How do I troubleshoot errors when I import data into my Amazon SageMaker Studio using SageMaker Data Wrangler?

3 minute read
0

I'm getting errors when I try to import data from Amazon Simple Storage Service (Amazon S3) or Amazon Athena using Amazon SageMaker Data Wrangler.

Resolution

Lifecycle permission error

When you try to import data from Amazon Athena into Data Wrangler, you might get the following error:

S3LifecyclePermissionError: You don't have permission to read expiration rules from the bucket that you specified.

This error occurs because the SageMaker execution role associated with the user profile doesn't have the required permissions to access the Amazon S3 Lifecycle configurations for managing data retention and expiration.

To resolve this error, add the following AWS Identity and Access Management (IAM) policy to the SageMaker execution role (Example: AmazonSageMaker-ExecutionRole-xxxxxxxxxxxxxxx):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LifecycleConfig",
      "Effect": "Allow",
      "Action": [
        "s3:GetLifecycleConfiguration",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": "*"
    }
  ]
}

For Resource, you can include only those Region-specific buckets that must be accessed. GetBucketLifecycleConfiguration returns the lifecycle configuration information set on the bucket, while PutBucketLifecycleConfiguration creates a new Lifecycle configuration for the bucket.

Access denied error

You might get the following error when you run a processing job with unencrypted output settings.

com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied

You might get this error because of the following reasons:

  • The SageMaker execution role doesn't have the required permissions to perform S3 operations.
  • Either the S3 bucket policy or Amazon Virtual Private Cloud (Amazon VPC) endpoint policy has explicitly denied permissions for PutObject. This might be the case if you enforced only encrypted connections to the S3 bucket by providing a specific AWS Key Management Service (AWS KMS) key.

To resolve this error, do the following:

  • Check if the SageMaker execution role has minimum permissions for S3 bucket operations:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket",
        "s3:CreateBucket",
      ],
      "Resource": [
        "arn:aws:s3:::sagemaker-us-east-1-1111222233334444",
        "arn:aws:s3:::sagemaker-us-east-1-1111222233334444/*"
      ]
    }
  ]
}
  • Be sure that S3 bucket policy or VPC endpoint policy doesn't explicitly deny the required permissions for S3 operations.
  • Consider passing the AWS KMS key to the processing job that allows to decrypt objects in the S3 bucket from where the data is imported.
  • Consider using a different S3 bucket for importing your data that's encrypted at rest using the Amazon S3 server-side encryption.

AWS OFFICIAL
AWS OFFICIALUpdated 7 months ago