Hi AWS, I am creating SageMaker domain but this time using Standard setup option as Quick setup is failing which I have raised in the thread https://repost.aws/questions/QULk3cThfOTc21vRT0LmZJ0A/could-not-create-sagemaker-domain-due-to-s3-bucket-creation-failure, even though the IAM role is having sufficient permissions. But now again a weird error is coming when I am trying to create the domain i.e. PermissionError: Unable to create Amazon EFS for domain 'd-g8mohmstv7ec' because you don't have permissions to use the specified resource as again the IAM role is having elasticfilesystem:* access for Resource: "*", still this error is not sorted.
Please guide the series of steps I need to follow as AWS Support is not able to solve either of the errors.
Are you you using the default domain setting or VPCOnly mode?
Are you seeing any KMS related permissions errors?
Below is a list of required permissions for creating a domain:
sagemaker:CreateDomain
iam:CreateServiceLinkedRole
iam:PassRole
Required if a KMS customer managed key is specified for KmsKeyId:
elasticfilesystem:CreateFileSystem
kms:CreateGrant
kms:Decrypt
kms:DescribeKey
kms:GenerateDataKeyWithoutPlainText
Required to create a domain that supports RStudio:
sagemaker:CreateApp
can you shed more light into the specific permissions error you got? (double check IAM permissions on the SageMaker roles) - also check out: SageMaker Create Domain API reference https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateDomain.html
Are you you using the default domain setting or VPCOnly mode? Are you seeing any KMS related permissions errors?
Below is a list of required permissions for creating a domain: sagemaker:CreateDomain iam:CreateServiceLinkedRole iam:PassRole
Required if a KMS customer managed key is specified for KmsKeyId: elasticfilesystem:CreateFileSystem kms:CreateGrant kms:Decrypt kms:DescribeKey kms:GenerateDataKeyWithoutPlainText
Required to create a domain that supports RStudio: sagemaker:CreateApp