기계 번역으로 제공되는 번역입니다. 제공된 번역과 원본 영어의 내용이 상충하는 경우에는 영어 버전이 우선합니다.
# 사전 조건
시작하기 전에 다음 필수 조건을 완료합니다.
+ Studio 액세스 권한이 있는 SageMaker AI 도메인에 온보딩합니다. Studio를 도메인의 기본 환경으로 설정할 권한이 없는 경우 관리자에게 문의하세요. 자세한 내용은 [Amazon SageMaker AI 도메인 개요를](https://docs.aws.amazon.com/sagemaker/latest/dg/gs-studio-onboard.html) 참조하세요.
+ 현재 버전 설치의 단계에 AWS CLI 따라를 업데이트합니다. [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv1.html#install-tool-bundled)
+ 로컬 컴퓨터에서 `aws configure`를 실행하고 AWS 보안 인증을 제공하세요. 자격 AWS 증명에 대한 자세한 내용은 [AWS 자격 증명 이해 및 가져오기를 참조하세요](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds.html).
## 필수 IAM 권한
SageMaker AI 모델 사용자 지정을 수행하려면 SageMaker AI 도메인 실행에 적절한 권한을 추가해야 합니다. 이렇게 하려면 인라인 IAM 권한 정책을 생성하여 IAM 역할에 연결할 수 있습니다. 정책 추가에 대한 자세한 내용은 Identity and *AWS Access Management 사용 설명서의* [IAM 자격 증명 권한 추가 및 제거](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html)를 참조하세요.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowNonAdminStudioActions",
"Effect": "Allow",
"Action": [
"sagemaker:CreatePresignedDomainUrl",
"sagemaker:DescribeDomain",
"sagemaker:DescribeUserProfile",
"sagemaker:DescribeSpace",
"sagemaker:ListSpaces",
"sagemaker:DescribeApp",
"sagemaker:ListApps"
],
"Resource": [
"arn:aws:sagemaker:*:*:domain/*",
"arn:aws:sagemaker:*:*:user-profile/*",
"arn:aws:sagemaker:*:*:app/*",
"arn:aws:sagemaker:*:*:space/*"
]
},
{
"Sid": "LambdaListPermissions",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions"
],
"Resource": [
"*"
]
},
{
"Sid": "LambdaPermissionsForRewardFunction",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:InvokeFunction",
"lambda:GetFunction"
],
"Resource": [
"arn:aws:lambda:*:*:function:*SageMaker*",
"arn:aws:lambda:*:*:function:*sagemaker*",
"arn:aws:lambda:*:*:function:*Sagemaker*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "LambdaLayerForAWSSDK",
"Effect": "Allow",
"Action": [
"lambda:GetLayerVersion"
],
"Resource": [
"arn:aws:lambda:*:336392948345:layer:AWSSDK*"
]
},
{
"Sid": "SageMakerPublicHubPermissions",
"Effect": "Allow",
"Action": [
"sagemaker:ListHubContents"
],
"Resource": [
"arn:aws:sagemaker:*:aws:hub/SageMakerPublicHub"
]
},
{
"Sid": "SageMakerHubPermissions",
"Effect": "Allow",
"Action": [
"sagemaker:ListHubs",
"sagemaker:ListHubContents",
"sagemaker:DescribeHubContent",
"sagemaker:DeleteHubContent",
"sagemaker:ListHubContentVersions",
"sagemaker:Search"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "JumpStartAccess",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::jumpstart*"
]
},
{
"Sid": "ListMLFlowOperations",
"Effect": "Allow",
"Action": [
"sagemaker:ListMlflowApps",
"sagemaker:ListMlflowTrackingServers"
],
"Resource": [
"*"
]
},
{
"Sid": "MLFlowAccess",
"Effect": "Allow",
"Action": [
"sagemaker:UpdateMlflowApp",
"sagemaker:DescribeMlflowApp",
"sagemaker:CreatePresignedMlflowAppUrl",
"sagemaker:CallMlflowAppApi",
"sagemaker-mlflow:*"
],
"Resource": [
"arn:aws:sagemaker:*:*:mlflow-app/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "BYODataSetS3Access",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::*SageMaker*",
"arn:aws:s3:::*Sagemaker*",
"arn:aws:s3:::*sagemaker*"
]
},
{
"Sid": "AllowHubPermissions",
"Effect": "Allow",
"Action": [
"sagemaker:ImportHubContent"
],
"Resource": [
"arn:aws:sagemaker:*:*:hub/*",
"arn:aws:sagemaker:*:*:hub-content/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "PassRoleForSageMaker",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/service-role/AmazonSageMaker-ExecutionRole-*"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": "sagemaker.amazonaws.com",
