By using AWS re:Post, you agree to the Terms of Use

not authorized to perform: sagemaker:CreateModel on resource


I have been given AmazonSagemakerFullAccess by my companie's AWS admin. No one at our company can figure out why I can't get this line to run to launch the model.


lang_id = sagemaker.Model( image_uri=container, model_data=model_location, role=role, sagemaker_session=sess ) lang_id.deploy(initial_instance_count=1, instance_type="ml.t2.medium")

***** ERROR MESSAGE *****

ClientError Traceback (most recent call last) <ipython-input-5-4c80ec284a4b> in <module> 2 image_uri=container, model_data=model_location, role=role, sagemaker_session=sess 3 ) ----> 4 lang_id.deploy(initial_instance_count=1, instance_type="ml.t2.medium") 5 6 from sagemaker.deserializers import JSONDeserializer

~/anaconda3/envs/tensorflow2_p36/lib/python3.6/site-packages/sagemaker/ in deploy(self, initial_instance_count, instance_type, serializer, deserializer, accelerator_type, endpoint_name, tags, kms_key, wait, data_capture_config, async_inference_config, serverless_inference_config, **kwargs) 1132 1133 self._create_sagemaker_model( -> 1134 instance_type, accelerator_type, tags, serverless_inference_config 1135 ) 1136

~/anaconda3/envs/tensorflow2_p36/lib/python3.6/site-packages/sagemaker/ in _create_sagemaker_model(self, instance_type, accelerator_type, tags, serverless_inference_config) 671 tags=tags, 672 ) --> 673 self.sagemaker_session.create_model(**create_model_args) 674 675 def _ensure_base_name_if_needed(self, image_uri, script_uri, model_uri):

~/anaconda3/envs/tensorflow2_p36/lib/python3.6/site-packages/sagemaker/ in create_model(self, name, role, container_defs, vpc_config, enable_network_isolation, primary_container, tags) 2715 raise 2716 -> 2717 self._intercept_create_request(create_model_request, submit, 2718 return name 2719

~/anaconda3/envs/tensorflow2_p36/lib/python3.6/site-packages/sagemaker/ in _intercept_create_request(self, request, create, func_name) 4294 func_name (str): the name of the function needed intercepting 4295 """ -> 4296 return create(request) 4297 4298

~/anaconda3/envs/tensorflow2_p36/lib/python3.6/site-packages/sagemaker/ in submit(request) 2703 LOGGER.debug("CreateModel request: %s", json.dumps(request, indent=4)) 2704 try: -> 2705 self.sagemaker_client.create_model(**request) 2706 except ClientError as e: 2707 error_code = e.response["Error"]["Code"]

~/anaconda3/envs/tensorflow2_p36/lib/python3.6/site-packages/botocore/ in _api_call(self, *args, **kwargs) 506 ) 507 # The "self" in this scope is referring to the BaseClient. --> 508 return self._make_api_call(operation_name, kwargs) 509 510 = str(py_operation_name)

~/anaconda3/envs/tensorflow2_p36/lib/python3.6/site-packages/botocore/ in _make_api_call(self, operation_name, api_params) 909 error_code = parsed_response.get("Error", {}).get("Code") 910 error_class = self.exceptions.from_code(error_code) --> 911 raise error_class(parsed_response, operation_name) 912 else: 913 return parsed_response

ClientError: An error occurred (AccessDeniedException) when calling the CreateModel operation: User: arn:aws:sts::XXXXXXXXXX:assumed-role/sagemakeraccesstoservices/SageMaker is not authorized to perform: sagemaker:CreateModel on resource: arn:aws:sagemaker:us-east-2:XXXXXXXXXX:model/blazingtext-2022-08-09-13-58-21-739 because no identity-based policy allows the sagemaker:CreateModel action

1 Answer

Based on your description I understand that you are trying to create a Model using the Amazon SageMaker Python SDK with an assumed IAM Role with the AmazonSagemakerFullAccess policy, which should allow sagemaker:CreateModel. It's difficult to identify what the underlying issue is since multiple IAM mechanisms (like SCPs or explicit Denies) can prevent the sagemaker:CreateModel permission.

To work towards a solution I would recommend:

  1. Simulate the sagemaker:CreateModel action using the IAM Policy Simulator with your User/Role. This may identify the root cause for your issue and how it can be fixed.
  2. Open an AWS Support ticket describing the issue. AWS Support engineers are highly trained, experienced and well equipped to provide you with timely assistance.
profile picture
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions