Enforce tagging for SageMaker training job

When a data scientist starts a training job, it is useful to enforce tagging so that cost can be allocated to the training job. We need to enforce both the tag key and the value. For example, a tag key can be ‘project’ and its value could be ‘projectA’. The user should not be able to launch a training job without the ‘project’ key, and that key should only be able to take the value ‘projectA’, so that the cost can be allocated to the right project. Here’s the SageMaker policy for accomplishing that:

 sagemaker_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cloudwatch:PutMetricData",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                    "logs:CreateLogGroup",
                    "logs:DescribeLogStreams",
                    "logs:GetLogEvents",
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:ListBucket",
                    "ecr:GetAuthorizationToken",
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchGetImage",
                    "iam:PassRole",
                    "sagemaker:DescribeTrainingJob",
                    "sagemaker:AddTags"
                ],
                "Resource": "*"
                
            },
            {
                "Effect": "Allow",
                "Action": [
                      "sagemaker:CreateTrainingJob"
                ],
                "Resource": "*",
                "Condition": {"StringEquals": {
                "aws:RequestTag/project": [
                    "projectA"
                    ]
                }
            }
            }
        ]
    }
