1 Answer
1
A user with admin privileges would have access to the "iam:CreateServiceLinkedRole" and "sagemaker:CreateDomain" actions, unless SCPs or permissions boundaries are involved. However, for the purpose of onboarding Amazon SageMaker Studio with limited permissions, I would grant the user least privilege by reviewing the "Control Access to the Amazon SageMaker API by Using Identity-based Policies" and "Actions, Resources, and Condition Keys for Amazon SageMaker" documentation:
{
    "Effect": "Allow",
    "Action": "sagemaker:CreateDomain",
    "Resource": "arn:aws:sagemaker:<REGION>:<ACCOUNT-ID>:domain/*"
}
NOTE: An AWS account is limited to one Domain per region; see CreateDomain.
{
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "iam:AWSServiceName": "sagemaker.amazonaws.com"
        }
    }
}
Cheers!
answered 4 years ago
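An added example, not part of the answer above: a small policy lint that flags any Allow statement granting `iam:CreateServiceLinkedRole` without pinning `iam:AWSServiceName` to `sagemaker.amazonaws.com`, as the answer's second statement does. The sample policy, region, account ID and function names are constructed for illustration, and the check assumes policies that use `Action` (not `NotAction`) and plain `StringEquals`/`StringLike` operators.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: the answer's two statements wrapped in a policy document,
# plus a third, deliberately unconditioned statement for the check to catch.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sagemaker:CreateDomain",
   "Resource": "arn:aws:sagemaker:us-east-1:111122223333:domain/*"},
  {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
   "Condition": {"StringEquals": {"iam:AWSServiceName": "sagemaker.amazonaws.com"}}},
  {"Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole"], "Resource": "*"}
]}
""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def grants_slr(stmt):
    """True if an Allow statement's Action covers iam:CreateServiceLinkedRole, wildcards included."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatchcase("iam:createservicelinkedrole", a.lower())
               for a in as_list(stmt.get("Action", [])))

def pinned_services(stmt):
    """Values of iam:AWSServiceName under StringEquals/StringLike, or None if the key is absent."""
    found = []
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.lower() not in ("stringequals", "stringlike"):
            continue
        for key, value in keys.items():
            if key.lower() == "iam:awsservicename":
                found.extend(as_list(value))
    return found or None

def unscoped_slr_statements(policy, expected="sagemaker.amazonaws.com"):
    """Indexes of statements that allow service-linked role creation beyond `expected`."""
    bad = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if not grants_slr(stmt):
            continue
        services = pinned_services(stmt)
        if services is None or any(s != expected for s in services):
            bad.append(i)
    return bad

if __name__ == "__main__":
    print(unscoped_slr_statements(POLICY))
```
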