1 answer
1
A user with admin privileges would have access to "iam:CreateServiceLinkedRole" and "sagemaker:CreateDomain" actions, unless SCPs or permissions boundaries are involved. However, for the purpose of onboarding Amazon SageMaker Studio with limited permissions, I would grant the user least privilege by reviewing the Control Access to the Amazon SageMaker API by Using Identity-based Policies and Actions, Resources, and Condition Keys for Amazon SageMaker documentation:
{
  "Effect": "Allow",
  "Action": "sagemaker:CreateDomain",
  "Resource": "arn:aws:sagemaker:<REGION>:<ACCOUNT-ID>:domain/*"
}
NOTE: An AWS account is limited to one Domain, per region, see CreateDomain.
{
  "Effect": "Allow",
  "Action": "iam:CreateServiceLinkedRole",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "iam:AWSServiceName": "sagemaker.amazonaws.com"
    }
  }
}
Cheers!
Answered 4 years ago
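To show what the two statements above actually permit and refuse once combined, here is an added example (not part of the answer or of any AWS tooling): a small, simplified IAM-style evaluator run over a policy document assembled from those statements. The region and account ID (us-east-1, 111122223333) are constructed placeholders standing in for <REGION> and <ACCOUNT-ID>, and the evaluator models only the Effect/Action/Resource wildcards and the StringEquals operator, which is all the onboarding policy uses.

```python
import fnmatch

# Constructed example: the two statements from the answer, assembled into one
# identity-based policy document. Region and account ID are placeholders.
ONBOARDING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sagemaker:CreateDomain",
            "Resource": "arn:aws:sagemaker:us-east-1:111122223333:domain/*",
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"iam:AWSServiceName": "sagemaker.amazonaws.com"}
            },
        },
    ],
}


def _as_list(value):
    """IAM lets Action/Resource/condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    """IAM-style wildcard match: '*' spans any characters (including ':' and '/')."""
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only StringEquals is modelled; any other operator fails closed."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            # A missing context key never satisfies StringEquals.
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified evaluation: explicit Deny wins, then any matching Allow, else implicit deny."""
    context = context or {}
    decision = "deny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = "allow"
    return decision == "allow"


if __name__ == "__main__":
    domain_arn = "arn:aws:sagemaker:us-east-1:111122223333:domain/d-example"
    slr_arn = "arn:aws:iam::111122223333:role/aws-service-role/sagemaker.amazonaws.com/example"
    print("CreateDomain in us-east-1:", is_allowed(ONBOARDING_POLICY, "sagemaker:CreateDomain", domain_arn))
    print("DeleteDomain:", is_allowed(ONBOARDING_POLICY, "sagemaker:DeleteDomain", domain_arn))
    print("SLR for sagemaker:", is_allowed(ONBOARDING_POLICY, "iam:CreateServiceLinkedRole", slr_arn,
                                          {"iam:AWSServiceName": "sagemaker.amazonaws.com"}))
    print("SLR for ec2:", is_allowed(ONBOARDING_POLICY, "iam:CreateServiceLinkedRole", slr_arn,
                                     {"iam:AWSServiceName": "ec2.amazonaws.com"}))
```

The point the evaluator makes visible is that the condition key, not the `"Resource": "*"`, is what keeps `iam:CreateServiceLinkedRole` narrow: the same request with a different `iam:AWSServiceName`, or with the key absent, is denied, and `sagemaker:CreateDomain` is only granted in the one region and account named in the ARN.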