Sagemaker Studio - create domain error
A customer is trying to setup Sagemaker studio. He is following our published instructions to set up using IAM: https://docs.aws.amazon.com/sagemaker/latest/dg/onboard-iam.html
But is getting an error: User: arn:aws:iam:xxxx:user/user1 is not authorized to perform: sagemaker:CreateDomain on resource: arn:aws:sagemaker: us-east-2:xxxx:domain/yyyy
He has admin priviledges on the account and AmazonSageMakerFullAccess. We noticed that the AmazonSageMakerFullAccess policy actually has a limitation. You can perform all sagemaker actions, but not on a resource with arn “arn:aws:sagemaker:::domain/*”. We confirmed there are no other domains in that region with the CLI as you are only allowed one – so that isn’t blocking. And aws sagemaker list-user-profiles returns no user profiles.
Has anyone seen that error before or know the workaround? Should he create a custom policy to enable creating domains or would there be any implications of that? Are there specific permissions he should have so as to onboard using IAM?
- 新しい順
- 投票が多い順
- コメントが多い順
A user with admin privileges would have access to "iam:CreateServiceLinkedRole" and "sagemaker:CreateDomain" actions, unless SCPs or permissions boundaries are involved. However, for the purpose of onboarding Amazon SageMaker Studio with limited permissions, I would grant the user least privilege by reviewing Control Access to the Amazon SageMaker API by Using Identity-based Policies and Actions, Resources, and Condition Keys for Amazon SageMaker documentation:
{
"Effect": "Allow",
"Action": "sagemaker:CreateDomain",
"Resource": "arn:aws:sagemaker:<REGION>:<ACCOUNT-ID>:domain/*"
}
NOTE: An AWS account is limited to one Domain, per region, see CreateDomain.
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "sagemaker.amazonaws.com"
}
}
}
Cheers!
関連するコンテンツ
AWS公式更新しました 1年前- AWS公式更新しました 6ヶ月前
