What are the minimum permissions that I need for Amazon SageMaker?
Last updated: 2020-09-14
What AWS Identity and Access Management (IAM) permissions are required for using Amazon SageMaker?
Execution roles are IAM roles that give SageMaker permission to perform operations on your behalf. SageMaker can create an execution role for you in the console when you create a resource that requires one, such as a notebook instance. However, this execution role includes the AmazonSageMakerFullAccess policy by default. If you don't want to grant full access, create your own IAM role. Then, attach IAM policies to the role. The policies must include the permissions for the API actions that you plan to invoke with the execution role.
Required execution role permissions
You pass the execution role when you make the following API calls. Refer to the following links for the permissions that are required in the execution role’s IAM policies.
You must also attach a trust policy to the execution role. For more information, see SageMaker roles.
Required permissions for SageMaker API actions
If you plan to use the execution role to invoke other SageMaker actions, you must add those permissions to the execution role's IAM policies. For a list of permissions that are required for each API action, see Amazon SageMaker API permissions: actions, permissions, and resources reference.
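One way to check a custom execution role against the points above, shown as an added example rather than AWS code: it confirms that the trust policy lets SageMaker assume the role, flags the AmazonSageMakerFullAccess managed policy and wildcard action grants, and lists planned API actions that the policies do not yet allow. The function name `audit_execution_role` and the sample policy documents are assumptions constructed for illustration. The check ignores Deny statements, NotAction, and conditions.

```python
from fnmatch import fnmatchcase

FULL_ACCESS_ARN = "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"
SAGEMAKER_PRINCIPAL = "sagemaker.amazonaws.com"

def _as_list(value):
    # IAM accepts either a single string or a list in these fields.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _allow_statements(document):
    return [s for s in _as_list(document.get("Statement")) if s.get("Effect") == "Allow"]

def audit_execution_role(trust_policy, attached_arns, policy_documents, planned_actions):
    """Hypothetical helper: return findings for one execution role."""
    findings = []
    # Trust policy: the SageMaker service principal must be able to assume the role.
    trusted = False
    for stmt in _allow_statements(trust_policy):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if SAGEMAKER_PRINCIPAL in services and "sts:AssumeRole" in _as_list(stmt.get("Action")):
            trusted = True
    if not trusted:
        findings.append("trust: sagemaker.amazonaws.com cannot assume this role")
    # The console-created role attaches this managed policy by default.
    if FULL_ACCESS_ARN in attached_arns:
        findings.append("managed: AmazonSageMakerFullAccess is attached")
    # IAM action names are case-insensitive, so compare in lower case.
    granted = [a.lower() for d in policy_documents
               for s in _allow_statements(d) for a in _as_list(s.get("Action"))]
    for pattern in sorted(set(granted)):
        if "*" in pattern:
            findings.append(f"wildcard: {pattern}")
    # Every action you plan to invoke with the role must be allowed by some policy.
    for action in planned_actions:
        if not any(fnmatchcase(action.lower(), p) for p in granted):
            findings.append(f"missing: {action}")
    return findings

# Constructed sample documents, not taken from a real account.
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "sagemaker.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}
BROAD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["sagemaker:*", "s3:GetObject"], "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["sagemaker:CreateTrainingJob"], "Resource": "*"}]}
PLANNED = ["sagemaker:CreateTrainingJob", "sagemaker:DescribeTrainingJob"]

if __name__ == "__main__":
    for name, arns, docs in [("broad", [FULL_ACCESS_ARN], [BROAD]), ("scoped", [], [SCOPED])]:
        print(name, audit_execution_role(TRUST, arns, docs, PLANNED))
```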