I want to know about the AWS Identity and Access Management (IAM) permissions that are required for using Amazon SageMaker.
Short Description
Because Amazon SageMaker accesses other AWS services, SageMaker must have permission to use those services. These permissions are managed through execution roles.
Execution roles are IAM roles that give SageMaker permission to perform operations on your behalf. When you create a resource that requires permissions in the console, SageMaker creates an execution role to grant those permissions.
By default, this execution role includes the AmazonSageMakerFullAccess policy. For information on what permissions are granted by the AmazonSageMakerFullAccess policy, see AWS managed policy: AmazonSageMakerFullAccess.
Resolution
The level of access an IAM role requires depends on which API resources you invoke. For example, the minimum permissions needed for a CreateNotebookInstance call are different from those needed for a CreateTrainingJob call.
If you don't want to grant full access, create your own IAM role. Then, attach IAM policies to the role. The policies must include the permissions for the API actions that you plan to invoke with the execution role.
See the following for the permissions that are required in the execution role's IAM policies.
You must also attach a trust policy to the execution role. For more information, see SageMaker roles.
If you plan to use the execution role to invoke other SageMaker actions, you must add those permissions to the execution role's IAM policies. For a list of permissions that are required for each API action, see Amazon SageMaker API permissions: actions, permissions, and resources reference.
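The following is an added example (not AWS's own code or part of this article) that puts the two pieces above together for a custom execution role: a trust policy for the SageMaker service principal, a permissions policy scoped to a single S3 bucket instead of AmazonSageMakerFullAccess, and a pre-flight check that reports which required actions a policy does not cover. The account ID, Region, bucket name and the TRAINING_JOB_ACTIONS list are illustrative assumptions; the authoritative per-API action list is the API permissions reference linked above.

```python
import fnmatch
import json

SAGEMAKER_SERVICE = "sagemaker.amazonaws.com"

# Illustrative action set for a training-job execution role (assumption: the
# authoritative per-API list is the SageMaker API permissions reference).
TRAINING_JOB_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:ListBucket",
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
    "logs:DescribeLogStreams", "cloudwatch:PutMetricData",
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
]


def trust_policy(account_id: str, region: str) -> dict:
    """Trust policy that lets the SageMaker service assume the role.

    The aws:SourceAccount / aws:SourceArn conditions limit assumption to
    SageMaker resources in this account and Region (confused-deputy protection).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": SAGEMAKER_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": f"arn:aws:sagemaker:{region}:{account_id}:*"},
            },
        }],
    }


def scoped_execution_policy(bucket: str) -> dict:
    """Permissions policy for a training-job role; S3 access limited to one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TrainingData",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
            {
                "Sid": "ListTrainingBucket",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "LogsAndMetrics",
                "Effect": "Allow",
                "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                           "logs:PutLogEvents", "logs:DescribeLogStreams",
                           "cloudwatch:PutMetricData"],
                "Resource": "*",
            },
            {
                "Sid": "PullTrainingImage",
                "Effect": "Allow",
                "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                           "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    # IAM allows "Action" to be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def missing_actions(policy: dict, required: list) -> list:
    """Return the required actions that no Allow statement covers.

    IAM action names match case-insensitively and may use '*' wildcards
    (for example "s3:Get*"). Resource scope and Deny statements are not
    evaluated here: this is a quick pre-flight check, not a policy simulation.
    """
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            patterns.extend(a.lower() for a in _as_list(stmt.get("Action", [])))
    return [a for a in required
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]


if __name__ == "__main__":
    # Constructed sample values; substitute your own account, Region and bucket.
    print(json.dumps(trust_policy("123456789012", "us-east-1"), indent=2))
    policy = scoped_execution_policy("example-training-bucket")
    print("missing:", missing_actions(policy, TRAINING_JOB_ACTIONS))
```

The documents are plain dictionaries so they can be passed as `json.dumps(...)` to `iam create-role --assume-role-policy-document` and `iam put-role-policy --policy-document`. Use `missing_actions` as a sanity check before creating the role; it does not replace the IAM policy simulator, which also evaluates resource ARNs, conditions and explicit denies.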
Related information
How do I resolve Amazon S3 AccessDenied errors in Amazon SageMaker training jobs?