ablog

不器用で落着きのない技術者のメモ

SageMaker GroundTruth で UpdateWorkforce API の実行権限を付与するIAM権限

AWS

SageMaker GroundTruth で UpdateWorkforce で許可する workforce に対するIPアドレスレンジを指定したい場合は、IAMポリシーで sagemaker:UpdateWorkforce を付与すればよい。逆に権限を与えたくない場合は sagemaker:UpdateWorkforce を付与しなければよい。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sagemaker:UpdateWorkforce"
            ],
            "Resource": "*"
        }
    ]
}

あるとき

$ aws sagemaker update-workforce --workforce-name default
{
    "Workforce": {
        "WorkforceName": "default", 
        "SourceIpConfig": {
            "Cidrs": []
        }, 
        "WorkforceArn": "arn:aws:sagemaker:ap-northeast-1:123456789012:workforce/default"
    }
}

ないとき

$ aws sagemaker update-workforce --workforce-name default

An error occurred (AccessDeniedException) when calling the UpdateWorkforce operation: User: arn:aws:sts::123456789012:assumed-role/EC2Role/i-0fb4f8428c110ddbc is not authorized to perform: sagemaker:UpdateWorkforce on resource: arn:aws:sagemaker:ap-northeast-1:123456789012:workforce/default

参考

https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UpdateWorkforce.html