Amazon SageMaker (sagemaker)

2026-06-03

12 new actions, 1 new resource, 6 new conditions | 22 updated actions

Additions

    Actions
  • CallWithBearerToken
    • Description:  Grants permission to use bearer token in SageMaker Job and Inference runtime endpoints APIs
    • Access:  Read
    • Conditions: 

      sagemaker:BearerTokenType
  • CompleteRollout
    • Description:  Grants permission to mark a rollout as complete for a job
    • Access:  Write
    • Resources: 

      Name: job

      Required: Yes

  • CreateJob
    • Description:  Grants permission to create a SageMaker model customization job
    • Access:  Write
    • Resources: 

      Name: job

      Required: Yes

    • Conditions: 

      aws:RequestTag/${TagKey}

      aws:TagKeys

      sagemaker:OutputKmsKeyArn

      sagemaker:VpcSecurityGroupIds

      sagemaker:VpcSubnets
    • Dependents: 

      iam:PassRole

      sagemaker:AddTags
  • DeleteJob
    • Description:  Grants permission to delete a SageMaker model customization job
    • Access:  Write
    • Resources: 

      Name: job

      Required: Yes

  • DescribeJob
    • Description:  Grants permission to return information about a SageMaker model customization job
    • Access:  Read
    • Resources: 

      Name: job

      Required: Yes

  • DescribeJobSchemaVersion
    • Description:  Grants permission to return information about a job schema version for a particular JobCategory for the CreateJob API
    • Access:  Read
  • ListJobSchemaVersions
    • Description:  Grants permission to list job schema versions for a particular JobCategory for the CreateJob API
    • Access:  List
  • ListJobs
    • Description:  Grants permission to list SageMaker model customization jobs
    • Access:  List
  • Sample
    • Description:  Grants permission to invoke a sample request against a job
    • Access:  Write
    • Resources: 

      Name: job

      Required: Yes

  • SampleWithResponseStream
    • Description:  Grants permission to invoke a streaming sample request against a job
    • Access:  Write
    • Resources: 

      Name: job

      Required: Yes

  • StopJob
    • Description:  Grants permission to stop a SageMaker model customization job
    • Access:  Write
    • Resources: 

      Name: job

      Required: Yes

  • UpdateReward
    • Description:  Grants permission to submit reward scores for a trajectory in a job
    • Access:  Write
    • Resources: 

      Name: job

      Required: Yes

    Resources
  • job
    • Arn:  arn:${Partition}:sagemaker:${Region}:${Account}:job/${JobCategory}/${JobName}
    • Conditions: 

      aws:ResourceTag/${TagKey}

      sagemaker:ResourceTag/${TagKey}
    Conditions
  • sagemaker:BearerTokenType
    • Description:  Filters access by the type of bearer token used in the request
    • Type:  String
  • sagemaker:DomainSharingOutputKmsKeyArn
    • Description:  Filters access by the Domain sharing output KMS key associated with the resource in the request. The ARN of the key-id must be used
    • Type:  ARN
  • sagemaker:FeatureGroupOfflineStoreKmsKeyArn
    • Description:  Filters access by the offline store kms key associated with the feature group resource in the request. The ARN of the key-id must be used
    • Type:  ARN
  • sagemaker:FeatureGroupOnlineStoreKmsKeyArn
    • Description:  Filters access by the online store kms key associated with the feature group resource in the request. The ARN of the key-id must be used
    • Type:  ARN
  • sagemaker:OutputKmsKeyArn
    • Description:  Filters access by the output kms key associated with the resource in the request. The ARN of the key-id must be used
    • Type:  ARN
  • sagemaker:VolumeKmsKeyArn
    • Description:  Filters access by the volume kms key associated with the resource in the request. The ARN of the key-id must be used
    • Type:  ARN

Updates

    Actions
  • CreateCluster
      Conditions
    • + sagemaker:OutputKmsKeyArn
    • + sagemaker:VolumeKmsKeyArn
    • - sagemaker:OutputKmsKey
    • - sagemaker:VolumeKmsKey
  • CreateClusterSchedulerConfig
      Conditions
    • + sagemaker:OutputKmsKeyArn
    • + sagemaker:VolumeKmsKeyArn
    • - sagemaker:OutputKmsKey
    • - sagemaker:VolumeKmsKey
  • CreateDomain
      Conditions
    • + sagemaker:OutputKmsKeyArn
    • + sagemaker:VolumeKmsKeyArn
    • - sagemaker:OutputKmsKey
    • - sagemaker:VolumeKmsKey
  • CreateEdgeDeploymentStage
      Conditions
    • + sagemaker:DomainSharingOutputKmsKeyArn
    • + sagemaker:VolumeKmsKeyArn
    • - sagemaker:DomainSharingOutputKmsKey
    • - sagemaker:VolumeKmsKey
  • CreateFeatureGroup
      Conditions
    • + sagemaker:VolumeKmsKeyArn
    • - sagemaker:VolumeKmsKey
  • CreateHub
      Conditions
    • + sagemaker:FeatureGroupOnlineStoreKmsKeyArn
    • + sagemaker:FeatureGroupOfflineStoreKmsKeyArn
    • - sagemaker:FeatureGroupOnlineStoreKmsKey
    • - sagemaker:FeatureGroupOfflineStoreKmsKey
  • CreateImageVersion
      Conditions
    • + sagemaker:OutputKmsKeyArn
    • + sagemaker:VolumeKmsKeyArn
    • - sagemaker:OutputKmsKey
    • - sagemaker:VolumeKmsKey
  • CreateMlflowTrackingServer
      Conditions
    • + sagemaker:VolumeKmsKeyArn
    • + sagemaker:OutputKmsKeyArn
    • - sagemaker:VolumeKmsKey
    • - sagemaker:OutputKmsKey
  • CreateModelExplainabilityJobDefinition
      Conditions
    • + sagemaker:OutputKmsKeyArn
    • + sagemaker:VolumeKmsKeyArn
    • - sagemaker:OutputKmsKey
    • - sagemaker:VolumeKmsKey
  • CreateModelQualityJobDefinition
      Conditions
    • + sagemaker:OutputKmsKeyArn
    • + sagemaker:VolumeKmsKeyArn
    • - sagemaker:OutputKmsKey
    • - sagemaker:VolumeKmsKey
  • CreateNotebookInstanceLifecycleConfig
      Conditions
    • + sagemaker:OutputKmsKeyArn
    • + sagemaker:VolumeKmsKeyArn
    • - sagemaker:OutputKmsKey
    • - sagemaker:VolumeKmsKey
  • CreateOptimizationJob
      Conditions
    • + sagemaker:OutputKmsKeyArn
    • + sagemaker:VolumeKmsKeyArn
    • - sagemaker:OutputKmsKey
    • - sagemaker:VolumeKmsKey
  • CreatePartnerApp
      Conditions
    • + sagemaker:VolumeKmsKeyArn
    • - sagemaker:VolumeKmsKey
  • CreateSharedModel
      Conditions
    • + sagemaker:OutputKmsKeyArn
    • + sagemaker:VolumeKmsKeyArn
    • - sagemaker:OutputKmsKey
    • - sagemaker:VolumeKmsKey
  • CreateTrial
      Conditions
    • + sagemaker:OutputKmsKeyArn
    • + sagemaker:VolumeKmsKeyArn
    • - sagemaker:OutputKmsKey
    • - sagemaker:VolumeKmsKey
  • CreateUserProfile
      Conditions
    • + sagemaker:OutputKmsKeyArn
    • + sagemaker:VolumeKmsKeyArn
    • - sagemaker:OutputKmsKey
    • - sagemaker:VolumeKmsKey
  • DeleteAIBenchmarkJob
      Conditions
    • + sagemaker:DomainSharingOutputKmsKeyArn
    • - sagemaker:DomainSharingOutputKmsKey
  • UpdateInferenceComponent
      Conditions
    • + sagemaker:DomainSharingOutputKmsKeyArn
    • - sagemaker:DomainSharingOutputKmsKey
  • UpdateTrial
      Conditions
    • + sagemaker:OutputKmsKeyArn
    • + sagemaker:VolumeKmsKeyArn
    • - sagemaker:OutputKmsKey
    • - sagemaker:VolumeKmsKey
  • AddTags
      Resources
    • + job
  • DeleteUserProfile
      Resources
    • + job
  • ListUserProfiles
      Resources
    • + job