Sagemaker Studio - create domain error

1

A customer is trying to set up SageMaker Studio. He is following our published instructions to set up using IAM: https://docs.aws.amazon.com/sagemaker/latest/dg/onboard-iam.html

But he is getting an error: User: arn:aws:iam:xxxx:user/user1 is not authorized to perform: sagemaker:CreateDomain on resource: arn:aws:sagemaker:us-east-2:xxxx:domain/yyyy

He has admin privileges on the account and AmazonSageMakerFullAccess. We noticed that the AmazonSageMakerFullAccess policy actually has a limitation: you can perform all SageMaker actions, but not on a resource with ARN "arn:aws:sagemaker:::domain/*". We confirmed with the CLI that there are no other domains in that region, as you are only allowed one, so that isn't blocking. And aws sagemaker list-user-profiles returns no user profiles.

Has anyone seen that error before or knows the workaround? Should he create a custom policy to enable creating domains, or would there be any implications of that? Are there specific permissions he should have so as to onboard using IAM?

AWS
rabinon
asked 4 years ago, 3106 views
1 answer
1
Accepted answer

A user with admin privileges would have access to "iam:CreateServiceLinkedRole" and "sagemaker:CreateDomain" actions, unless SCPs or permissions boundaries are involved. However, for the purpose of onboarding Amazon SageMaker Studio with limited permissions, I would grant the user least privilege by reviewing Control Access to the Amazon SageMaker API by Using Identity-based Policies and Actions, Resources, and Condition Keys for Amazon SageMaker documentation:

{
    "Effect": "Allow",
    "Action": "sagemaker:CreateDomain",
    "Resource": "arn:aws:sagemaker:<REGION>:<ACCOUNT-ID>:domain/*"
}

NOTE: An AWS account is limited to one Domain, per region, see CreateDomain.

{
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "iam:AWSServiceName": "sagemaker.amazonaws.com"
        }
    }
}

Cheers!

AWS
answered 4 years ago
EXPERT
reviewed a month ago
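As an added example (not code from the answer or from AWS), here is a small, simplified IAM evaluator in Python that applies the two statements above, combined into one policy document, to sample requests, so you can see which CreateDomain and CreateServiceLinkedRole calls the least-privilege grant permits and which it refuses. The region, account ID and role ARNs are constructed placeholders, and the evaluator models only Allow/Deny, `*`/`?` wildcards and StringEquals/StringNotEquals, not the full IAM grammar.

```python
import fnmatch
# Constructed placeholder values, not taken from the question or the answer.
REGION = "us-east-2"
ACCOUNT_ID = "123456789012"
# The two statements from the accepted answer, combined into one policy document.
ONBOARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": "sagemaker:CreateDomain",
         "Resource": f"arn:aws:sagemaker:{REGION}:{ACCOUNT_ID}:domain/*"},
        {"Effect": "Allow",
         "Action": "iam:CreateServiceLinkedRole",
         "Resource": "*",
         "Condition": {"StringEquals": {"iam:AWSServiceName": "sagemaker.amazonaws.com"}}},
    ],
}

def _as_list(value):  # IAM accepts a single string or a list in these fields
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM wildcards: '*' is any run of characters, '?' one character, case-sensitive.
    # fnmatch also treats '[...]' as a character class, which IAM does not, so escape it.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))

def _condition_ok(condition, context):
    # Simplified: only StringEquals / StringNotEquals are modelled. A key absent from the
    # request context compares as not equal, so a StringEquals statement does not apply.
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            equal = context.get(key) in _as_list(expected)
            if equal != (operator == "StringEquals"):
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Simplified IAM logic: explicit Deny wins, any applicable Allow permits, else implicit deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not (any(_matches(p, action) for p in _as_list(stmt["Action"]))
                and any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
                and _condition_ok(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Against a real account, `aws iam simulate-principal-policy` performs the same kind of check using the policies actually attached to the user, including SCPs and permissions boundaries that this toy evaluator does not see.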
