Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Sagemaker Studio - create domain error

1

A customer is trying to setup Sagemaker studio. He is following our published instructions to set up using IAM: https://docs.aws.amazon.com/sagemaker/latest/dg/onboard-iam.html

But is getting an error: User: arn:aws:iam:xxxx:user/user1 is not authorized to perform: sagemaker:CreateDomain on resource: arn:aws:sagemaker: us-east-2:xxxx:domain/yyyy

He has admin priviledges on the account and AmazonSageMakerFullAccess. We noticed that the AmazonSageMakerFullAccess policy actually has a limitation. You can perform all sagemaker actions, but not on a resource with arn “arn:aws:sagemaker:::domain/*”. We confirmed there are no other domains in that region with the CLI as you are only allowed one – so that isn’t blocking. And aws sagemaker list-user-profiles returns no user profiles.

Has anyone seen that error before or know the workaround? Should he create a custom policy to enable creating domains or would there be any implications of that? Are there specific permissions he should have so as to onboard using IAM?

Temas
Aprendizaje automático e IA
Etiquetas
Amazon SageMaker
Idioma
English
AWS
rabinon
preguntada hace 4 años3106 visualizaciones
1 Respuesta
1
Respuesta aceptada

A user with admin privileges would have access to "iam:CreateServiceLinkedRole" and "sagemaker:CreateDomain" actions, unless SCPs or permissions boundaries are involved. However, for the purpose of onboarding Amazon SageMaker Studio with limited permissions, I would grant the user least privilege by reviewing Control Access to the Amazon SageMaker API by Using Identity-based Policies and Actions, Resources, and Condition Keys for Amazon SageMaker documentation:

{
    "Effect": "Allow",
    "Action": "sagemaker:CreateDomain",
    "Resource": "arn:aws:sagemaker:<REGION>:<ACCOUNT-ID>:domain/*"
}

NOTE: An AWS account is limited to one Domain, per region, see CreateDomain.

{
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "iam:AWSServiceName": "sagemaker.amazonaws.com"
        }
    }
}

Cheers!

AWS
AWS-User-2530299
respondido hace 4 años
profile picture
EXPERTO
Giovanni Lauria
revisado hace un mes

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante