Permissions for @turbot/aws-sagemaker
Taking a look at permissions and associated grant levels for each permission for SageMaker:
| Permission | Grant Level | Help |
|---|---|---|
| ec2:DescribeSecurityGroups | Metadata | |
| ec2:DescribeSubnets | Metadata | |
| ec2:DescribeVpcs | Metadata | |
| iam:ListRoles | Metadata | |
| iam:PassRole | Admin | Required to create SageMaker instances/models. |
| kms:ListAliases | Metadata | While creating NotebookInstance Amazon SageMaker uses it to encrypt data at rest on the ML storage volume which is attached to notebook instance |
| sagemaker:AddTags | Operator | |
| sagemaker:CreateCodeRepository | Admin | |
| sagemaker:CreateDomain | Admin | |
| sagemaker:CreateEndpoint | Admin | |
| sagemaker:CreateEndpointConfig | Admin | |
| sagemaker:CreateHyperParameterTuningJob | Admin | |
| sagemaker:CreateModel | Admin | |
| sagemaker:CreateNotebookInstance | Admin | |
| sagemaker:CreateNotebookInstanceLifecycleConfig | Admin | Admin can create lifecycle configuration for notebook instance. |
| sagemaker:CreatePresignedNotebookInstanceUrl | Admin | |
| sagemaker:CreateTrainingJob | Admin | |
| sagemaker:CreateTransformJob | Admin | |
| sagemaker:CreateUserProfile | Admin | |
| sagemaker:DeleteCodeRepository | Admin | |
| sagemaker:DeleteDomain | Admin | |
| sagemaker:DeleteEndpoint | Admin | |
| sagemaker:DeleteEndpointConfig | Admin | |
| sagemaker:DeleteModel | Admin | |
| sagemaker:DeleteNotebookInstance | Admin | |
| sagemaker:DeleteNotebookInstanceLifecycleConfig | Admin | |
| sagemaker:DeleteTags | Operator | |
| sagemaker:DeleteUserProfile | Admin | |
| sagemaker:DescribeEndpoint | Metadata | |
| sagemaker:DescribeEndpointConfig | Metadata | |
| sagemaker:DescribeHyperParameterTuningJob | Metadata | |
| sagemaker:DescribeModel | Metadata | |
| sagemaker:DescribeNotebookInstance | Metadata | |
| sagemaker:DescribeNotebookInstanceLifecycleConfig | Metadata | |
| sagemaker:DescribeTrainingJob | Metadata | |
| sagemaker:DescribeTransformJob | Metadata | |
| sagemaker:InvokeEndpoint | Operator | |
| sagemaker:ListEndpointConfigs | Metadata | |
| sagemaker:ListEndpoints | Metadata | |
| sagemaker:ListHyperParameterTuningJobs | Metadata | |
| sagemaker:ListModels | Metadata | |
| sagemaker:ListNotebookInstanceLifecycleConfigs | Metadata | |
| sagemaker:ListNotebookInstances | Metadata | |
| sagemaker:ListTags | Metadata | |
| sagemaker:ListTrainingJobs | Metadata | |
| sagemaker:ListTrainingJobsForHyperParameterTuningJob | Metadata | |
| sagemaker:ListTransformJobs | Metadata | |
| sagemaker:StartNotebookInstance | Operator | |
| sagemaker:StopHyperParameterTuningJob | Operator | Operators can stop a running hyperparameter tuning job and all running training jobs that this hyperparameter tuning job launched |
| sagemaker:StopNotebookInstance | Operator | |
| sagemaker:StopTrainingJob | Operator | |
| sagemaker:StopTransformJob | Operator | |
| sagemaker:UpdateCodeRepository | Admin | |
| sagemaker:UpdateDomain | Admin | |
| sagemaker:UpdateEndpoint | Admin | |
| sagemaker:UpdateEndpointWeightsAndCapacities | Admin | |
| sagemaker:UpdateNotebookInstance | Admin | |
| sagemaker:UpdateNotebookInstanceLifecycleConfig | Admin |