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "PassRoleForAWSLambda",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/service-role/AmazonSageMaker-ExecutionRole-*"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": "lambda.amazonaws.com",
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "PassRoleForBedrock",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/service-role/AmazonSageMaker-ExecutionRole-*"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": "bedrock.amazonaws.com",
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "TrainingJobRun",
"Effect": "Allow",
"Action": [
"sagemaker:CreateTrainingJob",
"sagemaker:DescribeTrainingJob",
"sagemaker:ListTrainingJobs"
],
"Resource": [
"arn:aws:sagemaker:*:*:training-job/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "ModelPackageAccess",
"Effect": "Allow",
"Action": [
"sagemaker:CreateModelPackage",
"sagemaker:DescribeModelPackage",
"sagemaker:ListModelPackages",
"sagemaker:CreateModelPackageGroup",
"sagemaker:DescribeModelPackageGroup",
"sagemaker:ListModelPackageGroups",
"sagemaker:CreateModel"
],
"Resource": [
"arn:aws:sagemaker:*:*:model-package-group/*",
"arn:aws:sagemaker:*:*:model-package/*",
"arn:aws:sagemaker:*:*:model/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "TagsPermission",
"Effect": "Allow",
"Action": [
"sagemaker:AddTags",
"sagemaker:ListTags"
],
"Resource": [
"arn:aws:sagemaker:*:*:model-package-group/*",
"arn:aws:sagemaker:*:*:model-package/*",
"arn:aws:sagemaker:*:*:hub/*",
"arn:aws:sagemaker:*:*:hub-content/*",
"arn:aws:sagemaker:*:*:training-job/*",
"arn:aws:sagemaker:*:*:model/*",
"arn:aws:sagemaker:*:*:endpoint/*",
"arn:aws:sagemaker:*:*:endpoint-config/*",
"arn:aws:sagemaker:*:*:pipeline/*",
"arn:aws:sagemaker:*:*:inference-component/*",
"arn:aws:sagemaker:*:*:action/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "LogAccess",
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:GetLogEvents"
],
"Resource": [
"arn:aws:logs:*:*:log-group*",
"arn:aws:logs:*:*:log-group:/aws/sagemaker/TrainingJobs:log-stream:*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "BedrockDeploy",
"Effect": "Allow",
"Action": [
"bedrock:CreateModelImportJob"
],
"Resource": [
"arn:aws:bedrock:*:*:*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "BedrockOperations",
"Effect": "Allow",
"Action": [
"bedrock:GetModelImportJob",
"bedrock:GetImportedModel",
"bedrock:ListProvisionedModelThroughputs",
"bedrock:ListCustomModelDeployments",
"bedrock:ListCustomModels",
"bedrock:ListModelImportJobs",
"bedrock:GetEvaluationJob",
"bedrock:CreateEvaluationJob",
"bedrock:InvokeModel"
],
"Resource": [
"arn:aws:bedrock:*:*:evaluation-job/*",
"arn:aws:bedrock:*:*:imported-model/*",
"arn:aws:bedrock:*:*:model-import-job/*",
"arn:aws:bedrock:*:*:foundation-model/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "BedrockFoundationModelOperations",
"Effect": "Allow",
"Action": [
"bedrock:GetFoundationModelAvailability",
"bedrock:ListFoundationModels"
],
"Resource": [
"*"
]
},
{
"Sid": "SageMakerPipelinesAndLineage",
"Effect": "Allow",
"Action": [
"sagemaker:ListActions",
"sagemaker:ListArtifacts",
"sagemaker:QueryLineage",
"sagemaker:ListAssociations",
"sagemaker:AddAssociation",
"sagemaker:DescribeAction",
"sagemaker:AddAssociation",
"sagemaker:CreateAction",
"sagemaker:CreateContext",
"sagemaker:DescribeTrialComponent"
],
"Resource": [
"arn:aws:sagemaker:*:*:artifact/*",
"arn:aws:sagemaker:*:*:action/*",
"arn:aws:sagemaker:*:*:context/*",
"arn:aws:sagemaker:*:*:action/*",
"arn:aws:sagemaker:*:*:model-package/*",
