub-content*

DescribeHumanLoop Grants permission to return information about the specified human loop Read

human-loop*

DescribeHumanTaskUi Grants permission to return detailed information about the specified human review workflow user interface Read

human-task-ui*

DescribeHyperParameterTuningJob Grants permission to describe a hyper parameter tuning job that was created via the CreateHyperParameterTuningJob API Read

hyper-parameter-tuning-job*

DescribeImage Grants permission to return information about a SageMaker Image Read

image*

DescribeImageVersion Grants permission to return information about a SageMaker ImageVersion Read

image-version*

DescribeInferenceComponent Grants permission to return the description of an inference component Read

inference-component*

DescribeInferenceExperiment Grants permission to get information about an inference experiment Read

inference-experiment*

DescribeInferenceRecommendationsJob Grants permission to get information about an inference recommendations job Read

inference-recommendations-job*

DescribeLabelingJob Grants permission to return information about a labeling job Read

labeling-job*

DescribeLineageGroup Grants permission to describe a lineage group Read

DescribeModel Grants permission to describe a model that you created using the CreateModel API Read

model*

DescribeModelBiasJobDefinition Grants permission to return information about a model bias job definition Read

model-bias-job-definition*

DescribeModelCard Grants permission to get information about a model card Read

model-card*

DescribeModelCardExportJob Grants permission to get information about a model card export job Read

model-card-export-job*

DescribeModelExplainabilityJobDefinition Grants permission to return information about a model explainability job definition Read

model-explainability-job-definition*

DescribeModelPackage Grants permission to describe a ModelPackage Read

model-package*

DescribeModelPackageGroup Grants permission to describe a ModelPackageGroup Read

model-package-group*

DescribeModelQualityJobDefinition Grants permission to return information about a model quality job definition Read

model-quality-job-definition*

DescribeMonitoringSchedule Grants permission to return information about a monitoring schedule Read

monitoring-schedule*

DescribeNotebookInstance Grants permission to return information about a notebook instance Read

notebook-instance*

DescribeNotebookInstanceLifecycleConfig Grants permission to describe a notebook instance lifecycle configuration that was created via the CreateNotebookInstanceLifecycleConfig API Read

notebook-instance-lifecycle-config*

DescribePipeline Grants permission to get information about a pipeline Read

pipeline*

DescribePipelineDefinitionForExecution Grants permission to get the pipeline definition for a pipeline execution Read

pipeline-execution*

DescribePipelineExecution Grants permission to get information about a pipeline execution Read

pipeline-execution*

DescribeProcessingJob Grants permission to return information about a processing job Read

processing-job*

DescribeProject Grants permission to describe a project Read

project*

DescribeSharedModel [permission only] Grants permission to describe a shared model in a SageMaker Studio application Read

shared-model*

DescribeSpace Grants permission to describe a Space Read

space*

DescribeStudioLifecycleConfig Grants permission to describe a Studio Lifecycle Configuration Read

studio-lifecycle-config*

DescribeSubscribedWorkteam Grants permission to return information about a subscribed workteam Read

workteam*

DescribeTrainingJob Grants permission to return information about a training job Read

training-job*

DescribeTransformJob Grants permission to return information about a transform job Read

transform-job*

DescribeTrial Grants permission to return information about a trial Read

experiment-trial*

DescribeTrialComponent Grants permission to return information about a trial component Read

experiment-trial-component*

DescribeUserProfile Grants permission to describe a UserProfile Read

user-profile*

DescribeWorkforce Grants permission to return information about a workforce Read

workforce*

DescribeWorkteam Grants permission to return information about a workteam Read

workteam*

DisableSagemakerServicecatalogPortfolio Grants permission to disable a SageMaker Service Catalog Portfolio Write
DisassociateTrialComponent Grants permission to disassociate a trial component from a trial Write

experiment-trial*

experiment-trial-component*

processing-job*

EnableSagemakerServicecatalogPortfolio Grants permission to enable a SageMaker Service Catalog Portfolio Write
GetDeployments Grants permission to get deployment plan for device Read

device*

GetDeviceFleetReport Grants permission to access a summary of the devices in a device fleet Read

device-fleet*

GetDeviceRegistration Grants permission to get device registration. After you deploy a model onto edge devices, this API is used to get the current device registration Read

device*

GetLineageGroupPolicy Grants permission to retrieve a lineage group policy Read
GetModelPackageGroupPolicy Grants permission to get a ModelPackageGroup policy Read

model-package-group*

GetRecord Grants permission to get a record from a feature group Read

feature-group*

GetSagemakerServicecatalogPortfolioStatus Grants permission to get a SageMaker Service Catalog Portfolio Read
GetScalingConfigurationRecommendation Grants permission to get a scaling policy configuration recommendation Read

inference-recommendations-job*

GetSearchSuggestions Grants permission to get search suggestions when provided with a keyword Read
ImportHubContent Grants permission to import hub content Write

hub*

sagemaker:AddTags

hub-content*

aws:RequestTag/${TagKey}

aws:TagKeys

InvokeEndpoint Grants permission to invoke an endpoint. After you deploy a model into production using Amazon SageMaker hosting services, your client applications use this API to get inferences from the model hosted at the specified endpoint Read

endpoint*

inference-component

sagemaker:TargetModel

InvokeEndpointAsync Grants permission to get inferences from the hosted model at the specified endpoint in an asynchronous manner Read

endpoint*

InvokeEndpointWithResponseStream Grants permission to get the inference response as a stream from the specified endpoint Read

endpoint*

inference-component

ListActions Grants permission to list actions List
ListAlgorithms Grants permission to list Algorithms List
ListAliases Grants permission to list Aliases that belong to a SageMaker Image or SageMaker ImageVersion List

image*

image-version*

ListAppImageConfigs Grants permission to list the AppImageConfigs in your account List
ListApps Grants permission to list the Apps in your account List
ListArtifacts Grants permission to list artifacts List
ListAssociations Grants permission to list associations List
ListAutoMLJobs Grants permission to list AutoML jobs List
ListCandidatesForAutoMLJob Grants permission to list candidates for an AutoML job List
ListClusterNodes Grants permission to list nodes within a SageMaker HyperPod cluster List

cluster*

ListClusters Grants permission to list SageMaker HyperPod clusters List
ListCodeRepositories Grants permission to list code repositories List
ListCompilationJobs Grants permission to list compilation jobs List
ListContexts Grants permission to list contexts List
ListDataQualityJobDefinitions Grants permission to list data quality job definitions List
ListDeviceFleets Grants permission to list device fleets List
ListDevices Grants permission to list devices List
ListDomains Grants permission to list the Domains in your account List
ListEdgeDeploymentPlans Grants permission to list edge deployment plans List
ListEdgePackagingJobs Grants permission to list edge packaging jobs List
ListEndpointConfigs Grants permission to list endpoint configurations List
ListEndpoints Grants permission to list endpoints List
ListExperiments Grants permission to list experiments List
ListFeatureGroups Grants permission to list feature groups List
ListFlowDefinitions Grants permission to return summary information about flow definitions, given the specified parameters List
ListHubContentVersions Grants permission to list all versions of hub content List

hub*

hub-content*

ListHubContents Grants permission to list newest versions of hub content List

hub*

ListHubs Grants permission to list hubs List
ListHumanLoops Grants permission to return summary information about human loops, given the specified parameters List
ListHumanTaskUis Grants permission to return summary information about human review workflow user interfaces, given the specified parameters List
ListHyperParameterTuningJobs Grants permission to list hyper parameter tuning jobs List
ListImageVersions Grants permission to list ImageVersions that belong to a SageMaker Image List

image*

ListImages Grants permission to list SageMaker Images in your account List
ListInferenceComponents Grants permission to list inference components List
ListInferenceExperiments Grants permission to list inference experiments List
ListInferenceRecommendationsJobSteps Grants permission to list inference recommendations job steps List
ListInferenceRecommendationsJobs Grants permission to list inference recommendations jobs List
ListLabelingJobs Grants permission to list labeling jobs List
ListLabelingJobsForWorkteam Grants permission to list labeling jobs for workteam List

workteam*

ListLineageGroups Grants permission to list lineage groups List
ListModelBiasJobDefinitions Grants permission to list model bias job definitions List
ListModelCardExportJobs Grants permission to list export jobs for a model card List

model-card*

ListModelCardVersions Grants permission to list versions of a model card List

model-card*

ListModelCards Grants permission to list model cards List
ListModelExplainabilityJobDefinitions Grants permission to list model explainability job definitions List
ListModelMetadata Grants permission to list model metadata for inference recommendations jobs List
ListModelPackageGroups Grants permission to list ModelPackageGroups List
ListModelPackages Grants permission to list ModelPackages List

model-package

ListModelQualityJobDefinitions Grants permission to list model quality job definitions List
ListModels Grants permission to list the models created with the CreateModel API List
ListMonitoringAlertHistory Grants permission to list the history of a monitoring alert List
ListMonitoringAlerts Grants permission to list monitoring alerts List
ListMonitoringExecutions Grants permission to list monitoring executions List
ListMonitoringSchedules Grants permission to list monitoring schedules List
ListNotebookInstanceLifecycleConfigs Grants permission to list the notebook instance lifecycle configurations that can be deployed using Amazon SageMaker List
ListNotebookInstances Grants permission to list the Amazon SageMaker notebook instances in the requester's account in an AWS Region List
ListPipelineExecutionSteps Grants permission to list steps for a pipeline execution List

pipeline-execution*

ListPipelineExecutions Grants permission to list executions for a pipeline List

pipeline*

ListPipelineParametersForExecution Grants permission to list parameters for a pipeline execution List

pipeline-execution*

ListPipelines Grants permission to list pipelines List
ListProcessingJobs Grants permission to list processing jobs List
ListProjects Grants permission to list Projects List
ListResourceCatalogs Grants permission to list resource catalogs List
ListSharedModelEvents [permission only] Grants permission to list shared model events List
ListSharedModelVersions [permission only] Grants permission to list shared model versions List

shared-model*

ListSharedModels [permission only] Grants permission to list shared models List
ListSpaces Grants permission to list the Spaces in your account List
ListStageDevices Grants permission to list stage devices List
ListStudioLifecycleConfigs Grants permission to list the Studio Lifecycle Configurations that can be deployed using Amazon SageMaker List
ListSubscribedWorkteams Grants permission to list subscribed workteams List
ListTags Grants permission to list the tag set associated with the specified resource List

action

algorithm

app

app-image-config

artifact

automl-job

cluster

code-repository

compilation-job

context

data-quality-job-definition

device

device-fleet

domain

edge-deployment-plan

edge-packaging-job

endpoint

endpoint-config

experiment

experiment-trial

experiment-trial-component

feature-group

flow-definition

human-task-ui

hyper-parameter-tuning-job

image

inference-component

inference-recommendations-job

labeling-job

model

model-bias-job-definition

model-card

model-explainability-job-definition

model-package

model-package-group

model-quality-job-definition

monitoring-schedule

notebook-instance

pipeline

processing-job

project

studio-lifecycle-config

training-job

transform-job

user-profile

workteam

ListTrainingJobs Grants permission to list training jobs List
ListTrainingJobsForHyperParameterTuningJob Grants permission to list training jobs for a hyper parameter tuning job List

hyper-parameter-tuning-job*

ListTransformJobs Grants permission to list transform jobs List
ListTrialComponents Grants permission to list trial components List
ListTrials Grants permission to list trials List
ListUserProfiles Grants permission to list the UserProfiles in your account List
ListWorkforces Grants permission to list workforces List
ListWorkteams Grants permission to list workteams List
PutLineageGroupPolicy Grants permission to put a lineage group policy Write
PutModelPackageGroupPolicy Grants permission to put a ModelPackageGroup policy Write

model-package-group*

PutRecord Grants permission to put a record to a feature group Write

feature-group*

QueryLineage Grants permission to explore the lineage graph List
RegisterDevices Grants permission to register a set of devices Write

device*

aws:RequestTag/${TagKey}

aws:TagKeys

RenderUiTemplate Grants permission to render a UI template used for a human annotation task Read

iam:PassRole

RetryPipelineExecution Grants permission to retry a pipeline execution Write

pipeline-execution*

Grants permission to search for SageMaker objects Read

sagemaker:SearchVisibilityCondition/${FilterKey}

SendHeartbeat Grants permission to publish heartbeat data from devices. After you deploy a model onto edge devices, this API is used to report device status Write

device*

SendPipelineExecutionStepFailure Grants permission to fail a pending callback step Write

pipeline-execution*

SendPipelineExecutionStepSuccess Grants permission to succeed a pending callback step Write

pipeline-execution*

SendSharedModelEvent [permission only] Grants permission to send a shared model event Write

shared-model-event*

StartEdgeDeploymentStage Grants permission to start an edge deployment stage Write

edge-deployment-plan*

StartHumanLoop Grants permission to start a human loop Write

flow-definition*

StartInferenceExperiment Grants permission to start an inference experiment Write

inference-experiment*

StartMonitoringSchedule Grants permission to start a monitoring schedule Write

monitoring-schedule*

StartNotebookInstance Grants permission to start a notebook instance. This launches an EC2 instance with the latest version of the libraries and attaches your EBS volume Write

notebook-instance*

StartPipelineExecution Grants permission to start a pipeline execution Write

pipeline*

StopAutoMLJob Grants permission to stop a running AutoML job Write

automl-job*

StopCompilationJob Grants permission to stop a compilation job Write

compilation-job*

StopEdgeDeploymentStage Grants permission to stop an edge deployment stage Write

edge-deployment-plan*

StopEdgePackagingJob Grants permission to stop an edge packaging job Write

edge-packaging-job*

StopHumanLoop Grants permission to stop a specified human loop Write

human-loop*

StopHyperParameterTuningJob Grants permission to stop a running hyper parameter tuning job created via the CreateHyperParameterTuningJob API Write

hyper-parameter-tuning-job*

StopInferenceExperiment Grants permission to stop an inference experiment Write

inference-experiment*

StopInferenceRecommendationsJob Grants permission to stop an inference recommendations job Write

inference-recommendations-job*

StopLabelingJob Grants permission to stop a labeling job. Any labels already generated will be exported before stopping Write

labeling-job*

StopMonitoringSchedule Grants permission to stop a monitoring schedule Write

monitoring-schedule*

StopNotebookInstance Grants permission to stop a notebook instance. This terminates the EC2 instance. Before terminating the instance, Amazon SageMaker disconnects the EBS volume from it. Amazon SageMaker preserves the EBS volume Write

notebook-instance*

StopPipelineExecution Grants permission to stop a pipeline execution Write

pipeline-execution*

StopProcessingJob Grants permission to stop a processing job. To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds Write

processing-job*

StopTrainingJob Grants permission to stop a training job. To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds Write

training-job*

StopTransformJob Grants permission to stop a transform job. When Amazon SageMaker receives a StopTransformJob request, the status of the job changes to Stopping. After Amazon SageMaker stops the job, the status is set to Stopped Write

transform-job*

UpdateAction Grants permission to update an action Write

action*

UpdateAppImageConfig Grants permission to update an AppImageConfig Write

app-image-config*

UpdateArtifact Grants permission to update an artifact Write

artifact*

UpdateCluster Grants permission to update a SageMaker HyperPod cluster Write

cluster*

iam:PassRole

UpdateClusterSoftware Grants permission to update platform software for a SageMaker HyperPod cluster Write

cluster*

UpdateCodeRepository Grants permission to update a CodeRepository Write

code-repository*

UpdateContext Grants permission to update a context Write

context*

UpdateDeviceFleet Grants permission to update a device fleet Write

device-fleet*

UpdateDevices Grants permission to update a set of devices Write

device*

UpdateDomain Grants permission to update a Domain Write

domain*

sagemaker:VpcSecurityGroupIds

sagemaker:InstanceTypes

sagemaker:DomainSharingOutputKmsKey

sagemaker:ImageArns

sagemaker:ImageVersionArns

sagemaker:AppNetworkAccessType

sagemaker:VpcSubnets

UpdateEndpoint Grants permission to update an endpoint to use the endpoint configuration specified in the request Write

endpoint*

UpdateEndpointWeightsAndCapacities Grants permission to update variant weight, capacity, or both of one or more variants associated with an endpoint Write

endpoint*

UpdateExperiment Grants permission to update an experiment Write

experiment*

UpdateFeatureGroup Grants permission to update a feature group Write

feature-group*

UpdateFeatureMetadata Grants permission to update a feature metadata Write

feature-group*

UpdateHub Grants permission to update hubs Write

hub*

UpdateImage Grants permission to update the properties of a SageMaker Image Write

image*

iam:PassRole

UpdateImageVersion Grants permission to update the properties of a SageMaker ImageVersion Write

image-version*

UpdateInferenceComponent Grants permission to update an inference component to use the specification and configurations specified in the request Write

inference-component*

UpdateInferenceComponentRuntimeConfig Grants permission to update the runtime config of a given inference component Write

inference-component*

UpdateInferenceExperiment Grants permission to update an inference experiment Write

inference-experiment*

UpdateModelCard Grants permission to update a model card Write

model-card*

UpdateModelPackage Grants permission to update a ModelPackage Write

model-package*

sagemaker:ModelApprovalStatus

sagemaker:CustomerMetadataProperties/${MetadataKey}

sagemaker:CustomerMetadataPropertiesToRemove

UpdateMonitoringAlert Grants permission to update a monitoring alert Write

monitoring-schedule*

monitoring-schedule-alert*

UpdateMonitoringSchedule Grants permission to update a monitoring schedule Write

monitoring-schedule*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

sagemaker:InterContainerTrafficEncryption

UpdateNotebookInstance Grants permission to update a notebook instance. Notebook instance updates include upgrading or downgrading the EC2 instance used for your notebook instance to accommodate changes in your workload requirements Write

notebook-instance*

sagemaker:AcceleratorTypes

sagemaker:InstanceTypes

sagemaker:MinimumInstanceMetadataServiceVersion

sagemaker:RootAccess

UpdateNotebookInstanceLifecycleConfig Grants permission to update a notebook instance lifecycle configuration created with the CreateNotebookInstanceLifecycleConfig API Write

notebook-instance-lifecycle-config*

UpdatePipeline Grants permission to update a pipeline Write

pipeline*

iam:PassRole

UpdatePipelineExecution Grants permission to update a pipeline execution Write

pipeline-execution*

UpdateProject Grants permission to update a Project Write

project*

aws:RequestTag/${TagKey}

aws:TagKeys

UpdateSharedModel [permission only] Grants permission to update a shared model Write

shared-model*

UpdateSpace Grants permission to update a Space Write

space*

sagemaker:InstanceTypes

sagemaker:ImageArns

sagemaker:ImageVersionArns

sagemaker:OwnerUserProfileArn

sagemaker:SpaceSharingType

UpdateTrainingJob Grants permission to update a training job Write

training-job*

sagemaker:InstanceTypes

sagemaker:KeepAlivePeriod

sagemaker:EnableRemoteDebug

UpdateTrial Grants permission to update a trial Write

experiment-trial*

UpdateTrialComponent Grants permission to update a trial component Write

experiment-trial-component*

UpdateUserProfile Grants permission to update a UserProfile Write

user-profile*

sagemaker:InstanceTypes

sagemaker:VpcSecurityGroupIds

sagemaker:DomainSharingOutputKmsKey

sagemaker:ImageArns

sagemaker:ImageVersionArns

UpdateWorkforce Grants permission to update a workforce Write

workforce*

UpdateWorkteam Grants permission to update a workteam Write

workteam*

Resource types defined by Amazon SageMaker

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
device arn:${Partition}:sagemaker:${Region}:${Account}:device-fleet/${DeviceFleetName}/device/${DeviceName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

device-fleet arn:${Partition}:sagemaker:${Region}:${Account}:device-fleet/${DeviceFleetName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

edge-packaging-job arn:${Partition}:sagemaker:${Region}:${Account}:edge-packaging-job/${EdgePackagingJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

edge-deployment-plan arn:${Partition}:sagemaker:${Region}:${Account}:edge-deployment/${EdgeDeploymentPlanName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

human-loop arn:${Partition}:sagemaker:${Region}:${Account}:human-loop/${HumanLoopName}
flow-definition arn:${Partition}:sagemaker:${Region}:${Account}:flow-definition/${FlowDefinitionName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

human-task-ui arn:${Partition}:sagemaker:${Region}:${Account}:human-task-ui/${HumanTaskUiName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

hub arn:${Partition}:sagemaker:${Region}:${Account}:hub/${HubName}
hub-content arn:${Partition}:sagemaker:${Region}:${Account}:hub-content/${HubName}/${HubContentType}/${HubContentName}
inference-recommendations-job arn:${Partition}:sagemaker:${Region}:${Account}:inference-recommendations-job/${InferenceRecommendationsJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

inference-experiment arn:${Partition}:sagemaker:${Region}:${Account}:inference-experiment/${InferenceExperimentName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

labeling-job arn:${Partition}:sagemaker:${Region}:${Account}:labeling-job/${LabelingJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

workteam arn:${Partition}:sagemaker:${Region}:${Account}:workteam/${WorkteamName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

workforce arn:${Partition}:sagemaker:${Region}:${Account}:workforce/${WorkforceName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

domain arn:${Partition}:sagemaker:${Region}:${Account}:domain/${DomainId}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

user-profile arn:${Partition}:sagemaker:${Region}:${Account}:user-profile/${DomainId}/${UserProfileName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

space arn:${Partition}:sagemaker:${Region}:${Account}:space/${DomainId}/${SpaceName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

app arn:${Partition}:sagemaker:${Region}:${Account}:app/${DomainId}/${UserProfileName}/${AppType}/${AppName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

app-image-config arn:${Partition}:sagemaker:${Region}:${Account}:app-image-config/${AppImageConfigName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

studio-lifecycle-config arn:${Partition}:sagemaker:${Region}:${Account}:studio-lifecycle-config/${StudioLifecycleConfigName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

notebook-instance arn:${Partition}:sagemaker:${Region}:${Account}:notebook-instance/${NotebookInstanceName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

notebook-instance-lifecycle-config arn:${Partition}:sagemaker:${Region}:${Account}:notebook-instance-lifecycle-config/${NotebookInstanceLifecycleConfigName}
code-repository arn:${Partition}:sagemaker:${Region}:${Account}:code-repository/${CodeRepositoryName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

image arn:${Partition}:sagemaker:${Region}:${Account}:image/${ImageName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

image-version arn:${Partition}:sagemaker:${Region}:${Account}:image-version/${ImageName}/${Version}
algorithm arn:${Partition}:sagemaker:${Region}:${Account}:algorithm/${AlgorithmName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

cluster arn:${Partition}:sagemaker:${Region}:${Account}:cluster/${ClusterId}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

training-job arn:${Partition}:sagemaker:${Region}:${Account}:training-job/${TrainingJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

processing-job arn:${Partition}:sagemaker:${Region}:${Account}:processing-job/${ProcessingJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

hyper-parameter-tuning-job arn:${Partition}:sagemaker:${Region}:${Account}:hyper-parameter-tuning-job/${HyperParameterTuningJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

project arn:${Partition}:sagemaker:${Region}:${Account}:project/${ProjectName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model-package arn:${Partition}:sagemaker:${Region}:${Account}:model-package/${ModelPackageName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model-package-group arn:${Partition}:sagemaker:${Region}:${Account}:model-package-group/${ModelPackageGroupName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model arn:${Partition}:sagemaker:${Region}:${Account}:model/${ModelName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

endpoint-config arn:${Partition}:sagemaker:${Region}:${Account}:endpoint-config/${EndpointConfigName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

endpoint arn:${Partition}:sagemaker:${Region}:${Account}:endpoint/${EndpointName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

inference-component arn:${Partition}:sagemaker:${Region}:${Account}:inference-component/${InferenceComponentName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

transform-job arn:${Partition}:sagemaker:${Region}:${Account}:transform-job/${TransformJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

compilation-job arn:${Partition}:sagemaker:${Region}:${Account}:compilation-job/${CompilationJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

automl-job arn:${Partition}:sagemaker:${Region}:${Account}:automl-job/${AutoMLJobJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

monitoring-schedule arn:${Partition}:sagemaker:${Region}:${Account}:monitoring-schedule/${MonitoringScheduleName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

monitoring-schedule-alert arn:${Partition}:sagemaker:${Region}:${Account}:monitoring-schedule/${MonitoringScheduleName}/alert/${MonitoringScheduleAlertName}
data-quality-job-definition arn:${Partition}:sagemaker:${Region}:${Account}:data-quality-job-definition/${DataQualityJobDefinitionName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model-quality-job-definition arn:${Partition}:sagemaker:${Region}:${Account}:model-quality-job-definition/${ModelQualityJobDefinitionName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model-bias-job-definition arn:${Partition}:sagemaker:${Region}:${Account}:model-bias-job-definition/${ModelBiasJobDefinitionName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model-explainability-job-definition arn:${Partition}:sagemaker:${Region}:${Account}:model-explainability-job-definition/${ModelExplainabilityJobDefinitionName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

experiment arn:${Partition}:sagemaker:${Region}:${Account}:experiment/${ExperimentName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

experiment-trial arn:${Partition}:sagemaker:${Region}:${Account}:experiment-trial/${TrialName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

experiment-trial-component arn:${Partition}:sagemaker:${Region}:${Account}:experiment-trial-component/${TrialComponentName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

feature-group arn:${Partition}:sagemaker:${Region}:${Account}:feature-group/${FeatureGroupName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

pipeline arn:${Partition}:sagemaker:${Region}:${Account}:pipeline/${PipelineName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

pipeline-execution arn:${Partition}:sagemaker:${Region}:${Account}:pipeline/${PipelineName}/execution/${RandomString}
artifact arn:${Partition}:sagemaker:${Region}:${Account}:artifact/${HashOfArtifactSource}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

context arn:${Partition}:sagemaker:${Region}:${Account}:context/${ContextName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

action arn:${Partition}:sagemaker:${Region}:${Account}:action/${ActionName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

lineage-group arn:${Partition}:sagemaker:${Region}:${Account}:lineage-group/${LineageGroupName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model-card arn:${Partition}:sagemaker:${Region}:${Account}:model-card/${ModelCardName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model-card-export-job arn:${Partition}:sagemaker:${Region}:${Account}:model-card/${ModelCardName}/export-job/${ExportJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

shared-model arn:${Partition}:sagemaker:${Region}:${Account}:shared-model/${SharedModelId}
shared-model-event arn:${Partition}:sagemaker:${Region}:${Account}:shared-model-event/${EventId}
sagemaker-catalog arn:${Partition}:sagemaker:${Region}:${Account}:sagemaker-catalog/${ResourceCatalogName}

Condition keys for Amazon SageMaker

Amazon SageMaker defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.
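As an added example that is not part of this AWS reference, the Python below transcribes a handful of rows from the Actions and Resource types tables above and lints IAM statements against them: a condition key that an action does not list makes an Allow never match that action and makes a Deny silently not apply to it. The sample policy, account id and names are constructed; the RootAccess and ModelApprovalStatus values come from the SageMaker API rather than from this page.

```python
# Added example (not part of the AWS reference): lint IAM statements against the
# SageMaker action / condition-key matrix transcribed from the tables above.
from string import Template

# Subset of the Actions table: action -> (resource types listed, condition keys listed).
ACTIONS = {
    "sagemaker:InvokeEndpoint": (("endpoint", "inference-component"), ("sagemaker:TargetModel",)),
    "sagemaker:InvokeEndpointAsync": (("endpoint",), ()),
    "sagemaker:StopTrainingJob": (("training-job",), ()),
    "sagemaker:UpdateTrainingJob": (("training-job",), (
        "sagemaker:InstanceTypes", "sagemaker:KeepAlivePeriod", "sagemaker:EnableRemoteDebug")),
    "sagemaker:UpdateNotebookInstance": (("notebook-instance",), (
        "sagemaker:AcceleratorTypes", "sagemaker:InstanceTypes",
        "sagemaker:MinimumInstanceMetadataServiceVersion", "sagemaker:RootAccess")),
    "sagemaker:UpdateModelPackage": (("model-package",), (
        "sagemaker:ModelApprovalStatus", "sagemaker:CustomerMetadataProperties/${MetadataKey}",
        "sagemaker:CustomerMetadataPropertiesToRemove")),
}
# Subset of the Resource types table: type -> (ARN template, resource condition keys).
TAG_KEYS = ("aws:ResourceTag/${TagKey}", "sagemaker:ResourceTag/${TagKey}")
ARN = "arn:${Partition}:sagemaker:${Region}:${Account}:"
RESOURCES = {
    "endpoint": (ARN + "endpoint/${EndpointName}", TAG_KEYS),
    "inference-component": (ARN + "inference-component/${InferenceComponentName}", TAG_KEYS),
    "training-job": (ARN + "training-job/${TrainingJobName}", TAG_KEYS),
    "notebook-instance": (ARN + "notebook-instance/${NotebookInstanceName}", TAG_KEYS),
    "model-package": (ARN + "model-package/${ModelPackageName}", TAG_KEYS),
}
# aws:* keys the page lists per action or resource; any other aws:* key is global and unchecked.
PAGE_GLOBAL_KEYS = ("aws:RequestTag/${TagKey}", "aws:TagKeys") + TAG_KEYS


def render_arn(resource_type, **fields):
    """Fill a resource type's ARN template; KeyError if a placeholder is not supplied."""
    return Template(RESOURCES[resource_type][0]).substitute(fields)


def key_matches(template, key):
    """Condition key names are case-insensitive; '${...}' templates match on their prefix."""
    t, k = template.lower(), key.lower()
    return k.startswith(t.split("${")[0]) if "${" in t else t == k


def supported_keys(action):
    """Keys usable with an action: its own keys plus those of the resource types it lists."""
    resource_types, action_keys = ACTIONS[action]
    return set(action_keys).union(*(RESOURCES[rt][1] for rt in resource_types))


def lint_statement(stmt):
    """Report condition keys an action does not support: Allow never matches, Deny never applies."""
    findings = []
    actions = stmt.get("Action", [])
    for action in [actions] if isinstance(actions, str) else actions:
        if action not in ACTIONS:
            findings.append(f"{action}: not in the transcribed matrix, skipped")
            continue
        supported = supported_keys(action)
        for block in stmt.get("Condition", {}).values():
            for key in block:
                if key.lower().startswith("aws:") and not any(
                        key_matches(t, key) for t in PAGE_GLOBAL_KEYS):
                    continue  # global context key available to every action
                if not any(key_matches(t, key) for t in supported):
                    findings.append(f"{stmt.get('Sid', '?')}: {stmt['Effect']} {action} does not "
                                    f"support {key}; the statement never matches this action")
    return findings


def lint_policy(policy):
    return [f for stmt in policy["Statement"] for f in lint_statement(stmt)]


ACCOUNT = dict(Partition="aws", Region="us-east-1", Account="123456789012")  # constructed
POLICY = {"Version": "2012-10-17", "Statement": [  # constructed; two statements are broken
    {"Sid": "DenyRootOnNotebooks", "Effect": "Deny", "Resource": "*",
     "Action": "sagemaker:UpdateNotebookInstance",
     # RootAccess is listed for this action; "Enabled"/"Disabled" are the API's values
     "Condition": {"StringNotEquals": {"sagemaker:RootAccess": "Disabled"}}},
    {"Sid": "TrainingJobOps", "Effect": "Allow",
     "Action": ["sagemaker:UpdateTrainingJob", "sagemaker:StopTrainingJob"],
     "Resource": render_arn("training-job", TrainingJobName="*", **ACCOUNT),
     # BUG: StopTrainingJob lists no EnableRemoteDebug key, so it is never allowed here
     "Condition": {"Bool": {"sagemaker:EnableRemoteDebug": "false"}}},
    {"Sid": "PinTargetModel", "Effect": "Deny",
     "Action": ["sagemaker:InvokeEndpoint", "sagemaker:InvokeEndpointAsync"],
     "Resource": render_arn("endpoint", EndpointName="fraud-scoring", **ACCOUNT),
     # BUG: TargetModel is listed only for InvokeEndpoint; the async variant is not denied
     "Condition": {"StringNotEquals": {"sagemaker:TargetModel": "fraud-v7.tar.gz"}}},
    {"Sid": "ApprovalWorkflow", "Effect": "Allow", "Resource": "*",
     "Action": "sagemaker:UpdateModelPackage",
     # OK: the status key, a ${MetadataKey} instance and a resource tag key are all supported
     "Condition": {"StringEquals": {"sagemaker:ModelApprovalStatus": "PendingManualApproval",
                                    "sagemaker:CustomerMetadataProperties/team": "risk",
                                    "aws:ResourceTag/env": "prod"}}},
]}

if __name__ == "__main__":
    for finding in lint_policy(POLICY):
        print("FINDING:", finding)
```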

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by a key that is present in the request the user makes to the SageMaker service String
aws:ResourceTag/${TagKey} Filters access by a tag key and value pair String
aws:TagKeys Filters access by the list of all the tag key names associated with the resource in the request ArrayOfString
sagemaker:AcceleratorTypes Filters access by the list of all accelerator types associated with the resource in the request ArrayOfString
sagemaker:AppNetworkAccessType Filters access by the app network access type associated with the resource in the request String
sagemaker:CustomerMetadataProperties/${MetadataKey} Filters access by a metadata key and value pair String
sagemaker:CustomerMetadataPropertiesToRemove Filters access by the list of metadata properties associated with the model-package resource in the request ArrayOfString
sagemaker:DirectInternetAccess Filters access by the direct internet access associated with the resource in the request String
sagemaker:DomainId This context key is included in some requests sent from SageMaker Studio. You can use the domainId as a policy variable to filter requests from specific SageMaker Domains String
sagemaker:DomainSharingOutputKmsKey Filters access by the Domain sharing output KMS key associated with the resource in the request ARN
sagemaker:EnableRemoteDebug Filters access by the remote debug config in the request Bool
sagemaker:FeatureGroupDisableGlueTableCreation Filters access by the DisableGlueTableCreation flag associated with the feature group resource in the request Bool
sagemaker:FeatureGroupEnableOnlineStore Filters access by the EnableOnlineStore flag associated with feature group in the request Bool
sagemaker:FeatureGroupOfflineStoreConfig Filters access by the presence of an OfflineStoreConfig in the feature group resource in the request. This access filter only supports the null-conditional operator Bool
sagemaker:FeatureGroupOfflineStoreKmsKey Filters access by the offline store KMS key associated with the feature group resource in the request ARN
sagemaker:FeatureGroupOfflineStoreS3Uri Filters access by the offline store S3 URI associated with the feature group resource in the request String
sagemaker:FeatureGroupOnlineStoreKmsKey Filters access by the online store KMS key associated with the feature group resource in the request ARN
sagemaker:FileSystemAccessMode Filters access by a file system access mode associated with the resource in the request String
sagemaker:FileSystemDirectoryPath Filters access by a file system directory path associated with the resource in the request String
sagemaker:FileSystemId Filters access by a file system ID associated with the resource in the request String
sagemaker:FileSystemType Filters access by a file system type associated with the resource in the request String
sagemaker:HomeEfsFileSystemKmsKey Filters access by a key that is present in the request the user makes to the SageMaker service. This key is deprecated. It has been replaced by sagemaker:VolumeKmsKey ARN
sagemaker:ImageArns Filters access by the list of all image arns associated with the resource in the request ArrayOfARN
sagemaker:ImageVersionArns Filters access by the list of all image version arns associated with the resource in the request ArrayOfARN
sagemaker:InstanceTypes Filters access by the list of all instance types associated with the resource in the request ArrayOfString
sagemaker:InterContainerTrafficEncryption Filters access by the inter container traffic encryption associated with the resource in the request Bool
sagemaker:KeepAlivePeriod Filters access by the keep-alive period associated with the resource in the request Numeric
sagemaker:MaxRuntimeInSeconds Filters access by the max runtime in seconds associated with the resource in the request Numeric
sagemaker:MinimumInstanceMetadataServiceVersion Filters access by the minimum instance metadata service version used by the resource in the request String
sagemaker:ModelApprovalStatus Filters access by the model approval status with the model-package in the request String
sagemaker:ModelArn Filters access by the model arn associated with the resource in the request ARN
sagemaker:NetworkIsolation Filters access by the network isolation associated with the resource in the request Bool
sagemaker:OutputKmsKey Filters access by the output kms key associated with the resource in the request ARN
sagemaker:OwnerUserProfileArn Filters access by the OwnerUserProfile arn associated with the space in the request ARN
sagemaker:ResourceTag/ Filters access by the preface string for a tag key and value pair attached to a resource String
sagemaker:ResourceTag/${TagKey} Filters access by a tag key and value pair String
sagemaker:RootAccess Filters access by the root access associated with the resource in the request String
sagemaker:SearchVisibilityCondition/${FilterKey} Limits the results of your search request to the resources that you can access. ${FilterKey} is a key that the VisibilityConditions configuration presents in the Search request String
sagemaker:ServerlessMaxConcurrency Filters access by limiting maximum concurrency used for Serverless inference in the request Numeric
sagemaker:ServerlessMemorySize Filters access by limiting memory size used for Serverless inference in the request Numeric
sagemaker:SpaceSharingType Filters access by the sharing type associated with the space in the request String
sagemaker:TaggingAction Filters access by the API actions to which a user can apply tags. Uses the name of the API operation that creates a taggable resource to filter access String
sagemaker:TargetModel Filters access by the target model associated with the Multi-Model Endpoint in the request String
sagemaker:UserProfileName This context key is included in some requests sent from SageMaker Studio. You can use the UserProfileName as a policy variable to filter requests from specific user profiles within a SageMaker Domain String
sagemaker:VolumeKmsKey Filters access by the volume kms key associated with the resource in the request ARN
sagemaker:VpcSecurityGroupIds Filters access by the list of all VPC security group ids associated with the resource in the request ArrayOfString
sagemaker:VpcSubnets Filters access by the list of all VPC subnets associated with the resource in the request ArrayOfString
sagemaker:WorkteamArn Filters access by the workteam ARN associated with the request ARN
sagemaker:WorkteamType Filters access by the workteam type associated with the request. This can be public-crowd, private-crowd or vendor-crowd String
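The keys above are only useful once they are wired into a policy, and the subtle part is operator choice: a Bool or StringEquals condition does not match when the API call omits the key, ForAllValues matches vacuously on an absent key, and a multivalued key such as sagemaker:VpcSubnets needs a ForAnyValue/ForAllValues set operator. The following added example (not AWS code or part of this reference) writes a guardrail policy of Deny statements over sagemaker:DirectInternetAccess, sagemaker:VpcSubnets, sagemaker:VolumeKmsKey and sagemaker:InterContainerTrafficEncryption, then evaluates it against constructed request contexts with a minimal evaluator for just the operators the policy uses. The subnet IDs, KMS key ARN and account number are made up; the evaluator is an illustration of the documented operator semantics, not a replacement for the IAM policy simulator.

```python
"""Guardrail policy built from SageMaker condition keys plus a minimal evaluator
for the IAM condition operators it uses. Constructed example, not AWS code."""
import fnmatch

GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Notebook instances must not have a direct internet route
            "Sid": "DenyDirectInternetOnNotebooks",
            "Effect": "Deny",
            "Action": "sagemaker:CreateNotebookInstance",
            "Resource": "*",
            "Condition": {"StringEquals": {"sagemaker:DirectInternetAccess": "Enabled"}},
        },
        {   # Training jobs must attach to a VPC: Null catches the omitted VpcConfig
            "Sid": "DenyTrainingWithoutVpc",
            "Effect": "Deny",
            "Action": "sagemaker:CreateTrainingJob",
            "Resource": "*",
            "Condition": {"Null": {"sagemaker:VpcSubnets": "true"}},
        },
        {   # ...and every subnet must be on the approved list (ForAnyValue + Not)
            "Sid": "DenyUnapprovedSubnets",
            "Effect": "Deny",
            "Action": "sagemaker:CreateTrainingJob",
            "Resource": "*",
            "Condition": {"ForAnyValue:StringNotEquals": {
                "sagemaker:VpcSubnets": ["subnet-0a1b2c3d", "subnet-0e4f5a6b"]}},  # hypothetical IDs
        },
        {   # Volumes must be encrypted with a customer-managed key
            "Sid": "DenyVolumesWithoutCmk",
            "Effect": "Deny",
            "Action": ["sagemaker:CreateTrainingJob", "sagemaker:CreateNotebookInstance"],
            "Resource": "*",
            "Condition": {"Null": {"sagemaker:VolumeKmsKey": "true"}},
        },
        {   # Bool only fires when the key is present; an absent key slips through
            "Sid": "DenyPlaintextInterContainerTraffic",
            "Effect": "Deny",
            "Action": "sagemaker:CreateTrainingJob",
            "Resource": "*",
            "Condition": {"Bool": {"sagemaker:InterContainerTrafficEncryption": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_single(op, actual, expected):
    """Single-value semantics for the operators this policy uses."""
    if op in ("StringEquals", "ArnEquals"):
        return actual == expected
    if op == "StringNotEquals":
        return actual != expected
    if op == "StringLike":
        return fnmatch.fnmatchcase(actual, expected)
    if op == "Bool":
        return str(actual).lower() == expected.lower()
    raise ValueError(f"unsupported operator {op}")


def _condition_matches(op, key, expected_values, context):
    """Evaluate one (operator, key) pair against the request context."""
    if op == "Null":  # "true" means the key must be absent from the request
        return (key not in context) == (expected_values[0].lower() == "true")
    set_prefix, base_op = op.split(":", 1) if ":" in op else ("", op)
    if_exists = base_op.endswith("IfExists")
    base_op = base_op.removesuffix("IfExists")
    if key not in context:
        # Absent key: ForAllValues is vacuously true, IfExists is true, others false
        return set_prefix == "ForAllValues" or if_exists
    negated = "Not" in base_op

    def hit(actual):  # negated operators must hold against every listed value
        results = [_match_single(base_op, actual, e) for e in expected_values]
        return all(results) if negated else any(results)

    hits = [hit(a) for a in _as_list(context[key])]
    if set_prefix == "ForAllValues":
        return all(hits)
    if set_prefix == "ForAnyValue":
        return any(hits)
    return hits[0]  # single-valued key


def denying_statements(policy, action, context):
    """Return the Sids of Deny statements whose Action and Condition both match."""
    denied = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if all(_condition_matches(op, key, _as_list(exp), context)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, exp in pairs.items()):
            denied.append(stmt["Sid"])
    return denied


# Constructed request contexts (the condition-key values SageMaker would supply).
CMK = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
COMPLIANT_TRAINING = {"sagemaker:VpcSubnets": ["subnet-0a1b2c3d"], "sagemaker:VolumeKmsKey": CMK,
                      "sagemaker:InterContainerTrafficEncryption": True}
ROGUE_TRAINING = {"sagemaker:VpcSubnets": ["subnet-0a1b2c3d", "subnet-0bad0bad"],
                  "sagemaker:InterContainerTrafficEncryption": False}
NO_VPC_TRAINING = {"sagemaker:VolumeKmsKey": CMK}
PUBLIC_NOTEBOOK = {"sagemaker:DirectInternetAccess": "Enabled"}

if __name__ == "__main__":
    for name, action, ctx in [("compliant", "sagemaker:CreateTrainingJob", COMPLIANT_TRAINING),
                              ("rogue", "sagemaker:CreateTrainingJob", ROGUE_TRAINING),
                              ("no-vpc", "sagemaker:CreateTrainingJob", NO_VPC_TRAINING),
                              ("public-nb", "sagemaker:CreateNotebookInstance", PUBLIC_NOTEBOOK)]:
        print(name, denying_statements(GUARDRAIL_POLICY, action, ctx))
```

Note what the no-vpc case shows: the request omits sagemaker:InterContainerTrafficEncryption, so the Bool statement does not fire even though traffic would be unencrypted; pair every Bool or String guard with a Null statement (as done for VpcSubnets and VolumeKmsKey) when the absence of a setting is itself the risk.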