1 個回答
- 最新
- 最多得票
- 最多評論
1
A user with admin privileges would have access to "iam:CreateServiceLinkedRole"
and "sagemaker:CreateDomain"
actions, unless SCPs or permissions boundaries are involved. However, for the purpose of onboarding Amazon SageMaker Studio with limited permissions, I would grant the user least privilege by reviewing Control Access to the Amazon SageMaker API by Using Identity-based Policies and Actions, Resources, and Condition Keys for Amazon SageMaker documentation:
{
"Effect": "Allow",
"Action": "sagemaker:CreateDomain",
"Resource": "arn:aws:sagemaker:<REGION>:<ACCOUNT-ID>:domain/*"
}
NOTE: An AWS account is limited to one Domain, per region, see CreateDomain.
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "sagemaker.amazonaws.com"
}
}
}
Cheers!
已回答 4 年前
相關內容
- 已提問 10 個月前
- AWS 官方已更新 6 個月前
- AWS 官方已更新 1 年前
- AWS 官方已更新 1 年前