Actions, resources, and condition keys for Amazon SageMaker - Service Authorization Reference

Actions, resources, and condition keys for Amazon SageMaker

Amazon SageMaker (service prefix: sagemaker ) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon SageMaker

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table .

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AddAssociation Grants permission to associate a lineage entity (artifact, context, action, experiment, experiment-trial-component) to another. Write

action*

artifact*

context*

experiment*

experiment-trial-component*

AddTags Adds or overwrites one or more tags for the specified Amazon SageMaker resource. Tagging

action

algorithm

app

app-image-config

artifact

automl-job

code-repository

context

data-quality-job-definition

device

device-fleet

domain

edge-packaging-job

endpoint

endpoint-config

experiment

experiment-trial

experiment-trial-component

feature-group

flow-definition

human-task-ui

hyper-parameter-tuning-job

image

labeling-job

model

model-bias-job-definition

model-explainability-job-definition

model-package

model-package-group

model-quality-job-definition

monitoring-schedule

notebook-instance

pipeline

processing-job

project

training-job

transform-job

user-profile

workteam

aws:RequestTag/${TagKey}

aws:TagKeys

AssociateTrialComponent Associate a trial component with a trial. Write

experiment-trial*

experiment-trial-component*

BatchGetMetrics [permission only] Retrieve metrics associated with SageMaker Resources such as Training Jobs. This API is not publicly exposed at this point, however admins can control this action Read

training-job*

BatchPutMetrics [permission only] Publish metrics associated with a SageMaker Resource such as a Training Job. This API is not publicly exposed at this point, however admins can control this action Write

training-job*

CreateAction Grants permission to create an action. Write

action*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateAlgorithm Grants permission to create an algorithm. Write

algorithm*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateApp Grants permission to create an App for a SageMaker Studio UserProfile Write

app*

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:ImageArns

sagemaker:ImageVersionArns

CreateAppImageConfig Grants permission to create an AppImageConfig Write

app-image-config*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateArtifact Grants permission to create an artifact. Write

artifact*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateAutoMLJob Creates automl job. Write

automl-job*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InterContainerTrafficEncryption

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateCodeRepository Grants permission to create a CodeRepository. Write

code-repository*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateCompilationJob Create a compilation job. Write

compilation-job*

iam:PassRole

CreateContext Grants permission to create a context. Write

context*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDataQualityJobDefinition Grants permission to create a data quality job definition. Write

data-quality-job-definition*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateDeviceFleet Grants permission to create a device fleet Write

device-fleet*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDomain Grants permission to create a Domain for SageMaker Studio Write

domain*

iam:CreateServiceLinkedRole

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:AppNetworkAccessType

sagemaker:InstanceTypes

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

sagemaker:DomainSharingOutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:ImageArns

sagemaker:ImageVersionArns

CreateEdgePackagingJob Grants permission to create an edge packaging job Write

edge-packaging-job*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

CreateEndpoint Creates an endpoint using the endpoint configuration specified in the request. Write

endpoint*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateEndpointConfig Creates an endpoint configuration that can be deployed using Amazon SageMaker hosting services. Write

endpoint-config*

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:AcceleratorTypes

sagemaker:InstanceTypes

sagemaker:ModelArn

sagemaker:VolumeKmsKey

CreateExperiment Create an experiment. Write

experiment*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateFeatureGroup Creates feature group. Write

feature-group*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:FeatureGroupOnlineStoreKmsKey

sagemaker:FeatureGroupOfflineStoreKmsKey

sagemaker:FeatureGroupOfflineStoreS3Uri

CreateFlowDefinition Creates a flow definition, which defines settings for a human workflow. Write

flow-definition*

iam:PassRole

sagemaker:WorkteamArn

sagemaker:WorkteamType

aws:RequestTag/${TagKey}

aws:TagKeys

CreateHumanTaskUi Defines the settings you will use for the human review workflow user interface. Write

human-task-ui*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateHyperParameterTuningJob Creates hyper parameter tuning job that can be deployed using Amazon SageMaker. Write

hyper-parameter-tuning-job*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:FileSystemAccessMode

sagemaker:FileSystemDirectoryPath

sagemaker:FileSystemId

sagemaker:FileSystemType

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateImage Grants permissions to create a SageMaker Image. Write

