StartEarthObservationJob API: Execution role permissions - Amazon SageMaker AI
Services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the AWS European Sovereign Cloud Region, see the AWS European Sovereign Cloud User Guide.

StartEarthObservationJob API: Execution role permissions

For an execution role that you can pass in a StartEarthObservationJob API request, you can attach the following minimum permissions policy to the role:

JSON
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": [
                "arn:aws-eusc:s3:::*SageMaker*",
                "arn:aws-eusc:s3:::*Sagemaker*",
                "arn:aws-eusc:s3:::*sagemaker*"
            ]
        },
        {
        "Effect": "Allow",
        "Action": "sagemaker-geospatial:GetEarthObservationJob",
        "Resource":  "arn:aws-eusc:sagemaker-geospatial:*:*:earth-observation-job/*"
        },
        {
        "Effect": "Allow",
        "Action": "sagemaker-geospatial:GetRasterDataCollection",
        "Resource": "arn:aws-eusc:sagemaker-geospatial:*:*:raster-data-collection/*"
        }
    ]
    }

If your input Amazon S3 bucket is encrypted using server-side encryption with an AWS KMS managed key (SSE-KMS), see Using Amazon S3 Bucket Keys for more information.