Importing dataset files to encrypted S3 bucket

0

SageMaker Canvas allows updating files in an S3 bucket either by drag and drop or by using the "Select files from your computer" feature. When the S3 bucket used (similar to sagemaker-<region>-<account-number>) is encrypted with a custom KMS key, the upload fails with "Upload fails" (HTTP 400).

Is using a KMS key encrypted bucket possible? We already have a KMS key policy in place allowing these actions for the Canvas IAM role: "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Encrypt*", "kms:Describe*", "kms:Decrypt*"

Something else needed?

asked 2 years ago, 313 views
1 Answer
0

Hello,

Thank you for contacting us and for using Amazon SageMaker.

I understand that you encountered an "Upload fails" (HTTP 400) message when trying to upload your dataset file from a custom KMS key encrypted bucket to SageMaker Canvas.

This error might be seen when the KMS bucket policy or the role isn't properly configured.

Since, as you mentioned, you already have a KMS key policy in place allowing these actions for the Canvas IAM role: "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Encrypt*", "kms:Describe*", "kms:Decrypt*", we would need to investigate this further.

To be able to replicate and troubleshoot this further, we'd need your IAM role ARN, KMS key ARN and SageMaker Studio details. Hence, for further investigation of this issue, I'd recommend that you open a case with the SageMaker Support Engineering team so that you can share the above-mentioned details securely.

Open a support case with AWS using the link:

https://console.aws.amazon.com/support/home?#/case/create

AWS
SUPPORT ENGINEER
answered 2 years ago