image*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

CreateImageVersion Grants permissions to create a SageMaker ImageVersion. Write

image*

CreateLabelingJob Starts a labeling job. A labeling job takes unlabeled data in and produces labeled data as output, which can be used for training SageMaker models. Write

labeling-job*

iam:PassRole

sagemaker:WorkteamArn

sagemaker:WorkteamType

sagemaker:VolumeKmsKey

sagemaker:OutputKmsKey

aws:RequestTag/${TagKey}

aws:TagKeys

CreateModel Creates a model in Amazon SageMaker. In the request, you specify a name for the model and describe one or more containers. Write

model*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:NetworkIsolation

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateModelBiasJobDefinition Grants permission to create a model bias job definition. Write

model-bias-job-definition*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateModelExplainabilityJobDefinition Grants permission to create a model explainability job definition. Write

model-explainability-job-definition*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateModelPackage Grants permission to create a ModelPackage. Write

model-package

model-package-group

aws:RequestTag/${TagKey}

aws:TagKeys

CreateModelPackageGroup Grants permission to create a ModelPackageGroup. Write

model-package-group*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateModelQualityJobDefinition Grants permission to create a model quality job definition. Write

model-quality-job-definition*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateMonitoringSchedule Grants permission to create a monitoring schedule. Write

monitoring-schedule*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateNotebookInstance Creates an Amazon SageMaker notebook instance. A notebook instance is an Amazon EC2 instance running on a Jupyter Notebook. Write

notebook-instance*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:AcceleratorTypes

sagemaker:DirectInternetAccess

sagemaker:InstanceTypes

sagemaker:RootAccess

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateNotebookInstanceLifecycleConfig Creates an notebook instance lifecycle configuration that can be deployed using Amazon SageMaker. Write

notebook-instance-lifecycle-config*

CreatePipeline Grants permission to create a pipeline. Write

pipeline*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

CreatePresignedDomainUrl Grants permission to return a URL that you can use from your browser to connect to the Domain as a specified UserProfile when AuthMode is 'IAM' Write

user-profile*

aws:SourceIp

aws:SourceVpc

aws:SourceVpce

CreatePresignedNotebookInstanceUrl Returns a URL that you can use from your browser to connect to the Notebook Instance. Write

notebook-instance*

CreateProcessingJob Starts a processing job. After processing completes, Amazon SageMaker saves the resulting artifacts and other optional output to an Amazon S3 location that you specify. Write

processing-job*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

sagemaker:InterContainerTrafficEncryption

CreateProject Grants permission to create a Project. Write

project*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateTrainingJob Starts a model training job. After training completes, Amazon SageMaker saves the resulting model artifacts and other optional output to an Amazon S3 location that you specify. Write

training-job*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:FileSystemAccessMode

sagemaker:FileSystemDirectoryPath

sagemaker:FileSystemId

sagemaker:FileSystemType

sagemaker:InstanceTypes

sagemaker:InterContainerTrafficEncryption

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

CreateTransformJob Starts a transform job. After the results are obtained, Amazon SageMaker saves them to an Amazon S3 location that you specify. Write

transform-job*

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:ModelArn

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

CreateTrial Create a trial. Write

experiment-trial*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateTrialComponent Create a trial component. Write

experiment-trial-component*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateUserProfile Grants permission to create a UserProfile for a SageMaker Studio Domain Write

user-profile*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:VpcSecurityGroupIds

sagemaker:InstanceTypes

sagemaker:DomainSharingOutputKmsKey

sagemaker:ImageArns

sagemaker:ImageVersionArns

CreateWorkforce Create a workforce. Write

workforce*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateWorkteam Create a workteam. Write

workteam*

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteAction Grants permission to delete an action. Write

action*

DeleteAlgorithm Grants permission to delete an algorithm. Write

algorithm*

DeleteApp Grants permission to delete an App Write

app*

DeleteAppImageConfig Grants permission to delete an AppImageConfig Write

app-image-config*

DeleteArtifact Grants permission to delete an artifact. Write

artifact*

DeleteAssociation Grants permission to delete the association from a lineage entity (artifact, context, action, experiment, experiment-trial-component) to another. Write

action*

artifact*

context*

experiment*

experiment-trial-component*

DeleteCodeRepository Grants permission to delete a CodeRepository. Write

code-repository*

DeleteContext Grants permission to delete a context. Write

context*

DeleteDataQualityJobDefinition Grants permission to delete the data quality job definition created using the CreateDataQualityJobDefinition API. Write

data-quality-job-definition*

DeleteDeviceFleet Grants permission to delete a device fleet Write

device-fleet*

DeleteDomain Grants permission to delete a Domain Write

domain*

DeleteEndpoint Deletes an endpoint. Amazon SageMaker frees up all the resources that were deployed when the endpoint was created. Write

endpoint*

DeleteEndpointConfig Deletes the endpoint configuration created using the CreateEndpointConfig API. The DeleteEndpointConfig API deletes only the specified configuration. It does not delete any endpoints created using the configuration. Write

endpoint-config*

DeleteExperiment Deletes an experiment. Write

experiment*

DeleteFeatureGroup Deletes a feature group. Write

feature-group*

aws:RequestTag/${TagKey}

DeleteFlowDefinition Deltes the specified flow definition. Write

flow-definition*

DeleteHumanLoop Deletes the specified human loop. Write

human-loop*

DeleteImage Grants permissions to delete a SageMaker Image. Write

image*

DeleteImageVersion Grants permissions to delete a SageMaker ImageVersion. Write

image-version*

DeleteModel Deletes a model created using the CreateModel API. The DeleteModel API deletes only the model entry in Amazon SageMaker that you created by calling the CreateModel API. It does not delete model artifacts, inference code, or the IAM role that you specified when creating the model. Write

model*

DeleteModelBiasJobDefinition Grants permission to delete the model bias job definition created using the CreateModelBiasJobDefinition API. Write

model-bias-job-definition*

DeleteModelExplainabilityJobDefinition Grants permission to delete the model explainability job definition created using the CreateModelExplainabilityJobDefinition API. Write

model-explainability-job-definition*

DeleteModelPackage Grants permission to delete a ModelPackage. Write

model-package*

DeleteModelPackageGroup Grants permission to delete a ModelPackageGroup. Write

model-package-group*

DeleteModelPackageGroupPolicy Grants permission to delete a ModelPackageGroup policy. Write

model-package-group*

DeleteModelQualityJobDefinition Grants permission to delete the model quality job definition created using the CreateModelQualityJobDefinition API. Write

model-quality-job-definition*

DeleteMonitoringSchedule Grants permission to delete a monitoring schedule. Write

monitoring-schedule*

DeleteNotebookInstance Deletes an Amazon SageMaker notebook instance. Before you can delete a notebook instance, you must call the StopNotebookInstance API. Write

notebook-instance*

DeleteNotebookInstanceLifecycleConfig Deletes an notebook instance lifecycle configuration that can be deployed using Amazon SageMaker. Write

notebook-instance-lifecycle-config*

DeletePipeline Grants permission to delete a pipeline. Write

pipeline*

DeleteProject Grants permission to delete a project. Write

project*

DeleteRecord Delete a record from a feature group. Write

feature-group*

DeleteTags Deletes the specified set of tags from an Amazon SageMaker resource. Tagging

action

algorithm

app

app-image-config

artifact

automl-job

code-repository

compilation-job

context

data-quality-job-definition

device

device-fleet

domain

edge-packaging-job

endpoint

endpoint-config

experiment

experiment-trial

experiment-trial-component

feature-group

flow-definition

human-task-ui

hyper-parameter-tuning-job

image

labeling-job

model

model-bias-job-definition

model-explainability-job-definition

model-package

model-package-group

model-quality-job-definition

monitoring-schedule

notebook-instance

pipeline

processing-job

project

training-job

transform-job

user-profile

workteam

aws:TagKeys

DeleteTrial Deletes a trial. Write

experiment-trial*

DeleteTrialComponent Deletes a trial component. Write

experiment-trial-component*

DeleteUserProfile Grants permission to delete a UserProfile Write

user-profile*

DeleteWorkforce Deletes a workforce. Write

workforce*

DeleteWorkteam Deletes a workteam. Write

workteam*

DeregisterDevices Grants permission to deregister a set of devices Write

device*

DescribeAction Grants permission to get information about an action. Read

action*

DescribeAlgorithm Grants permission to describe an algorithm. Read

algorithm*

DescribeApp Grants permission to describe an App Read

app*

DescribeAppImageConfig Grants permission to describe an AppImageConfig Read

app-image-config*

DescribeArtifact Grants permission to get information about an artifact. Read

artifact*

DescribeAutoMLJob Describes an automl job that was created via CreateAutoMLJob API. Read

