Sagemaker onboarding exceptions for IAM user - CreateDomain error and ValidationException

0

I am an IAM user. The permission policies I have from the admin are IAMFullAccess, AmazonS3FullAccess, AmazonSageMakerFullAccess, and AmazonEC2FullAccess. When trying to onboard SageMaker, I get the following two exceptions:

AccessDeniedException User: arn:aws:iam::123456789:user/username is not authorized to perform: sagemaker:CreateDomain on resource: arn:aws:sagemaker:region:123456789:domain/domain because no identity-based policy allows the sagemaker:CreateDomain action

and

ValidationException Access denied in getting/accepting the portfolio shared by SageMaker. Please call withservicecatalog:AcceptPortfolioShare & servicecatalog:ListAcceptedPortfolioShares permission.

The first exception seems to indicate that I have not been given any identity-based policy that allows me to call CreateDomain on the SageMaker API, but as I listed at the beginning, I have been given a full access policy for SageMaker and other services, and I attach the AmazonSageMakerFullAccess policy to the execution role when trying to onboard. Looking at this error online, I found a suggestion to add a policy containing kms:CreateGrant and dms:DescribeKey, but it didn't help, and looking at the api-permissions-reference (https://docs.aws.amazon.com/sagemaker/latest/dg/api-permissions-reference.html) I only need such things if I specified a customer managed key, which I did not. I found a question on this forum that was related (https://repost.aws/questions/QUyWQfPusnSHG6Ujfzx27o1w/sagemaker-studio-create-domain-error), but the answer seems to have listed permission policies that are needed. These are permissions I should already have in the full access policies.

I created a separate personal account and was able to successfully onboard SageMaker with no issues, so the problem is coming specifically from the IAM account and its permissions.

Asked 2 years ago, 88 views
No answers
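
One way to test the premise in the question, added here as an example and not part of the original post: IAM's SimulatePrincipalPolicy reports, for each action named in the two errors, whether the user's policies allow it and, if not, whether a permissions boundary or an Organizations policy is what blocks it. The `ConstructedIam` stub, its results and the placeholder ARN are constructed so the block runs offline; they say nothing about the poster's account.

```python
# Added example: which actions from the two errors do a principal's policies allow?
# Actions named in the AccessDeniedException and ValidationException above.
ACTIONS = [
    "sagemaker:CreateDomain",
    "servicecatalog:AcceptPortfolioShare",
    "servicecatalog:ListAcceptedPortfolioShares",
]

def _reason(res):
    """Turn one SimulatePrincipalPolicy result into a short explanation."""
    decision = res["EvalDecision"]
    if decision == "allowed":
        return "allowed"
    if decision == "explicitDeny":
        ids = [s.get("SourcePolicyId", "?") for s in res.get("MatchedStatements", [])]
        return "explicit deny in: " + ", ".join(ids)
    if res.get("PermissionsBoundaryDecisionDetail", {}).get("AllowedByPermissionsBoundary") is False:
        return "implicit deny: permissions boundary does not allow it"
    if res.get("OrganizationsDecisionDetail", {}).get("AllowedByOrganizations") is False:
        return "implicit deny: Organizations SCP does not allow it"
    return "implicit deny: no attached policy allows it"

def explain_decisions(iam, principal_arn, actions=ACTIONS):
    """Return {action: explanation}; `iam` is a boto3 IAM client or a stub."""
    kwargs = {"PolicySourceArn": principal_arn, "ActionNames": list(actions)}
    report = {}
    while True:
        page = iam.simulate_principal_policy(**kwargs)
        for res in page["EvaluationResults"]:
            report[res["EvalActionName"]] = _reason(res)
        if not page.get("IsTruncated"):
            return report
        kwargs["Marker"] = page["Marker"]  # fetch the next page of results

class ConstructedIam:
    """Offline stand-in returning constructed results (not real account data)."""
    def simulate_principal_policy(self, **kwargs):
        boundary = {"AllowedByPermissionsBoundary": False}
        return {"IsTruncated": False, "EvaluationResults": [
            {"EvalActionName": "sagemaker:CreateDomain", "EvalDecision": "implicitDeny",
             "PermissionsBoundaryDecisionDetail": boundary},
            {"EvalActionName": "servicecatalog:AcceptPortfolioShare",
             "EvalDecision": "implicitDeny"},
            {"EvalActionName": "servicecatalog:ListAcceptedPortfolioShares",
             "EvalDecision": "allowed"},
        ]}

if __name__ == "__main__":
    # Against a real account: iam = boto3.client("iam") and the user's own ARN.
    iam = ConstructedIam()
    arn = "arn:aws:iam::111122223333:user/example"  # constructed placeholder
    for action, why in explain_decisions(iam, arn).items():
        print(f"{action}: {why}")
```

With credentials that allow iam:SimulatePrincipalPolicy, pass `boto3.client("iam")` and the IAM user's ARN in place of the stub.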
