How can I troubleshoot permissions issues while creating a SageMaker Feature Group?


I'm trying to create an Amazon SageMaker Feature Group, but I'm getting the "AccessDenied" error.

Short description

SageMaker "AccessDenied" errors indicate that the AWS Identity and Access Management (IAM) role doesn't have sufficient permissions to perform the CreateFeatureGroup operation. You might get the "AccessDenied" error when the execution role's permissions are missing or misconfigured in any of the following ways:

  • Missing AmazonSageMakerFeatureStoreAccess policy and Amazon Simple Storage Service (Amazon S3) bucket naming requirements
  • Missing AWS Lake Formation permissions
  • Missing AWS Key Management Service (AWS KMS) policy
  • Amazon S3 bucket policy

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

To view a detailed error message while creating a Feature Group, run the following command from a terminal, and check the FailureReason field in the output:

$ aws sagemaker describe-feature-group --feature-group-name nameofthefeaturegroup

Missing AmazonSageMakerFeatureStoreAccess policy and Amazon S3 bucket naming requirements

The execution role that you're using might be missing the AWS managed AmazonSageMakerFeatureStoreAccess policy. Review the policies attached to the execution role. Then, attach the AmazonSageMakerFeatureStoreAccess policy if it's missing:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetBucketAcl",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    }
  ]
}

The creation of the Feature Group might fail even after you add the AmazonSageMakerFeatureStoreAccess policy. Because this AWS managed policy only grants access to bucket ARNs that match "*SageMaker*", "*Sagemaker*", or "*sagemaker*", the S3 bucket that you use for the offline store must have the word "sagemaker" (in one of those capitalizations) in its name.

Missing Lake Formation permissions

The creation of the Feature Group might fail due to insufficient AWS Lake Formation permissions. When a Feature Group is created, an AWS Glue database is automatically created. Any Feature Groups created using SageMaker are created as tables within this AWS Glue database.

Confirm that the execution role used is granted permission to create an AWS Glue database. If the execution role doesn't have permission, do the following:

Note: AWS Lake Formation requires each principal (user or role) to be authorized to perform actions on Lake Formation managed resources.

  1. Open the AWS Lake Formation console
  2. From the left sidebar, choose Permissions, then Data Permissions
  3. Choose Grant
  4. Choose the IAM execution role from the principals dropdown menu, then grant the required permissions

For more information about granting database permissions, see Granting permissions on a database or table shared with your account.

Missing AWS KMS policy

The CreateFeatureGroup API call might fail due to missing AWS KMS permissions. To check, review the IAM policies of the execution role and then confirm that they allow the following AWS KMS actions on the key used by the Feature Group:

kms:GenerateDataKey
kms:Decrypt
kms:Encrypt

If the preceding permissions aren't present when you review the role's policies, add them and then retry.
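As an added example (not from this AWS article), the following Python script checks offline whether a set of policy documents satisfies the two checklist items above: the managed policy's "*SageMaker*" resource patterns against a given bucket name, and the three KMS actions against a key ARN. The KMS policy and key ARN are constructed placeholders, and the IAM wildcard matching is a simplified model that ignores Deny statements and conditions.

```python
import re

# The AWS managed AmazonSageMakerFeatureStoreAccess policy, as quoted on this page.
FEATURE_STORE_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:PutObject", "s3:GetBucketAcl", "s3:PutObjectAcl"],
                   "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*",
                                "arn:aws:s3:::*sagemaker*"]}],
}
# Constructed KMS statement that lacks kms:Encrypt; the key ARN is a placeholder.
KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID"
KMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
                   "Resource": KMS_KEY_ARN}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _iam_match(pattern, value, case_sensitive):
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None

def is_allowed(policies, action, resource_arn):
    """True if some Allow statement grants `action` on `resource_arn`. Actions match
    case-insensitively, ARNs case-sensitively. Deny statements are not evaluated."""
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if stmt.get("Effect") != "Allow":
                continue
            if not any(_iam_match(a, action, False) for a in _as_list(stmt.get("Action", []))):
                continue
            if any(_iam_match(r, resource_arn, True) for r in _as_list(stmt.get("Resource", []))):
                return True
    return False

def missing_permissions(policies, bucket_name, kms_key_arn):
    """Return the checklist actions from this page that the role still lacks."""
    checks = {  # GetBucketAcl is bucket-level; the Put* actions are object-level
        "s3:GetBucketAcl": f"arn:aws:s3:::{bucket_name}",
        "s3:PutObject": f"arn:aws:s3:::{bucket_name}/*",
        "s3:PutObjectAcl": f"arn:aws:s3:::{bucket_name}/*",
        "kms:GenerateDataKey": kms_key_arn,
        "kms:Decrypt": kms_key_arn,
        "kms:Encrypt": kms_key_arn,
    }
    return sorted(a for a, arn in checks.items() if not is_allowed(policies, a, arn))
```

A bucket named "my-feature-store" fails every S3 check while "my-sagemaker-feature-store" passes them, and because ARN matching is case-sensitive a bucket named "MY-SAGEMAKER-DATA" fails too. To run this against a real role, export its inline and attached policy documents (for example with `aws iam get-role-policy` and `aws iam get-policy-version`) and pass them in as the policies list.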

S3 bucket policy

The "AccessDenied" errors might also occur because an Amazon S3 bucket policy prevents access to the bucket. Review the S3 bucket policy, and then check that the execution role used to create the Feature Group has access to the bucket.


Related information

Granting permissions on a database or table shared with your account

Granting resource link permissions

Using bucket policies

AWS OFFICIAL. Updated a year ago.