

# IAM roles for Amazon SageMaker Unified Studio
<a name="security-iam-roles"></a>

**Topics**
+ [AmazonSageMakerDomainExecution role](AmazonSageMakerDomainExecution.md)
+ [AmazonSageMakerDomainService role](AmazonSageMakerDomainService.md)
+ [AmazonSageMakerManageAccess-<region>-<domainId> role](AmazonSageMakerManageAccess.md)
+ [AmazonSageMakerProvisioning-<domainAccountId> role](AmazonSageMakerProvisioning.md)
+ [AmazonDataZoneBedrockModelManagementRole](AmazonDataZoneBedrockModelManagementRole.md)
+ [AmazonDataZoneBedrockFMConsumptionRole](AmazonDataZoneBedrockFMConsumptionRole.md)
+ [AmazonSageMakerQueryExecution](AmazonSageMakerQueryExecution.md)

# AmazonSageMakerDomainExecution role
<a name="AmazonSageMakerDomainExecution"></a>

The AmazonSageMakerDomainExecution role has the [AWS policy: SageMakerStudioDomainExecutionRolePolicy](security-iam-awsmanpol-SageMakerStudioDomainExecutionRolePolicy.md) attached. This is an IAM role that Amazon SageMaker Unified Studio requires to call APIs on behalf of authorized users, including those logged in to Amazon SageMaker Unified Studio.

The default `AmazonSageMakerDomainExecution` role has the following trust policy attached:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "datazone.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession",
        "sts:SetContext"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{source_account_id}}"
        },
        "ForAllValues:StringLike": {
          "aws:TagKeys": "datazone*"
        }
      }
    }
  ]
}
```

# AmazonSageMakerDomainService role
<a name="AmazonSageMakerDomainService"></a>

The AmazonSageMakerDomainService role has the [AWS policy: SageMakerStudioDomainServiceRolePolicy](security-iam-awsmanpol-SageMakerStudioDomainServiceRolePolicy.md) attached. This is a service role for domain-level actions performed by Amazon SageMaker Unified Studio.

The default `AmazonSageMakerDomainService` role has the following trust policy attached:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "datazone.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{domain_account}}"
        }
      }
    }
  ]
}
```

# AmazonSageMakerManageAccess-<region>-<domainId> role
<a name="AmazonSageMakerManageAccess"></a>

The AmazonSageMakerManageAccess-<region>-<domainId> role grants Amazon SageMaker Unified Studio permissions to publish, grant access to, and revoke access to Amazon SageMaker Lakehouse, AWS Glue Data Catalog, and Amazon Redshift data. It also grants Amazon SageMaker Unified Studio access to publish and manage subscriptions on Amazon SageMaker Catalog data and AI assets.

The AmazonSageMakerManageAccess-<region>-<domainId> role has the following Amazon DataZone managed policies attached:
+ AmazonDataZoneGlueManageAccessRolePolicy
+ AmazonDataZoneRedshiftManageAccessRolePolicy
+ AmazonDataZoneSageMakerAccess

The default `AmazonSageMakerManageAccess-<region>-<domainId>` role has the following inline policy attached:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RedshiftSecretStatement",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "secretsmanager:ResourceTag/AmazonDataZoneDomain": "{{domainId}}"
        }
      }
    }
  ]
}
```

The default `AmazonSageMakerManageAccess-<region>-<domainId>` role has the following trust policy attached:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "datazone.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        },
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:datazone:us-east-1:111122223333:domain/dzd-12345"
        }
      }
    }
  ]
}
```
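Every trust policy on this page lets `datazone.amazonaws.com` assume the role only when `aws:SourceAccount` matches the domain account, and the manage-access role above additionally pins `aws:SourceArn` to one domain. Those conditions are the confused-deputy guard, and they are the first thing to check when a trust policy has been hand-edited or copied between accounts. The script below is an added example, not code from the page or from AWS: it parses a trust policy document and reports a `datazone.amazonaws.com` statement that grants `sts:AssumeRole` without the expected account condition (HIGH), without any domain ARN condition (INFO), or to a wildcard principal (CRITICAL). The two sample policies, the account ID and the domain ARN are constructed for the example and reuse the page's placeholder values `111122223333` and `dzd-12345`.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

DATAZONE_SERVICE = "datazone.amazonaws.com"

# Constructed sample (not the page's JSON): the shape of the manage-access trust
# policy, scoped to both the domain account and one domain ARN.
SCOPED_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "datazone.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {"aws:SourceAccount": "111122223333"},
      "ArnEquals": {"aws:SourceArn": "arn:aws:datazone:us-east-1:111122223333:domain/dzd-12345"}
    }
  }]
}
""")

# Constructed sample: the same principal with the Condition block dropped,
# which is what a drifted or hand-edited trust policy often looks like.
UNSCOPED_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "datazone.amazonaws.com"},
    "Action": ["sts:AssumeRole", "sts:TagSession"]
  }]
}
""")


def _as_list(value: Any) -> List[Any]:
    """IAM policy JSON allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_value(condition: Dict[str, Any], operators: Tuple[str, ...], key: str) -> Any:
    """Value of `key` under the first listed condition operator that carries it, else None."""
    for op in operators:
        block = condition.get(op, {})
        if key in block:
            return block[key]
    return None


def audit_trust_policy(policy: Dict[str, Any], expected_account: str,
                       expected_domain_arn: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for statements that let DataZone assume the role."""
    findings: List[Tuple[str, str]] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(("CRITICAL", "statement allows a wildcard principal to assume the role"))
            continue
        if not isinstance(principal, dict) or DATAZONE_SERVICE not in _as_list(principal.get("Service")):
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        condition = stmt.get("Condition", {})
        account = _condition_value(condition, ("StringEquals",), "aws:SourceAccount")
        if account is None:
            findings.append(("HIGH", "no aws:SourceAccount condition: the confused-deputy guard is missing"))
        elif expected_account not in _as_list(account):
            findings.append(("HIGH", f"aws:SourceAccount is {account}, expected {expected_account}"))
        source_arn = _condition_value(
            condition, ("ArnEquals", "ArnLike", "StringEquals", "StringLike"), "aws:SourceArn")
        if source_arn is None:
            findings.append(("INFO", "no aws:SourceArn condition: any domain in the account can assume this role"))
        elif expected_domain_arn and expected_domain_arn not in _as_list(source_arn):
            findings.append(("HIGH", f"aws:SourceArn {source_arn} does not match expected domain {expected_domain_arn}"))
    return findings


if __name__ == "__main__":
    domain_arn = "arn:aws:datazone:us-east-1:111122223333:domain/dzd-12345"
    print("scoped  :", audit_trust_policy(SCOPED_TRUST_POLICY, "111122223333", domain_arn))
    print("unscoped:", audit_trust_policy(UNSCOPED_TRUST_POLICY, "111122223333"))
```

The INFO finding is deliberate: several default trust policies on this page carry only `aws:SourceAccount`, which is what AWS provisions, so a missing `aws:SourceArn` is worth knowing about but is not a defect by itself. Feed the function the `AssumeRolePolicyDocument` returned by `iam:GetRole` to run it against a live role.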

# AmazonSageMakerProvisioning-<domainAccountId> role
<a name="AmazonSageMakerProvisioning"></a>

The AmazonSageMakerProvisioning-<domainAccountId> role is used by Amazon SageMaker Unified Studio to provision and manage the resources defined in the selected blueprints in your account.

The AmazonSageMakerProvisioning-<domainAccountId> role has the [AWS policy: SageMakerStudioProjectProvisioningRolePolicy](security-iam-awsmanpol-SageMakerStudioProjectProvisioningRolePolicy.md) attached.

The default `AmazonSageMakerProvisioning-<domainAccountId>` role has the following trust policy attached:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "datazone.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{domain_account}}"
        }
      }
    }
  ]
}
```

**Important**  
If you are using your own query execution role (instead of the default [AmazonSageMakerQueryExecution](AmazonSageMakerQueryExecution.md) role), then you must modify the permissions of your provisioning role (whether you're using this default AmazonSageMakerProvisioning role or your own custom provisioning role) to include the `iam:PassRole` and `iam:GetRole` permissions. These permissions enable your provisioning role to pass the query execution role to AWS Lake Formation during creation of federated connections. You can include these permissions by attaching the following inline policy to your provisioning role:  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IamRolePermissionsForQueryExecution",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "iam:GetRole"
      ],
      "Resource": "arn:aws:iam::*:role/{your-role}"
    }
  ]
}
```

# AmazonDataZoneBedrockModelManagementRole
<a name="AmazonDataZoneBedrockModelManagementRole"></a>

Amazon SageMaker Unified Studio uses this role to create an inference profile for an Amazon Bedrock model in a project. The inference profile is required for the project to interact with the model. You can either let Amazon SageMaker Unified Studio automatically create a unique provisioning role, or you can provide a custom provisioning role.

The AmazonDataZoneBedrockModelManagementRole has the [AWS policy: AmazonDataZoneBedrockModelManagementPolicy](security-iam-awsmanpol-AmazonDataZoneBedrockModelManagementPolicy.md) attached.

The default `AmazonDataZoneBedrockModelManagementRole` has the following trust policy attached:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "datazone.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:SetContext"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{accountId}}"
        }
      }
    }
  ]
}
```

# AmazonDataZoneBedrockFMConsumptionRole
<a name="AmazonDataZoneBedrockFMConsumptionRole"></a>

A consumption role is required for each Amazon Bedrock model that you want to enable in the playground for non-builders. By default, Amazon SageMaker Unified Studio creates one consumption role per model; alternatively, you can configure a single existing consumption role for all models.

The AmazonDataZoneBedrockFMConsumptionRole has the [AWS policy: AmazonDataZoneBedrockModelConsumptionPolicy](security-iam-awsmanpol-AmazonDataZoneBedrockModelConsumptionPolicy.md) attached.

The default `AmazonDataZoneBedrockFMConsumptionRole` has the following inline policy attached:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowInferenceProfileToInvokeFoundationModels",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": [
        "arn:aws:bedrock:us-east-1::foundation-model/{{modelId}}"
      ],
      "Condition": {
        "ArnLike": {
          "bedrock:InferenceProfileArn": "arn:aws:bedrock:*:111122223333:application-inference-profile/*"
        }
      }
    }
  ]
}
```

The default `AmazonDataZoneBedrockFMConsumptionRole` has the following trust policy attached:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "datazone.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:SetContext"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{accountId}}"
        }
      }
    }
  ]
}
```

# AmazonSageMakerQueryExecution
<a name="AmazonSageMakerQueryExecution"></a>

This role is used during query execution. AWS Lake Formation assumes this role to vend the credentials that Amazon Athena needs while the query runs.

The AmazonSageMakerQueryExecution role has the [AWS policy: SageMakerStudioQueryExecutionRolePolicy](security-iam-awsmanpol-SageMakerStudioQueryExecutionRolePolicy.md) attached.

The default `AmazonSageMakerQueryExecution` role has the following trust policy attached:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lakeformation.amazonaws.com",
          "glue.amazonaws.com"
        ]
      },
      "Action": [
        "sts:AssumeRole",
        "sts:SetContext"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{source_account}}"
        }
      }
    }
  ]
}
```

**Important**  
If you are using your own query execution role (instead of this default AmazonSageMakerQueryExecution role), then you must modify the permissions of your provisioning role (whether you're using the default [AmazonSageMakerProvisioning-<domainAccountId> role](AmazonSageMakerProvisioning.md) or your own custom provisioning role) to include the `iam:PassRole` and `iam:GetRole` permissions. These permissions enable your provisioning role to pass the query execution role to AWS Lake Formation during creation of federated connections. You can include these permissions by attaching the following inline policy to your provisioning role:  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IamRolePermissionsForQueryExecution",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "iam:GetRole"
      ],
      "Resource": "arn:aws:iam::*:role/{your-role}"
    }
  ]
}
```
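Both Important notes on this page (under the provisioning role and under AmazonSageMakerQueryExecution) ask for the same inline policy: `iam:PassRole` and `iam:GetRole` on your custom query execution role, and nothing wider. `iam:PassRole` is the permission to watch, because a `Resource` of `*` or `role/*` lets the provisioning role hand any role in the account to a service. The Python below is an added example, not AWS's code or the page's policy: `build_pass_role_policy` produces the inline policy with `{your-role}` filled in and `Resource` pinned to the exact role ARN (the page's template leaves the account as `*`), and `check_pass_role_scope` inspects an existing policy document and reports a PassRole grant that is either missing for that role or wildcarded in the role-name part. `QUERY_EXECUTION_ROLE_ARN` and the sample policies are constructed values.

```python
import re
from typing import Any, Dict, List

# Constructed ARN for the custom query execution role; not a value from the page.
QUERY_EXECUTION_ROLE_ARN = "arn:aws:iam::111122223333:role/MyCustomQueryExecutionRole"


def build_pass_role_policy(role_arn: str) -> Dict[str, Any]:
    """Inline policy for the provisioning role in the shape the page shows
    (Sid IamRolePermissionsForQueryExecution), with Resource pinned to one role ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "IamRolePermissionsForQueryExecution",
                "Effect": "Allow",
                "Action": ["iam:PassRole", "iam:GetRole"],
                "Resource": role_arn,
            }
        ],
    }


def _as_list(value: Any) -> List[Any]:
    """IAM policy JSON allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _arn_pattern_matches(pattern: str, arn: str) -> bool:
    """IAM-style resource matching: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None


def _role_name_part(resource: str) -> str:
    """The text after 'role/' in a role ARN pattern (the whole string for a bare '*')."""
    return resource.split("role/", 1)[1] if "role/" in resource else resource


def check_pass_role_scope(policy: Dict[str, Any], role_arn: str) -> List[str]:
    """Findings for a provisioning-role policy document: an over-broad PassRole
    statement (wildcard in the role name), or no Allow statement granting
    iam:PassRole on role_arn at all."""
    findings: List[str] = []
    granted = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("iam:PassRole", "iam:*", "*") for a in actions):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for resource in _as_list(stmt.get("Resource")):
            if _arn_pattern_matches(resource, role_arn):
                granted = True
            if "*" in _role_name_part(resource):
                findings.append(
                    f"statement {sid} grants iam:PassRole on {resource}: the role name is "
                    "wildcarded, so scope it to the query execution role"
                )
    if not granted:
        findings.append(f"no Allow statement grants iam:PassRole on {role_arn}")
    return findings


if __name__ == "__main__":
    policy = build_pass_role_policy(QUERY_EXECUTION_ROLE_ARN)
    print(check_pass_role_scope(policy, QUERY_EXECUTION_ROLE_ARN))
```

The page's own template, `arn:aws:iam::*:role/{your-role}`, passes the check once `{your-role}` is replaced, because only the account field is wildcarded; a hand-written `arn:aws:iam::111122223333:role/*` does not. To audit a live provisioning role, run `check_pass_role_scope` over each document returned by `iam:GetRolePolicy` and the attached managed policies.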