This week addresses "operating ML solutions safely, controllably, and affordably." The first day's topic is permissions. SageMaker separates work into two categories: actions users call directly and actions SageMaker performs on behalf of users. Confusing these two is why permission scenarios trip you up. Today we organize execution roles to distinguish user permissions from service permissions, and how to design least privilege.
Permissions in SageMaker work through two paths.
sagemaker:CreateTrainingJob, sagemaker:CreateEndpoint