Sagemaker Studio - create domain error

1

A customer is trying to set up SageMaker Studio. He is following our published instructions to set up using IAM: https://docs.aws.amazon.com/sagemaker/latest/dg/onboard-iam.html

But is getting an error: User: arn:aws:iam:xxxx:user/user1 is not authorized to perform: sagemaker:CreateDomain on resource: arn:aws:sagemaker:us-east-2:xxxx:domain/yyyy

He has admin privileges on the account and AmazonSageMakerFullAccess. We noticed that the AmazonSageMakerFullAccess policy actually has a limitation. You can perform all SageMaker actions, but not on a resource with ARN “arn:aws:sagemaker:::domain/*”. We confirmed there are no other domains in that region with the CLI, as you are only allowed one, so that isn’t blocking. And aws sagemaker list-user-profiles returns no user profiles.

Has anyone seen that error before or know the workaround? Should he create a custom policy to enable creating domains or would there be any implications of that? Are there specific permissions he should have so as to onboard using IAM?

AWS
rabinon
asked 4 years ago, 3106 views
1 Answer
1
Accepted answer

A user with admin privileges would have access to "iam:CreateServiceLinkedRole" and "sagemaker:CreateDomain" actions, unless SCPs or permissions boundaries are involved. However, for the purpose of onboarding Amazon SageMaker Studio with limited permissions, I would grant the user least privilege by reviewing Control Access to the Amazon SageMaker API by Using Identity-based Policies and Actions, Resources, and Condition Keys for Amazon SageMaker documentation:

{
    "Effect": "Allow",
    "Action": "sagemaker:CreateDomain",
    "Resource": "arn:aws:sagemaker:<REGION>:<ACCOUNT-ID>:domain/*"
}

NOTE: An AWS account is limited to one Domain, per region, see CreateDomain.

{
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "iam:AWSServiceName": "sagemaker.amazonaws.com"
        }
    }
}

Cheers!

AWS
answered 4 years ago
EXPERT
reviewed a month ago
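As an added example (not code from the question or the answer): a small Python script that assembles the two statements above into one policy document and runs a simplified IAM-style wildcard match over it. It shows why the region- and account-qualified `domain/*` resource matches the ARN from the error message, while a pattern whose region and account fields are empty, such as `arn:aws:sagemaker:::domain/*`, does not. The region is taken from the error message; the account id is a constructed placeholder.

```python
import re

REGION = "us-east-2"          # region from the error message in the question
ACCOUNT_ID = "123456789012"   # constructed placeholder account id

def studio_onboarding_policy(region, account_id):
    """The two Allow statements from the accepted answer, assembled into one document."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sagemaker:CreateDomain",
                "Resource": f"arn:aws:sagemaker:{region}:{account_id}:domain/*",
            },
            {
                "Effect": "Allow",
                "Action": "iam:CreateServiceLinkedRole",
                "Resource": "*",
                "Condition": {"StringEquals": {"iam:AWSServiceName": "sagemaker.amazonaws.com"}},
            },
        ],
    }

def arn_matches(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one.
    Every other character, including each ':' separator, must match literally, so a
    pattern with empty region/account fields cannot match an ARN that has them filled."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, action, resource, context=None):
    """Simplified evaluation: Allow statements only, with StringEquals conditions checked
    against the request context. Explicit Deny, SCPs and permissions boundaries (which the
    answer notes can still block an admin) are not modelled here."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        # Action names are case-insensitive in IAM; resource ARNs are compared as written.
        if not any(arn_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(arn_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) == want for key, want in conditions.items()):
            return True
    return False
```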