"arn:aws:sagemaker:*:*:context/*",
"arn:aws:sagemaker:*:*:pipeline/*",
"arn:aws:sagemaker:*:*:experiment-trial-component/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "ListOperations",
"Effect": "Allow",
"Action": [
"sagemaker:ListInferenceComponents",
"sagemaker:ListWorkforces"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "SageMakerInference",
"Effect": "Allow",
"Action": [
"sagemaker:DescribeInferenceComponent",
"sagemaker:CreateEndpoint",
"sagemaker:CreateEndpointConfig",
"sagemaker:DescribeEndpoint",
"sagemaker:DescribeEndpointConfig",
"sagemaker:ListEndpoints"
],
"Resource": [
"arn:aws:sagemaker:*:*:inference-component/*",
"arn:aws:sagemaker:*:*:endpoint/*",
"arn:aws:sagemaker:*:*:endpoint-config/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "SageMakerPipelines",
"Effect": "Allow",
"Action": [
"sagemaker:DescribePipelineExecution",
"sagemaker:ListPipelineExecutions",
"sagemaker:ListPipelineExecutionSteps",
"sagemaker:CreatePipeline",
"sagemaker:UpdatePipeline",
"sagemaker:StartPipelineExecution"
],
"Resource": [
"arn:aws:sagemaker:*:*:pipeline/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
}
]
}
```
[AmazonSageMakerFullAccessPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerFullAccess.html)를 실행 역할에 연결한 경우이 축소된 정책을 추가할 수 있습니다.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "LambdaListPermissions",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions"
],
"Resource": [
"*"
]
},
{
"Sid": "LambdaPermissionsForRewardFunction",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:InvokeFunction",
"lambda:GetFunction"
],
"Resource": [
"arn:aws:lambda:*:*:function:*SageMaker*",
"arn:aws:lambda:*:*:function:*sagemaker*",
"arn:aws:lambda:*:*:function:*Sagemaker*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "LambdaLayerForAWSSDK",
"Effect": "Allow",
"Action": [
"lambda:GetLayerVersion"
],
"Resource": [
"arn:aws:lambda:*:336392948345:layer:AWSSDK*"
]
},
{
"Sid": "S3Access",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::*SageMaker*",
"arn:aws:s3:::*Sagemaker*",
"arn:aws:s3:::*sagemaker*",
"arn:aws:s3:::jumpstart*"
]
},
{
"Sid": "PassRoleForSageMakerAndLambdaAndBedrock",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/service-role/AmazonSageMaker-ExecutionRole-*"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"lambda.amazonaws.com",
"bedrock.amazonaws.com"
],
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "BedrockDeploy",
"Effect": "Allow",
"Action": [
"bedrock:CreateModelImportJob"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "BedrockOperations",
"Effect": "Allow",
"Action": [
"bedrock:GetModelImportJob",
"bedrock:GetImportedModel",
"bedrock:ListProvisionedModelThroughputs",
"bedrock:ListCustomModelDeployments",
"bedrock:ListCustomModels",
"bedrock:ListModelImportJobs",
"bedrock:GetEvaluationJob",
"bedrock:CreateEvaluationJob",
"bedrock:InvokeModel"
],
"Resource": [
"arn:aws:bedrock:*:*:evaluation-job/*",
"arn:aws:bedrock:*:*:imported-model/*",
"arn:aws:bedrock:*:*:model-import-job/*",
"arn:aws:bedrock:*:*:foundation-model/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "BedrockFoundationModelOperations",
"Effect": "Allow",
"Action": [
"bedrock:GetFoundationModelAvailability",
"bedrock:ListFoundationModels"
],
"Resource": [
"*"
]
}
]
}
```
그런 다음 **신뢰 정책 편집**을 클릭하고 다음 정책으로 바꾼 다음 **정책 업데이트를** 클릭해야 합니다.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"Service": "sagemaker.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"Service": "bedrock.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```