1 Answer
1
A user with admin privileges would have access to "iam:CreateServiceLinkedRole" and "sagemaker:CreateDomain" actions, unless SCPs or permissions boundaries are involved. However, for the purpose of onboarding Amazon SageMaker Studio with limited permissions, I would grant the user least privilege by reviewing Control Access to the Amazon SageMaker API by Using Identity-based Policies and Actions, Resources, and Condition Keys for Amazon SageMaker documentation:
```json
{
  "Effect": "Allow",
  "Action": "sagemaker:CreateDomain",
  "Resource": "arn:aws:sagemaker:<REGION>:<ACCOUNT-ID>:domain/*"
}
```
NOTE: An AWS account is limited to one Domain, per region, see CreateDomain.
```json
{
  "Effect": "Allow",
  "Action": "iam:CreateServiceLinkedRole",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "iam:AWSServiceName": "sagemaker.amazonaws.com"
    }
  }
}
```
Cheers!
Answered 4 years ago
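The two statements from the answer above, combined into one policy document and run through a small least-privilege check. This is an added example, not part of the original answer or of any AWS tooling; `lint_policy` and `as_list` are hypothetical helper names, and the `Version` wrapper and the check rules are assumptions made for illustration.

```python
import json

# Constructed sample: the answer's two statements combined into one policy.
# <REGION> and <ACCOUNT-ID> are the answer's placeholders, left unfilled.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": "sagemaker:CreateDomain",
     "Resource": "arn:aws:sagemaker:<REGION>:<ACCOUNT-ID>:domain/*"},
    {"Effect": "Allow",
     "Action": "iam:CreateServiceLinkedRole",
     "Resource": "*",
     "Condition": {"StringEquals":
                   {"iam:AWSServiceName": "sagemaker.amazonaws.com"}}}
  ]
}
""")

def as_list(value):
    """IAM allows a single string or a list for Action and condition values."""
    return value if isinstance(value, list) else [value]

def lint_policy(policy, allowed_services=("sagemaker.amazonaws.com",)):
    """Hypothetical helper: list (statement index, finding) for over-broad Allows."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive in IAM.
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if any("*" in a for a in actions):
            findings.append((i, "wildcard in Action"))
        if "iam:createservicelinkedrole" in actions:
            equals = stmt.get("Condition", {}).get("StringEquals", {})
            # Condition key names are case-insensitive as well.
            services = [s for key, val in equals.items()
                        if key.lower() == "iam:awsservicename"
                        for s in as_list(val)]
            if not services:
                findings.append((i, "no StringEquals on iam:AWSServiceName"))
            elif any(s not in allowed_services for s in services):
                findings.append((i, "service-linked role for unexpected service"))
    return findings

if __name__ == "__main__":
    print(lint_policy(POLICY))  # → []
```

The check is deliberately conservative: a statement that scopes the service name with an operator other than `StringEquals` is still reported, so that it gets a manual review.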