Why do I receive errors when I launch a presigned URL on SageMaker AI notebook instances or SageMaker Studio domains?

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

When you launch a presigned URL on a SageMaker AI notebook instance or SageMaker Studio domain, you might receive the following error messages:

• "Invalid or Expired Auth Token. Request a new presigned URL to continue using SageMaker."
• "User: arn:aws:sts::account id:assumed-role/IAM role/IAM user is not authorized to perform: sagemaker:CreatePresignedNotebookInstanceUrl on resource: arn:aws:sagemaker:Region:account id:notebook-instance/notebook instance because no identity-based policy allows the sagemaker:CreatePresignedNotebookInstanceUrl action"
• "User: arn:aws:sts::account id:assumed-role/IAM role/SageMaker is not authorized to perform: sagemaker:CreatePresignedDomainUrl on resource: arn:aws:sagemaker:Region:account id:user-profile/domain id/user profile name because no identity-based policy allows the sagemaker:CreatePresignedDomainUrl action"

To troubleshoot these issues, complete the resolution for the error message that you received.

"Invalid or Expired Auth Token" error

You receive the Invalid of Expired Auth Token error when the SessionExpirationDurationInSeconds parameter in either CreatePresignedNotebookInstanceUrl or CreatePresignedDomainUrl exceeds the maximum duration of 12 hours. To resolve this issue, clear the cookies and session data from your web browser. Then, use the SageMaker AI console, AWS CLI, or Python SDK to generate a new presigned URL.

SageMaker AI notebook instance

To use the console, complete the following steps:

1. Open the SageMaker AI console.
2. In the navigation pane, under Applications and IDEs, choose Notebooks.
3. Select your notebook instance.
4. Choose Open Jupyter or Open JupyterLab.

To use the AWS CLI, run the create-presigned-notebook-instance-url command:

aws sagemaker create-presigned-notebook-instance-url --notebook-instance-name example-notebook-instance-name --session-expiration-duration-in-seconds example-session-expiration-duration

Note: Replace example-notebook-instance-name and example-session-expiration-duration with your values.

To use the Python SDK Boto3, run the create-presigned-notebook-instance-url command:

import boto3

client = boto3.client('sagemaker')

response = client.create_presigned_notebook_instance_url(
    NotebookInstanceName=example-notebook-name,
    SessionExpirationDurationInSeconds=example-session-expiration-duration
)

Note: Replace example-notebook-name and example-session-expiration-duration with your values.

The presigned URL that the AWS CLI or Python SDK generates is valid only for 5 minutes. After 5 minutes, you must generate a new presigned URL.

SageMaker Studio domain

To use the console, complete the following steps:

1. Open the SageMaker AI console.
2. In the navigation pane, under Admin configurations, choose Domains.
3. Select your domain.
4. Choose User profiles, and then select your user profile name.
5. Choose Launch, and then choose Studio.

To use the AWS CLI, run the create-presigned-domain-url command:

aws sagemaker create-presigned-domain-url --domain-id example-domain-id --user-profile-name example-user-profile-name --session-expiration-duration-in-seconds example-session-expiration-duration

Note: Replace example-domain-id, example-user-profile-name, and example-session-expiration-duration with your values.

To use the Python SDK Boto3, run the create-presigned-domain-url command:

import boto3

client = boto3.client('sagemaker')

response = client.create_presigned_domain_url(
    DomainId=example-domain-id,
    UserProfileName=example-user-profile-name,
    SessionExpirationDurationInSeconds=example-session-expiration-duration,
)

Note: Replace example-domain-id, example-user-profile-name, and example-session-expiration-duration with your values.

The presigned URL that the AWS CLI or Python SDK generates is valid only for 5 minutes. After 5 minutes, you must generate a new presigned URL.

"Not authorized to perform" error

To launch a SageMaker AI notebook or SageMaker Studio domain, your AWS Identity and Access Management (IAM) role must have permission to create a presigned URL.

For a SageMaker AI notebook instance, add the sagemaker:CreatePresignedNotebookInstanceUrl action to your IAM role's identity-based policy. For a SageMaker Studio domain, add the sagemaker:CreatePresignedDomainUrl action to the IAM policy.

Related information

Connect to a notebook instance through an Amazon Virtual Private Cloud (Amazon VPC) interface endpoint