

# Setting up permissions
<a name="aws-personalize-set-up-permissions"></a>

 You must give users, groups, or roles permission to interact with Amazon Personalize resources. And you must give Amazon Personalize permission to access the resources you create in Amazon Personalize and to perform tasks on your behalf. 

**To set up permissions**

1.  Give Amazon Personalize permission to access your resources in Amazon Personalize and permission to perform tasks on your behalf. See [Giving Amazon Personalize permission to access your resources](set-up-required-permissions.md). 

1. Give your users, groups, or roles permission to interact with Amazon Personalize resources and pass your service role to Amazon Personalize. See [Giving users permission to access Amazon Personalize](grant-user-permissions.md).

1.  Modify your Amazon Personalize service role's trust policy so it prevents the [confused deputy problem](cross-service-confused-deputy-prevention.md). For a trust relationship policy example, see [Cross-service confused deputy prevention](cross-service-confused-deputy-prevention.md). For information about modifying a role's trust policy, see [Modifying a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html). 

1. If you use AWS Key Management Service (AWS KMS) for encryption, you must grant Amazon Personalize and your Amazon Personalize IAM service role permission to use your key. For more information, see [Giving Amazon Personalize permission to use your AWS KMS key](granting-personalize-key-access.md).

1.  Complete the steps in [Giving Amazon Personalize access to Amazon S3 resources](granting-personalize-s3-access.md) to use IAM and Amazon S3 bucket policies to give Amazon Personalize access to your Amazon S3 resources. 

**Topics**
+ [Giving Amazon Personalize permission to access your resources](set-up-required-permissions.md)
+ [Giving users permission to access Amazon Personalize](grant-user-permissions.md)
+ [Giving Amazon Personalize access to Amazon S3 resources](granting-personalize-s3-access.md)
+ [Giving Amazon Personalize permission to use your AWS KMS key](granting-personalize-key-access.md)

# Giving Amazon Personalize permission to access your resources
<a name="set-up-required-permissions"></a>

 To give Amazon Personalize permission to access your resources, you create an IAM policy that provides Amazon Personalize full access to your Amazon Personalize resources. Or you can use the AWS managed `AmazonPersonalizeFullAccess` policy. `AmazonPersonalizeFullAccess` provides more permissions than are necessary. We recommend creating a new IAM policy that only grants the necessary permissions. For more information about managed policies, see [AWS managed policies](security_iam_id-based-policy-examples.md#using-managed-policies). 

After you create a policy, you create an IAM role for Amazon Personalize and attach the new policy to it. 

**Topics**
+ [Creating a new IAM policy for Amazon Personalize](#create-role-policy)
+ [Creating an IAM role for Amazon Personalize](#set-up-create-role-with-permissions)

## Creating a new IAM policy for Amazon Personalize
<a name="create-role-policy"></a>

Create an IAM policy that provides Amazon Personalize full access to your Amazon Personalize resources.

**To use the JSON policy editor to create a policy**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane on the left, choose **Policies**. 

   If this is your first time choosing **Policies**, the **Welcome to Managed Policies** page appears. Choose **Get Started**.

1. At the top of the page, choose **Create policy**.

1. In the **Policy editor** section, choose the **JSON** option.

1. Enter the following JSON policy document:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "personalize:*"
               ],
               "Resource": "*"
           }
       ]
   }
   ```

1. Choose **Next**.
**Note**  
You can switch between the **Visual** and **JSON** editor options anytime. However, if you make changes or choose **Next** in the **Visual** editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_policies.html#troubleshoot_viseditor-restructure) in the *IAM User Guide*.

1. On the **Review and create** page, enter a **Policy name** and a **Description** (optional) for the policy that you are creating. Review **Permissions defined in this policy** to see the permissions that are granted by your policy.

1. Choose **Create policy** to save your new policy.

## Creating an IAM role for Amazon Personalize
<a name="set-up-create-role-with-permissions"></a>

 To use Amazon Personalize, you must create an AWS Identity and Access Management service role for Amazon Personalize. A service role is an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*. After you create a service role for Amazon Personalize, grant the role additional permissions listed in [Additional service role permissions](#additional-service-role-permissions) as necessary. 

**To create the service role for Personalize (IAM console)**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane of the IAM console, choose **Roles**, and then choose **Create role**.

1. For **Trusted entity type**, choose **AWS service**.

1. For **Service or use case**, choose **Personalize**, and then choose the **Personalize** use case.

1. Choose **Next**.

1. Choose the policy that you created in the previous procedure.

1. (Optional) Set a [permissions boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html). This is an advanced feature that is available for service roles, but not service-linked roles.

   1. Open the **Set permissions boundary** section, and then choose **Use a permissions boundary to control the maximum role permissions**.

      IAM includes a list of the AWS managed and customer-managed policies in your account.

   1. Select the policy to use for the permissions boundary.

1. Choose **Next**.

1. Enter a role name or a role name suffix to help you identify the purpose of the role.
**Important**  
When you name a role, note the following:  
Role names must be unique within your AWS account, and can't be made unique by case.  
For example, don't create roles named both **PRODROLE** and **prodrole**. When a role name is used in a policy or as part of an ARN, the role name is case sensitive; however, when a role name appears to customers in the console, such as during the sign-in process, the role name is case insensitive.
You can't edit the name of the role after it's created because other entities might reference the role.

1. (Optional) For **Description**, enter a description for the role.

1. (Optional) To edit the use cases and permissions for the role, in the **Step 1: Select trusted entities** or **Step 2: Add permissions** sections, choose **Edit**.

1. (Optional) To help identify, organize, or search for the role, add tags as key-value pairs. For more information about using tags in IAM, see [Tags for AWS Identity and Access Management resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.

1. Review the role, and then choose **Create role**.

After you create a role for Amazon Personalize, you are ready to grant it [access to your Amazon S3 bucket](granting-personalize-s3-access.md) and [any AWS KMS keys](granting-personalize-key-access.md).

### Additional service role permissions
<a name="additional-service-role-permissions"></a>

After you create the role and grant it permissions to access your resources in Amazon Personalize, do the following:

1.  Modify your Amazon Personalize service role's trust policy so it prevents the [confused deputy problem](cross-service-confused-deputy-prevention.md). For a trust relationship policy example, see [Cross-service confused deputy prevention](cross-service-confused-deputy-prevention.md). For information about modifying a role's trust policy, see [Modifying a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html). 

1.  If you use AWS Key Management Service (AWS KMS) for encryption, you must grant Amazon Personalize and your Amazon Personalize IAM service role permission to use your key. For more information, see [Giving Amazon Personalize permission to use your AWS KMS key](granting-personalize-key-access.md). 

# Giving users permission to access Amazon Personalize
<a name="grant-user-permissions"></a>

 To provide your users access to Amazon Personalize, you create an IAM policy that grants permission to access your Amazon Personalize resources and to pass your service role to Amazon Personalize. Then you use that policy when you add permissions to your users, groups, or roles. 

## Creating a new IAM policy for your users
<a name="create-policy-for-users"></a>

Create an IAM policy that provides Amazon Personalize full access to your Amazon Personalize resources and `PassRole` permissions to pass your service role to Amazon Personalize (created in [Creating an IAM role for Amazon Personalize](set-up-required-permissions.md#set-up-create-role-with-permissions)). 

**To use the JSON policy editor to create a policy**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane on the left, choose **Policies**. 

   If this is your first time choosing **Policies**, the **Welcome to Managed Policies** page appears. Choose **Get Started**.

1. At the top of the page, choose **Create policy**.

1. In the **Policy editor** section, choose the **JSON** option.

1. Enter the following JSON policy document:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "personalize:*"
               ],
               "Resource": "*"
           },
           {
               "Effect": "Allow",
               "Action": [
                   "iam:PassRole"
               ],
               "Resource": "arn:aws:iam::123456789012:role/ServiceRoleName",
               "Condition": {
                   "StringEquals": {
                       "iam:PassedToService": "personalize.amazonaws.com"
                   }
               }
           }
       ]
   }
   ```

1. Choose **Next**.
**Note**  
You can switch between the **Visual** and **JSON** editor options anytime. However, if you make changes or choose **Next** in the **Visual** editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_policies.html#troubleshoot_viseditor-restructure) in the *IAM User Guide*.

1. On the **Review and create** page, enter a **Policy name** and a **Description** (optional) for the policy that you are creating. Review **Permissions defined in this policy** to see the permissions that are granted by your policy.

1. Choose **Create policy** to save your new policy.

To grant only the permissions required to perform a task in Amazon Personalize, modify the preceding policy to include only the required actions for your user. For a complete list of Amazon Personalize actions, see [Actions, resources, and condition keys for Amazon Personalize](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpersonalize.html).
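The following Python helper is an added example, not code from the Amazon Personalize documentation. It builds the user policy above with an explicit action list in place of `personalize:*`, and then checks any policy for `iam:PassRole` grants that are broader than the page's example (a wildcard role resource, or no `iam:PassedToService` condition), since an unscoped PassRole lets a user hand an arbitrary role to a service. The sample action names and the placeholder role ARN are constructed for the demonstration.

```python
import json

PERSONALIZE_SERVICE = "personalize.amazonaws.com"


def build_user_policy(personalize_actions, service_role_arn):
    """Build the user policy from the procedure above, with the first
    statement scoped to an explicit list of personalize:* actions instead
    of the wildcard. The PassRole statement keeps the page's shape: one
    role ARN and the iam:PassedToService condition."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": sorted(set(personalize_actions)),
                "Resource": "*",
            },
            {
                "Effect": "Allow",
                "Action": ["iam:PassRole"],
                "Resource": service_role_arn,
                "Condition": {
                    "StringEquals": {"iam:PassedToService": PERSONALIZE_SERVICE}
                },
            },
        ],
    }


def _as_list(value):
    # IAM accepts a single string or a list for Action, Resource and condition values.
    return value if isinstance(value, list) else [value]


def passrole_findings(policy):
    """Flag Allow statements that grant iam:PassRole more broadly than the
    page's example: a wildcard role resource, or a missing or different
    iam:PassedToService condition. Returns a list of finding strings."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"iam:passrole", "iam:*", "*"}:
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or res.endswith("/*"):
                findings.append(f"statement {idx}: iam:PassRole on wildcard resource {res!r}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        passed_to = _as_list(cond.get("iam:PassedToService", []))
        if passed_to != [PERSONALIZE_SERVICE]:
            findings.append(
                f"statement {idx}: iam:PassRole not limited to {PERSONALIZE_SERVICE}"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample: the page's placeholder account ID and role name.
    policy = build_user_policy(
        ["personalize:CreateDatasetImportJob", "personalize:DescribeDatasetImportJob"],
        "arn:aws:iam::123456789012:role/ServiceRoleName",
    )
    print(json.dumps(policy, indent=4))
    print("findings:", passrole_findings(policy))
```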

## Providing access to Amazon Personalize
<a name="attach-policy-to-user"></a>

Attach the new IAM policy when you provide permissions to your users.

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

# Giving Amazon Personalize access to Amazon S3 resources
<a name="granting-personalize-s3-access"></a>

To give Amazon Personalize access to your Amazon S3 bucket, do the following:

1. If you haven't already, follow the steps in [Setting up permissions](aws-personalize-set-up-permissions.md) to set up permissions so Amazon Personalize can access your resources in Amazon Personalize on your behalf.

1.  Attach a policy to the Amazon Personalize service role (see [Creating an IAM role for Amazon Personalize](set-up-required-permissions.md#set-up-create-role-with-permissions)) that allows access to your Amazon S3 bucket. For more information, see [Attaching an Amazon S3 policy to your Amazon Personalize service role](#attaching-s3-policy-to-role). 

1.  Attach a bucket policy to the Amazon S3 bucket containing your data files so Amazon Personalize can access them. For more information, see [Attaching an Amazon Personalize access policy to your Amazon S3 bucket](#attach-bucket-policy). 

1.  If you use AWS Key Management Service (AWS KMS) for encryption, you must grant Amazon Personalize and your Amazon Personalize IAM service role permission to use your key. For more information, see [Giving Amazon Personalize permission to use your AWS KMS key](granting-personalize-key-access.md).

**Note**  
Because Amazon Personalize doesn’t communicate with AWS VPCs, Amazon Personalize can't interact with Amazon S3 buckets that allow only VPC access.

**Topics**
+ [Attaching an Amazon S3 policy to your Amazon Personalize service role](#attaching-s3-policy-to-role)
+ [Attaching an Amazon Personalize access policy to your Amazon S3 bucket](#attach-bucket-policy)

## Attaching an Amazon S3 policy to your Amazon Personalize service role
<a name="attaching-s3-policy-to-role"></a>

To attach an Amazon S3 policy to your Amazon Personalize role, do the following:

1. Sign in to the IAM console ([https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/)).

1. In the navigation pane, choose **Policies**, and choose **Create policy**.

1. Choose the JSON tab, and update the policy as follows. Replace `amzn-s3-demo-bucket` with the name of your bucket. You can use the following policy for dataset import jobs or data deletion jobs. If you are using a batch workflow or creating a dataset export job, Amazon Personalize needs additional permissions. See [Service role policy for batch workflows](#role-policy-for-batch-workflows) or [Amazon S3 bucket policy for exporting a dataset](#bucket-policy-for-export). 

------
#### [ JSON ]


   ```
   {
       "Version":"2012-10-17",
       "Id": "PersonalizeS3BucketAccessPolicy",
       "Statement": [
           {
               "Sid": "PersonalizeS3BucketAccessPolicy",
               "Effect": "Allow",
               "Action": [
                   "s3:GetObject",
                   "s3:ListBucket"
               ],
               "Resource": [
                   "arn:aws:s3:::amzn-s3-demo-bucket",
                   "arn:aws:s3:::amzn-s3-demo-bucket/*"
               ]
           }
       ]
   }
   ```

------

1. Choose **Next: Tags**. Optionally add any tags and choose **Review**.

1. Give the policy a name.

1. (Optional) For **Description**, enter a short sentence describing this policy, for example, **Allow Amazon Personalize to access its Amazon S3 bucket.**

1. Choose **Create policy**.

1. In the navigation pane, choose **Roles**, and choose the role you created for Amazon Personalize. See [Creating an IAM role for Amazon Personalize](set-up-required-permissions.md#set-up-create-role-with-permissions).

1. For **Permissions**, choose **Attach policies**.

1. To display the policy in the list, type part of the policy name in the **Filter policies** filter box.

1. Choose the check box next to the policy you created earlier in this procedure.

1. Choose **Attach policy**.

   Before your role is ready for use with Amazon Personalize you must also attach a bucket policy to the Amazon S3 bucket containing your data. See [Attaching an Amazon Personalize access policy to your Amazon S3 bucket](#attach-bucket-policy).

### Service role policy for batch workflows
<a name="role-policy-for-batch-workflows"></a>

To complete a batch workflow, Amazon Personalize needs permission to access and add files to your Amazon S3 bucket. Follow the steps above to attach the following policy to your Amazon Personalize role. Replace `amzn-s3-demo-bucket` with the name of your bucket. For more information on batch workflows, see [Getting batch item recommendations](getting-batch-recommendations.md) or [Getting batch user segments](getting-user-segments.md).

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",
    "Id": "PersonalizeS3BucketAccessPolicy",
    "Statement": [
        {
            "Sid": "PersonalizeS3BucketAccessPolicy",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ]
        }
    ]
}
```

------

### Service role policy for exporting a dataset
<a name="role-policy-for-export"></a>

To export a dataset, your Amazon Personalize service role needs permission to use the `PutObject` and `ListBucket` actions on your Amazon S3 bucket. The following example policy grants Amazon Personalize `PutObject` and `ListBucket` permissions. Replace `amzn-s3-demo-bucket` with the name of your bucket and attach the policy to your service role for Amazon Personalize. For information about attaching policies to a service role, see [Attaching an Amazon S3 policy to your Amazon Personalize service role](#attaching-s3-policy-to-role). 

```
{
    "Version": "2012-10-17",
    "Id": "PersonalizeS3BucketAccessPolicy",
    "Statement": [
        {
            "Sid": "PersonalizeS3BucketAccessPolicy",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ]
        }
    ]
}
```

## Attaching an Amazon Personalize access policy to your Amazon S3 bucket
<a name="attach-bucket-policy"></a>

Amazon Personalize needs permission to access the S3 bucket. You can use the following policy for dataset import jobs or data deletion jobs. Replace `amzn-s3-demo-bucket` with the name of your bucket. For batch workflows, see [Amazon S3 bucket policy for batch workflows](#bucket-policy-for-batch-workflows). 

For more information on Amazon S3 bucket policies, see [How Do I Add an S3 Bucket Policy?](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-bucket-policy.html). 

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",
    "Id": "PersonalizeS3BucketAccessPolicy",
    "Statement": [
        {
            "Sid": "PersonalizeS3BucketAccessPolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "personalize.amazonaws.com"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ]
        }
    ]
}
```

------

### Amazon S3 bucket policy for batch workflows
<a name="bucket-policy-for-batch-workflows"></a>

For batch workflows, Amazon Personalize needs permission to access and add files to your Amazon S3 bucket. Attach the following policy to your bucket. Replace `amzn-s3-demo-bucket` with the name of your bucket.

For more information on adding an Amazon S3 bucket policy to a bucket, see [How Do I Add an S3 Bucket Policy?](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-bucket-policy.html). For more information on batch workflows, see [Getting batch item recommendations](getting-batch-recommendations.md) or [Getting batch user segments](getting-user-segments.md).

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",
    "Id": "PersonalizeS3BucketAccessPolicy",
    "Statement": [
        {
            "Sid": "PersonalizeS3BucketAccessPolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "personalize.amazonaws.com"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ]
        }
    ]
}
```

------

### Amazon S3 bucket policy for exporting a dataset
<a name="bucket-policy-for-export"></a>

To export a dataset, Amazon Personalize needs permission to use the `PutObject` and `ListBucket` actions on your Amazon S3 bucket. The following example policy grants the Amazon Personalize principal `PutObject` and `ListBucket` permissions. Replace `amzn-s3-demo-bucket` with the name of your bucket and attach the policy to your bucket. For information on adding an Amazon S3 bucket policy to a bucket, see [How Do I Add an S3 Bucket Policy?](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-bucket-policy.html) in the *Amazon Simple Storage Service User Guide*. 

```
{
    "Version": "2012-10-17",
    "Id": "PersonalizeS3BucketAccessPolicy",
    "Statement": [
        {
            "Sid": "PersonalizeS3BucketAccessPolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "personalize.amazonaws.com"
            },
            "Action": [
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ]
        }
    ]
}
```
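The section above shows that every Amazon S3 workflow needs a matching pair of policies: an identity policy on the service role and a resource policy on the bucket, both granting the same actions, with the bucket policy naming the `personalize.amazonaws.com` principal. The following Python is an added example, not code from the Amazon Personalize documentation; it generates both policies for a given workflow and reports gaps when the pair is inconsistent (for example, a bucket policy updated for batch workflows while the role policy still only allows imports). The bucket name is the page's placeholder.

```python
PERSONALIZE_SERVICE = "personalize.amazonaws.com"

# S3 actions each workflow needs, as listed in the sections above.
WORKFLOW_ACTIONS = {
    "import": ["s3:GetObject", "s3:ListBucket"],  # dataset import and data deletion jobs
    "batch": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
    "export": ["s3:PutObject", "s3:ListBucket"],
}


def bucket_resources(bucket):
    # ListBucket is evaluated against the bucket ARN, object actions against bucket/*.
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def role_policy(bucket, workflow):
    """Identity policy to attach to the Personalize service role."""
    return {
        "Version": "2012-10-17",
        "Id": "PersonalizeS3BucketAccessPolicy",
        "Statement": [
            {
                "Sid": "PersonalizeS3BucketAccessPolicy",
                "Effect": "Allow",
                "Action": list(WORKFLOW_ACTIONS[workflow]),
                "Resource": bucket_resources(bucket),
            }
        ],
    }


def bucket_policy(bucket, workflow):
    """Resource policy for the bucket: the same statement plus the service principal."""
    policy = role_policy(bucket, workflow)
    policy["Statement"][0]["Principal"] = {"Service": PERSONALIZE_SERVICE}
    return policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def granted_actions(policy, bucket):
    """Actions that Allow statements grant on the bucket ARN or its objects.
    Resources are matched exactly; wildcard resource patterns are not expanded."""
    targets = set(bucket_resources(bucket))
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if targets & set(_as_list(stmt.get("Resource", []))):
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def access_gaps(role_pol, bucket_pol, bucket, workflow):
    """Both policies must allow every action the workflow needs, and the bucket
    policy must name the Personalize service principal. Returns a list of gaps
    (empty when the pair is complete)."""
    needed = set(WORKFLOW_ACTIONS[workflow])
    gaps = []
    for name, pol in (("role policy", role_pol), ("bucket policy", bucket_pol)):
        missing = needed - granted_actions(pol, bucket)
        if missing:
            gaps.append(f"{name} missing {sorted(missing)}")
    services = set()
    for stmt in bucket_pol.get("Statement", []):
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service", [])))
    if PERSONALIZE_SERVICE not in services:
        gaps.append("bucket policy does not grant the Personalize service principal")
    return gaps
```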

# Giving Amazon Personalize permission to use your AWS KMS key
<a name="granting-personalize-key-access"></a>

 If you specify an AWS Key Management Service (AWS KMS) key when you use the Amazon Personalize console or APIs, or if you use your AWS KMS key to encrypt an Amazon S3 bucket, you must grant Amazon Personalize permission to use your key. To grant permissions, your AWS KMS key policy *and* the IAM policy attached to your service role must grant Amazon Personalize permission to use your key. This applies when you create the following in Amazon Personalize: 
+ Dataset groups
+ Dataset import jobs (only the AWS KMS key policy must grant permissions)
+ Dataset export jobs
+ Batch inference jobs
+ Batch segment jobs
+ Metric attributions

 Your AWS KMS key policy and IAM policies must grant permissions for the following actions: 
+  Decrypt 
+  GenerateDataKey 
+  DescribeKey 
+  CreateGrant (only required in key policy) 
+  ListGrants 

Revoking AWS KMS key permissions after creating a resource can lead to issues when creating a filter or getting recommendations. For more information about AWS KMS policies, see [Using key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the *AWS Key Management Service Developer Guide*. For information on creating an IAM policy, see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*. For information on attaching an IAM policy to a role, see [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the *IAM User Guide*.

**Topics**
+ [Key policy example](#export-job-key-policy)
+ [IAM policy example](#export-job-iam-policy)

## Key policy example
<a name="export-job-key-policy"></a>

The following key policy example grants Amazon Personalize and your role the minimum permissions for the preceding Amazon Personalize operations. If you specify a key when you create a dataset group and want to export data from a dataset, your key policy must include the `GenerateDataKeyWithoutPlaintext` action. 

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",
    "Id": "key-policy-123",
    "Statement": [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/<personalize-role-name>",
                "Service": "personalize.amazonaws.com"
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "kms:DescribeKey",
                "kms:CreateGrant",
                "kms:ListGrants"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## IAM policy example
<a name="export-job-iam-policy"></a>

 The following IAM policy example grants a role the minimum AWS KMS permissions required for the preceding Amazon Personalize operations. For dataset import jobs, only the AWS KMS key policy needs to grant permissions. 

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "kms:DescribeKey",
                "kms:ListGrants"
            ],
            "Resource": "*"
        }
    ]
}
```

------
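The two policies above must be checked together, and the rules differ by operation: `kms:CreateGrant` is required only in the key policy, dataset import jobs need only the key policy, and exporting from a dataset group that has a key also needs `kms:GenerateDataKeyWithoutPlaintext` in the key policy. The following Python checker is an added example, not code from the Amazon Personalize documentation; it encodes those rules and reports which policy is missing what. The operation names are labels chosen for this example, and the policies in the test are constructed from the page's samples with the placeholder account ID.

```python
from fnmatch import fnmatchcase

PERSONALIZE_SERVICE = "personalize.amazonaws.com"

# Actions the page lists. CreateGrant is only required in the key policy.
KEY_POLICY_ACTIONS = {
    "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey",
    "kms:CreateGrant", "kms:ListGrants",
}
IAM_POLICY_ACTIONS = KEY_POLICY_ACTIONS - {"kms:CreateGrant"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Action patterns from every Allow statement (string or list form)."""
    patterns = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            patterns.update(_as_list(stmt.get("Action", [])))
    return patterns


def _missing(needed, patterns):
    # An action is covered if any pattern matches it; IAM action names are
    # case-insensitive and may use '*' wildcards (kms:*, kms:Generate*).
    return sorted(
        a for a in needed
        if not any(fnmatchcase(a.lower(), p.lower()) for p in patterns)
    )


def kms_gaps(key_policy, iam_policy, operation, dataset_group_has_key=False):
    """Check the key policy / IAM policy pair for one of the operations listed
    above: 'dataset_group', 'dataset_import_job', 'dataset_export_job',
    'batch_inference_job', 'batch_segment_job' or 'metric_attribution'.
    Returns a list of gaps (empty when both policies are sufficient)."""
    gaps = []
    key_needed = set(KEY_POLICY_ACTIONS)
    if operation == "dataset_export_job" and dataset_group_has_key:
        key_needed.add("kms:GenerateDataKeyWithoutPlaintext")
    missing = _missing(key_needed, allowed_actions(key_policy))
    if missing:
        gaps.append(f"key policy missing {missing}")
    services = set()
    for stmt in key_policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service", [])))
    if PERSONALIZE_SERVICE not in services:
        gaps.append("key policy does not name the Personalize service principal")
    # Dataset import jobs are the exception: only the key policy must grant access.
    if operation != "dataset_import_job":
        missing = _missing(IAM_POLICY_ACTIONS, allowed_actions(iam_policy))
        if missing:
            gaps.append(f"IAM policy missing {missing}")
    return gaps
```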