automl-job*

DescribeCodeRepository Grants permission to describe a CodeRepository. Read

code-repository*

DescribeCompilationJob Returns information about a compilation job. Read

compilation-job*

DescribeContext Grants permission to get information about a context. Read

context*

DescribeDataQualityJobDefinition Grants permission to return information about a data quality job definition. Read

data-quality-job-definition*

DescribeDevice Grants permission to access information about a device Read

device*

DescribeDeviceFleet Grants permission to access information about a device fleet Read

device-fleet*

DescribeDomain Grants permission to describe a Domain Read

domain*

DescribeEdgePackagingJob Grants permission to access information about an edge packaging job Read

edge-packaging-job*

DescribeEndpoint Returns the description of an endpoint. Read

endpoint*

DescribeEndpointConfig Returns the description of an endpoint configuration, which was created using the CreateEndpointConfig API. Read

endpoint-config*

DescribeExperiment Returns information about an experiment. Read

experiment*

DescribeFeatureGroup Returns information about a feature group. Read

feature-group*

DescribeFlowDefinition Returns detailed information about the specified flow definition. Read

flow-definition*

DescribeHumanLoop Returns detailed information about the specified human loop. Read

human-loop*

DescribeHumanTaskUi Returns detailed information about the specified human review workflow user interface. Read

human-task-ui*

DescribeHyperParameterTuningJob Describes a hyper parameter tuning job that was created via CreateHyperParameterTuningJob API. Read

hyper-parameter-tuning-job*

DescribeImage Grants permissions to return information about a SageMaker Image. Read

image*

DescribeImageVersion Grants permissions to return information about a SageMaker ImageVersion. Read

image-version*

DescribeLabelingJob Returns information about a labeling job. Read

labeling-job*

DescribeModel Describes a model that you created using the CreateModel API. Read

model*

DescribeModelBiasJobDefinition Grants permission to return information about a model bias job definition. Read

model-bias-job-definition*

DescribeModelExplainabilityJobDefinition Grants permission to return information about a model explainability job definition. Read

model-explainability-job-definition*

DescribeModelPackage Grants permission to describe a ModelPackage. Read

model-package*

DescribeModelPackageGroup Grants permission to describe a ModelPackageGroup. Read

model-package-group*

DescribeModelQualityJobDefinition Grants permission to return information about a model quality job definition. Read

model-quality-job-definition*

DescribeMonitoringSchedule Grants permission to return information about a monitoring schedule. Read

monitoring-schedule*

DescribeNotebookInstance Returns information about a notebook instance. Read

notebook-instance*

DescribeNotebookInstanceLifecycleConfig Describes an notebook instance lifecycle configuration that was created via CreateNotebookInstanceLifecycleConfig API. Read

notebook-instance-lifecycle-config*

DescribePipeline Grants permission to get information about a pipeline. Read

pipeline*

DescribePipelineDefinitionForExecution Grants permission to get the pipeline definition for a pipeline execution. Read

pipeline-execution*

DescribePipelineExecution Grants permission to get information about a pipeline execution. Read

pipeline-execution*

DescribeProcessingJob Returns information about a processing job. Read

processing-job*

DescribeProject Grants permission to describe a project. Read

project*

DescribeSubscribedWorkteam Returns information about a subscribed workteam. Read

workteam*

DescribeTrainingJob Returns information about a training job. Read

training-job*

DescribeTransformJob Returns information about a transform job. Read

transform-job*

DescribeTrial Returns information about a trial. Read

experiment-trial*

DescribeTrialComponent Returns information about a trial component. Read

experiment-trial-component*

DescribeUserProfile Grants permission to describe a UserProfile Read

user-profile*

DescribeWorkforce Returns information about a workforce. Read

workforce*

DescribeWorkteam Returns information about a workteam. Read

workteam*

DisableSagemakerServicecatalogPortfolio Grants permission to disable a SageMaker Service Catalog Portfolio. Write
DisassociateTrialComponent Disassociate a trial component with a trial. Write

experiment-trial*

experiment-trial-component*

processing-job*

EnableSagemakerServicecatalogPortfolio Grants permission to enable a SageMaker Service Catalog Portfolio. Write
GetDeviceFleetReport Grants permission to access a summary of the devices in a device fleet Read

