How do I troubleshoot permissions issues when I create a SageMaker Feature Group?


I want to create an Amazon SageMaker Feature Group and I get an "AccessDenied" error.

Short description

SageMaker "AccessDenied" errors indicate that the AWS Identity and Access Management (IAM) role doesn't have sufficient permissions to perform the Create Feature Group operation.

You get an "AccessDenied" error when the execution role permissions have the following missing or misconfigured information:

  • AmazonSageMakerFeatureStoreAccess policy and Amazon Simple Storage Service (Amazon S3) bucket naming requirements
  • AWS Lake Formation permissions
  • AWS Key Management Service (AWS KMS) policy
  • Amazon S3 bucket policy

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

To see a detailed error message when you create a Feature Group, run the following command from your terminal, and then check the FailureReason:

$ aws sagemaker describe-feature-group --feature-group-name nameofthefeaturegroup

Missing AmazonSageMakerFeatureStoreAccess policy and Amazon S3 bucket naming requirements

If your execution role is missing the AmazonSageMakerFeatureStoreAccess policy, first review the policies attached to the execution role. Then, attach the AmazonSageMakerFeatureStoreAccess policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetBucketAcl",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    }
  ]
}

If the Feature Group creation still fails after you add the AmazonSageMakerFeatureStoreAccess policy, then check that the bucket name contains the word "sagemaker". This naming requirement comes from the managed policy itself: its Resource element only matches S3 buckets whose names contain "SageMaker", "Sagemaker", or "sagemaker" (the match is case-sensitive, so a bucket named "SAGEMAKER-data" doesn't qualify).

Missing Lake Formation permissions

Feature Group creation fails when the execution role has insufficient AWS Lake Formation permissions. When you create a Feature Group, an AWS Glue database is automatically created, and every Feature Group that you create with SageMaker is created as a table within this AWS Glue database.

Confirm that the execution role has permission to create an AWS Glue database. If the execution role doesn't have permission, then complete these steps:

  1. Open the Lake Formation console.
  2. From the left sidebar, choose Permissions, and then choose Data Permissions.
  3. Choose Grant.
  4. Choose the IAM execution role from the principals dropdown list, and then grant the required permissions.

Note: AWS Lake Formation requires each principal (user or role) to be authorized to perform actions on Lake Formation managed resources.

For more information about granting database permissions, see Granting permissions on a database or table shared with your account.

Missing AWS KMS policy

The CreateFeatureGroup API call fails because of missing AWS KMS permissions. To check for this issue, review the IAM policies of the execution role, and then confirm that the role is allowed the following AWS KMS actions:

  • kms:GenerateDataKey
  • kms:Decrypt
  • kms:Encrypt

If the preceding permissions aren't listed after you run the AWS CLI command, attach them to the execution role, and then retry the operation.
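The S3 naming requirement and the AWS KMS permissions described above can be checked offline before you call CreateFeatureGroup. The following script is an added example, not AWS code: it assumes you have already fetched the execution role's policy documents (for example with the AWS CLI) and passes them in as parsed JSON, and it applies a simplified IAM evaluation (Deny wins, otherwise any matching Allow grants; Condition, NotAction and NotResource are ignored). The sample policies and the KMS key ARN are constructed placeholders.

```python
import re

def _iam_match(pattern, value, case_sensitive=True):
    # IAM policy wildcards: '*' matches any run of characters, '?' matches one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policies, action, resource):
    """Simplified IAM evaluation (assumption): explicit Deny wins, otherwise any
    matching Allow grants. Action names are case-insensitive, resource ARNs are not."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if "Action" not in stmt or "Resource" not in stmt:
                continue  # NotAction / NotResource statements are not evaluated here
            if not any(_iam_match(a, action, False) for a in _as_list(stmt["Action"])):
                continue
            if not any(_iam_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def missing_feature_group_permissions(policies, bucket, kms_key_arn):
    """Return the (action, resource) pairs from the sections above that the role lacks."""
    obj = f"arn:aws:s3:::{bucket}/offline-store/example.parquet"  # representative object ARN
    required = [("s3:GetBucketAcl", f"arn:aws:s3:::{bucket}"), ("s3:PutObject", obj),
                ("s3:PutObjectAcl", obj), ("kms:GenerateDataKey", kms_key_arn),
                ("kms:Decrypt", kms_key_arn), ("kms:Encrypt", kms_key_arn)]
    return [(a, r) for a, r in required if not is_allowed(policies, a, r)]

# Sample policy documents, constructed for this example: the first mirrors the
# managed policy quoted above, the second is a KMS policy that forgot kms:Encrypt.
FEATURE_STORE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetBucketAcl", "s3:PutObjectAcl"],
    "Resource": ["arn:aws:s3:::*SageMaker*", "arn:aws:s3:::*Sagemaker*", "arn:aws:s3:::*sagemaker*"]}]}
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder ARN
KMS_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": KMS_KEY_ARN}]}

if __name__ == "__main__":
    for bucket in ("my-sagemaker-features", "my-features"):  # second lacks "sagemaker" in its name
        gaps = missing_feature_group_permissions([FEATURE_STORE_POLICY, KMS_POLICY], bucket, KMS_KEY_ARN)
        print(bucket, "->", [a for a, _ in gaps] or "all required permissions present")
```

The second bucket name reports all three S3 actions as missing even though the managed policy is attached, which is exactly the naming-convention failure described above.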

S3 bucket policy

The "AccessDenied" error can also occur because an Amazon S3 bucket policy blocks access to the bucket. Review the S3 bucket policy, and then check that the execution role used to create the Feature Group is allowed to access the bucket.

Related information

Granting resource link permissions

AWS OFFICIAL
Updated 21 days ago