How do I troubleshoot issues when I access a SageMaker AI Project in SageMaker AI Studio?

Resolution

Troubleshoot missing permissions

SageMaker AI Projects uses the AWS Service Catalog to use or create project templates and provision AWS resources for your AWS accounts. Your SageMaker AI Studio domain users can only access or view these templates when you grant Projects permissions.

If your user doesn't have Projects permissions, then your user receives an error message similar to the following example:

"Amazon SageMaker project templates aren't activated for your account. Contact your administrator to activate SageMaker project templates."

To resolve this issue, grant Projects permissions for the administrator and domain execution role users.

You might also have permission issues because the following items are missing, deleted, modified, or recreated manually:

• A service role that SageMaker AI Studio created when you activated SageMaker AI Project
• Amazon SageMaker AI JumpStart

To resolve this issue, complete the following steps to turn off SageMaker AI project templates and SageMaker AI JumpStart:

1. Open the SageMaker AI console.
2. In the navigation pane, choose Domains.
3. Select your domain.
4. Choose the App Configurations tab.
5. Under SageMaker Studio Classic, choose Edit.
6. Under SageMaker Projects and JumpStart, turn off the following options:
   Enable Amazon SageMaker project templates and Amazon SageMaker JumpStart for this account
   Enable Amazon SageMaker project templates and Amazon SageMaker JumpStart for Studio users
7. Choose Submit.
8. Delete all the AWS Identity and Access Management (IAM) roles that start with AmazonSageMakerServiceCatalogProduct*.
9. Use the preceding instructions to turn on the toggle switches that activate SageMaker AI project templates and JumpStart. This step creates several new roles for you.

Troubleshoot network issues in VPC only mode

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Internet access isn't active with the virtual private cloud (VPC) only network access type. You can only run a Studio AI notebook when the following conditions are true:

• Your VPC has an interface endpoint to the SageMaker AI API and runtime or a NAT gateway with internet access.
• Your security groups allow outbound connections.

If you don't need NAT gateway access for your SageMaker AI project, then you must create AWS PrivateLink interface VPC endpoints to connect to com.amazonaws.[region].servicecatalog. For example, if you're using SageMaker AI Studio in the eu-west-1 AWS Region, then use com.amazonaws.eu-west-1.servicecatalog. For more information, see Requirements to use VPC only mode.

To verify that your studio's network settings allow connection to SageMaker AI API and Service Catalog endpoints, run the following commands from a SageMaker AI Studio system terminal.

Run the following command to check access to the SageMaker AI API endpoint:

curl -v https://api.sagemaker.example-region.amazonaws.com

Run the following command to check access to the Service Catalog endpoint in the desired Region:

curl -v https://servicecatalog.example-region.amazonaws.com

If you get the Connection timed out error when you run the preceding commands, then verify that you configured your VPC network settings for VPC only mode.

To view the list of available projects from the system terminal, run the list-projects AWS CLI command:

aws sagemaker list-projects --sort-by CreationTime --sort-order Descending

Note: If you can't view the same list in the SageMaker AI Studio interface, then make sure to update your Studio's domain.

Then, complete the following steps:

1. Launch SageMaker AI Studio app.
2. On the menu at the top, choose View.
3. On the menu bar, choose Activate Command Palette. Or, press Ctrl + Shift + C.
4. Search for Reset Application State in the Search bar, and then choose this option.