device-fleet*

GetDeviceRegistration Grants permission to get device registration. After you deploy a model onto edge devices this api is used to get current device registration Read

device*

GetModelPackageGroupPolicy Grants permission to get a ModelPackageGroup policy. Read

model-package-group*

GetRecord Get a record from a feature group. Read

feature-group*

GetSagemakerServicecatalogPortfolioStatus Grants permission to get a SageMaker Service Catalog Portfolio. Read
GetSearchSuggestions Get search suggestions when provided with keyword. Read
InvokeEndpoint After you deploy a model into production using Amazon SageMaker hosting services, your client applications use this API to get inferences from the model hosted at the specified endpoint. Read

endpoint*

sagemaker:TargetModel

ListActions Grants permission to list actions. List
ListAlgorithms Grants permission to list Algorithms. List
ListAppImageConfigs Grants permission to list the AppImageConfigs in your account List
ListApps Grants permission to list the Apps in your account List
ListArtifacts Grants permission to list artifacts. List
ListAssociations Grants permission to list associations. List
ListAutoMLJobs Lists automl jobs created via the CreateAutoMLJob. List
ListCandidatesForAutoMLJob Lists candidates for automl job created via the CreateAutoMLJob. List
ListCodeRepositories Grants permission to list code repositories. List
ListCompilationJobs Lists compilation jobs. List
ListContexts Grants permission to list contexts. List
ListDataQualityJobDefinitions Grants permission to list data quality job definitions. List
ListDeviceFleets Grants permission to list device fleets List
ListDevices Grants permission to list devices. List
ListDomains Grants permission to list the Domains in your account List
ListEdgePackagingJobs Grants permission to list edge packaging jobs List
ListEndpointConfigs Lists endpoint configurations. List
ListEndpoints Lists endpoints. List
ListExperiments Lists experiments. List
ListFeatureGroups Lists feature groups. List
ListFlowDefinitions Returns summary information about flow definitions, given the specified parameters. List
ListHumanLoops Returns summary information about human loops, given the specified parameters. List
ListHumanTaskUis Returns summary information about human review workflow user interfaces, given the specified parameters. List
ListHyperParameterTuningJobs Lists hyper parameter tuning jobs that was created using Amazon SageMaker. List
ListImageVersions Grants permissions to list ImageVersions that belong to a SageMaker Image. List

image*

ListImages Grants permissions to list SageMaker Images in your account. List
ListLabelingJobs Lists labeling jobs. List
ListLabelingJobsForWorkteam Lists labeling jobs for workteam. List

workteam*

ListModelBiasJobDefinitions Grants permission to list model bias job definitions. List
ListModelExplainabilityJobDefinitions Grants permission to list model explainability job definitions. List
ListModelPackageGroups Grants permission to list ModelPackageGroups. List
ListModelPackages Grants permission to list ModelPackages. List
ListModelQualityJobDefinitions Grants permission to list model quality job definitions. List
ListModels Lists the models created with the CreateModel API. List
ListMonitoringExecutions Grants permission to list monitoring executions. List
ListMonitoringSchedules Grants permission to list monitoring schedules. List
ListNotebookInstanceLifecycleConfigs Lists notebook instance lifecycle configurations that can be deployed using Amazon SageMaker. List
ListNotebookInstances Returns a list of the Amazon SageMaker notebook instances in the requester's account in an AWS Region. List
ListPipelineExecutionSteps Grants permission to list steps for a pipeline execution List

pipeline-execution*

ListPipelineExecutions Grants permission to list executions for a pipeline List

pipeline*

ListPipelineParametersForExecution Grants permission to list parameters for a pipeline execution List

pipeline-execution*

ListPipelines Grants permission to list pipelines. List
ListProcessingJobs Lists processing jobs. List
ListProjects Grants permission to list Projects. List
ListSubscribedWorkteams Lists subscribed workteams. List
ListTags Returns the tag set associated with the specified resource. List

action

algorithm

app

app-image-config

artifact

automl-job

code-repository

context

data-quality-job-definition

device

device-fleet

domain

edge-packaging-job

endpoint

endpoint-config

experiment

experiment-trial

experiment-trial-component

feature-group

flow-definition

human-task-ui

hyper-parameter-tuning-job

image

labeling-job

model

model-bias-job-definition

model-explainability-job-definition

model-package

model-package-group

model-quality-job-definition

monitoring-schedule

notebook-instance

pipeline

project

training-job

transform-job

user-profile

workteam

ListTrainingJobs Lists training jobs. List
ListTrainingJobsForHyperParameterTuningJob Lists training jobs for a hyper parameter tuning job that was created using Amazon SageMaker. List

hyper-parameter-tuning-job*

ListTransformJobs Lists transform jobs. List
ListTrialComponents Lists trial components. List
ListTrials Lists trials. List
ListUserProfiles Grants permission to list the UserProfiles in your account List
ListWorkforces Lists workforces. List
ListWorkteams Lists workteams. List
PutModelPackageGroupPolicy Grants permission to put a ModelPackageGroup policy. Write

model-package-group*

PutRecord Put a record to a feature group. Write

feature-group*

RegisterDevices Grants permission to register a set of devices Write

device*

aws:RequestTag/${TagKey}

aws:TagKeys

RenderUiTemplate Render a UI template used for a human annotation task. Read

iam:PassRole

Search Search for SageMaker objects. Read
SendHeartbeat Grants permission to publish heartbeat data from devices. After you deploy a model onto edge devices this api is used to report device status Write

device*

StartHumanLoop Starts a human loop. Write

flow-definition*

StartMonitoringSchedule Starts a monitoring schedule. Write

monitoring-schedule*

StartNotebookInstance Launches an EC2 instance with the latest version of the libraries and attaches your EBS volume. Write

notebook-instance*

StartPipelineExecution Grants permission to start a pipeline execution. Write

pipeline*

StopAutoMLJob Stops a running automl job created via the CreateAutoMLJob. Write

automl-job*

StopCompilationJob Stops a compilation job. Write

compilation-job*

StopEdgePackagingJob Grants permission to stop an edge packaging job Write

edge-packaging-job*

StopHumanLoop Stops the specified human loop. Write

human-loop*

StopHyperParameterTuningJob Stops a running hyper parameter tuning job create via the CreateHyperParameterTuningJob. Write

hyper-parameter-tuning-job*

StopLabelingJob Stops a labeling job. Any labels already generated will be exported before stopping. Write

labeling-job*

StopMonitoringSchedule Stops a monitoring schedule. Write

monitoring-schedule*

StopNotebookInstance Terminates the EC2 instance. Before terminating the instance, Amazon SageMaker disconnects the EBS volume from it. Amazon SageMaker preserves the EBS volume. Write

notebook-instance*

StopPipelineExecution Grants permission to stop a pipeline execution. Write

pipeline-execution*

StopProcessingJob Stops a processing job. To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds. Write

processing-job*

StopTrainingJob Stops a training job. To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds. Write

training-job*

StopTransformJob Stops a transform job. When Amazon SageMaker receives a StopTransformJob request, the status of the job changes to Stopping. After Amazon SageMaker stops the job, the status is set to Stopped Write

transform-job*

UpdateAction Grants permission to update an action. Write

action*

UpdateAppImageConfig Grants permission to update an AppImageConfig Write

app-image-config*

UpdateArtifact Grants permission to update an artifact. Write

artifact*

UpdateCodeRepository Grants permission to update a CodeRepository. Write

code-repository*

UpdateContext Grants permission to update a context. Write

context*

UpdateDeviceFleet Grants permission to update a device fleet Write

device-fleet*

UpdateDevices Grants permission to update a set of devices Write

device*

UpdateDomain Grants permission to update a Domain Write

domain*

sagemaker:VpcSecurityGroupIds

sagemaker:InstanceTypes

sagemaker:DomainSharingOutputKmsKey

sagemaker:ImageArns

sagemaker:ImageVersionArns

UpdateEndpoint Updates an endpoint to use the endpoint configuration specified in the request. Write

endpoint*

UpdateEndpointWeightsAndCapacities Updates variant weight, capacity, or both of one or more variants associated with an endpoint. Write

endpoint*

UpdateExperiment Updates an experiment. Write

experiment*

UpdateImage Grants permissions to update the properties of a SageMaker Image. Write

