本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
SageMakerStudioUserIAMDefaultExecutionPolicy
描述:在 SageMaker Unified Studio 中使用 IAM 角色的执行策略。允许用户访问本地账户中的资源(不包括对数据资源的访问权限),以便基于 IAM 使用 Uni SageMaker fied Studio。
SageMakerStudioUserIAMDefaultExecutionPolicy 是一项 AWS 托管式策略。
使用此策略
您可以将 SageMakerStudioUserIAMDefaultExecutionPolicy 附加到您的用户、组和角色。
策略详细信息
-
类型: AWS 托管策略
-
创建时间:世界标准时间 2025 年 8 月 18 日 17:19
-
编辑时间:世界标准时间 2025 年 8 月 26 日 21:34
-
ARN:
arn:aws:iam::aws:policy/SageMakerStudioUserIAMDefaultExecutionPolicy
策略版本
策略版本:v2(默认)
此策略的默认版本是定义策略权限的版本。当使用该策略的用户或角色请求访问 AWS 资源时, AWS 会检查策略的默认版本以确定是否允许该请求。
JSON 策略文档
{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "DataZone", "Effect" : "Allow", "Action" : [ "datazone:CreateAsset*", "datazone:CreateConnection", "datazone:CreateProject", "datazone:DeleteAsset*", "datazone:DeleteConnection", "datazone:DeleteProject", "datazone:Get*", "datazone:List*", "datazone:PostLineageEvent", "datazone:Search", "datazone:SearchListings", "datazone:SearchUserProfiles", "datazone:UpdateAssetFilter", "datazone:UpdateConnection", "datazone:UpdateProject" ], "Resource" : "*" }, { "Sid" : "IamSts", "Effect" : "Allow", "Action" : [ "iam:GetRole", "iam:ListRoles", "sts:AssumeRole" ], "Resource" : "*" }, { "Sid" : "CreateSLR", "Effect" : "Allow", "Action" : "iam:CreateServiceLinkedRole", "Resource" : [ "arn:aws:iam::*:role/aws-service-role/neptune-graph.amazonaws.com/AWSServiceRoleForNeptuneGraph", "arn:aws:iam::*:role/aws-service-role/redshift.amazonaws.com/AWSServiceRoleForRedshift", "arn:aws:iam::*:role/aws-service-role/sagemaker.amazonaws.com/AWSServiceRoleForAmazonSageMakerNotebooks", "arn:aws:iam::*:role/aws-service-role/ops.emr-serverless.amazonaws.com/AWSServiceRoleForAmazonEMRServerless", "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA", "arn:aws:iam::*:role/aws-service-role/elasticmapreduce.amazonaws.com/AWSServiceRoleForEMRCleanup", "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint", "arn:aws:iam::*:role/aws-service-role/observability.aoss.amazonaws.com/AWSServiceRoleForAmazonOpenSearchServerless" ] }, { "Sid" : "TagSession", "Effect" : "Allow", "Action" : "sts:TagSession", "Resource" : "*", "Condition" : { "ForAllValues:StringLike" : { "aws:TagKeys" : [ "AmazonDataZone*" ] } } }, { "Sid" : "SourceIdentity", "Effect" : "Allow", "Action" : "sts:SetSourceIdentity", "Resource" : "*", "Condition" : { "StringLike" : { "sts:SourceIdentity" : "${aws:PrincipalTag/datazone:userId}" } } }, { "Sid" : "Q", "Effect" : "Allow", "Action" : [ "glue:StartCompletion", "q:Get*", "q:List*", "q:PassRequest", "q:SendMessage", "q:StartConversation" ], "Resource" : "*" }, { "Sid" : "SSM", "Effect" : "Allow", "Action" : [ "ssm:GetParameter*" ], "Resource" : [ "arn:aws:ssm:*:*:parameter/amazon/datazone/q*", "arn:aws:ssm:*:*:parameter/amazon/datazone/genAI/*", "arn:aws:ssm:*::parameter/aws/service/sagemaker-distribution/*" ] }, { "Sid" : "SageMakerUserTagPermissions", "Effect" : "Allow", "Action" : [ "sagemaker:CreatePresignedDomainUrl", "sagemaker:CreateUserProfile", "sagemaker:DeleteUserProfile" ], "Resource" : "arn:aws:sagemaker:*:*:user-profile/*", "Condition" : { "StringEquals" : { "aws:ResourceTag/AmazonDataZoneUser" : "${aws:PrincipalTag/datazone:userId}" } } }, { "Sid" : "SageMakerPrivateSpace", "Effect" : "Allow", "Action" : [ "sagemaker:CreateApp", "sagemaker:CreateSpace", "sagemaker:DeleteApp", "sagemaker:DeleteSpace", "sagemaker:UpdateSpace" ], "Resource" : [ "arn:aws:sagemaker:*:*:space/*", "arn:aws:sagemaker:*:*:app/*" ], "Condition" : { "StringEquals" : { "aws:ResourceTag/AmazonDataZoneUser" : "${aws:PrincipalTag/datazone:userId}", "sagemaker:SpaceSharingType" : [ "Private" ] } } }, { "Sid" : "ResourceGroupsPermissions", "Effect" : "Allow", "Action" : [ "resource-groups:GetGroupQuery", "resource-groups:ListGroupResources" ], "Resource" : "*" }, { "Sid" : "SageMakerPermissions", "Effect" : "Allow", "Action" : [ "sagemaker:Batch*", "sagemaker:Describe*", "sagemaker:List*", "sagemaker:Search", "sagemaker:*Endpoint*", "sagemaker:*Model*", "sagemaker:*InferenceComponent*", "sagemaker:*Job*" ], "Resource" : "*" }, { "Sid" : "SageMakerTagPermissions", "Effect" : "Allow", "Action" : [ "sagemaker:AddTags", "sagemaker:DeleteTags" ], "Resource" : "*", "Condition" : { "ForAllValues:StringNotLike" : { "aws:TagKeys" : [ "AmazonDataZone*", "sagemaker:shared-with:*" ] }, "ForAllValues:StringLike" : { "aws:TagKeys" : [ "ProjectUserTag*", "sagemaker*", "sm-jumpstart*", "endpoint-has-jumpstart-model" ] } } }, { "Sid" : "LogsAndMetrics", "Effect" : "Allow", "Action" : [ "cloudwatch:PutMetricData", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:Describe*", "logs:Get*", "logs:PutLogEvents", "logs:StopQuery" ], "Resource" : "*" }, { "Sid" : "Glue", "Effect" : "Allow", "Action" : [ "glue:CancelStatement", "glue:CreateSession", "glue:DeleteSession", "glue:CreateCatalog", "glue:Describe*", "glue:Get*", "glue:List*", "glue:NotifyEvent", "glue:RunStatement", "glue:StartCompletion", "glue:StopSession", "glue:UseGlueStudio", "glue:TagResource", "glue:*Job*" ], "Resource" : "*" }, { "Sid" : "GlueDatabase", "Effect" : "Allow", "Action" : [ "glue:*" ], "Resource" : [ "arn:aws:glue:*:*:database/*", "arn:aws:glue:*:*:table/*", "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:catalog/*" ] }, { "Sid" : "GlueLakeFormation", "Effect" : "Allow", "Action" : [ "glue:*" ], "Resource" : "*", "Condition" : { "StringEquals" : { "glue:LakeFormationPermissions" : "Enabled" } } }, { "Sid" : "LFAccess", "Effect" : "Allow", "Action" : [ "lakeformation:DescribeResource", "lakeformation:GetDataAccess", "lakeformation:ListResources" ], "Resource" : "*" }, { "Sid" : "SQLWorkBench", "Effect" : "Allow", "Action" : [ "sqlworkbench:*" ], "Resource" : "*" }, { "Sid" : "RedshiftData", "Effect" : "Allow", "Action" : "redshift-data:*", "Resource" : "*", "Condition" : { "StringEquals" : { "redshift-data:statement-owner-iam-userid" : "${aws:userid}" } } }, { "Sid" : "RedShiftActions", "Effect" : "Allow", "Action" : [ "redshift-data:BatchExecuteStatement", "redshift-data:Describe*", "redshift-data:ExecuteStatement", "redshift-data:List*", "redshift-serverless:GetManagedWorkgroup", "redshift-serverless:GetNamespace", "redshift-serverless:GetWorkgroup", "redshift-serverless:List*", "redshift:Describe*" ], "Resource" : "*" }, { "Sid" : "Bedrock", "Effect" : "Allow", "Action" : "bedrock:*", "Resource" : "*" }, { "Sid" : "PassRole", "Effect" : "Allow", "Action" : [ "iam:PassRole" ], "Resource" : "arn:aws:iam::*:role/${aws:PrincipalTag/AmazonDataZonePassedRolePath}", "Condition" : { "StringEquals" : { "iam:PassedToService" : [ "bedrock.amazonaws.com", "glue.amazonaws.com", "lakeformation.amazonaws.com", "sagemaker.amazonaws.com", "scheduler.amazonaws.com" ], "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "S3List", "Effect" : "Allow", "Action" : [ "s3:GetBucketAcl", "s3:List*" ], "Resource" : "*" }, { "Sid" : "S3CrossAccount", "Effect" : "Allow", "Action" : [ "s3:GetObject*" ], "Resource" : "*", "Condition" : { "StringNotEquals" : { "aws:ResourceAccount" : "${aws:PrincipalAccount}" } } }, { "Sid" : "Scheduler", "Effect" : "Allow", "Action" : [ "scheduler:CreateSchedule", "scheduler:DeleteSchedule", "scheduler:Get*", "scheduler:List*", "scheduler:UpdateSchedule" ], "Resource" : "*" }, { "Sid" : "FederatedConn", "Effect" : "Allow", "Action" : [ "dynamodb:List*", "dynamodb:Describe*", "dynamodb:Scan", "dynamodb:PartiQLSelect", "dynamodb:Query", "secretsmanager:ListSecrets" ], "Resource" : "*" }, { "Sid" : "Athena", "Effect" : "Allow", "Action" : [ "athena:BatchGet*", "athena:CreateNamedQuery", "athena:CreateNotebook", "athena:CreatePreparedStatement", "athena:CreatePresignedNotebookUrl", "athena:DeleteNamedQuery", "athena:DeleteNotebook", "athena:DeletePreparedStatement", "athena:ExportNotebook", "athena:Get*", "athena:ImportNotebook", "athena:List*", "athena:StartCalculationExecution", "athena:StartQueryExecution", "athena:StartSession", "athena:StopCalculationExecution", "athena:StopQueryExecution", "athena:TerminateSession", "athena:UpdateNamedQuery", "athena:UpdateNotebook", "athena:UpdateNotebookMetadata", "athena:UpdatePreparedStatement" ], "Resource" : "*" }, { "Sid" : "PrivateSecret", "Effect" : "Allow", "Action" : [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:ResourceTag/AmazonDataZoneProject" : "${datazone:projectId}" } } }, { "Sid" : "SharedSecret", "Effect" : "Allow", "Action" : [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:ResourceTag/for-use-with-all-datazone-projects" : "true" } } }, { "Sid" : "GenerateRecommendations", "Effect" : "Allow", "Action" : [ "codewhisperer:GenerateRecommendations" ], "Resource" : "*" }, { "Sid" : "Ecr", "Effect" : "Allow", "Action" : [ "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:DescribeImages", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer" ], "Resource" : "*" } ] }
了解更多信息