image*

iam:PassRole

UpdateModelPackage Grants permission to update a ModelPackage. Write

model-package*

UpdateMonitoringSchedule Updates a monitoring schedule. Write

monitoring-schedule*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

sagemaker:InstanceTypes

sagemaker:MaxRuntimeInSeconds

sagemaker:NetworkIsolation

sagemaker:OutputKmsKey

sagemaker:VolumeKmsKey

sagemaker:VpcSecurityGroupIds

sagemaker:VpcSubnets

sagemaker:InterContainerTrafficEncryption

UpdateNotebookInstance Updates a notebook instance. Notebook instance updates include upgrading or downgrading the EC2 instance used for your notebook instance to accommodate changes in your workload requirements. You can also update the VPC security groups. Write

notebook-instance*

sagemaker:AcceleratorTypes

sagemaker:InstanceTypes

sagemaker:RootAccess

UpdateNotebookInstanceLifecycleConfig Updates a notebook instance lifecycle configuration created with the CreateNotebookInstanceLifecycleConfig API. Write

notebook-instance-lifecycle-config*

UpdatePipeline Grants permission to update a pipeline. Write

pipeline*

iam:PassRole

UpdatePipelineExecution Grants permission to update a pipeline execution. Write

pipeline-execution*

UpdateTrainingJob Updates a training job. Write

training-job*

sagemaker:InstanceTypes

UpdateTrial Updates a trial. Write

experiment-trial*

UpdateTrialComponent Updates a trial component. Write

experiment-trial-component*

UpdateUserProfile Grants permission to update a UserProfile Write

user-profile*

sagemaker:InstanceTypes

sagemaker:VpcSecurityGroupIds

sagemaker:InstanceTypes

sagemaker:DomainSharingOutputKmsKey

sagemaker:ImageArns

sagemaker:ImageVersionArns

UpdateWorkforce Updates a workforce. Write

workforce*

UpdateWorkteam Updates a workteam. Write

workteam*

Resource types defined by Amazon SageMaker

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table .

Resource types ARN Condition keys
device arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:device-fleet/$ { DeviceFleetName}/device/$ { DeviceName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

device-fleet arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:device-fleet/$ { DeviceFleetName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

edge-packaging-job arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:edge-packaging-job/$ { EdgePackagingJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

human-loop arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:human-loop/$ { HumanLoopName}
flow-definition arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:flow-definition/$ { FlowDefinitionName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

human-task-ui arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:human-task-ui/$ { HumanTaskUiName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

labeling-job arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:labeling-job/$ { LabelingJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

workteam arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:workteam/$ { WorkteamName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

workforce arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:workforce/$ { WorkforceName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

domain arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:domain/$ { DomainId}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

user-profile arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:user-profile/$ { DomainId}/$ { UserProfileName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

app arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:app/$ { DomainId}/$ { UserProfileName}/$ { AppType}/$ { AppName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

app-image-config arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:app-image-config/$ { AppImageConfigName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

notebook-instance arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:notebook-instance/$ { NotebookInstanceName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

notebook-instance-lifecycle-config arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:notebook-instance-lifecycle-config/$ { NotebookInstanceLifecycleConfigName}
code-repository arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:code-repository/$ { CodeRepositoryName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

image arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:image/$ { ImageName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

image-version arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:image-version/$ { ImageName}/$ { Version}
algorithm arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:algorithm/$ { AlgorithmName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

training-job arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:training-job/$ { TrainingJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

processing-job arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:processing-job/$ { ProcessingJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

hyper-parameter-tuning-job arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:hyper-parameter-tuning-job/$ { HyperParameterTuningJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

project arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:project/$ { ProjectName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model-package arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:model-package/$ { ModelPackageName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model-package-group arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:model-package-group/$ { ModelPackageGroupName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:model/$ { ModelName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

endpoint-config arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:endpoint-config/$ { EndpointConfigName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

endpoint arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:endpoint/$ { EndpointName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

transform-job arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:transform-job/$ { TransformJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

compilation-job arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:compilation-job/$ { CompilationJobName}
automl-job arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:automl-job/$ { AutoMLJobJobName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

monitoring-schedule arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:monitoring-schedule/$ { MonitoringScheduleName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

data-quality-job-definition arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:data-quality-job-definition/$ { DataQualityJobDefinitionName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model-quality-job-definition arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:model-quality-job-definition/$ { ModelQualityJobDefinitionName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model-bias-job-definition arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:model-bias-job-definition/$ { ModelBiasJobDefinitionName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

model-explainability-job-definition arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:model-explainability-job-definition/$ { ModelExplainabilityJobDefinitionName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

experiment arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:experiment/$ { ExperimentName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

experiment-trial arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:experiment-trial/$ { TrialName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

experiment-trial-component arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:experiment-trial-component/$ { TrialComponentName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

feature-group arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:feature-group/$ { FeatureGroupName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

pipeline arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:pipeline/$ { PipelineName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

pipeline-execution arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:pipeline/$ { PipelineName}/execution/$ { RandomString}
artifact arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:artifact/$ { HashOfArtifactSource}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

context arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:context/$ { ContextName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

action arn:$ { Partition}:sagemaker:$ { Region}:$ { Account}:action/$ { ActionName}

aws:ResourceTag/${TagKey}

sagemaker:ResourceTag/${TagKey}

Condition keys for Amazon SageMaker

Amazon SageMaker defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table .

To view the global condition keys that are available to all services, see Available global condition keys .

Condition keys Description Type
aws:RequestTag/${TagKey} A key that is present in the request the user makes to the SageMaker service. String
aws:ResourceTag/${TagKey} A tag key and value pair. String
aws:SourceIp Filters access by the requestor's IP address String
aws:SourceVpc Filters access by the requestor's VPC String
aws:SourceVpce Filters access by the requestor's VPC endpoint String
aws:TagKeys The list of all the tag key names associated with the resource in the request. String
sagemaker:AcceleratorTypes The list of all accelerator types associated with the resource in the request. ArrayOfString
sagemaker:AppNetworkAccessType App network access type associated with the resource in the request. String
sagemaker:DirectInternetAccess The direct internet access associated with the resource in the request. String
sagemaker:DomainSharingOutputKmsKey The Domain sharing output KMS key associated with the resource in the request. ARN
sagemaker:FeatureGroupOfflineStoreKmsKey The offline store kms key associated with the feature group resource in the request. ARN
sagemaker:FeatureGroupOfflineStoreS3Uri The offline store s3 uri associated with the feature group resource in the request. String
sagemaker:FeatureGroupOnlineStoreKmsKey The online store kms key associated with the feature group resource in the request. ARN
sagemaker:FileSystemAccessMode File system access mode associated with the resource in the request. String
sagemaker:FileSystemDirectoryPath File system directory path associated with the resource in the request. String
sagemaker:FileSystemId A file system ID associated with the resource in the request. String
sagemaker:FileSystemType File system type associated with the resource in the request. String
sagemaker:HomeEfsFileSystemKmsKey This key is deprecated. It has been replaced by sagemaker:VolumeKmsKey. ARN
sagemaker:ImageArns Filters access by the list of all image arns associated with the resource in the request. ArrayOfString
sagemaker:ImageVersionArns Filters access by the list of all image version arns associated with the resource in the request. ArrayOfString
sagemaker:InstanceTypes The list of all instance types associated with the resource in the request. ArrayOfString
sagemaker:InterContainerTrafficEncryption The inter container traffic encryption associated with the resource in the request. Bool
sagemaker:MaxRuntimeInSeconds The max runtime in seconds associated with the resource in the request. Numeric
sagemaker:ModelArn The model arn associated with the resource in the request. ARN
sagemaker:NetworkIsolation The network isolation associated with the resource in the request. Bool
sagemaker:OutputKmsKey The output kms key associated with the resource in the request. ARN
sagemaker:ResourceTag/ The preface string for a tag key and value pair attached to a resource. String
sagemaker:ResourceTag/${TagKey} A tag key and value pair. String
sagemaker:RootAccess The root access associated with the resource in the request. String
sagemaker:TargetModel The target model associated with the Multi-Model Endpoint in the request. String
sagemaker:VolumeKmsKey The volume kms key associated with the resource in the request. ARN
sagemaker:VpcSecurityGroupIds The list of all vpc security group ids associated with the resource in the request. ArrayOfString
sagemaker:VpcSubnets The list of all vpc subnets associated with the resource in the request. ArrayOfString
sagemaker:WorkteamArn The workteam arn associated to the request. ARN
sagemaker:WorkteamType The workteam type associated to the request. This can be public-crowd, private-crowd or vendor-crowd. String